Fail2ban: Difference between revisions

(4 intermediate revisions by 3 users not shown)

Line 1:

[https://www.fail2ban.org Fail2ban] is an intrusion prevention software. It scans through log files to find signs of malicious intent. In general, Fail2ban will update the firewall rules to reject the offending IP address for a set amount of time.

Fail2Ban uses the concept of a "jail" to modularize its configuration. A jail consists of an action (such as blocking a port using iptables) that is triggered when a filter (regular expression) applied to a log file triggers/matches more than a certain number of times in a certain time period. Actions that ship with Fail2Ban are defined in <~~source~~ lang="nix" ~~enclose="none"~~>/etc/fail2ban/action.d</~~source~~>, while filters are defined in <~~source~~ lang="nix" ~~enclose="none"~~>/etc/fail2ban/filter.d</~~source~~>.

Fail2Ban uses the concept of a "jail" to modularize its configuration. A jail consists of an action (such as blocking a port using iptables) that is triggered when a filter (regular expression) applied to a log file triggers/matches more than a certain number of times in a certain time period. Actions that ship with Fail2Ban are defined in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight>, while filters are defined in <syntaxhighlight lang="nix" inline>/etc/fail2ban/filter.d</syntaxhighlight>.

== Basic Usage ==

Line 12:

== Advanced Usage ==

The Fail2ban NixOS module exposes various parameters for adjusting the configuration. In the following, all options mentioned are implicitly prefixed with <~~source~~ lang="nix" ~~enclose="none"~~>services.fail2ban</~~source~~> , unless specified otherwise.

The Fail2ban NixOS module exposes various parameters for adjusting the configuration. In the following, all options mentioned are implicitly prefixed with <syntaxhighlight lang="nix" inline>services.fail2ban</syntaxhighlight> , unless specified otherwise.

* The <~~source~~ lang="nix" ~~enclose="none"~~>maxretry</~~source~~> option allows you to specify how many failures are required for an IP address to be blocked.

* The <syntaxhighlight lang="nix" inline>maxretry</syntaxhighlight> option allows you to specify how many failures are required for an IP address to be blocked.

* To prevent being locked out accidentally, use <~~source~~ lang="nix" ~~enclose="none"~~>ignoreIP</~~source~~> to whitelist IPs or IP ranges to be never cheked. In the example below, common LAN IP address ranges as well as the specific IP '8.8.8.8' and the address associated with the hostname "nixos.~~wiki~~" are excluded from any bans. Note that the loopback addresses "127.0.0.0/8" and "::1" are added by default.

* To prevent being locked out accidentally, use <syntaxhighlight lang="nix" inline>ignoreIP</syntaxhighlight> to whitelist IPs or IP ranges to be never cheked. In the example below, common LAN IP address ranges as well as the specific IP '8.8.8.8' and the address associated with the hostname "wiki.nixos.org" are excluded from any bans. Note that the loopback addresses "127.0.0.0/8" and "::1" are added by default.

* <~~source~~ lang="nix" ~~enclose="none"~~>bantime</~~source~~> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <~~source~~ lang="nix" ~~enclose="none"~~>bantime-increment.enable = true;</~~source~~>. The bantime increment can then be customized by specifying a formula (in Python) like <~~source~~ lang="python" ~~enclose="none"~~>ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</~~source~~> with <~~source~~ lang="nix" ~~enclose="none"~~>bantime-increment.formula</~~source~~>, the multipliers with <~~source~~ lang="nix" ~~enclose="none"~~>bantime-increment.multipliers</~~source~~>, the maximum bantime with <~~source~~ lang="nix" ~~enclose="none"~~>bantime-increment.maxtime</~~source~~> and the indication to consider the bans issued throughout multiple jails with <~~source~~ lang="nix" ~~enclose="none"~~>bantime-increment.overalljails</~~source~~>

* <syntaxhighlight lang="nix" inline>bantime</syntaxhighlight> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <syntaxhighlight lang="nix" inline>bantime-increment.enable = true;</syntaxhighlight>. The bantime increment can then be customized by specifying a formula (in Python) like <syntaxhighlight lang="python" inline>ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</syntaxhighlight> with <syntaxhighlight lang="nix" inline>bantime-increment.formula</syntaxhighlight>, the multipliers with <syntaxhighlight lang="nix" inline>bantime-increment.multipliers</syntaxhighlight>, the maximum bantime with <syntaxhighlight lang="nix" inline>bantime-increment.maxtime</syntaxhighlight> and the indication to consider the bans issued throughout multiple jails with <syntaxhighlight lang="nix" inline>bantime-increment.overalljails</syntaxhighlight>

* <~~source~~ lang="nix" ~~enclose="none"~~>banaction</~~source~~> specifies which of the actions in <~~source~~ lang="nix" ~~enclose="none"~~>/etc/fail2ban/action.d</~~source~~> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.)

* <syntaxhighlight lang="nix" inline>banaction</syntaxhighlight> specifies which of the actions in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.)

* <~~source~~ lang="nix" ~~enclose="none"~~>extraPackages</~~source~~> contains a list of derivations whose outputs are needed by Fail2ban actions

* <syntaxhighlight lang="nix" inline>extraPackages</syntaxhighlight> contains a list of derivations whose outputs are needed by Fail2ban actions

Line 30:

"10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"

"8.8.8.8" # whitelist a specific IP

"nixos.~~wiki~~" # resolve the IP via DNS

"wiki.nixos.org" # resolve the IP via DNS

];

bantime = "24h"; # Ban IPs for one day on the first ban

Line 61:

== Extending Fail2ban ==

Fail2ban capabilities can be freely extended by adding new jails, filters, and actions; the first ones of them are already covered in the "Basic usage" section, while the other two need dedicated config files to be created in the <~~source~~ lang="nix" ~~enclose="none"~~>/etc/fail2ban/filter.d</~~source~~> and <~~source~~ lang="nix" ~~enclose="none"~~>/etc/fail2ban/action.d</~~source~~> folders.

Fail2ban capabilities can be freely extended by adding new jails, filters, and actions; the first ones of them are already covered in the "Basic usage" section, while the other two need dedicated config files to be created in the <syntaxhighlight lang="nix" inline>/etc/fail2ban/filter.d</syntaxhighlight> and <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> folders.

In order to do this, you'll have to add a <~~source~~ lang="nix" ~~enclose="none"~~>environment.etc</~~source~~> section to your NixOS config file and specify there the contents of your custom actions and filters:

In order to do this, you'll have to add a <syntaxhighlight lang="nix" inline>environment.etc</syntaxhighlight> section to your NixOS config file and specify there the contents of your custom actions and filters:

Line 83:

The defined filters and actions can then be used in a new jail (created as seen above):

<~~syntaxHighlight~~ lang=nix>

services.fail2ban = {

# --- snip ---

jails = {

~~ngnix~~-url-probe.settings = {

nginx-url-probe.settings = {

enabled = true;

filter = "nginx-url-probe";

Line 99:

};

</~~syntaxHighlight~~>

</syntaxhighlight>

For more details on how to develop Fail2ban filters please see [https://fail2ban.readthedocs.io/en/latest/filters.html the official documentation].

Line 109:

[[Category:Applications]]

[[Category:Server]]

[[Category:Networking]]

@@ Line 1: / Line 1: @@
 [https://www.fail2ban.org Fail2ban] is an intrusion prevention software. It scans through log files to find signs of malicious intent. In general, Fail2ban will update the firewall rules to reject the offending IP address for a set amount of time.
-Fail2Ban uses the concept of a "jail" to modularize its configuration. A jail consists of an action (such as blocking a port using iptables) that is triggered when a filter (regular expression) applied to a log file triggers/matches more than a certain number of times in a certain time period. Actions that ship with Fail2Ban are defined in <source lang="nix" enclose="none">/etc/fail2ban/action.d</source>, while filters are defined in <source lang="nix" enclose="none">/etc/fail2ban/filter.d</source>.
+Fail2Ban uses the concept of a "jail" to modularize its configuration. A jail consists of an action (such as blocking a port using iptables) that is triggered when a filter (regular expression) applied to a log file triggers/matches more than a certain number of times in a certain time period. Actions that ship with Fail2Ban are defined in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight>, while filters are defined in <syntaxhighlight lang="nix" inline>/etc/fail2ban/filter.d</syntaxhighlight>.
 == Basic Usage ==
@@ Line 12: / Line 12: @@
 == Advanced Usage ==
-The Fail2ban NixOS module exposes various parameters for adjusting the configuration. In the following, all options mentioned are implicitly prefixed with <source lang="nix" enclose="none">services.fail2ban</source> , unless specified otherwise.
+The Fail2ban NixOS module exposes various parameters for adjusting the configuration. In the following, all options mentioned are implicitly prefixed with <syntaxhighlight lang="nix" inline>services.fail2ban</syntaxhighlight> , unless specified otherwise.
-* The <source lang="nix" enclose="none">maxretry</source> option allows you to specify how many failures are required for an IP address to be blocked.
+* The <syntaxhighlight lang="nix" inline>maxretry</syntaxhighlight> option allows you to specify how many failures are required for an IP address to be blocked.
-* To prevent being locked out accidentally, use <source lang="nix" enclose="none">ignoreIP</source> to whitelist IPs or IP ranges to be never cheked. In the example below, common LAN IP address ranges as well as the specific IP '8.8.8.8' and the address associated with the hostname "nixos.wiki" are excluded from any bans. Note that the loopback addresses "127.0.0.0/8" and "::1" are added by default.
+* To prevent being locked out accidentally, use <syntaxhighlight lang="nix" inline>ignoreIP</syntaxhighlight> to whitelist IPs or IP ranges to be never cheked. In the example below, common LAN IP address ranges as well as the specific IP '8.8.8.8' and the address associated with the hostname "wiki.nixos.org" are excluded from any bans. Note that the loopback addresses "127.0.0.0/8" and "::1" are added by default.
-* <source lang="nix" enclose="none">bantime</source> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <source lang="nix" enclose="none">bantime-increment.enable = true;</source>. The bantime increment can then be customized by specifying a formula (in Python) like <source lang="python" enclose="none">ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</source> with <source lang="nix" enclose="none">bantime-increment.formula</source>, the multipliers with <source lang="nix" enclose="none">bantime-increment.multipliers</source>, the maximum bantime with <source lang="nix" enclose="none">bantime-increment.maxtime</source> and the indication to consider the bans issued throughout multiple jails with <source lang="nix" enclose="none">bantime-increment.overalljails</source>
+* <syntaxhighlight lang="nix" inline>bantime</syntaxhighlight> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <syntaxhighlight lang="nix" inline>bantime-increment.enable = true;</syntaxhighlight>. The bantime increment can then be customized by specifying a formula (in Python) like <syntaxhighlight lang="python" inline>ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</syntaxhighlight> with <syntaxhighlight lang="nix" inline>bantime-increment.formula</syntaxhighlight>, the multipliers with <syntaxhighlight lang="nix" inline>bantime-increment.multipliers</syntaxhighlight>, the maximum bantime with <syntaxhighlight lang="nix" inline>bantime-increment.maxtime</syntaxhighlight> and the indication to consider the bans issued throughout multiple jails with <syntaxhighlight lang="nix" inline>bantime-increment.overalljails</syntaxhighlight>
-* <source lang="nix" enclose="none">banaction</source> specifies which of the actions in <source lang="nix" enclose="none">/etc/fail2ban/action.d</source> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.)
+* <syntaxhighlight lang="nix" inline>banaction</syntaxhighlight> specifies which of the actions in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.)
-* <source lang="nix" enclose="none">extraPackages</source> contains a list of derivations whose outputs are needed by Fail2ban actions
+* <syntaxhighlight lang="nix" inline>extraPackages</syntaxhighlight> contains a list of derivations whose outputs are needed by Fail2ban actions
@@ Line 30: / Line 30: @@
        "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
        "8.8.8.8" # whitelist a specific IP
-       "nixos.wiki" # resolve the IP via DNS
+       "wiki.nixos.org" # resolve the IP via DNS
      ];
      bantime = "24h"; # Ban IPs for one day on the first ban
@@ Line 61: / Line 61: @@
 == Extending Fail2ban ==
-Fail2ban capabilities can be freely extended by adding new jails, filters, and actions; the first ones of them are already covered in the "Basic usage" section, while the other two need dedicated config files to be created in the <source lang="nix" enclose="none">/etc/fail2ban/filter.d</source> and <source lang="nix" enclose="none">/etc/fail2ban/action.d</source> folders.
+Fail2ban capabilities can be freely extended by adding new jails, filters, and actions; the first ones of them are already covered in the "Basic usage" section, while the other two need dedicated config files to be created in the <syntaxhighlight lang="nix" inline>/etc/fail2ban/filter.d</syntaxhighlight> and <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> folders.
-In order to do this, you'll have to add a <source lang="nix" enclose="none">environment.etc</source> section to your NixOS config file and specify there the contents of your custom actions and filters:
+In order to do this, you'll have to add a <syntaxhighlight lang="nix" inline>environment.etc</syntaxhighlight> section to your NixOS config file and specify there the contents of your custom actions and filters:
 <syntaxHighlight lang=nix>
@@ Line 83: / Line 83: @@
 The defined filters and actions can then be used in a new jail (created as seen above):
-<syntaxHighlight lang=nix>
+<syntaxhighlight lang="nix">
    services.fail2ban = {
      # --- snip ---
      jails = {
-       ngnix-url-probe.settings = {
+       nginx-url-probe.settings = {
          enabled = true;
          filter = "nginx-url-probe";
@@ Line 99: / Line 99: @@
      };
    };
-</syntaxHighlight>
+</syntaxhighlight>
 For more details on how to develop Fail2ban filters please see [https://fail2ban.readthedocs.io/en/latest/filters.html the official documentation].
@@ Line 109: / Line 109: @@
 [[Category:Applications]]
+[[Category:Server]]
+[[Category:Networking]]