
Re: Fail2Ban Question: Can I do this without restarting the service?

On 08/17/2018 10:55 AM, Dave Sherohman wrote:
> On Thu, Aug 16, 2018 at 02:07:02PM -0400, cyaiplexys wrote:
>> See, that all is way over my head. I don't understand this stuff as I'm
>> pretty much a total beginner in this.

> OK, fair enough.  Let's see what help I can offer.

Greatly appreciated. :)

>> Does Debian and Debian based systems have the firewall installed and
>> running by default?

> No.  For general-purpose firewalling, I would suggest installing ufw
> (`sudo apt-get install ufw`), as it's much simpler to manage than using
> iptables (the underlying firewall control scheme used by both ufw and
> fail2ban to communicate with the kernel) directly.

> After installing ufw, the following commands should get you started (all
> of them need to be run with sudo or from a root shell):

If I'm following you so far, ufw is a firewall like iptables? Or a replacement for iptables?

> ufw allow to any port 22 from [your IP address] proto tcp
> (If you're using ssh to connect to the server, you *must* do this one
> before enabling the firewall, or else you'll lock yourself out.

I *never ever* use port 22 for ssh. I pick some random port that I know isn't going to be used for anything else on the server and set ssh to use that port instead. How do I set ufw to use the ssh port of my choosing?

> If you need to connect with ssh from multiple addresses, you can
> either run it multiple times with different addresses, or specify a
> network in CIDR notation.)

That's not going to be possible to determine. I and the other admin (who also doesn't know about this stuff) both connect remotely via ssh and we both have dynamic IPs that are set (and changed) periodically (and at times we have no idea) by our ISP. Neither of us can afford a static IP to our homes.

> ufw enable
> (Starts the firewall.)

> ufw logging off
> (...because it will otherwise flood your logs with reports of pretty
> much every packet received on the network interface.)

> ufw allow 80,443/tcp
> (Opens port 80 (http) and 443 (https) for connections from anywhere on
> the internet.)
> Repeat the last one with the appropriate port numbers for any other
> service that you want to make publicly available.

Can I do this too?

ufw deny 22/tcp # Deny connection to port 22 (ssh default port)
ufw allow [new-ssh-port]/tcp # Allow connection to new chosen ssh port

>> I have no idea how to jail or whatever in fail2ban. Sounds that's what I
>> want to do. Detect IP addresses hitting the server 1000 times in an hour and
>> then ban those for a good long while (week sounds good).

> That's pretty much exactly what fail2ban is intended to do.  A "jail" is
> just fail2ban's term for a rule for what activities aren't allowed and
> how to handle IP addresses which break the rule.

> Unfortunately, adding a custom jail requires changes to multiple files,
> but I can at least give you specific details on how to create this
> particular one.  Again, these files need to be created or edited using
> sudo or from a root shell.

> First, you need to create a filter definition.  Create the file
> /etc/fail2ban/filter.d/apache-missing-local.conf containing:

> [Definition]
> failregex = <HOST> [^ ]+ [^ ]+ \[[^]]+\] "[^"]+" 40[04] [0-9]+

> Lines matching the failregex (an apache log line for a 404 error) count
> as "failures".

Thing is, the bots hitting the server aren't getting 404 errors. They are trying to do php XSite injection on Wordpress sites and hitting actual web sites (HTTP 202).

> Next, you need to define a jail which uses that filter.  Create the file
> /etc/fail2ban/jail.local (or edit it if it exists, but I don't think it
> exists by default) and add:

> [apache-missing-local]
> enabled  = true
> port     = http,https
> filter   = apache-missing-local
> logpath  = /var/log/apache2/*access*.log
> maxretry = 1000
> findtime = 3600
> bantime  = 604800
> ignoreip =

Aha! THIS makes sense to me now! :)

> 'port' is the list of ports to block when an address is put in the jail.
> 'logpath' is the list of logfiles to monitor for offending entries (in
> this case, all log files in /var/log/apache2 with "access" in their
> names).  'maxretry' is the number of times an address can break the rule
> before getting jailed.  'findtime' is how long (in seconds, 3600 = 1
> hour) the retries are remembered.  And 'bantime' is how long (in
> seconds again, 604800 = 1 week) the address should remain jailed before
> it is released and allowed to access your service again.

That I will need to be like a larger amount, like several months? *reaching for my calculator*.

> 'ignoreip' is a list of IP addresses which should never be blocked.

Can I separate a list with commas like done for port?

> After setting up these files, you can either restart fail2ban or run
> `sudo fail2ban-client reload` to activate the new jail.

When using 'reload', that just ensures changes take effect *without* restarting the fail2ban service, right?

>> I wish there was an easy tutorial for doing these things.

> It would be nice, yes.  I've figured out everything in this mail by
> reading man pages and examining the existing config files.  Good
> tutorials would have made that a lot easier.

You are very talented if you can make sense of man pages. I digress. I have used Linux since Slackware 1.0 (been through Red Hat, Mandriva/Manjaro, Mint, SolydX/K, and now sticking with Debian, but I also use Ubuntu servers from time to time (though Ubuntu seems to do things differently from Debian, but that's OK since I would assume this stuff is the same for Debian and Ubuntu, as for fail2ban/ufw?). I am trying to get something going with Debian too, though, so I do need the Debian way to do things as well.

Thank you for all the info and helping me out. I now think I am 'getting it' (please feel free to correct my errors so I make sure I'm on the right track).
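[Editor's added example, not part of this thread or of fail2ban itself.] The quickest way to see what the filter and jail quoted above will actually do is to replay some log lines through them. The Python script below takes the failregex and the maxretry/findtime/bantime values exactly as Dave gave them, applies fail2ban's rule (ban a host once it has maxretry matching lines inside any findtime-second window) to a constructed batch of Apache access-log lines, and reports who gets banned. The host pattern substituted for `<HOST>`, the sample hosts and the log lines are assumptions made for the demonstration; fail2ban's real `<HOST>` expansion is more elaborate. It also shows the point raised in the reply: lines with a 200 status are never counted by a 40[04] filter, and addresses covered by ignoreip are skipped even when they exceed the limit.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Filter and jail values as given in the thread.
FAILREGEX = r'<HOST> [^ ]+ [^ ]+ \[[^]]+\] "[^"]+" 40[04] [0-9]+'
MAXRETRY = 1000
FINDTIME = 3600      # seconds (one hour)
BANTIME = 604800     # seconds (one week)

# fail2ban expands <HOST> into its own host-matching named group; this
# simplified IPv4/IPv6 character class is an assumption for the simulation.
HOST_PATTERN = r'(?P<host>[0-9A-Fa-f:.]+)'
TIME_PATTERN = re.compile(r'\[([^\]]+)\]')


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python regex object."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def log_timestamp(line):
    """Parse the bracketed Apache timestamp, e.g. [17/Aug/2018:10:55:01 +0000]."""
    stamp = TIME_PATTERN.search(line).group(1)
    return datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')


def is_ignored(host, ignoreip):
    """True if host falls inside any address or CIDR network in ignoreip."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME,
                  bantime=BANTIME, ignoreip=(), failregex=FAILREGEX):
    """Replay log lines through the jail; return {host: ban expiry time}."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of its recent failures
    bans = {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue                      # not a "failure"; the jail never sees it
        host = m.group('host')
        if host in bans or is_ignored(host, ignoreip):
            continue
        ts = log_timestamp(line)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans


def make_log(host, start, count, step_seconds, status):
    """Constructed Apache common-log lines (sample data, not real traffic)."""
    lines = []
    for i in range(count):
        stamp = (start + timedelta(seconds=i * step_seconds)).strftime('%d/%b/%Y:%H:%M:%S %z')
        lines.append(f'{host} - - [{stamp}] "GET /index.php HTTP/1.1" {status} 512')
    return lines


START = datetime(2018, 8, 17, 10, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    make_log('203.0.113.5', START, 1000, 3, 404)      # 1000 404s in 50 minutes: banned
    + make_log('198.51.100.7', START, 1000, 11, 404)  # 1000 404s over ~3 hours: never 1000 in one hour
    + make_log('10.0.0.8', START, 1000, 3, 404)       # same burst, but inside the ignoreip range
    + make_log('192.0.2.9', START, 1000, 3, 200)      # status 200: the 40[04] filter never matches
)


def run_sample():
    """Run the constructed log through the jail with 10.0.0.0/8 ignored."""
    return simulate_jail(SAMPLE_LOG, ignoreip=('10.0.0.0/8',))


if __name__ == '__main__':
    for host, until in run_sample().items():
        print(f'ban {host} until {until.isoformat()}')
```

Only 203.0.113.5 ends up banned, with the ban expiring exactly 604800 seconds after its 1000th 404. On a real server the equivalent check against the installed filter is fail2ban's own `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-missing-local.conf`, which reports how many lines the failregex matched; if the traffic you care about is answered with 200 rather than 404, that count will be zero and the status-code part of the regex is what needs changing.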
