# Fail2Ban

- [Wikipedia Article](https://en.wikipedia.org/wiki/Fail2ban)
- [Source Code](https://github.com/fail2ban/fail2ban)
- [Archlinux Wiki](https://wiki.archlinux.org/title/Fail2ban)
Fail2Ban is a security tool for servers that **protects against brute-force attacks** (repeated login attempts with wrong passwords).

It **watches the server's authentication logs** and bans the IP addresses that accumulate too many failed login attempts within a time window.

This slows password guessing to a crawl, making it far harder for an attacker to take control of the server by guessing a password.

``` shell
sudo apt install fail2ban
```

The configuration files live in:

``` shell
/etc/fail2ban
```
<WRAP left round important 100%>

Don't copy the whole `jail.conf` to `jail.local`. We want precise modifications to the defaults, so let's not lose ourselves in thousands of parameters: `jail.local` only needs the ones we actually change, everything else keeps its `jail.conf` default.

</WRAP>
First, create a `jail.local` file that overrides the defaults. Fail2Ban reads `jail.conf` first and then `jail.local`, so the local file only has to contain the sections and keys we change:

``` shell
# open (and create; the package does not ship one) the file with our text editor micro
sudo micro /etc/fail2ban/jail.local
```

Two sections matter here: **DEFAULT** (settings inherited by every jail) and **sshd**.
#### Default

``` toml
[DEFAULT]
# "bantime" is how long a host stays banned: plain seconds, or a value with a
# time suffix (m, h, d, w). 7800m is 130 hours.
bantime = 7800m

# A host is banned if it has generated "maxretry" failures during the last "findtime".
findtime = 30m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will never ban a host that matches an address in this list, so keep it to
# your own addresses. Several addresses can be separated by space (and/or comma).
ignoreip = 127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88

# Longer bans for repeat offenders: each new ban of an already-known IP is
# "bantime" times the entry of "bantime.multipliers" that matches its previous
# ban count (the last entry is reused once the list is exhausted), and
# "bantime.rndtime" adds up to 2048 s of random jitter so a bot cannot compute
# the exact moment it gets unbanned.
bantime.increment = true
bantime.rndtime = 2048
bantime.multipliers = 1 5 30 60 300 720 1440 2880
```

Keep in mind that this multiplier list comes from the `jail.conf` example for a short initial ban (`bantime = 60`); with a 130-hour base the third ban of an IP already lasts about five months, so consider a `bantime.maxtime` here as the sshd jail below does.
75
76
#### sshd
77
78
``` toml
79
[sshd]
80
enabled = true
81
port = 53684
82
bantime = 1d
83
findtime = 1d
84
maxretry = 3
85
maxfailures = 5
86
# Paramètres de récidive
87
#bantime.increment = true
88
bantime.findtime = 1w # La période de temps pendant laquelle les bannissements sont comptés pour l’incrémentation
89
bantime.factor = 2 # Le facteur de multiplication de la durée de bannissement bantime.maxtime = 1y # La durée maximale >bantime.maxtime = 1y
90
```
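To see what the two sections above actually produce for a repeat offender, here is a small model of Fail2Ban's incremental ban computation, written for this page (it is not Fail2Ban's own code). It follows the semantics `jail.conf` documents: the next ban is `bantime` times the `bantime.multipliers` entry for the IP's previous ban count (the last entry is reused once the list runs out), times `bantime.factor`, capped by `bantime.maxtime`; the random `bantime.rndtime` jitter is left out, and the time-suffix parser is a simplified stand-in (one integer plus one unit, `y` taken as 365.25 days). The numbers are the ones from the config above: the DEFAULT multipliers with `bantime = 7800m`, and the sshd jail with `bantime = 1d`, `bantime.factor = 2` and `bantime.maxtime = 1y`.

```python
import re

# Simplified reading of Fail2Ban's time suffixes (assumption: one integer and
# at most one unit; a bare number is seconds, 'y' is taken as 365.25 days).
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400,
          "w": 7 * 86400, "y": int(365.25 * 86400)}


def parse_time(value):
    """'7800m' -> 468000, '1d' -> 86400, '600' -> 600 (all in seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdwy]?)\s*", str(value))
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def ban_duration(bantime, ban_count, multipliers, factor=1, maxtime=None):
    """Length of the next ban, in seconds, for an IP banned ban_count times
    before (model of bantime.increment with bantime.multipliers)."""
    if ban_count == 0:
        return bantime                              # first ban: plain bantime
    idx = min(ban_count, len(multipliers) - 1)      # last entry reused after the list ends
    duration = int(bantime * multipliers[idx] * factor)
    if maxtime is not None:
        duration = min(duration, maxtime)           # bantime.maxtime cap
    return duration


def progression(bantime, multipliers, bans, **kw):
    """Ban lengths for the 1st .. bans-th ban of the same IP."""
    return [ban_duration(bantime, n, multipliers, **kw) for n in range(bans)]


def days(seconds):
    return round(seconds / 86400, 1)


# Values taken from the jail.local sections above.
DEFAULT_MULTIPLIERS = [1, 5, 30, 60, 300, 720, 1440, 2880]
DEFAULT_BANTIME = parse_time("7800m")
SSHD_BANTIME = parse_time("1d")
SSHD_MAXTIME = parse_time("1y")

if __name__ == "__main__":
    print("DEFAULT, days per ban:",
          [days(s) for s in progression(DEFAULT_BANTIME, DEFAULT_MULTIPLIERS, 9)])
    print("sshd, days per ban:   ",
          [days(s) for s in progression(SSHD_BANTIME, DEFAULT_MULTIPLIERS, 9,
                                        factor=2, maxtime=SSHD_MAXTIME)])
```

Running it shows the DEFAULT progression as 5.4, 27.1, 162.5, 325, 1625, ... days: the third ban of an IP already lasts about five months and the eighth over forty years, because the multiplier list was written for `bantime = 60`. The sshd jail, which inherits the multipliers but sets `bantime.factor = 2` and `bantime.maxtime = 1y`, goes 1, 10, 60, 120 days and is then capped at one year; a similar cap in DEFAULT would keep the other jails sane too.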

After changing the `fail2ban` configuration, (re)start `fail2ban`:

``` shell
# first start
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# restart after a configuration change
sudo systemctl restart fail2ban

# check that the service is running
sudo systemctl status fail2ban
```

## Jails

To check which jails are active (pass a jail name such as `sshd` as an extra argument to see that jail's currently banned addresses):

``` shell
sudo fail2ban-client status
```

## Mailu setup

Reference: [Mailu FAQ, "Do you support Fail2Ban?"](https://mailu.io/2024.06/faq.html#do-you-support-fail2ban)

If you use a reverse proxy in front of Mailu, it is vital to set the environment variables `REAL_IP_HEADER` and `REAL_IP_FROM`. Without these environment variables, Mailu will not trust the remote client IP passed on by the reverse proxy, every failure gets logged against the proxy's own address, and as a result your reverse proxy will be banned.

See the [configuration reference](https://mailu.io/2024.06/configuration.html#reverse-proxy-headers) for more information.

Assuming you have a working Fail2Ban installation on the host running your Docker containers, follow these steps:

- In the Mailu docker compose file, set the logging driver of the `front` container to `journald` and set the tag to `mailu-front`, so the nginx log lines land in the journal with `CONTAINER_TAG=mailu-front`:

``` yaml
logging:
  driver: journald
  options:
    tag: mailu-front
```

- Add `/etc/fail2ban/filter.d/bad-auth-bots.conf` (the backslashes in the regex matter; Fail2Ban substitutes `<HOST>` with its own IP-matching group):

``` toml
[Definition]
failregex = ^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: <HOST>, server:
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front
```

- Add `/etc/fail2ban/jail.d/bad-auth-bots.conf`:

``` toml
[bad-auth-bots]
enabled = true
backend = systemd
filter = bad-auth-bots
bantime = 604800
findtime = 600
maxretry = 5
action = docker-action-net
```

The above blocks flagged IPs for a week (604800 s) after five hits within ten minutes; you can of course change it to your needs.

- Add the following to `/etc/fail2ban/action.d/docker-action-net.conf`

<WRAP left round important 100%>

You have to install ipset on the host system, e.g. `apt-get install ipset` on a Debian/Ubuntu system.

</WRAP>

See the ipset homepage for details on ipset: <https://ipset.netfilter.org/>.

``` toml
[Definition]

actionstart = ipset --create f2b-bad-auth-bots nethash
              iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP

actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
             ipset --destroy f2b-bad-auth-bots

actionban = ipset add -exist f2b-bad-auth-bots <ip>/24

actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24
```

Using the DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker: traffic to a published port is forwarded into the container rather than delivered locally, so a rule in INPUT never sees it, while DOCKER-USER is evaluated before Docker's own forwarding rules. See more in: <https://docs.docker.com/network/iptables/>.

Please note that the provided example will block the whole /24 subnet of a flagged address from sending any email to the Mailu instance on port 25 (submission on 465/587 is not covered by the rule). The `nethash` set is IPv4-only, so a ban of an IPv6 client would fail; adding an `inet6` set and an `ip6tables` rule is needed if the front listens on IPv6.
- Configure and restart the Fail2Ban service

Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing unit configuration (otherwise the `DOCKER-USER` chain may not exist yet when `actionstart` runs at boot).

``` shell
sudo systemctl edit fail2ban
```

Add the override and save the file.

``` toml
[Unit]
After=docker.service
```

Restart the Fail2Ban service.

``` shell
sudo systemctl restart fail2ban
```
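Before restarting it is worth checking what the `bad-auth-bots` failregex actually matches. The script below is an added example written for this page, not Mailu's or Fail2Ban's code: it substitutes a simplified IP-matching group for `<HOST>` (Fail2Ban's own is more elaborate) and runs the regex over constructed journal lines in the shape Fail2Ban's systemd backend builds (`hostname identifier[pid]: message`, with nginx's error-log line as the message). A probe from an IPv4 and from an IPv6 client must be counted, an ordinary wrong-password login must not, and the same regex with its backslashes lost (what a careless paste into a wiki produces) must be seen to match nothing at all.

```python
import re

# The failregex exactly as it stands in filter.d/bad-auth-bots.conf.
FAILREGEX = (
    r'^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ '
    r'client login failed: \"AUTH not supported\" while in http auth state, '
    r'client: <HOST>, server:'
)

# The same regex with every backslash dropped: it still compiles, which is
# exactly why the mistake goes unnoticed until no bot is ever banned.
STRIPPED_FAILREGEX = FAILREGEX.replace('\\', '')

# Fail2Ban replaces <HOST> with a named group; this simplified stand-in
# (assumption) accepts IPv4 and IPv6 literals, which is enough for a test.
HOST_RE = r'(?P<host>[0-9a-fA-F.:]+)'


def compile_failregex(failregex):
    """Turn a Fail2Ban failregex into a Python pattern with a 'host' group."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def matching_hosts(lines, pattern=None):
    """Client IPs of every line the failregex would count as a failure."""
    pattern = pattern or compile_failregex(FAILREGEX)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group('host'))
    return hosts


# Constructed sample lines (not real logs), shaped like what Fail2Ban's systemd
# backend produces for the mailu-front container.
SAMPLE_LINES = [
    # an AUTH probe on port 25 from an IPv4 client: must be counted
    'mail mailu-front[1342]: 2025/01/10 08:15:02 [info] 9#9: *4711 client login failed: '
    '"AUTH not supported" while in http auth state, client: 203.0.113.45, '
    'server: 0.0.0.0:25, login: "bot@example.invalid"',
    # a real user with a wrong password on submission: a different message, must not match
    'mail mailu-front[1342]: 2025/01/10 08:15:10 [info] 9#9: *4712 client login failed: '
    '"Authentication credentials invalid" while in http auth state, client: 198.51.100.7, '
    'server: 0.0.0.0:587, login: "alice@example.invalid"',
    # the same probe from an IPv6 client: must be counted too
    'mail mailu-front[1342]: 2025/01/10 08:16:00 [info] 9#9: *4713 client login failed: '
    '"AUTH not supported" while in http auth state, client: 2001:db8::1, '
    'server: [::]:25, login: "bot@example.invalid"',
]

if __name__ == '__main__':
    for host in matching_hosts(SAMPLE_LINES):
        print('would count a failure for', host)
    print('stripped regex matches:', matching_hosts(SAMPLE_LINES,
                                                    compile_failregex(STRIPPED_FAILREGEX)))
```

Note that the IPv6 line is matched, yet the `docker-action-net` action above cannot ban it (its `nethash` set is IPv4-only), so that ban will show up as a failed action in the Fail2Ban log. On the host itself, `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/bad-auth-bots.conf` performs the equivalent check against the real journal, `journalmatch` included.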

## Sources

- https://wiki.archlinux.org/title/Fail2ban
- https://doc.ubuntu-fr.org/fail2ban
- https://help.ubuntu.com/community/Fail2ban
- https://infosecwriteups.com/10-essential-ssh-server-security-tips-best-practices-b5643e3d509b#8533