FreeBSD 14
Sponsored Link

Fail2Ban : Intrusion Prevention System2024/09/09

 

Install and configure [Fail2Ban] that is the kind of Intrusion Detection System.

[1] Install Fail2Ban.
root@dlp:~ #
pkg install -y py311-fail2ban whois
# enable packet filter

root@dlp:~ #
sysrc pf_enable="YES"

root@dlp:~ #
sysrc pflogd_enable="YES"

root@dlp:~ #
sysrc pf_rules="/etc/pf.conf"

root@dlp:~ #
vi /etc/pf.conf
# create new file

set skip on lo
scrub in
anchor "f2b/*"
root@dlp:~ #
service pf start
[2] The default configuration is defined in [/usr/local/etc/fail2ban/jail.conf].
The default values ​​may change with package updates, so if you want to change the settings, create a [jail.local] file and modify it.
root@dlp:~ #
vi /usr/local/etc/fail2ban/jail.conf
# line 87 : ignore your own local IP
#ignoreself = true

# line 92 : possible to add ignored networks
#ignoreip = 127.0.0.1/8 ::1

# line 103 : number of seconds that a host is banned
# - 1m ⇒ 1 minutes
# - 1h ⇒ 1 houer
# - 1d ⇒ 1 day
# - 1mo ⇒ 1 month
# - 1y ⇒ 1 year
bantime  = 10m

# line 107 : A host is banned if it has generated "maxretry" during the last "findtime"
findtime  = 10m

# line 110 : "maxretry" is the number of failures before a host get banned
maxretry = 5

# line 178 : destination email address if enabling email notification
destemail = root@localhost

# line 181 : sender address if enabling email notification
sender = root@<fq-hostname>

# line 263 : default action
# - %(action_)s ⇒ ban only
# - %(action_mw)s ⇒ band and email notification (includes Whois info)
# - %(action_mwl)s ⇒ band and email notification (includes Whois info and logs)
action = %(action_)s


root@dlp:~ #
vi /usr/local/etc/fail2ban/jail.local
# create new
# possible to override the default values
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
banaction = pf[actiontype=<multiport>]
banaction_allports = pf[actiontype=<allports>]
bantime  = 1d
findtime  = 5m
maxretry = 5
destemail = root@localhost
sender = root@dlp.srv.world

root@dlp:~ #
service fail2ban enable

fail2ban enabled in /etc/rc.conf
root@dlp:~ #
service fail2ban start

Server ready
[3] If you want to monitor services, add settings. (Default is unset)
As an example, set the SSH as the service to be monitored.
root@dlp:~ #
fail2ban-client status

Status
|- Number of jail:      0
`- Jail list:

root@dlp:~ #
vi /usr/local/etc/fail2ban/jail.d/sshd.conf
# create new
[sshd]
enabled = true

# possible to override the default values by service
bantime  = 600
findtime  = 3m
maxretry = 5
action = %(action_mw)s

root@dlp:~ #
service fail2ban reload

OK
# show status

root@dlp:~ #
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

# some hosts that exceed the threshold are banned

root@dlp:~ #
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.203

# actual ban action is controlled by pf

root@dlp:~ #
pfctl -a f2b/sshd -s rules

block drop quick proto tcp from <f2b-sshd> to any port = ssh
root@dlp:~ #
pfctl -a f2b/sshd -t f2b-sshd -T show

   10.0.0.203

# if enabled email notifications, you will receive the following email

root@dlp:~ #
s-nail

you have mail
s-nail version v14.9.24.  Type `?' for help
/var/mail/root: 3 messages 3 unread
 U  2 Fail2Ban           2024-09-09 10:45   21/529   [Fail2Ban] sshd: started on dlp.srv.world
 U  3 Fail2Ban           2024-09-09 10:47   40/1045  [Fail2Ban] sshd: banned 10.0.0.203 from dlp.srv.world

& 3
[-- Message  3 -- 40 lines, 1045 bytes --]:
Subject: [Fail2Ban] sshd: banned 10.0.0.203 from dlp.srv.world
Date: Mon, 09 Sep 2024 10:47:59 +0900
From: Fail2Ban <root@dlp.srv.world>
To: root@localhost
Message-Id: <20240909014759.AAB9A200B3@dlp.srv.world>

Hi,

The IP 10.0.0.203 has just been banned by Fail2Ban after
5 attempts against sshd.


Here is more information about 10.0.0.203 :
.....
.....
[4] If you want to manually add or remove banned hosts, run the following.
root@dlp:~ #
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.203

# unban [10.0.0.203]

root@dlp:~ #
fail2ban-client set sshd unbanip 10.0.0.203

1
root@dlp:~ #
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:

# ban [10.0.0.192/28]

root@dlp:~ #
fail2ban-client set sshd banip 10.0.0.192/28

1
root@dlp:~ #
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   10.0.0.192/28

# to remove all banned hosts, run like follows

root@dlp:~ #
fail2ban-client unban --all

[5] [jail.conf] has many predefined services other than SSH, so you can set them as monitoring targets by specifying the definition name.
root@dlp:~ #
grep '^\[' /usr/local/etc/fail2ban/jail.conf | tail -n +3

[sshd]
[dropbear]
[selinux-ssh]
[apache-auth]
[apache-badbots]
[apache-noscript]
[apache-overflows]
[apache-nohome]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
.....
.....

# for example, set up Apache2 Basic authentication

root@dlp:~ #
vi /usr/local/etc/fail2ban/jail.d/apache-auth.conf
# create new

[apache-auth]
enabled = true
bantime  = 600
findtime  = 3m
maxretry = 5
action = %(action_mw)s

# for example, set up Vsftpd

root@dlp:~ #
vi /usr/local/etc/fail2ban/jail.d/vsftpd.conf
# create new

[vsftpd]
enabled = true
action = %(action_mw)s

# for example, set up Postfix SASL

root@dlp:~ #
vi /usr/local/etc/fail2ban/jail.d/postfix-sasl.conf
# create new

[postfix-sasl]
enabled = true
action = %(action_mw)s

root@dlp:~ #
service fail2ban reload
root@dlp:~ #
fail2ban-client status

Status
|- Number of jail:      4
`- Jail list:   apache-auth, postfix-sasl, sshd, vsftpd

# verify settings by failing authentication manually

root@dlp:~ #
fail2ban-client status apache-auth

Status for the jail: apache-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     10
|  `- File list:        /var/log/httpd/error_log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.5

root@dlp:~ #
pfctl -a f2b/apache-auth -t f2b-apache-auth -T show

   10.0.0.5

root@dlp:~ #
fail2ban-client status vsftpd

Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/vsftpd.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.203

root@dlp:~ #
pfctl -a f2b/vsftpd -t f2b-vsftpd -T show

   10.0.0.203
Matched Content