# Fail2Ban

Fail2Ban is a security tool for servers that **protects against "brute force" attacks** (repeated login attempts with wrong passwords).

It **watches the server's security logs** and blocks IP addresses that make too many failed login attempts.

This prevents attackers from taking control of your server by guessing your password.

``` shell
sudo apt install fail2ban
```

The configuration files are located in:

``` shell
/etc/fail2ban
```

<WRAP left round important 100%>

Don't copy the conf to local. We want to make precise modifications to the default, so let's not lose ourselves in thousands of parameters. Let's target the ones we need to change.

</WRAP>

First, create a `jail.local` file to override the default parameters:

``` shell
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Then make the changes in that file:

``` shell
# open the file with the micro text editor
sudo micro /etc/fail2ban/jail.local
```

There are two sections in the file by default: **DEFAULT** and **sshd**.

#### Default

``` toml
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 7800m

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 30m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88

# Longer bans for repeat offenders
bantime.increment = true
bantime.rndtime = 2048
bantime.multipliers = 1 5 30 60 300 720 1440 2880
```

#### sshd

``` toml
[sshd]
enabled = true
port = 53684
bantime = 1d
findtime = 1d
maxretry = 3
# note: "maxfailures" is not a documented fail2ban jail option; "maxretry" above is what counts
maxfailures = 5
# Repeat-offender settings
#bantime.increment = true
# period during which previous bans are counted for the increment
bantime.findtime = 1w
# multiplication factor for the ban duration
bantime.factor = 2
# maximum ban duration
bantime.maxtime = 1y
```

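To see what these `bantime.*` settings actually produce, here is an added Python model of the increment rules as fail2ban documents them in `jail.conf` (multiplier table indexed by the host's previous ban count, times `bantime.factor`, capped by `bantime.maxtime`, plus up to `bantime.rndtime` seconds of jitter). It is not fail2ban's own code; `str2seconds`, `next_ban_time` and the two `page_*_schedule` helpers are names chosen here, and the `[sshd]` schedule assumes the multipliers, `bantime.increment` and `bantime.rndtime` are inherited from `[DEFAULT]` as INI-style inheritance implies.

```python
import random
import re

# Duration suffixes as fail2ban accepts them ("7800m", "1d", "1w", "1y"). Assumption: a 365-day
# year and a 30-day month; fail2ban's own MyTime.str2seconds may round these slightly differently.
_UNITS = {"y": 31536000, "mo": 2592000, "w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def str2seconds(value):
    """Convert a fail2ban duration string (or a bare number of seconds) to seconds."""
    return sum(int(n) * _UNITS[u or "s"]
               for n, u in re.findall(r"(\d+)\s*(mo|[ywdhms]?)", value.strip().lower()))

def next_ban_time(bantime, ban_count, multipliers=None, factor=1.0,
                  maxtime=None, rndtime=0, rnd=random.random):
    """Seconds a host is banned when it already has `ban_count` bans recorded in the fail2ban
    database (within bantime.findtime). Mirrors the documented bantime.* semantics, not the code."""
    if multipliers:
        # bantime.multipliers: indexed by previous ban count, last entry reused once exceeded
        seconds = bantime * multipliers[min(ban_count, len(multipliers) - 1)] * factor
    else:
        # fail2ban's default bantime.formula: ban.Time * (1 << min(ban.Count, 20)) * banFactor
        seconds = bantime * (1 << min(ban_count, 20)) * factor
    if maxtime is not None:
        seconds = min(seconds, maxtime)   # bantime.maxtime caps the growth
    if rndtime:
        seconds += rnd() * rndtime        # bantime.rndtime: jitter so the unban time is not predictable
    return int(seconds)

# The multiplier table from the page's [DEFAULT] section (jail.conf documents it for bantime=60).
PAGE_MULTIPLIERS = [1, 5, 30, 60, 300, 720, 1440, 2880]

def page_default_schedule(bans=9, rnd=lambda: 0.0):
    """Successive ban lengths under [DEFAULT]: bantime=7800m, rndtime=2048, no maxtime."""
    bt = str2seconds("7800m")
    return [next_ban_time(bt, n, PAGE_MULTIPLIERS, rndtime=2048, rnd=rnd) for n in range(bans)]

def page_sshd_schedule(bans=6, rnd=lambda: 0.0):
    """Successive ban lengths under [sshd]: bantime=1d, factor=2, maxtime=1y, with the
    multipliers, increment flag and rndtime inherited from [DEFAULT]."""
    bt, cap = str2seconds("1d"), str2seconds("1y")
    return [next_ban_time(bt, n, PAGE_MULTIPLIERS, factor=2, maxtime=cap, rndtime=2048, rnd=rnd)
            for n in range(bans)]

if __name__ == "__main__":
    for n, s in enumerate(page_default_schedule()):
        print(f"DEFAULT ban #{n + 1}: {s / 86400:.1f} days")
    for n, s in enumerate(page_sshd_schedule()):
        print(f"sshd ban #{n + 1}: {s / 86400:.1f} days")
```

With `bantime = 7800m` the `[DEFAULT]` table, which `jail.conf` documents for `bantime = 60`, reaches about 42 years by the eighth ban because no `bantime.maxtime` caps it; the `[sshd]` jail hits its `1y` ceiling at the fifth ban.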

After changing the `fail2ban` configuration, `fail2ban` must be (re)started:

``` shell
# First start
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# Restart
sudo systemctl restart fail2ban

# Check that the service is running
sudo systemctl status fail2ban
```

## Jails

To check which jails are active:

``` shell
sudo fail2ban-client status
```

## Mailu setup

<https://mailu.io/2024.06/faq.html#do-you-support-fail2ban>

If you use a reverse proxy in front of Mailu, it is vital to set the environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these environment variables, Mailu will not trust the remote client IP passed on by the reverse proxy and as a result your reverse proxy will be banned.

See the [configuration reference](https://mailu.io/2024.06/configuration.html#reverse-proxy-headers) for more information.

Assuming you have a working Fail2Ban installation on the host running your Docker containers, follow these steps:

- In the Mailu docker compose file, set the logging driver of the front container to `journald` and set the tag to `mailu-front`:

``` yaml
logging:
  driver: journald
  options:
    tag: mailu-front
```

- Add the file `/etc/fail2ban/filter.d/bad-auth-bots.conf`:

``` toml
[Definition]
failregex = ^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: "AUTH not supported" while in http auth state, client: <HOST>, server:
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front
```

- Add the file `/etc/fail2ban/jail.d/bad-auth-bots.conf`:

``` toml
[bad-auth-bots]
enabled = true
backend = systemd
filter = bad-auth-bots
bantime = 604800
findtime = 600
maxretry = 5
action = docker-action-net
```

The above will block flagged IPs for a week; you can of course change it to suit your needs.

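As an added check that is not part of Mailu's documentation, the following Python runs the `failregex` above over constructed journald lines, shaped as fail2ban's `systemd` backend presents them (hostname, then `mailu-front[pid]:`, then nginx's mail-proxy message), and reports which hosts would reach the jail's `maxretry = 5`, much as `fail2ban-regex` would. The `<HOST>` expansion uses fail2ban's classic single-group form, an assumption; `compile_failregex`, `matched_hosts` and `would_ban` are names chosen here.

```python
import re
from collections import Counter

# The failregex exactly as in the page's filter.d/bad-auth-bots.conf.
FAILREGEX = (r'^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: '
             r'"AUTH not supported" while in http auth state, client: <HOST>, server:')

# fail2ban's classic single-group expansion of the <HOST> tag (assumption; newer releases use
# separate ip4/ip6/dns groups, but the captured value is the same for these lines).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_failregex(pattern):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def matched_hosts(lines, pattern=FAILREGEX):
    """<HOST> of every line the filter counts as a failure, in order (what fail2ban-regex lists)."""
    regex = compile_failregex(pattern)
    return [m.group("host") for m in map(regex.search, lines) if m]

def would_ban(lines, maxretry=5):
    """Hosts reaching the jail's maxretry (the 600 s findtime window is not modelled here)."""
    return sorted(h for h, n in Counter(matched_hosts(lines)).items() if n >= maxretry)

def _fail_line(ip, conn):
    # Constructed journald line as the systemd backend presents it: hostname, then
    # "mailu-front[pid]:", then nginx's mail-proxy message (assumed format).
    return (f'mail1 mailu-front[2211]: 2025/09/03 14:13:59 [info] 12#12: *{conn} client login failed: '
            f'"AUTH not supported" while in http auth state, client: {ip}, server: 0.0.0.0:25')

SAMPLE_LINES = [_fail_line("203.0.113.7", 70 + i) for i in range(5)] + [
    _fail_line("198.51.100.23", 80),
    # successful login: must not match
    'mail1 mailu-front[2211]: 2025/09/03 14:14:02 [info] 12#12: *81 client logged in, client: 198.51.100.4, server: 0.0.0.0:587',
    # same message from a container without the mailu-front tag: must not match either
    'mail1 nginx[99]: 2025/09/03 14:14:05 [info] 1#1: *9 client login failed: "AUTH not supported" while in http auth state, client: 198.51.100.9, server: 0.0.0.0:25',
]

if __name__ == "__main__":
    print(matched_hosts(SAMPLE_LINES))   # five hits for 203.0.113.7, one for 198.51.100.23
    print(would_ban(SAMPLE_LINES))       # ['203.0.113.7']
```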
- Add the following to `/etc/fail2ban/action.d/docker-action-net.conf`

<WRAP left round important 100%>

You have to install ipset on the host system, e.g.
`apt-get install ipset` on a Debian/Ubuntu system.

</WRAP>

See the ipset homepage for details on ipset, <https://ipset.netfilter.org/>.

``` toml
[Definition]

# continuation lines are indented: each of these actions runs two commands in sequence
actionstart = ipset --create f2b-bad-auth-bots nethash
              iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP

actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
             ipset --destroy f2b-bad-auth-bots

actionban = ipset add -exist f2b-bad-auth-bots <ip>/24

actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24
```

Using the DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: <https://docs.docker.com/network/iptables/>.

Please note that the provided example will block the whole /24 subnet of the flagged IP from sending any email to the Mailu instance.

- Configure and restart the Fail2Ban service

Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.

``` shell
sudo systemctl edit fail2ban
```

Add the override and save the file.

``` toml
[Unit]
After=docker.service
```

Restart the Fail2Ban service.

``` shell
sudo systemctl restart fail2ban
```

## Sources

- https://wiki.archlinux.org/title/Fail2ban
- https://doc.ubuntu-fr.org/fail2ban
- https://help.ubuntu.com/community/Fail2ban
- https://infosecwriteups.com/10-essential-ssh-server-security-tips-best-practices-b5643e3d509b#8533