
Re: Fail2Ban Question: Can I do this without restarting the service?



On Thu, Aug 16, 2018 at 02:07:02PM -0400, cyaiplexys wrote:
> See, that all is way over my head. I don't understand this stuff as I'm
> pretty much a total beginner in this.

OK, fair enough.  Let's see what help I can offer.

> Does Debian and Debian based systems have the firewall installed and
> running by default?

No.  For general-purpose firewalling, I would suggest installing ufw
(`sudo apt-get install ufw`), as it's much simpler to manage than using
iptables (the underlying firewall control scheme used by both ufw and
fail2ban to communicate with the kernel) directly.

After installing ufw, the following commands should get you started (all
of them need to be run with sudo or from a root shell):

ufw allow to any port 22 from [your IP address] proto tcp
(If you're using ssh to connect to the server, you *must* do this one
before enabling the firewall, or else you'll lock yourself out.  If you
need to connect with ssh from multiple addresses, you can either run it
multiple times with different addresses, or specify a network in CIDR
notation.)

ufw enable
(Starts the firewall.)

ufw logging off
(...because it will otherwise flood your logs with reports of pretty
much every packet received on the network interface.)

ufw allow 80,443/tcp
(Opens port 80 (http) and 443 (https) for connections from anywhere on
the internet.)

Repeat the last one with the appropriate port numbers for any other
service that you want to make publicly available.

> I have no idea how to jail or whatever in fail2ban. Sounds that's what I
> want to do. Detect IP addresses hitting the server 1000 times in an hour and
> then ban those for a good long while (week sounds good).

That's pretty much exactly what fail2ban is intended to do.  A "jail" is
just fail2ban's term for a rule for what activities aren't allowed and
how to handle IP addresses which break the rule.

Unfortunately, adding a custom jail requires changes to multiple files,
but I can at least give you specific details on how to create this
particular one.  Again, these files need to be created or edited using
sudo or from a root shell.

First, you need to create a filter definition.  Create the file
/etc/fail2ban/filter.d/apache-missing-local.conf containing:

---
[Definition]
failregex = <HOST> [^ ]+ [^ ]+ \[[^]]+\] "[^"]+" 40[04] [0-9]+
---

Lines matching the failregex (an apache log line for a 404 error) count
as "failures".

Next, you need to define a jail which uses that filter.  Create the file
/etc/fail2ban/jail.local (or edit it if it exists, but I don't think it
exists by default) and add:

---
[apache-missing-local]
enabled  = true
port     = http,https
filter   = apache-missing-local
logpath  = /var/log/apache2/*access*.log
maxretry = 1000
findtime = 3600
bantime  = 604800
ignoreip = 127.0.0.1
---

'port' is the list of ports to block when an address is put in the jail.
'logpath' is the list of logfiles to monitor for offending entries (in
this case, all log files in /var/log/apache2 with "access" in their
names).  'maxretry' is the number of times an address can break the rule
before getting jailed.  'findtime' is how long (in seconds, 3600 = 1
hour) the retries are remembered.  And 'bantime' is how long (in
seconds again, 604800 = 1 week) the address should remain jailed before
it is released and allowed to access your service again.  'ignoreip' is
a list of IP addresses which should never be blocked.

After setting up these files, you can either restart fail2ban or run
`sudo fail2ban-client reload` to activate the new jail.

> I wish there was an easy tutorial for doing these things.

It would be nice, yes.  I've figured out everything in this mail by
reading man pages and examining the existing config files.  Good
tutorials would have made that a lot easier.

-- 
Dave Sherohman

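The following is an added example, not part of Dave's mail or of fail2ban's own code. It replays constructed Apache combined-log lines through the jail's failregex and thresholds (maxretry = 1000, findtime = 3600, bantime = 604800, ignoreip = 127.0.0.1) so you can see which addresses the jail above would ban and why. Assumptions: fail2ban's `<HOST>` placeholder is replaced by a simplified IPv4/IPv6 pattern (fail2ban's own is more permissive and also matches hostnames), the timestamp is captured directly rather than via fail2ban's date patterns, and the sliding-window counting is a model of fail2ban's findtime/maxretry behaviour rather than its actual implementation. Note that the regex as written matches both 400 and 404 responses. All IP addresses and log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The jail's failregex, with fail2ban's <HOST> placeholder replaced by a
# simplified IPv4/IPv6 pattern (assumption; fail2ban's own <HOST> is more
# permissive). The bracketed timestamp is captured for the window logic.
FAILREGEX = re.compile(
    r'^(?P<host>[0-9a-fA-F.:]+) [^ ]+ [^ ]+ \[(?P<ts>[^]]+)\] "[^"]+" 40[04] [0-9]+'
)

# Thresholds from the jail.local stanza (seconds).
MAXRETRY = 1000
FINDTIME = 3600
BANTIME = 604800
IGNOREIP = frozenset({"127.0.0.1"})


def parse_ts(ts):
    # Apache common/combined timestamp, e.g. 16/Aug/2018:14:00:00 +0000
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Replay access-log lines through a model of the jail logic.

    Returns (banned, failures): banned maps host -> timestamp of the failure
    that triggered the ban; failures maps host -> total failregex matches.
    A host is banned once maxretry failures fall inside a findtime window.
    """
    windows = defaultdict(deque)
    failures = defaultdict(int)
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a 400/404 line, so not a "failure"
        host = m.group("host")
        failures[host] += 1
        if host in ignoreip or host in banned:
            continue
        t = parse_ts(m.group("ts"))
        window = windows[host]
        window.append(t)
        # Forget failures older than findtime relative to this one.
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = t
    return banned, dict(failures)


def still_banned(host, now, banned, bantime=BANTIME):
    """True while a banned host is still inside its bantime."""
    return host in banned and (now - banned[host]) < timedelta(seconds=bantime)


def make_lines(host, count, status, step_seconds, start):
    """Constructed Apache combined-log lines (sample data, not real traffic)."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * step_seconds)).strftime(
            "%d/%b/%Y:%H:%M:%S %z")
        out.append(f'{host} - - [{ts}] "GET /wp-login.php HTTP/1.1" '
                   f'{status} 209 "-" "Mozilla/5.0"')
    return out


START = datetime(2018, 8, 16, 14, 0, 0, tzinfo=timezone.utc)
SAMPLE = (
    make_lines("203.0.113.5", 1000, 404, 1, START)      # 1000 404s in ~17 min: banned
    + make_lines("198.51.100.7", 1000, 404, 11, START)  # 1000 404s over ~3 h: never 1000 in one hour
    + make_lines("192.0.2.9", 1000, 200, 1, START)      # 200 OK: failregex does not match
    + make_lines("127.0.0.1", 1000, 400, 1, START)      # matches, but ignoreip protects it
)

if __name__ == "__main__":
    banned, failures = scan(SAMPLE)
    for host, when in banned.items():
        until = when + timedelta(seconds=BANTIME)
        print(f"ban {host} at {when:%Y-%m-%d %H:%M:%S} until {until:%Y-%m-%d %H:%M:%S}")
    print("failregex matches per host:", failures)
```

Running it bans only 203.0.113.5, on its 1000th 404 about 17 minutes in. 198.51.100.7 produces the same 1000 failures but spread over three hours, so no one-hour window ever reaches maxretry; lowering maxretry (for example to 300) would catch it. 127.0.0.1 matches the regex a thousand times and is never banned because of ignoreip. Against a real installation, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-missing-local.conf` is the tool to confirm the filter actually matches your log format before enabling the jail.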
