Fail2Ban

Fail2Ban est un logiciel de sécurité pour les serveurs qui protège contre les attaques de type "brute force" (tentatives de connexion répétées avec des mots de passe incorrects).

Il surveille les journaux de sécurité du serveur et bloque les adresses IP qui tentent de se connecter avec trop de tentatives de connexion échouées.

Cela empêche les pirates de hacker de prendre le contrôle de votre serveur en essayant de deviner votre mot de passe.

sudo apt install fail2ban

Configuration

Les fichiers de configuration se trouve à :

/etc/fail2ban

Don't copy the conf to local, we want to make precise modifications to the default, so let's not loose ourselves in thousands of parameters. Let's target the ones we need to change.

Tout d'abord on créer un fichier jail.local pour override les paramètres par défault:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Ensuite on va faire des modifications dans le fichier:

# ouvrire le fichier avec notre éditeur de texte micro
sudo micro /etc/fail2ban/jail.local

Il y a deux sections par défault dans le fichier: DEFAULT et sshd

Default

# "bantime" is the number of seconds that a host is banned.  
bantime = 7800m

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.  
findtime = 30m

# "maxretry" is the number of failures before a host get banned.  
maxretry = 5

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88

# Longer ban if multiple 
bantime.increment = true
bantime.rndtime = 2048
bantime.multipliers = 1 5 30 60 300 720 1440 2880

sshd

[sshd]
enabled = true
port = 53684
bantime = 1d
findtime = 1d
maxretry = 3
maxfailures = 5
# Paramètres de récidive
#bantime.increment = true
bantime.findtime = 1w # La période de temps pendant laquelle les bannissements sont comptés pour l’incrémentation
bantime.factor = 2 # Le facteur de multiplication de la durée de bannissement bantime.maxtime = 1y # La durée maximale >bantime.maxtime = 1y

Après avoir modifié la configuration de fail2ban, on doit (re)démarré fail2ban:

# Lancer pour la première fois
sudo systemctl start fail2ban  
sudo systemctl enable fail2ban

# Redémarré
sudo systemctl restart fail2ban  

# Vérifier que le service fonctionne
sudo systemctl status fail2ban

Jails

Pour vérifier quelles jails sont active:

sudo fail2ban-client status

Mailu setup

%%//%%mailu.io/2024.06/faq.html#do-you-support-fail2ban

If you use a reverse proxy in front of Mailu, it is vital to set the environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these environment variables, Mailu will not trust the remote client IP passed on by the reverse proxy and as a result your reverse proxy will be banned.

See the configuration reference for more information.

Assuming you have a working Fail2Ban installation on the host running your Docker containers, follow these steps:

In the mailu docker compose set the logging driver of the front

container to journald; and set the tag to mailu-front

logging:
  driver: journald
  options:
    tag: mailu-front

Add the /etc/fail2ban/filter.d/bad-auth-bots.conf

[Definition]
failregex = ^s?S+ mailu-front[d+]: S+ S+ [info] d+#d+: *d+ client login failed: "AUTH not supported" while in http auth state, client: <HOST>, server:
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front

Add the /etc/fail2ban/jail.d/bad-auth-bots.conf

    [bad-auth-bots]
    enabled = true
    backend = systemd
    filter = bad-auth-bots
    bantime = 604800
    findtime = 600
    maxretry = 5
    action = docker-action-net

The above will block flagged IPs for a week, you can of course change it to your needs.

Add the following to /etc/fail2ban/action.d/docker-action-net.conf

You have to install ipset on the host system, eg. apt-get install ipset on a Debian/Ubuntu system.

See ipset homepage for details on ipset, https://ipset.netfilter.org/.

    [Definition]

    actionstart = ipset --create f2b-bad-auth-bots nethash
                  iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP

    actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
                 ipset --destroy f2b-bad-auth-bots

    actionban = ipset add -exist f2b-bad-auth-bots <ip>/24

    actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24

Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/.

Please note that the provided example will block the subnet from sending any email to the Mailu instance.

Configure and restart the Fail2Ban service

Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.

sudo systemctl edit fail2ban

Add the override and save the file.

[Unit]
After=docker.service

Restart the Fail2Ban service.

sudo systemctl restart fail2ban

Troubleshooting

Unban

Pour vérifier si une adresse a été ban, on a plusieurs possibilité:

less /var/log/fail2ban.log | grep  YOUR_IP

sudo fail2ban-client set THE_JAIL_NAME unbanip YOUR_IP

Whitelist (to avoid ban in the first place)

Edit the /etc/fail2ban/jail.local ignore_ip field, by appending at the end of the line your routers IP adress. Then restart the fail2ban service:

sudo systemctl restart fail2ban

and check that it runs correctly:

systemctl status fail2ban

Make sure that your home router's IP is in the whitelisted ips.