Commit 86372d
2025-09-03 14:13:59 admin: added original dokuwiki page| /dev/null .. fail2ban.md | |
| @@ 0,0 1,216 @@ | |
| + | # Fail2Ban |
| + | |
| + | Fail2Ban est un logiciel de sécurité pour les serveurs qui **protège |
| + | contre les attaques de type "brute force"** (tentatives de connexion |
| + | répétées avec des mots de passe incorrects). |
| + | |
| + | Il **surveille les journaux de sécurité du serveur** et bloque les |
| + | adresses IP qui tentent de se connecter avec trop de tentatives de |
| + | connexion échouées. |
| + | |
| + | Cela empêche les pirates de hacker de prendre le contrôle de votre |
| + | serveur en essayant de deviner votre mot de passe. |
| + | |
| + | ``` shell |
| + | sudo apt install fail2ban |
| + | ``` |
| + | |
| + | Les fichiers de configuration se trouve à : |
| + | |
| + | ``` shell |
| + | /etc/fail2ban |
| + | ``` |
| + | |
| + | <WRAP left round important 100%> |
| + | |
| + | Don't copy the conf to local We want to make precise modifications to |
| + | the default, so let's not loose ourselves in thousands of parameters. |
| + | Let's target the ones we need to change. |
| + | |
| + | </WRAP> |
| + | |
| + | Tout d'abord on créer un fichier `jail.local` pour override les |
| + | paramètres par défault: |
| + | |
| + | ``` shell |
| + | sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local |
| + | ``` |
| + | |
| + | Ensuite on va faire des modifications dans le fichier: |
| + | |
| + | ``` shell |
| + | # ouvrire le fichier avec notre éditeur de texte micro |
| + | sudo micro /etc/fail2ban/jail.local |
| + | ``` |
| + | |
| + | Il y a deux sections par défault dans le fichier: **DEFAULT** et |
| + | **sshd** |
| + | |
| + | #### Default |
| + | |
| + | ``` toml |
| + | # "bantime" is the number of seconds that a host is banned. |
| + | bantime = 7800m |
| + | |
| + | # A host is banned if it has generated "maxretry" during the last "findtime" seconds. |
| + | findtime = 30m |
| + | |
| + | # "maxretry" is the number of failures before a host get banned. |
| + | maxretry = 5 |
| + | |
| + | # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban |
| + | # will not ban a host which matches an address in this list. Several addresses |
| + | # can be defined using space (and/or comma) separator. |
| + | ignoreip = 127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88 |
| + | |
| + | # Longer ban if multiple |
| + | bantime.increment = true |
| + | bantime.rndtime = 2048 |
| + | bantime.multipliers = 1 5 30 60 300 720 1440 2880 |
| + | ``` |
| + | |
| + | #### sshd |
| + | |
| + | ``` toml |
| + | [sshd] |
| + | enabled = true |
| + | port = 53684 |
| + | bantime = 1d |
| + | findtime = 1d |
| + | maxretry = 3 |
| + | maxfailures = 5 |
| + | # Paramètres de récidive |
| + | #bantime.increment = true |
| + | bantime.findtime = 1w # La période de temps pendant laquelle les bannissements sont comptés pour l’incrémentation |
| + | bantime.factor = 2 # Le facteur de multiplication de la durée de bannissement bantime.maxtime = 1y # La durée maximale >bantime.maxtime = 1y |
| + | ``` |
| + | |
| + | Après avoir modifié la configuration de `fail2ban`, on doit (re)démarré |
| + | `fail2ban`: |
| + | |
| + | ``` shell |
| + | # Lancer pour la première fois |
| + | sudo systemctl start fail2ban |
| + | sudo systemctl enable fail2ban |
| + | |
| + | # Redémarré |
| + | sudo systemctl restart fail2ban |
| + | |
| + | # Vérifier que le service fonctionne |
| + | sudo systemctl status fail2ban |
| + | ``` |
| + | |
| + | ## Jails |
| + | |
| + | Pour vérifier quelles jails sont active: |
| + | |
| + | ``` shell |
| + | sudo fail2ban-client status |
| + | ``` |
| + | |
| + | ## Mailu setup |
| + | |
| + | [[%%//%%mailu.io/2024.06/faq.html#do-you-support-fail2ban]] |
| + | |
| + | If you use a reverse proxy in front of Mailu, it is vital to set the |
| + | environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these |
| + | environment variables, Mailu will not trust the remote client IP passed |
| + | on by the reverse proxy and as a result your reverse proxy will be |
| + | banned. |
| + | |
| + | See the [configuration |
| + | reference](https://mailu.io/2024.06/configuration.html#reverse-proxy-headers) |
| + | for more information. |
| + | |
| + | Assuming you have a working Fail2Ban installation on the host running |
| + | your Docker containers, follow these steps: |
| + | |
| + | - In the mailu docker compose set the logging driver of the front |
| + | container to `journald`; and set the tag to `mailu-front` |
| + | |
| + | ``` yaml |
| + | logging: |
| + | driver: journald |
| + | options: |
| + | tag: mailu-front |
| + | ``` |
| + | |
| + | - Add the `/etc/fail2ban/filter.d/bad-auth-bots.conf` |
| + | |
| + | ``` toml |
| + | [Definition] |
| + | failregex = ^s?S+ mailu-front[d+]: S+ S+ [info] d+#d+: *d+ client login failed: "AUTH not supported" while in http auth state, client: <HOST>, server: |
| + | ignoreregex = |
| + | journalmatch = CONTAINER_TAG=mailu-front |
| + | ``` |
| + | |
| + | - Add the `/etc/fail2ban/jail.d/bad-auth-bots.conf` |
| + | |
| + | [bad-auth-bots] |
| + | enabled = true |
| + | backend = systemd |
| + | filter = bad-auth-bots |
| + | bantime = 604800 |
| + | findtime = 600 |
| + | maxretry = 5 |
| + | action = docker-action-net |
| + | |
| + | The above will block flagged IPs for a week, you can of course change it |
| + | to your needs. |
| + | |
| + | - Add the following to /etc/fail2ban/action.d/docker-action-net.conf |
| + | |
| + | <WRAP left round important 100%> |
| + | |
| + | You have to install ipset on the host system, eg. |
| + | `apt-get install ipset` on a Debian/Ubuntu system. |
| + | |
| + | </WRAP> |
| + | |
| + | See ipset homepage for details on ipset, <https://ipset.netfilter.org/>. |
| + | |
| + | [Definition] |
| + | |
| + | actionstart = ipset --create f2b-bad-auth-bots nethash |
| + | iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP |
| + | |
| + | actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP |
| + | ipset --destroy f2b-bad-auth-bots |
| + | |
| + | actionban = ipset add -exist f2b-bad-auth-bots <ip>/24 |
| + | |
| + | actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24 |
| + | |
| + | Using DOCKER-USER chain ensures that the blocked IPs are processed in |
| + | the correct order with Docker. See more in: |
| + | <https://docs.docker.com/network/iptables/>. |
| + | |
| + | Please note that the provided example will block the subnet from sending |
| + | any email to the Mailu instance. |
| + | |
| + | - Configure and restart the Fail2Ban service |
| + | |
| + | Make sure Fail2Ban is started after the Docker service by adding a |
| + | partial override which appends this to the existing configuration. |
| + | |
| + | sudo systemctl edit fail2ban |
| + | |
| + | Add the override and save the file. |
| + | |
| + | ``` toml |
| + | [Unit] |
| + | After=docker.service |
| + | ``` |
| + | |
| + | Restart the Fail2Ban service. |
| + | |
| + | ``` shell |
| + | sudo systemctl restart fail2ban |
| + | ``` |
| + | |
| + | ## Sources |
| + | |
| + | - https://wiki.archlinux.org/title/Fail2ban |
| + | - https://doc.ubuntu-fr.org/fail2ban |
| + | - https://help.ubuntu.com/community/Fail2ban |
| + | - https://infosecwriteups.com/10-essential-ssh-server-security-tips-best-practices-b5643e3d509b#8533 |
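Review bot: the `failregex` in `filter.d/bad-auth-bots.conf` has lost every backslash (`^s?S+ mailu-front[d+]: S+ S+ [info] d+#d+: *d+ client login failed:`), so `\s`, `\S`, `\d`, `\[`, `\]` and `\*` now read as literal characters and the pattern will never match a line, which means the `bad-auth-bots` jail silently bans nothing; restore the escapes (`^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: ...`) and verify with `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/bad-auth-bots.conf` before relying on it. The important box says "Don't copy the conf to local" but the very next command is `sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`; pick one, and the box's advice is the right one (`jail.local` should hold only the overridden keys so upgrades to `jail.conf` still take effect). In the `[sshd]` block, `bantime.findtime = 1w # ...` and `bantime.factor = 2 # ... bantime.maxtime = 1y # ... >bantime.maxtime = 1y` use `#` for inline comments and fuse two keys onto one line; fail2ban only treats ` ;` as an inline comment, so these values will not parse, and `bantime.maxtime = 1y` needs its own line. `maxfailures = 5` is not a jail option I can find (the threshold is `maxretry`, already set to 3 on the line above), and `bantime.factor = 2` is ignored while `bantime.multipliers` is inherited from `[DEFAULT]`, so both lines should go or be explained. The `jail.d/bad-auth-bots.conf` and `action.d/docker-action-net.conf` contents and the `sudo systemctl edit fail2ban` command are unfenced, unlike every other snippet, and the `actionstart`/`actionstop` continuation lines (`iptables -I DOCKER-USER ...`, `ipset --destroy ...`) must be indented to stay part of the multi-line value. Worth stating next to the action that `--dport 25` only blocks SMTP, so a banned /24 can still hit submission and IMAP on the same host; drop the port match or list the other ports if the goal is to block the bot outright. Finally, the dokuwiki leftovers (`[[%%//%%mailu.io/...]]`, the `<WRAP ...>` blocks) will not render in a `.md` file; convert them to a Markdown link and a blockquote.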