security | fail2ban

fail2ban and filters


Install fail2ban and check status:

sudo apt-get install fail2ban

sudo fail2ban-client status

sudo fail2ban-client status sshd

References:

fail2ban.org   help.ubuntu   digitalocean   wiki.arch  


To edit settings:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

Enable the following jail, which re-bans addresses that keep getting banned by other jails:

[recidive]

enabled = true

filter = recidive

logpath = /var/log/fail2ban.log

action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]

bantime = 1814800 ; 3 weeks

findtime = 259200 ; 2 days

maxretry = 5

Also edit fail2ban.conf:

sudo nano /etc/fail2ban/fail2ban.conf

and increase dbpurgeage, so that the ban database keeps entries long enough for recidive to count repeat bans across its findtime:

dbpurgeage = 886400

Then restart and check:

sudo service fail2ban restart

sudo fail2ban-client status


If you wish to be notified of bans by email, modify this line with your email address:

destemail = your_email@domain.com

Then find the line:

action = %(action_)s

and change it to

action = %(action_mwl)s

Reload config:

sudo fail2ban-client reload


Change the ssh port number fail2ban watches, so that it matches the port sshd actually listens on (here 40):

sudo nano /etc/fail2ban/jail.local

Then change the port line in the [sshd] section:

[sshd]

port    = 40

logpath = %(sshd_log)s

Also change the following line:

banaction = iptables-multiport

to:

banaction = iptables-allports

Reload config:

sudo fail2ban-client reload


Other settings

[DEFAULT]

ignoreip = 127.0.0.1/8

bantime = 54000

findtime = 600

maxretry = 3


Change Fail2Ban settings to include nginx

(if not already done: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local)

sudo nano /etc/fail2ban/jail.local

Enable the nginx-http-auth jail:

[nginx-http-auth]

enabled = true

filter = nginx-http-auth

port = http,https

logpath = /var/log/nginx/error.log

Then restart and check:

sudo service fail2ban restart

sudo fail2ban-client status

References:

digitalocean   snippets   easyengine  


Additional security for nginx

digitalocean  


A.

(if not already done: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local)

sudo nano /etc/fail2ban/jail.local

Add the following lines:


[nginx-noscript]

enabled = true

port = http,https

filter = nginx-noscript

logpath = /var/log/nginx/access.log

maxretry = 6


[nginx-badbots]

enabled = true

port = http,https

filter = nginx-badbots

logpath = /var/log/nginx/access.log

maxretry = 2


[nginx-nohome]

enabled = true

port = http,https

filter = nginx-nohome

logpath = /var/log/nginx/access.log

maxretry = 2


[nginx-noproxy]

enabled = true

port = http,https

filter = nginx-noproxy

logpath = /var/log/nginx/access.log

maxretry = 2


B.

cd /etc/fail2ban/filter.d

sudo nano /etc/fail2ban/filter.d/nginx-http-auth.conf

Change to the following by adding the second failregex line. Both lines need the <HOST> tag at the client position, since that is where fail2ban reads the address to ban:

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =


C.

sudo cp /etc/fail2ban/filter.d/apache-badbots.conf /etc/fail2ban/filter.d/nginx-badbots.conf


D.

sudo nano /etc/fail2ban/filter.d/nginx-noscript.conf

In the regex below, remove the extensions your site actually serves. For example, remove \.php if you host PHP pages; otherwise every legitimate visitor of those pages is counted as a failure and banned once maxretry is reached.

[Definition]

failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)

ignoreregex =


E.

sudo nano /etc/fail2ban/filter.d/nginx-nohome.conf

Create as follows:

[Definition]

failregex = ^<HOST> -.*GET .*/~.*

ignoreregex =


F.

sudo nano /etc/fail2ban/filter.d/nginx-noproxy.conf

Create as follows:

[Definition]

failregex = ^<HOST> -.*GET http.*

ignoreregex =


G.

sudo service fail2ban restart

sudo fail2ban-client status

sudo iptables -S
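To see what the filters from steps D to F would catch before enabling them, here is an added Python example (not from the page or from fail2ban itself) that applies the noscript, nohome and noproxy regexes to constructed access.log lines, using the maxretry values from step A. It simplifies fail2ban's <HOST> expansion to an IPv4 capture and ignores timestamps and the findtime window; fail2ban-regex is the real tool for testing a filter against a log file.

```python
import re
from collections import Counter, defaultdict

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# one also handles IPv6 and hostnames; an IPv4 capture is enough here).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Access.log filters from steps D, E and F with the maxretry values from step A.
FILTERS = {
    "nginx-noscript": (r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)", 6),
    "nginx-nohome":   (r"^<HOST> -.*GET .*/~.*", 2),
    "nginx-noproxy":  (r"^<HOST> -.*GET http.*", 2),
}

def compile_failregex(failregex):
    """Expand the <HOST> tag into a named capture group, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def scan(lines, filters=FILTERS):
    """Count failregex matches per jail and per client address."""
    hits = defaultdict(Counter)
    for jail, (failregex, _) in filters.items():
        rx = compile_failregex(failregex)
        for line in lines:
            m = rx.search(line)
            if m:
                hits[jail][m.group("host")] += 1
    return hits

def would_ban(lines, filters=FILTERS):
    """Addresses reaching maxretry, assuming all lines fall inside one findtime."""
    hits = scan(lines, filters)
    return {jail: sorted(h for h, n in hits[jail].items() if n >= maxretry)
            for jail, (_, maxretry) in filters.items()}

def access_line(ip, path):
    # Constructed nginx combined-format access.log line (sample data, not real traffic).
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" 404 162 "-" "-"'

# Constructed traffic: a scanner probing script extensions, a legitimate visitor
# loading a PHP page six times, a home-directory probe and a single proxy attempt.
SAMPLE_LOG = (
    [access_line("203.0.113.7", f"/probe{i}.{ext}")
     for i, ext in enumerate(["php", "asp", "exe", "pl", "cgi", "scgi", "cgi"])]
    + [access_line("198.51.100.22", "/index.php")] * 6
    + [access_line("198.51.100.5", "/~admin/")] * 2
    + [access_line("192.0.2.9", "http://example.com/")]
)

# Step D's caveat: a site serving PHP must drop \.php from the noscript regex,
# otherwise the legitimate visitor is banned together with the scanner.
PHP_SITE_FILTERS = dict(FILTERS)
PHP_SITE_FILTERS["nginx-noscript"] = (r"^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\.scgi)", 6)
```

With the unmodified noscript regex both the scanner and the visitor of /index.php reach maxretry, while the single proxy attempt stays below the noproxy threshold of 2; with \.php removed only the scanner is banned.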