Re: Fail2Ban Question: Can I do this without restarting the service?

[cyaiplexys <cyaiplexys@sitesplace.net>]

On 08/17/2018 10:55 AM, Dave Sherohman wrote:
> On Thu, Aug 16, 2018 at 02:07:02PM -0400, cyaiplexys wrote:
> > See, that all is way over my head. I don't understand this stuff as I'm
> > pretty much a total beginner in this.
>
> OK, fair enough.  Let's see what help I can offer.

Greatly appreciated. :)

> > Does Debian and Debian based systems have the firewall installed and
> > running by default?
>
> No.  For general-purpose firewalling, I would suggest installing ufw
> (`sudo apt-get install ufw`), as it's much simpler to manage than using
> iptables (the underlying firewall control scheme used by both ufw and
> fail2ban to communicate with the kernel) directly.
>
> After installing ufw, the following commands should get you started (all
> of them need to be run with sudo or from a root shell):

If I'm following you so far, ufw is a firewall like iptables? Or a 
replacement for iptables?

> ufw allow to any port 22 from [your IP address] proto tcp
> (If you're using ssh to connect to the server, you *must* do this one
> before enabling the firewall, or else you'll lock yourself out. 

I *never ever* use port 22 for ssh. I pick some random port that I know 
isn't going to be used for anything else on the server and set ssh to 
use that port instead. How do I set ufw to use the ssh port of my choosing?

> If you need to connect with ssh from multiple addresses, you can
> either run it multiple times with different addresses, or specify a
> network in CIDR notation.)

That's not going to be possible to determine. I and the other admin (who 
also doesn't know about this stuff) both connect remotely via ssh and we 
both have dynamic IPs that are set (and changed) periodically (and at 
times we have no idea) by our ISP. Neither of us can afford a static IP 
to our homes.

> ufw enable
> (Starts the firewall.)
>
> ufw logging off
> (...because it will otherwise flood your logs with reports of pretty
> much every packet recieved on the network interface.)
>
> ufw allow 80,443/tcp
> (Opens port 80 (http) and 443 (https) for connections from anywhere on
> the internet.)
> Repeat the last one with the appropriate port numbers for any other
> service that you want to make publicly available.

Can I do this too?

ufw deny 22/tcp # Deny connection to port 22 (ssh default port)
ufw allow [new-ssh-port]/tcp # Allow connection to new chosen ssh port

> > I hvae no idea how to jail or whatever in fail2ban. Sounds that's what I
> > want to do. Detect IP addresses hitting the server 1000 times in an hour and
> > then ban those for a good long while (week sounds good).
>
> That's pretty much exactly what fail2ban is intended to do.  A "jail" is
> just fail2ban's term for a rule for what activities aren't allowed and
> how to handle IP addresses which break the rule.
>
> Unfortunately, adding a custom jail requires changes to multiple files,
> but I can at least give you specific details on how to create this
> particular one.  Again, these files need to be created or edited using
> sudo or from a root shell.
>
> First, you need to create a filter definition.  Create the file
> /etc/fail2ban/filter.d/apache-missing-local.conf containing:
>
> ---
> [Definition]
> failregex = <HOST> [^ ]+ [^ ]+ \[[^]]+\] "[^"]+" 40[04] [0-9]+
> ---
>
> Lines matching the failregex (an apache log line for a 404 error) count
> as "failures".

Thing is, the bots hitting the server aren't getting 404 errors. They 
are trying to do php XSite injection on Wordpress sites and hitting 
actual web sites (HTTP 202).

> Next, you need to define a jail which uses that filter.  Create the file
> /etc/fail2ban/jail.local (or edit it if it exists, but I don't think it
> exists by default) and add:
>
> ---
> [apache-missing-local]
> enabled  = true
> port     = http,https
> filter   = apache-missing-local
> logpath  = /var/log/apache2/*access*.log
> maxretry = 1000
> findtime = 3600
> bantime  = 604800
> ignoreip = 127.0.0.1
> ---

Aha! THIS makes sense to me now! :)

> 'port' is the list of ports to block when an address is put in the jail.
> 'logpath' is the list of logfiles to monitor for offending entries (in
> this case, all log files in /var/log/apache2 with "access" in their
> names).  'maxretry' is the number of times an address can break the rule
> before getting jailed.  'findtime' is how long (in seconds, 3600 = 1
> hour) the retries are remembered.  And 'bantime' is how long (in
> seconds again, 604800 = 1 week) the address should remain jailed before
> it is released and allowed to access your service again.

That I will need to be like a larger amount, like several months? 
*reaching for my calculator*.

> 'ignoreip' is a list of IP addresses which should never be blocked.

Can I separate a list with commas like done for port?

> After setting up these files, you can either restart fail2ban or run
> `sudo fail2ban-client reload` to activate the new jail.

When using 'reload', does that just ensure changes take effect *without* 
restarting fail2bain service, right?

> > I wish there was an easy tutorial for doing these things.
>
> It would be nice, yes.  I've figured out everything in this mail by
> reading man pages and examining the existing config files.  Good
> tutorials would have made that a lot easier.

You are very talented if you can make sense of man pages. I digress. I 
have used Linux since Slackware 1.0 (been through Red Had, 
Mandriva/Manjaro, Mint, SolydX/K, and now sticking with Debian but also 
use Ubuntu servers from time to time (though Ubuntu seems to do things 
differently for Debian but that's OK since I would assume this stuff is 
the same for Debian and Ubuntu as for fail2ban/ufw?) I am trying to get 
something going with Debian too, though so I do need the Debian way to 
do things as well.

Thank you for all the info and helping me out. I now think I am 'getting 
it' (please feel free to correct my errors so I make sure I'm on the 
right track).