Haack's Wiki

User Tools

Site Tools

Trace: fail2ban
computing:fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
computing:fail2ban [2026/03/22 15:24] oemb1905computing:fail2ban [2026/03/22 21:31] (current) oemb1905
Line 11: Line 11:
 ------------------------------------------- -------------------------------------------
  
-This tutorial is designed to help you install fail2ban and get a basic set of configurations in place.+This tutorial is designed to help you install fail2ban and get a basic set of configurations in place. My logic is as follows: 
 + 
 +//My defaults give a very small 1 hour punishment for first time offense of 3 violations of any jail. Repeat offenders, however, get immediate life-bans. So, the default is very tolerant and the extreme is essentially for life punishment. Using this framework, you override individual services with ''maxretry = xx'' to fit that service's tolerance level. For example, email and web services get a value of 5-10, while ssh might get 1-3. For floods, bot attacks, etc., you will also need to adjust ''findtime = yy'' to fit the interval.// 
 + 
 +You will need to change this recipe to fit your needs. At the same time, there are certain aspects in this tutorial, that are just "always best to do" kind of things, so hopefully you recognize those! Be careful, and don't f2b yourself out of your instance too many times ;)
  
   sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local   sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Line 40: Line 44:
   logpath = %(sshd_log)s   logpath = %(sshd_log)s
   backend = %(sshd_backend)s   backend = %(sshd_backend)s
-  maxretry = 1+  maxretry = 3
  
 The repeat offender, or recidivist jail, is listed under ''[recidive]'' and I give it particular attention. In a tightly controlled environment, if someone has banged once on ssh invalidly and does it again, they have no reason to bang again indefinitely. Again, in larger environments, it might not be possible to enforce maxretry = 1. The repeat offender, or recidivist jail, is listed under ''[recidive]'' and I give it particular attention. In a tightly controlled environment, if someone has banged once on ssh invalidly and does it again, they have no reason to bang again indefinitely. Again, in larger environments, it might not be possible to enforce maxretry = 1.
Line 190: Line 194:
 EOF EOF
  
 +mkdir -p /home/logs
 sudo chmod 750 /usr/local/bin/fail2ban-report.sh sudo chmod 750 /usr/local/bin/fail2ban-report.sh
 </code> </code>
Line 197: Line 202:
   0 * * * * /usr/bin/flock --nonblock /tmp/f2b-report.lock /bin/bash /usr/local/bin/fail2ban-report.sh > /dev/null 2>&1   0 * * * * /usr/bin/flock --nonblock /tmp/f2b-report.lock /bin/bash /usr/local/bin/fail2ban-report.sh > /dev/null 2>&1
  
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2026/03/22 15:24//+Create a custom jail for postfix floods, for example: 
 + 
 +<code> 
 +cat << 'EOF' >> /etc/fail2ban/jail.local 
 + 
 +[postfix-flood-attack] 
 +enabled  = true 
 +maxretry = 1 
 +filter   = postfix-flood-attack 
 +action   = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp] 
 +logpath  = /var/log/mail.log 
 + 
 +EOF 
 + 
 +# 2. Create the filter definition 
 +cat << 'EOF' > /etc/fail2ban/filter.d/postfix-flood-attack.conf 
 +[Definition] 
 +failregex = lost connection after AUTH from (.*)\[<HOST>\] 
 +ignoreregex = 
 +EOF 
 + 
 +# Set permissions and reload the jail 
 +chmod 750 /etc/fail2ban/jail.local /etc/fail2ban/filter.d/postfix-flood-attack.conf 
 +systemctl restart fail2ban.service 
 +</code> 
 + 
 + --- //[[alerts@haacksnetworking.org|oemb1905]] 2026/03/22 20:44//
computing/fail2ban.1774193093.txt.gz · Last modified: by oemb1905

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki