
iocage-plugin-fail2ban's Introduction

iocage-plugin/fail2ban

Sets up Fail2Ban for FreeBSD systems (including FreeNAS).

Overall, this plugin brings the meaningful settings into visibility by leveraging the jail overlay ability, so only the files that you probably want to edit and only the settings you probably care about are present here.

Explore the tree and most of the modifications you may want to make should be fairly apparent.

Installation

Check out this repository:

git clone git@github.com:TwilightCoders/iocage-plugin-fail2ban.git

Install with iocage from within the project directory:

  • iocage fetch -P -n fail2ban.json ip4_addr="[interface]|[ip_address]/[cidr]"
  • e.g. iocage fetch -P -n fail2ban.json ip4_addr="em0|192.168.0.111/24"

Configuration

Stop the jail: iocage stop fail2ban

Logs

Mount your root log directory (read only recommended):

auth.log for SSH:

  • iocage fstab -a fail2ban /var/log /mnt/log/root nullfs ro 0 0

Settings

You can read more about fail2ban configuration in the man page fail2ban-jail(5).

Mount global fail2ban config directory (readonly recommended, but not required):

  • iocage fstab -a fail2ban /path/to/dataset/for/fail2ban/global/conf /usr/local/etc/fail2ban/fail2ban.d nullfs ro 0 0
  • e.g. iocage fstab -a fail2ban /mnt/raid1/data/fail2ban/global /usr/local/etc/fail2ban/fail2ban.d nullfs ro 0 0

Example fail2ban.conf to go in /path/to/dataset/for/fail2ban/global/conf:

[Definition]

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
#         If you change logtarget from the default value and you are
#         using logrotate -- also adjust or disable rotation in the
#         corresponding configuration file
#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
#
logtarget = /var/log/fail2ban.log

Mount jail configurations (fail2ban calls the enabled filter/action combos 'jails', not to be confused with FreeBSD jails):

  • iocage fstab -a fail2ban /path/to/dataset/for/fail2ban/jail/conf /usr/local/etc/fail2ban/jail.d nullfs ro 0 0
  • e.g. iocage fstab -a fail2ban /mnt/raid1/data/fail2ban/jails /usr/local/etc/fail2ban/jail.d nullfs ro 0 0

SSH

SSH is a common service to monitor for banning IPs from botnet bruteforce attempts.

Mounts

Mount the directory where the hosts.evil file will be written (outside of the jail) for persistent storage.

  • iocage fstab -a fail2ban /path/to/dataset/for/jail/hosts /usr/local/etc/hosts nullfs rw 0 0
  • e.g. iocage fstab -a fail2ban /mnt/raid1/data/fail2ban/etc /usr/local/etc/hosts nullfs rw 0 0

Config

Example "jail config" (sshd.conf) to go in /path/to/dataset/for/fail2ban/jail/conf:

# sshd.conf
[DEFAULT]

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24

# "bantime" is the number of seconds that a host is banned.
bantime  = 750h

# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
enabled = true
mode   = normal
port = ssh
logpath = /mnt/log/root/auth.log
bantime  = 750h
maxretry = 3
findtime = 20m
backend = %(sshd_backend)s
action = hostsdeny
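To make the three numbers in the sshd jail above concrete (maxretry = 3, findtime = 20m, bantime = 750h, plus ignoreip), here is an added example, not code from this plugin or from fail2ban, that applies the same sliding-window rule to a constructed auth.log excerpt. The regex is a deliberately simplified stand-in for fail2ban's real filter.d/sshd.conf, the log lines are made up, and the year is assumed because syslog timestamps carry none.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parameters copied from the sshd.conf above.
MAXRETRY = 3
FINDTIME = timedelta(minutes=20)   # findtime = 20m
BANTIME = timedelta(hours=750)     # bantime = 750h
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.0.0/24"]

# Simplified stand-in for fail2ban's sshd filter (NOT the real filter.d/sshd.conf regex):
# one "Failed password" line shape with a syslog timestamp and the source host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Constructed auth.log excerpt: 203.0.113.7 fails three times within seconds,
# 198.51.100.9 fails three times but spread over 80 minutes (never 3 inside 20m),
# 192.168.0.50 fails three times but sits inside ignoreip.
SAMPLE_LOG = [
    "Mar 15 10:00:01 nas sshd[1234]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Mar 15 10:00:05 nas sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2",
    "Mar 15 10:00:09 nas sshd[1236]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "Mar 15 10:30:00 nas sshd[1240]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
    "Mar 15 11:10:00 nas sshd[1241]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "Mar 15 11:50:00 nas sshd[1242]: Failed password for bob from 198.51.100.9 port 40002 ssh2",
    "Mar 15 12:00:00 nas sshd[1250]: Failed password for alice from 192.168.0.50 port 50000 ssh2",
    "Mar 15 12:00:01 nas sshd[1251]: Failed password for alice from 192.168.0.50 port 50001 ssh2",
    "Mar 15 12:00:02 nas sshd[1252]: Failed password for alice from 192.168.0.50 port 50002 ssh2",
    "Mar 15 12:05:00 nas sshd[1260]: Accepted publickey for carol from 203.0.113.8 port 50010 ssh2",
]


def parse_ts(ts, year=2019):
    """syslog timestamps carry no year, so one is assumed (constructed sample: 2019)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(host):
    """True if host falls inside any ignoreip entry (hostnames are not resolved here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def scan(lines, year=2019):
    """Sliding-window count per host: MAXRETRY failures inside FINDTIME -> ban.
    Returns {host: datetime of the failure that triggered the ban}. Lines are
    assumed to be in chronological order, as in a real log file."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        if host in bans or is_ignored(host):
            continue
        t = parse_ts(m.group("ts"), year)
        window = recent[host]
        window.append(t)
        while t - window[0] > FINDTIME:      # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[host] = t
    return bans


def ban_expiry(bans):
    """When each ban would lapse under the configured bantime."""
    return {host: t + BANTIME for host, t in bans.items()}


if __name__ == "__main__":
    for host, start in scan(SAMPLE_LOG).items():
        print(f"ban {host} from {start} until {start + BANTIME}")
```

Running it bans only 203.0.113.7: the slow attempts from 198.51.100.9 never accumulate three failures inside one 20-minute window, and the LAN host is skipped by ignoreip. Stretching findtime (or lowering maxretry) is what catches the slow pattern; with bantime at 750h a single false positive from a mistyped ignoreip range locks a host out for a month, which is why the range should be checked before the jail goes live.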

Update the host's hosts.allow (add above ALL : ALL : allow):

# enable fail2ban
sshd : /path/to/dataset/for/jail/hosts/hosts.evil : deny

e.g.

# enable fail2ban
sshd : /mnt/raid1/data/fail2ban/etc/hosts.evil : deny

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

Note, if you're on FreeNAS you'll want to edit /conf/base/etc/hosts.allow to make changes persistent across reboots [1]. Ensure it works the way you intended by first editing /etc/hosts.allow before editing the base config.

[1] Actually, there is currently a bug in FreeNAS/TrueNAS that prevents this from working. You'll need to add a startup script to accomplish this: ln -fs /conf/base/etc/hosts.allow /etc/hosts.allow

Finally, restart sshd: service sshd restart
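The "first match wins" remark in the default hosts.allow is the whole reason the deny line must sit above ALL : ALL : allow. The added example below (not part of this plugin, and not TCP wrappers itself) models a small subset of hosts_access(5) semantics, namely ALL, literal addresses, CIDR networks and a /path client list such as hosts.evil, and checks both orderings against a constructed hosts.evil. The CIDR form and the default "allow" on no match are simplifications assumed here; real hosts_access also consults hosts.deny and supports more pattern forms.

```python
import ipaddress
import os
import tempfile


def load_client_file(path):
    """Read a file of client patterns, one per line (the shape the hostsdeny action writes)."""
    with open(path) as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.lstrip().startswith("#")]


def client_matches(pattern, client_ip):
    """Subset of hosts_access(5) client patterns: ALL, a literal IPv4 address,
    a CIDR network (simplification), or '/path' naming a file of such patterns."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        return any(client_matches(p, client_ip) for p in load_client_file(pattern))
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == client_ip


def parse_hosts_allow(text):
    """Parse 'daemon_list : client_list [: option]' lines; comments and blanks are skipped.
    (IPv6 literals need hosts_access's [..] bracket form, which is not handled here.)"""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2] if len(fields) > 2 else "allow"
        rules.append((daemons, clients, option))
    return rules


def decide(rules, daemon, client_ip):
    """First matching rule wins, as hosts_access(5) states; no match falls through to allow."""
    for daemons, clients, option in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
            client_matches(c, client_ip) for c in clients
        ):
            return option
    return "allow"


def demo():
    """Constructed hosts.evil plus the correct and the wrong ordering of hosts.allow."""
    with tempfile.TemporaryDirectory() as d:
        evil = os.path.join(d, "hosts.evil")
        with open(evil, "w") as f:
            f.write("# constructed: what fail2ban's hostsdeny action would have written\n")
            f.write("203.0.113.7\n")
        correct = f"sshd : {evil} : deny\nALL : ALL : allow\n"
        wrong = f"ALL : ALL : allow\nsshd : {evil} : deny\n"   # deny line is never reached
        return {
            "banned_ip_correct_order": decide(parse_hosts_allow(correct), "sshd", "203.0.113.7"),
            "banned_ip_wrong_order": decide(parse_hosts_allow(wrong), "sshd", "203.0.113.7"),
            "banned_ip_other_daemon": decide(parse_hosts_allow(correct), "ftpd", "203.0.113.7"),
            "clean_ip": decide(parse_hosts_allow(correct), "sshd", "198.51.100.9"),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "wrong order" case is the failure mode to watch for: with ALL : ALL : allow first, every sshd connection matches that line and the hosts.evil rule is dead weight, so bans appear to work (fail2ban logs them, the file grows) while nothing is actually blocked. Checking the live file with the actual IP of a banned host, as the section above recommends, is the quick way to confirm the ordering on a real system.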

Maintenance

The db will grow in size over time. To find duplicates:

  • SELECT ip, count(*) count FROM bans GROUP BY ip HAVING count > 1;

TODO: Exponential increase in bantime? Deduplicate db?
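The duplicate query above, and one answer to the "deduplicate db?" TODO, as an added example that is not part of this plugin: it builds an in-memory stand-in for fail2ban's SQLite database with constructed rows (only the jail, ip, timeofban and data columns are assumed; this is not fail2ban's full schema), runs the README's query, then removes every row but the newest per (jail, ip). On a real system run this against a copy of the database or with fail2ban stopped, since fail2ban keeps the file open. Two related facts worth knowing: fail2ban.conf has a dbpurgeage setting that controls how long old ban records are kept, and fail2ban 0.11 and later address the "exponential increase" half of the TODO natively with bantime.increment.

```python
import sqlite3


def build_sample_db():
    """In-memory stand-in for /var/db/fail2ban/fail2ban.sqlite3 with constructed rows.
    Only the columns this example needs are modelled (assumed, not fail2ban's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL, data TEXT)"
    )
    rows = [
        ("sshd", "203.0.113.7", 1552640409, "{}"),   # same host banned three times
        ("sshd", "203.0.113.7", 1555300000, "{}"),
        ("sshd", "203.0.113.7", 1558000000, "{}"),
        ("sshd", "198.51.100.9", 1552700000, "{}"),
        ("sshd", "203.0.113.20", 1552800000, "{}"),
    ]
    conn.executemany("INSERT INTO bans VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_duplicates(conn):
    """The README's query: IPs recorded more than once, as (ip, count) pairs."""
    return conn.execute(
        "SELECT ip, count(*) AS count FROM bans GROUP BY ip HAVING count > 1 ORDER BY ip"
    ).fetchall()


def dedupe_keep_latest(conn):
    """Delete all but the newest row per (jail, ip); returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM bans WHERE rowid IN ("
        "  SELECT b.rowid FROM bans b"
        "  JOIN (SELECT jail, ip, MAX(timeofban) AS latest FROM bans GROUP BY jail, ip) m"
        "    ON m.jail = b.jail AND m.ip = b.ip"
        "  WHERE b.timeofban < m.latest)"
    )
    conn.commit()
    return cur.rowcount


def rows(conn):
    """Remaining (jail, ip, timeofban) rows, ordered for stable comparison."""
    return conn.execute(
        "SELECT jail, ip, timeofban FROM bans ORDER BY ip, timeofban"
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("duplicates before:", find_duplicates(db))
    print("rows removed:", dedupe_keep_latest(db))
    print("duplicates after:", find_duplicates(db))
    print("remaining:", rows(db))
```

Keeping the newest row rather than the oldest preserves the most recent ban start, which is the one a still-running ban is measured from; dropping the older records loses history but no currently enforced state.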

Contributions

The original distillation of the instructions found here came from onthax.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/TwilightCoders/iocage-plugin-fail2ban.

License

Released under the MIT License.

iocage-plugin-fail2ban's People

Contributors: voltechs

Forkers: pro edavrio

iocage-plugin-fail2ban's Issues

Exception: KeyError:'adminportal' occured, destroyed fail2ban.

As per the title, I get the above error when using the plugin on FreeNAS:

rob@becks:~/iocage-plugin-fail2ban % sudo iocage fetch -P -n fail2ban.json ip4_addr="em0|192.168.20.200/24"
Plugin: Fail2Ban
Official Plugin: False
Using RELEASE: 11.2-RELEASE
Using Branch: 11.2-RELEASE
Post-install Artifact: .
These pkgs will be installed:
- python36
- vim-tiny
- bash
- security/py-fail2ban

Testing SRV response to iocage-plugins
Testing DNSSEC response to iocage-plugins

Installing plugin packages:

  • python36...
  • vim-tiny...
  • bash...
  • security/py-fail2ban...

Fetching artifact...

Branch 11.2-RELEASE does not exist at .!
Using "master" branch for plugin, this may not work with your RELEASE

Running post_install.sh

Command output:
Updating iocage-plugins repository catalogue...
iocage-plugins repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Updating iocage-plugins repository catalogue...
iocage-plugins repository is up to date.
All repositories are up to date.
Checking integrity... done (1 conflicting)

  • py36-fail2ban-0.10.4 conflicts with py27-fail2ban-0.10.4 on /usr/local/man/man1/fail2ban-client.1.gz
    Checking integrity... done (0 conflicting)
    The following 2 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
py27-fail2ban-0.10.4

New packages to be INSTALLED:
py36-fail2ban: 0.10.4

Number of packages to be removed: 1
Number of packages to be installed: 1
[fail2ban] [1/2] Deinstalling py27-fail2ban-0.10.4...
[fail2ban] [1/2] Deleting files for py27-fail2ban-0.10.4:
[fail2ban] [1/2] Deleting files for py27-fail2ban-0.10.4............. done
[fail2ban] [2/2] Installing py36-fail2ban-0.10.4...
[fail2ban] [2/2] Extracting py36-fail2ban-0.10.4: .......... done
Message from py36-fail2ban-0.10.4:


Please do not edit the fail2ban.conf, jail.conf, or any other
files in the distributen as they will be overwritten upon each
upgrade of the port. Instead, create new files named *.local e.g.
fail2ban.local or jail.local.

For more information, see the official manual:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration

If you have custom filters or actions and you are upgrading from
0.9.x please check them.

Users of pf: please read the notes in action.d/pf.conf and the
discussion at fail2ban/fail2ban#1925
Please note that fail2ban will put curly braces '{}' around the
ports in the action so you shouldn't do it yourself.


fail2ban_enable: -> YES
Server ready

Exception: KeyError:'adminportal' occured, destroyed fail2ban.
rob@becks:~/iocage-plugin-fail2ban % uname -a
FreeBSD becks.local 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+3b66a34f3aa(HEAD): Thu Feb 14 13:40:20 EST 2019 [email protected]:/freenas-releng/freenas/_BE/objs/freenas-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64
r

Fail2Ban fails to install on TrueNAS Core 12.0-U3

iocage fetch -P fail2ban.json vnet=1 nat=1
Plugin: fail2ban
Official Plugin: False
Using RELEASE: 12.1-RELEASE
Using Branch: 12.2-RELEASE
Post-install Artifact: https://github.com/TwilightCoders/iocage-plugin-fail2ban.git
These pkgs will be installed:
- python36
- vim-tiny
- bash
- security/py-fail2ban

Testing Host DNS response to pkg.FreeBSD.org
Testing fail2ban's SRV response to pkg.FreeBSD.org
Testing fail2ban's DNSSEC response to pkg.FreeBSD.org

Installing plugin packages:

  • python36...
  • vim-tiny...
  • bash...
  • security/py-fail2ban...

Fetching artifact...
Cloning git repository

Branch 12.2-RELEASE does not exist at https://github.com/TwilightCoders/iocage-plugin-fail2ban.git!
Using "master" branch for plugin, this may not work with your RELEASE

Running post_install.sh
Updating iocage-plugins repository catalogue...
iocage-plugins repository is up to date.
All repositories are up to date.
Updating iocage-plugins repository catalogue...
iocage-plugins repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Updating iocage-plugins repository catalogue...
iocage-plugins repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
fail2ban_enable: -> YES
fail2ban_enable: -> YES
chsh: user information updated
Last 10 lines:
chsh: user information updated
fail2ban had a failure
Exception: SystemExit Message: 1
Partial plugin destroyed
