Warning: these instructions were only tested on Debian. They will probably work on other Linux distributions, but you may need to adapt them.
Fail2ban is a program that parses logs and bans hosts that try to abuse your system. It does not replace a firewall, but it is a good complement: it stops people from trying thousands of passwords against your server.
This guide configures Fail2ban to work with nftables.
Install fail2ban. The trailing - on iptables- tells apt to remove iptables in the same run, since nftables replaces it:
# apt install fail2ban iptables-
Note: Debian Stretch (currently in testing) contains a much nicer version of fail2ban (0.9.6) than Jessie (current stable, 0.8.13). Configuration was simplified a lot between the two releases, and installing the version from stretch will save you migration pain later. Jessie's version also predates the nftables actions used below. Make sure you have configured a stretch source before running the command below.
# apt install fail2ban/stretch iptables-
Note 2: on multiarch systems (both amd64 and i386 enabled), you may need the following command to avoid pulling in iptables:
# apt install fail2ban iptables- iptables:i386-
After you change the configuration or add a new jail, don't forget to restart fail2ban:
# service fail2ban restart
nftables support was added in release 0.9.4 (check yours with fail2ban-client --version). If you have an older release, copy the three nftables-* action files (nftables-common.conf, nftables-multiport.conf and nftables-allports.conf) from the official repository into /etc/fail2ban/action.d.
Create file /etc/nftables/fail2ban.conf
#!/usr/sbin/nft -f
# Use the ip family: the 0.9 nftables actions only handle IPv4
# (IPv6 support and the inet family arrived with fail2ban 0.10)
table ip fail2ban {
	chain input {
		# Base chain on the input hook. nftables evaluates base chains in
		# ascending priority order, so priority 100 runs after the standard
		# filter chain (priority 0). Packets accepted there still reach this
		# chain; lower the value if you want bans evaluated before your own rules.
		type filter hook input priority 100;
	}
}
Then add line include "/etc/nftables/fail2ban.conf" in /etc/nftables.conf.
Finally load the rule into nftables and check that the table is present:
# nft -f /etc/nftables/fail2ban.conf
# nft list table ip fail2ban
Create file /etc/fail2ban/action.d/nftables-common.local
[Init]
# Family and table used, matching /etc/nftables/fail2ban.conf
nftables_family = ip
nftables_table = fail2ban
# Drop packets silently instead of rejecting them
blocktype = drop
# No prefix on set names: set names are limited to 15 characters,
# so keep all of them for the jail name
nftables_set_prefix =
Create file /etc/fail2ban/jail.local
[DEFAULT]
# Destination address for actions that send you mail
destemail = fail2ban@mydomain.example
# Sender address. Warning: not all actions honour it; test before relying on it
sender = fail2ban@mydomain.example
# Default action: ban the host and mail you the whois record and the matching log lines
action = %(action_mwl)s
# Use the nftables actions and the chain defined in /etc/nftables/fail2ban.conf
banaction = nftables-multiport
chain = input
The recidive jail bans hosts for a longer period when they have been banned several times in a row by other jails. It works by reading fail2ban's own log and counting the Ban lines per host.
Create file /etc/fail2ban/jail.d/recidive.conf
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that the loglevel specified in fail2ban.conf/.local
#    is not DEBUG, which might cause fail2ban to fall into an infinite
#    loop, constantly feeding itself with non-informative lines.
# 2. If you increase bantime, you must increase dbpurgeage so that
#    entries for failed logins are kept long enough. The default is
#    defined in fail2ban.conf and you can override it in fail2ban.local.
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = nftables-allports
bantime   = 86400  ; 1 day
findtime  = 86400  ; 1 day
maxretry  = 3
protocol  = 0-255
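To see what the jail above actually does with maxretry=3 and findtime=86400, here is a small model of the recidive logic run over a few constructed fail2ban.log lines. This is an added example written for this page, not fail2ban's own code: the regex is a simplified version of the shipped filter.d/recidive.conf, the log lines are made up, and the counting mirrors the jail's behaviour (bans issued by recidive itself are ignored so the jail does not feed on its own output, and lines at other log levels never match).

```python
"""Simplified model of fail2ban's recidive jail (added example, not fail2ban code).

It reads fail2ban's own log, counts the "Ban" lines per host issued by the
other jails, and reports a host once it has been banned `maxretry` times within
`findtime` seconds, the condition configured in the recidive jail above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format of the lines fail2ban 0.9 writes to /var/log/fail2ban.log:
# "<timestamp> fail2ban.actions [<pid>]: NOTICE [<jail>] Ban <ip>"
# Simplified version of the failregex in filter.d/recidive.conf (assumption).
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s*"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log: two hosts, one Unban, one DEBUG line and one ban
# placed by recidive itself, none of which must count.
SAMPLE_LOG = """\
2016-10-03 10:00:00,101 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-10-03 10:00:05,102 fail2ban.filter         [1234]: DEBUG   Found 192.0.2.10 - 2016-10-03 10:00:05
2016-10-03 11:30:00,103 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.10
2016-10-03 12:00:00,104 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-10-03 12:00:00,105 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 198.51.100.7
2016-10-03 14:00:00,106 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-10-03 14:00:01,107 fail2ban.actions        [1234]: NOTICE  [recidive] Ban 192.0.2.10
2016-10-05 09:00:00,108 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 198.51.100.7
2016-10-05 10:00:00,109 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 198.51.100.7
"""


def parse_bans(lines, own_jail="recidive"):
    """Yield (time, jail, ip) for every Ban line issued by a jail other than recidive.

    Bans placed by recidive itself are skipped, otherwise the jail would count
    its own output. Unban, DEBUG and INFO lines do not match the regex at all;
    the jail's warning about DEBUG level is about the volume of such lines
    fail2ban would then have to scan in its own log on every pass.
    """
    for line in lines:
        m = BAN_RE.match(line)
        if not m or m.group("jail") == own_jail:
            continue
        yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("jail"), m.group("ip")


def recidive(lines, maxretry=3, findtime=86400):
    """Return the hosts recidive would ban, in order, as (ip, time_of_ban).

    A host is banned when its maxretry-th ban by another jail falls within
    findtime seconds of the earlier ones; older bans slide out of the window.
    Once banned, the host's counter is cleared, as the failure list is consumed
    when a ban is issued.
    """
    window = timedelta(seconds=findtime)
    history = defaultdict(list)
    banned = []
    for when, _jail, ip in sorted(parse_bans(lines)):
        hits = [t for t in history[ip] if when - t <= window] + [when]
        history[ip] = hits
        if len(hits) >= maxretry:
            banned.append((ip, when))
            history[ip] = []
    return banned


if __name__ == "__main__":
    for ip, when in recidive(SAMPLE_LOG.splitlines()):
        print("recidive would ban %s at %s" % (ip, when))
```

With the jail's settings only 192.0.2.10 is banned (three sshd bans within 24 hours); 198.51.100.7 is not, because its first ban falls outside the 24-hour findtime window by the time the third one arrives. Raising findtime to three days catches it too, which is the trade-off the bantime/findtime pair controls.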
Rules specific to one program are documented on the program page. You can see the list on the fail2ban category page.