# Fail2Ban

Fail2Ban is a security tool for servers that **protects against "brute
force" attacks** (repeated login attempts with wrong passwords).

It **monitors the server's security logs** and blocks IP addresses that
make too many failed login attempts.

This stops attackers from taking control of your server by guessing
your password.

``` shell
sudo apt install fail2ban
```

The configuration files are located in:

``` shell
/etc/fail2ban
```

<WRAP left round important 100%>

Don't copy the conf to local. We want to make precise modifications to
the default, so let's not lose ourselves in thousands of parameters.
Let's target the ones we need to change.

</WRAP>

First, create a `jail.local` file to override the default parameters:

``` shell
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Then edit that file:

``` shell
# open the file with our text editor, micro
sudo micro /etc/fail2ban/jail.local
```

The file has two sections by default: **DEFAULT** and **sshd**.

#### Default

``` toml
# "bantime" is the number of seconds that a host is banned.
bantime = 7800m

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 30m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88

# Longer bans for hosts that get banned repeatedly
bantime.increment = true
bantime.rndtime = 2048
bantime.multipliers = 1 5 30 60 300 720 1440 2880
```

#### sshd

``` toml
[sshd]
enabled = true
port = 53684
bantime = 1d
findtime = 1d
maxretry = 3
maxfailures = 5
# Repeat-offender settings
#bantime.increment = true
# Time window during which previous bans are counted for the increment
bantime.findtime = 1w
# Multiplication factor applied to the ban duration
bantime.factor = 2
# Maximum ban duration
bantime.maxtime = 1y
```

After modifying the `fail2ban` configuration, you must (re)start
`fail2ban`:

``` shell
# First start
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# Restart
sudo systemctl restart fail2ban

# Check that the service is running
sudo systemctl status fail2ban
```
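The ban-time increment settings above are easiest to judge by computing the schedule they produce. The following is an added example, not code from the page or from the fail2ban project: it models the growth rule described in the comments of fail2ban's `jail.conf` (bantime times `1 << count`, or times the `bantime.multipliers` entry for that count, times `bantime.factor`, capped at `bantime.maxtime`, with the `bantime.rndtime` jitter left out) and applies it to the page's DEFAULT and sshd values. Treating the factor as a common multiplier of the multipliers list, and counting previous bans from 0, are assumptions about fail2ban's behaviour.

```python
def str2seconds(value):
    """Parse fail2ban-style durations such as '7800m', '1d', '1w' or '1y'."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}
    value = str(value).strip()
    if value[-1].isdigit():          # a bare number is already in seconds
        return int(value)
    return int(value[:-1]) * units[value[-1]]


def ban_schedule(bantime, bans, multipliers=None, factor=1, maxtime=None):
    """Ban length in seconds for the 1st..Nth ban of the same host.

    Assumption: count is the number of previous bans, so the first ban uses
    multipliers[0] (or 1 << 0) and is simply bantime * factor.
    """
    base = str2seconds(bantime)
    cap = str2seconds(maxtime) if maxtime else None
    schedule = []
    for count in range(bans):
        if multipliers:
            mult = multipliers[min(count, len(multipliers) - 1)]
        else:
            mult = 1 << min(count, 20)   # jail.conf's default formula
        length = base * mult * factor
        if cap is not None:
            length = min(length, cap)
        schedule.append(length)
    return schedule


# The page's DEFAULT section: bantime = 7800m, multipliers 1 5 30 ... 2880, no maxtime.
DEFAULT_MULTIPLIERS = [1, 5, 30, 60, 300, 720, 1440, 2880]
default_schedule = ban_schedule("7800m", 9, multipliers=DEFAULT_MULTIPLIERS)

# The page's [sshd] jail: bantime = 1d, bantime.factor = 2, bantime.maxtime = 1y.
# It sets no multipliers of its own, so the DEFAULT list is inherited.
sshd_schedule = ban_schedule("1d", 9, multipliers=DEFAULT_MULTIPLIERS,
                             factor=2, maxtime="1y")

if __name__ == "__main__":
    for name, sched in (("DEFAULT", default_schedule), ("sshd", sshd_schedule)):
        print(name, [f"{s / 86400:.1f}d" for s in sched])
```

Under this model the DEFAULT section, which sets no `bantime.maxtime`, reaches 2880 x 7800m (about 42 years) at the eighth ban, while the sshd jail is capped at one year from its fifth ban on.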

## Jails

To check which jails are active:

``` shell
sudo fail2ban-client status
```

## Mailu setup

<https://mailu.io/2024.06/faq.html#do-you-support-fail2ban>

If you use a reverse proxy in front of Mailu, it is vital to set the
environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these
environment variables, Mailu will not trust the remote client IP passed
on by the reverse proxy and as a result your reverse proxy will be
banned.

See the [configuration
reference](https://mailu.io/2024.06/configuration.html#reverse-proxy-headers)
for more information.

Assuming you have a working Fail2Ban installation on the host running
your Docker containers, follow these steps:

- In the Mailu docker compose file, set the logging driver of the `front`
container to `journald` and set the tag to `mailu-front`:

``` yaml
logging:
  driver: journald
  options:
    tag: mailu-front
```

- Add the file `/etc/fail2ban/filter.d/bad-auth-bots.conf`:

``` toml
[Definition]
failregex = ^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: "AUTH not supported" while in http auth state, client: <HOST>, server:
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front
```

- Add the file `/etc/fail2ban/jail.d/bad-auth-bots.conf`:

``` toml
[bad-auth-bots]
enabled = true
backend = systemd
filter = bad-auth-bots
bantime = 604800
findtime = 600
maxretry = 5
action = docker-action-net
```

The above will block flagged IPs for a week; you can of course adjust it
to your needs.

- Add the following to `/etc/fail2ban/action.d/docker-action-net.conf`:

<WRAP left round important 100%>

You have to install ipset on the host system, e.g.
`apt-get install ipset` on a Debian/Ubuntu system.

</WRAP>

See ipset homepage for details on ipset, <https://ipset.netfilter.org/>.

``` toml
[Definition]

actionstart = ipset --create f2b-bad-auth-bots nethash
              iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP

actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
             ipset --destroy f2b-bad-auth-bots

actionban = ipset add -exist f2b-bad-auth-bots <ip>/24

actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24
```

Using the DOCKER-USER chain ensures that the blocked IPs are processed in
the correct order with Docker. See more in:
<https://docs.docker.com/network/iptables/>.

Please note that the provided example adds `<ip>/24`, so it will block the
whole /24 subnet from sending any email to the Mailu instance.

- Configure and restart the Fail2Ban service

Make sure Fail2Ban is started after the Docker service by adding a
partial override which appends this to the existing configuration:

``` shell
sudo systemctl edit fail2ban
```

Add the override and save the file.

``` toml
[Unit]
After=docker.service
```

Restart the Fail2Ban service.

``` shell
sudo systemctl restart fail2ban
```

## Sources

- https://wiki.archlinux.org/title/Fail2ban
- https://doc.ubuntu-fr.org/fail2ban
- https://help.ubuntu.com/community/Fail2ban
- https://infosecwriteups.com/10-essential-ssh-server-security-tips-best-practices-b5643e3d509b#8533