Fail2Ban

Fail2Ban est un logiciel de sécurité pour les serveurs qui protège contre les attaques de type "brute force" (tentatives de connexion répétées avec des mots de passe incorrects).

Il surveille les journaux de sécurité du serveur et bloque les adresses IP qui tentent de se connecter avec trop de tentatives de connexion échouées.

Cela empêche les pirates de hacker de prendre le contrôle de votre serveur en essayant de deviner votre mot de passe.

sudo apt install fail2ban

Les fichiers de configuration se trouve à :

/etc/fail2ban

<WRAP left round important 100%>

Don't copy the conf to local We want to make precise modifications to the default, so let's not loose ourselves in thousands of parameters. Let's target the ones we need to change.

Tout d'abord on créer un fichier jail.local pour override les paramètres par défault:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Ensuite on va faire des modifications dans le fichier:

# ouvrire le fichier avec notre éditeur de texte micro
sudo micro /etc/fail2ban/jail.local

Il y a deux sections par défault dans le fichier: DEFAULT et sshd

Default

# "bantime" is the number of seconds that a host is banned.  
bantime = 7800m

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.  
findtime = 30m

# "maxretry" is the number of failures before a host get banned.  
maxretry = 5

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88

# Longer ban if multiple 
bantime.increment = true
bantime.rndtime = 2048
bantime.multipliers = 1 5 30 60 300 720 1440 2880

sshd

[sshd]
enabled = true
port = 53684
bantime = 1d
findtime = 1d
maxretry = 3
maxfailures = 5
# Paramètres de récidive
#bantime.increment = true
bantime.findtime = 1w # La période de temps pendant laquelle les bannissements sont comptés pour l’incrémentation
bantime.factor = 2 # Le facteur de multiplication de la durée de bannissement bantime.maxtime = 1y # La durée maximale >bantime.maxtime = 1y

Après avoir modifié la configuration de fail2ban, on doit (re)démarré fail2ban:

# Lancer pour la première fois
sudo systemctl start fail2ban  
sudo systemctl enable fail2ban

# Redémarré
sudo systemctl restart fail2ban  

# Vérifier que le service fonctionne
sudo systemctl status fail2ban

Jails

Pour vérifier quelles jails sont active:

sudo fail2ban-client status

Mailu setup

%%//%%mailu.io/2024.06/faq.html#do-you-support-fail2ban

If you use a reverse proxy in front of Mailu, it is vital to set the environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these environment variables, Mailu will not trust the remote client IP passed on by the reverse proxy and as a result your reverse proxy will be banned.

See the configuration reference for more information.

Assuming you have a working Fail2Ban installation on the host running your Docker containers, follow these steps:

• In the mailu docker compose set the logging driver of the front

container to journald; and set the tag to mailu-front

logging:
  driver: journald
  options:
    tag: mailu-front

• Add the /etc/fail2ban/filter.d/bad-auth-bots.conf

[Definition]
failregex = ^s?S+ mailu-front[d+]: S+ S+ [info] d+#d+: *d+ client login failed: "AUTH not supported" while in http auth state, client: <HOST>, server:
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front

• Add the /etc/fail2ban/jail.d/bad-auth-bots.conf

  [bad-auth-bots] enabled = true backend = systemd filter = bad-auth-bots bantime = 604800 findtime = 600 maxretry = 5 action = docker-action-net

The above will block flagged IPs for a week, you can of course change it to your needs.

• Add the following to /etc/fail2ban/action.d/docker-action-net.conf

<WRAP left round important 100%>

You have to install ipset on the host system, eg. apt-get install ipset on a Debian/Ubuntu system.

See ipset homepage for details on ipset, https://ipset.netfilter.org/.

[Definition]

actionstart = ipset --create f2b-bad-auth-bots nethash
              iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP

actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
             ipset --destroy f2b-bad-auth-bots

actionban = ipset add -exist f2b-bad-auth-bots <ip>/24

actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24

Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/.

Please note that the provided example will block the subnet from sending any email to the Mailu instance.

• Configure and restart the Fail2Ban service

Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.

sudo systemctl edit fail2ban

Add the override and save the file.

[Unit]
After=docker.service

Restart the Fail2Ban service.

sudo systemctl restart fail2ban

Sources

• https://wiki.archlinux.org/title/Fail2ban
• https://doc.ubuntu-fr.org/fail2ban
• https://help.ubuntu.com/community/Fail2ban
• https://infosecwriteups.com/10-essential-ssh-server-security-tips-best-practices-b5643e3d509b#8533