
Re: Fail2Ban Question: Can I do this without restarting the service?



On Fri, Aug 17, 2018 at 12:50:16PM -0400, cyaiplexys wrote:
> If I'm following you so far, ufw is a firewall like iptables? Or a
> replacement for iptables?

ufw is a more user-friendly front end for managing iptables rules.
Under the hood, it's still iptables doing the actual firewalling.
(After ufw is activated, you can use iptables -L to see the rules
created by both ufw and fail2ban if you're curious.  But be warned, they
will be voluminous and may become rather complex, since they're not
meant for human consumption.)

> >ufw allow to any port 22 from [your IP address] proto tcp
> >(If you're using ssh to connect to the server, you *must* do this one
> >before enabling the firewall, or else you'll lock yourself out.
> 
> I *never ever* use port 22 for ssh. I pick some random port that I know
> isn't going to be used for anything else on the server and set ssh to use
> that port instead. How do I set ufw to use the ssh port of my choosing?

In the ufw rule, just change "port 22" to whatever port you actually run
it on.  The important thing, of course, is just that you don't block the
ssh port if you're doing this over ssh.

> > If you need to connect with ssh from multiple addresses, you can
> > either run it multiple times with different addresses, or specify a
> > network in CIDR notation.)
> 
> That's not going to be possible to determine. I and the other admin (who
> also doesn't know about this stuff) both connect remotely via ssh and we
> both have dynamic IPs that are set (and changed) periodically (and at times
> we have no idea) by our ISP. Neither of us can afford a static IP to our
> homes.

If you collect your DHCP-assigned addresses across a few changes, you
should be able to guess pretty accurately at the range of possible
addresses you might be assigned.  Also, even with a single address, your
odds are pretty good if you just use the /24 CIDR block containing that
address, since most DHCP pools aren't going to be larger than that.

So, e.g., I'm currently at a hotel with IP address 83.244.xxx.85.  I
could almost certainly give access to the hotel's entire range of
dynamically-assigned IP addresses by allowing access from
83.244.xxx.0/24.

> Can I do this too?
> 
> ufw deny 22/tcp # Deny connection to port 22 (ssh default port)

You could, but there's generally no point because all ports are denied
by default.  You usually don't need to create specific deny rules unless
you have a port that you want to have open to the world, but then close
it for specific addresses, or if there's an IP address that you want to
allow access to all ports, except for a few specific ports.

> ufw allow [new-ssh-port]/tcp # Allow connection to new chosen ssh port

This would work, and would allow every IP address in the world to
connect to your custom ssh port.  (Which is not, IMO, a bad thing, but
your level of paranoia may vary.)

> Thing is, the bots hitting the server aren't getting 404 errors. They are
> trying to do php XSite injection on Wordpress sites and hitting actual web
> sites (HTTP 202).

It just so happens I have a jail like that on a couple of my servers,
too.  I have the filter in /etc/fail2ban/filter.d/http-get-dos.conf

---
[Definition]
failregex = ^<HOST> -.*\"(GET|POST).*
ignoreregex = ^<HOST> -.*\"(GET|POST).*Googlebot
---

This will match all GET and POST requests (even though the filter name
just says "get"... I forgot to change the name when I added POSTs),
unless they're coming from a Googlebot user agent (because it's a public
server with several hundred thousand pages which we do want indexed).

The corresponding jail definition is:

---
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/*access.log
maxretry = 600
findtime = 300
bantime = 600
ignoreip = 10.0.0.0/8
---

Based on what you've said so far, I expect you'll want to adjust the
maxretry/findtime/bantime values, but my experience has been that
banning offending IP addresses for 10 minutes generally seems to be
enough for them to give up and go bother someone else.  Banning for
months at a time is unlikely to be necessary unless you're dealing with
a targeted attack.

> >'ignoreip' is a list of IP addresses which should never be blocked.
> 
> Can I separate a list with commas like done for port?

fail2ban uses space-separated lists rather than comma-separated.  Aside
from that, though, yes, you can list as many addresses as you like.
e.g.,

ignoreip = 8.8.8.8 127.0.0.1

> >After setting up these files, you can either restart fail2ban or run
> >`sudo fail2ban-client reload` to activate the new jail.
> 
> When using 'reload', does that just ensure changes take effect *without*
> restarting the fail2ban service, right?

Correct.

> (though Ubuntu seems to do things differently from Debian but that's OK
> since I would assume this stuff is the same for Debian and Ubuntu as
> for fail2ban/ufw?)

I have limited experience with Ubuntu, but my impression is that their
differences (aside from release schedule) are primarily dealing with
end-user-focused applications.  Networking and firewall management are
deep enough in the guts that I'm 99% sure they'll be the same in both
distros.


-- 
Dave Sherohman
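To see how the http-get-dos filter and jail above behave before loading them, here is an added Python example (not part of the original message or of fail2ban) that applies the failregex, an ignoreregex anchored once at the start of the line, and the jail's ignoreip to constructed Apache access-log lines, then counts hits per host within findtime the way the jail would. The `<HOST>` pattern is a simplified IPv4-only stand-in, and the maxretry/findtime defaults are the jail's 600/300.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag
# also matches IPv6 addresses and hostnames). Assumption of this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^<HOST> -.*\"(GET|POST).*".replace("<HOST>", HOST))
IGNOREREGEX = re.compile(r"^<HOST> -.*\"(GET|POST).*Googlebot".replace("<HOST>", HOST))
IGNOREIP = [ipaddress.ip_network("10.0.0.0/8")]   # the jail's ignoreip
TIMESTAMP = re.compile(r"\[([^\]]+)\]")            # [17/Aug/2018:12:50:16 -0400]
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

def ban_decisions(lines, maxretry=600, findtime=300):
    """Return the set of hosts the http-get-dos jail would ban: a line counts
    only if failregex matches, ignoreregex does not, and the host is outside
    ignoreip; a host is banned once it has maxretry hits within findtime."""
    hits = defaultdict(deque)
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or IGNOREREGEX.match(line):
            continue
        host = m.group("host")
        if any(ipaddress.ip_address(host) in net for net in IGNOREIP):
            continue
        ts = datetime.strptime(TIMESTAMP.search(line).group(1), APACHE_TIME)
        window = hits[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):  # drop stale hits
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def constructed_log(host, count, interval_s, ua="Mozilla/5.0"):
    """Constructed Apache combined-format lines (not real traffic): `count`
    POSTs to /wp-login.php from `host`, one every `interval_s` seconds."""
    start = datetime.strptime("17/Aug/2018:12:50:16 -0400", APACHE_TIME)
    fmt = '{h} - - [{t}] "POST /wp-login.php HTTP/1.1" 200 512 "-" "{ua}"'
    return [fmt.format(h=host, t=(start + timedelta(seconds=i * interval_s)).strftime(APACHE_TIME), ua=ua)
            for i in range(count)]

if __name__ == "__main__":
    # 600 POSTs in 300 s trips the jail; the same count spread over 600 s,
    # a Googlebot user agent, or a 10/8 source address does not.
    print(ban_decisions(constructed_log("203.0.113.7", 600, 0.5)))                    # {'203.0.113.7'}
    print(ban_decisions(constructed_log("198.51.100.9", 600, 1)))                     # set()
    print(ban_decisions(constructed_log("192.0.2.5", 600, 0.5, ua="Googlebot/2.1")))  # set()
    print(ban_decisions(constructed_log("10.1.2.3", 600, 0.5)))                       # set()
```

Against a live log, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf` reports the real filter's match counts, including which lines the ignoreregex excluded.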

