Fail2ban

From Linuxmemo.

Configuration

Put these settings in /etc/fail2ban/jail.local rather than editing jail.conf directly: jail.local is read after jail.conf and is not overwritten by package upgrades. Times are in seconds.

[DEFAULT]
# Addresses that are never banned: the local host and, as an example of an
# external address you trust, Google's public resolver.
ignoreip = 127.0.0.1 8.8.8.8
# Failures are counted over a sliding window of one hour...
findtime = 3600
# ...and an offending address is banned for 24 hours.
bantime = 86400

[ssh]
enabled = true
# SFTP runs inside SSH on the same port, so "ssh" already covers it. The
# "sftp" entry in /etc/services is the old Simple File Transfer Protocol on
# 115/tcp and has nothing to do with OpenSSH, so it is not listed here.
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
# Sixth failure from one address within findtime triggers the ban.
maxretry = 6
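To see what the sshd filter together with maxretry and ignoreip actually decide, here is an added example (not code from the Linuxmemo page and not fail2ban's own filter) that re-implements the decision in plain shell over a few constructed auth.log lines. It deliberately simplifies: all sample lines are assumed to fall inside one findtime window, and ignoreip is matched on exact addresses only (real fail2ban also accepts CIDR ranges). The function name find_offenders and the variable SAMPLE_AUTH_LOG are this example's own.

```shell
#!/bin/sh
# Added example: minimal re-implementation of the sshd filter + maxretry/ignoreip
# logic so the configuration above can be understood offline. Not fail2ban code.

# Constructed sample of /var/log/auth.log (not real captured data):
#  - 203.0.113.5 fails six times (reaches maxretry = 6)
#  - 198.51.100.7 fails twice, then logs in successfully
#  - 127.0.0.1 fails three times but is covered by ignoreip
SAMPLE_AUTH_LOG='Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:05 host sshd[1204]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  3 10:00:07 host sshd[1205]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:00:09 host sshd[1206]: Failed password for invalid user test from 203.0.113.5 port 51005 ssh2
Mar  3 10:01:10 host sshd[1210]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:01:20 host sshd[1211]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:30 host sshd[1212]: Accepted password for bob from 198.51.100.7 port 40003 ssh2
Mar  3 10:02:00 host sshd[1220]: Failed password for root from 127.0.0.1 port 33001 ssh2
Mar  3 10:02:01 host sshd[1221]: Failed password for root from 127.0.0.1 port 33002 ssh2
Mar  3 10:02:02 host sshd[1222]: Failed password for root from 127.0.0.1 port 33003 ssh2'

# find_offenders MAXRETRY "IGNOREIP list" < auth.log
# Prints, sorted, every source address whose "Failed password" count reached
# MAXRETRY, skipping addresses listed in IGNOREIP (exact match only here).
find_offenders() {
    maxretry=$1
    ignoreip=$2
    awk -v maxretry="$maxretry" -v ignoreip="$ignoreip" '
        BEGIN {
            n = split(ignoreip, ign, " ")
            for (i = 1; i <= n; i++) skip[ign[i]] = 1
        }
        # Only sshd authentication failures count; "Accepted" lines are ignored.
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in skip)) next
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip }
    ' | sort
}

# Stand-alone run with the values from the jail above: prints 203.0.113.5 only.
printf '%s\n' "$SAMPLE_AUTH_LOG" | find_offenders 6 "127.0.0.1 8.8.8.8"
```

Lowering maxretry to 2 would additionally flag 198.51.100.7, which is the trade-off the setting controls: a lower value catches slow brute force sooner but also locks out a user who mistypes a password twice.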

Status

Ask the running server for a jail's state with fail2ban-client (the jail name is the section name from jail.conf/jail.local). The "unable to resolve host" line is a sudo warning meaning this machine's hostname is missing from /etc/hosts; it is unrelated to fail2ban.

sudo fail2ban-client status ssh
sudo: unable to resolve host HOSTNAME
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     69
`- action
   |- Currently banned: 1
   |  `- IP list:       104.238.xxx.xxx
   `- Total banned:     1

"Total failed" counts every log line the filter matched since the jail started; "Currently failed" is the number of addresses with failures inside the findtime window that have not yet reached maxretry; "Currently banned" is what is actually in the iptables chain right now. Run fail2ban-client status without a jail name to list all jails.

Tips

  • If the dates on the notification mails do not match the real date, append the following to /etc/default/fail2ban (the init script sources this file, so it sets the daemon's locale):
LC_ALL=C
LANG=C
  • To enable mail notifications

In jail.conf (better: in jail.local) the default action line reads action = %(action_)s, which only bans. Change it to:

action = %(action_mw)s   (ban, then mail a whois report on the address)

or

action = %(action_mwl)s  (same, plus the log lines that triggered the ban)

and set destemail (and sender) in the [DEFAULT] section to the addresses to use.
  • Problem sending mail with ssmtp: sender address

If ssmtp answers: Sender address rejected: you are not root@free.fr

the relay refuses mail whose envelope sender is the local root account. Map root to your real address in /etc/ssmtp/revaliases (format: local_account:outgoing_address:mailhub[:port]; the mailhub part may be omitted to use the one from ssmtp.conf):

vim /etc/ssmtp/revaliases
root:prenom.nom@free.fr
  • Make bans survive a restart

Fail2ban 0.8 keeps its bans only in the iptables chains, so restarting the service (or rebooting) releases every banned address. The workaround below records each banned IP in a file and re-inserts all of them when the jail's chain is (re)created. Two things to know before using it: put the override in /etc/fail2ban/action.d/iptables-multiport.local rather than editing the .conf, which package upgrades replace; and fail2ban 0.9 and later keep a sqlite database (dbfile in fail2ban.conf) and restore unexpired bans on restart by themselves, so this is only needed on 0.8.x. The file is shared by every jail using this action, so each jail's chain reloads all recorded addresses.

touch /etc/fail2ban/ip.blacklist
vim /etc/fail2ban/action.d/iptables-multiport.conf

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            grep -qxF <ip> /etc/fail2ban/ip.blacklist || echo <ip> >> /etc/fail2ban/ip.blacklist
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done < /etc/fail2ban/ip.blacklist
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              sed -i '/^<ip>$/d' /etc/fail2ban/ip.blacklist

Compared with a bare echo and an unanchored sed, the grep -qxF guard keeps an address re-banned after a restart from being written twice, and the anchored sed pattern removes only that exact line: an unanchored /<ip>/d for 10.0.0.1 would also delete 110.0.0.10 and 10.0.0.100.
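The bookkeeping behind that action file, as an added example that is neither the Linuxmemo page's code nor fail2ban's: the same three operations written as stand-alone shell functions (plus a small command-line wrapper) so they can be tested without fail2ban or a real firewall. The variables BLACKLIST, CHAIN and IPTABLES and the function names are this example's own assumptions; inside an action file fail2ban's <ip> and <name> tags take their place. It also shows the two edge cases the action lines above have to get right: re-banning an address must not duplicate it, and unbanning 10.0.0.1 must leave 110.0.0.10 and 10.0.0.100 alone.

```shell
#!/bin/sh
# Added example (not from the Linuxmemo page, not fail2ban code): persistent
# ban list bookkeeping for an iptables-multiport style action. Assumed
# variables: BLACKLIST (record file), CHAIN (jail chain), IPTABLES (command;
# overridable so the functions can be exercised without root or a firewall).

BLACKLIST=${BLACKLIST:-/etc/fail2ban/ip.blacklist}
CHAIN=${CHAIN:-fail2ban-ssh}
IPTABLES=${IPTABLES:-iptables}

# Whole-line, fixed-string match: the dots in an address are not regex wildcards.
in_blacklist() {
    grep -qxF -- "$1" "$BLACKLIST" 2>/dev/null
}

# actionban equivalent: insert the DROP rule, then record the address once.
blacklist_ban() {
    ip=$1
    $IPTABLES -I "$CHAIN" 1 -s "$ip" -j DROP
    in_blacklist "$ip" || printf '%s\n' "$ip" >> "$BLACKLIST"
}

# actionunban equivalent: delete the rule and remove exactly that line,
# rewriting the file through a temporary copy so a crash cannot truncate it.
blacklist_unban() {
    ip=$1
    $IPTABLES -D "$CHAIN" -s "$ip" -j DROP
    [ -f "$BLACKLIST" ] || return 0
    tmp=$(mktemp "$BLACKLIST.XXXXXX") || return 1
    # grep exits 1 when no line is left to keep; that is not an error here.
    grep -vxF -- "$ip" "$BLACKLIST" > "$tmp" || [ $? -eq 1 ] || return 1
    mv -- "$tmp" "$BLACKLIST"
}

# actionstart equivalent: after the chain exists, re-insert every recorded
# address. Run once per chain creation, i.e. at fail2ban start.
blacklist_restore() {
    [ -f "$BLACKLIST" ] || return 0
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            $IPTABLES -I "$CHAIN" 1 -s "$ip" -j DROP
        fi
    done < "$BLACKLIST"
}

# Command-line wrapper so an action file could call this script, e.g.
# actionban = /usr/local/sbin/f2b-blacklist ban <ip>   (hypothetical path)
case "${1-}" in
    ban)     blacklist_ban "$2" ;;
    unban)   blacklist_unban "$2" ;;
    restore) blacklist_restore ;;
    *)       echo "usage: $0 ban IP | unban IP | restore" >&2 ;;
esac
```

Because IPTABLES is a variable, the functions can be driven in a scratch directory with a shell function named iptables that just logs its arguments, which is how to check an action before letting fail2ban run it as root.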