Security/Fail2ban


Security » Fail2ban


Fail2ban » Install

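# Install fail2ban. The script is fed to a root shell on stdin; without -e a
# failed update/install would be hidden behind the trailing --version/clean.
sudo bash <<'EXE'
set -euo pipefail
apt-get update
# python3-systemd provides the journal backend (backend = systemd) that the
# sshd jail relies on; it is only a Recommends of fail2ban, so name it here.
apt-get install -y fail2ban python3-systemd
# Optional local MTA, only needed for mail-sending actions (action_mw/mwl):
# export DEBIAN_FRONTEND=noninteractive
# apt-get install -y --no-install-recommends msmtp msmtp-mta bsd-mailx
fail2ban-client --version
apt-get clean
EXE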
# Daemon-level override. With allowipv6 = no fail2ban does not handle IPv6
# addresses at all, so an offender arriving over IPv6 is not banned; on a
# dual-stack host prefer the default "auto".
sudo tee /etc/fail2ban/fail2ban.local >/dev/null <<'INI'
[Definition]
allowipv6 = no
INI
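# Enable at boot and start now. -e stops the run if enabling fails instead of
# continuing to a status call whose output would then be the only hint.
sudo bash <<'EXE'
set -euo pipefail
systemctl enable --now fail2ban
# status exits non-zero when the unit is not active, failing the run visibly
systemctl --no-pager status fail2ban
EXE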

Fail2ban » Config

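# Jail definitions. NOTE: the original set backend = systemd in [DEFAULT]; that
# backend reads the journal and ignores logpath, so the nginx and postgresql
# jails (which watch files) would start cleanly but never ban anything. The
# file backend is now the default and only sshd uses the journal.
sudo tee /etc/fail2ban/jail.local >/dev/null <<'INI'
###############################################
# DEFAULT SETTINGS
###############################################
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
# "auto" picks a file-based backend (pyinotify/polling) so each jail's logpath
# is actually read. Do NOT put "systemd" here: it reads the journal and ignores
# logpath. The sshd jail overrides it per-jail.
backend  = auto
# Never ban loopback; add remote app hosts / admin IPs here if applicable.
ignoreip = 127.0.0.1/8 ::1
# action_ bans only (no mail); see jail.conf for action_mw / action_mwl.
action   = %(action_)s


###############################################
# 1️⃣ SSH PROTECTION
###############################################
[sshd]
enabled  = true
port     = ssh
filter   = sshd
# Hosts without rsyslog (e.g. a minimal Debian 12) have no /var/log/auth.log,
# so sshd is read from the journal; logpath is only used by a file backend.
backend  = systemd
logpath  = /var/log/auth.log
maxretry = 5


###############################################
# 2️⃣ GENERAL NGINX PROTECTION (all VHOSTS)
###############################################
[nginx-general]
enabled  = true
port     = http,https
# nginx-http-auth matches HTTP basic-auth failures in error.log only; it is
# not a catch-all. Stock filters nginx-bad-request / nginx-botsearch /
# nginx-limit-req cover other cases if they are wanted.
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 10m
bantime  = 1h


###############################################################
# 3️⃣ APPLICATION LOGIN PROTECTION (academia.chorke.org)
###############################################################
[nginx-academia-login]
enabled  = true
port     = http,https
# custom filter: filter.d/nginx-academia-login.conf (nginx access log format)
filter   = nginx-academia-login
logpath  = /home/chorke/sites/academia.chorke.org/current/log/nginx.access.log
maxretry = 5
findtime = 10m
bantime  = 1h


###############################################
# 4️⃣ POSTGRESQL PROTECTION
###############################################
[postgresql]
enabled  = true
port     = 5432
# custom filter: filter.d/postgresql.conf; it expects the cluster to log with
# log_line_prefix = '%m %u %d %h ' (see the postgresql.conf step).
filter   = postgresql
logpath  = /var/log/postgresql/postgresql-*.log
maxretry = 5
INI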

Fail2ban » Filter

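# Custom filter for the Rails sign-in endpoint. The four status-specific
# lines are folded into one alternation (same matches, one regex to maintain).
sudo tee /etc/fail2ban/filter.d/nginx-academia-login.conf >/dev/null <<'INI'
[Definition]

# Failed login attempts for:
# https://academia.chorke.org/users/sign_in
# read from the nginx access log (combined format:
#   <ip> - <user> [<time>] "<request>" <status> <bytes> ...).
#
# Status codes counted as a failure:
# - 422 (Rails/Devise validation failure)
# - 401/403 (if used anywhere)
# - 303 (redirect on failure)
#   CAUTION: some Rails/Turbo setups also answer a *successful* sign-in with a
#   303 redirect; if so, every login counts towards maxretry. Confirm against
#   the access log before keeping 303 in the list.
#
# Dry-run against the real log:
#   fail2ban-regex /home/chorke/sites/academia.chorke.org/current/log/nginx.access.log nginx-academia-login
failregex = ^<HOST> - .* "POST /users/sign_in HTTP/[^"]*" (?:401|403|422|303)

ignoreregex =
INI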
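# Turn on connection logging with a prefix the fail2ban filter can parse.
# Originally seven unchecked sed -i calls followed by a full restart; now the
# config path is verified, each key is checked after editing (sed is silent
# when a key is absent), and the settings are applied with a reload, which
# all log_* parameters support, so client connections are not dropped.
sudo bash <<'EXE'
set -euo pipefail

# Adjust the version/cluster if "pg_lsclusters" shows a different one.
conf=/etc/postgresql/16/main/postgresql.conf
[[ -f "$conf" ]] || { printf 'not found: %s\n' "$conf" >&2; exit 1; }

# log_line_prefix must stay in step with filter.d/postgresql.conf, which expects
# "<timestamp> <user> <db> <client> FATAL: ..." lines. log_statement stays
# 'none' so statement text (which may carry credentials) never reaches the log.
settings=(
  "log_connections=on"
  "log_disconnections=on"
  "log_line_prefix='%m %u %d %h '"
  "log_statement='none'"
  "log_min_messages=warning"
  "log_min_error_statement=error"
  "log_min_duration_statement=-1"
)

for entry in "${settings[@]}"; do
  key=${entry%%=*}
  value=${entry#*=}
  # rewrite the line whether it is currently commented out or active
  sed -i "s|^[# ]*${key} *=.*|${key} = ${value}|" "$conf"
  grep -q "^${key} = " "$conf" || { printf 'not set: %s\n' "$key" >&2; exit 1; }
done

# every parameter above is reloadable; no restart needed
sudo -u postgres psql -qc "SELECT pg_reload_conf();"
EXE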
# Show the effective value of each logging parameter, one psql call per name.
sudo bash <<'EXE'
params=(
  log_connections
  log_disconnections
  log_line_prefix
  log_statement
  log_min_messages
  log_min_error_statement
  log_min_duration_statement
)
for name in "${params[@]}"; do
  sudo -u postgres psql -c "SHOW ${name};"
done
EXE
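# Custom PostgreSQL filter. Two defects in the original: (1) the password-
# failure regex waited for "host=<ip>" after the message, which the FATAL line
# does not carry — the client IP comes from the %h log prefix in front of it;
# (2) "connection received: host=..." was a failregex, but it is logged for
# EVERY connection, so legitimate clients were banned after maxretry connects.
sudo tee /etc/fail2ban/filter.d/postgresql.conf >/dev/null <<'INI'
[Definition]

# PostgreSQL authentication failures read from the cluster's file log.
# Assumes log_line_prefix = '%m %u %d %h ' (set in postgresql.conf), so a
# line looks like:
#   <timestamp> <user> <db> <client-ip> FATAL:  password authentication failed for user "..."
# Fail2ban strips the timestamp before matching; <HOST> is the %h token
# directly before the level. Unix-socket sessions log "[local]" there and
# therefore never match.
#
# Deliberately NOT matched:
#   connection received: host=<ip> ...   -- written for every connection,
#                                           successful or not
#   connection authorized: user=... ...  -- a success, must not count
#
# Dry-run against the real log, e.g.:
#   fail2ban-regex /var/log/postgresql/postgresql-16-main.log postgresql

failregex = ^.*\s<HOST> FATAL:\s+password authentication failed for user ".*"\s*$
            ^.*FATAL:\s+no pg_hba\.conf entry for host "<HOST>".*$
            ^.*\s<HOST> LOG:\s+invalid length of startup packet\s*$

ignoreregex =
INI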

Fail2ban » Restart

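# Apply the new jails/filters. The config is syntax-checked first so a typo in
# jail.local or a filter does not leave fail2ban down after the restart; the
# original's "reload" immediately followed by "restart" was redundant.
sudo bash <<'EXE'
set -euo pipefail
fail2ban-client -t
systemctl restart fail2ban
# for later edits, "fail2ban-client reload" applies them without a restart
fail2ban-client status
EXE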

# Per-jail status (filter, file list, currently/total banned) for each jail
# defined in jail.local.
sudo bash <<'EXE'
for jail in sshd nginx-general nginx-academia-login postgresql; do
  fail2ban-client status "$jail"
done
EXE

Fail2ban » Verify

# Only the "Banned" lines (currently banned, total banned, banned IP list) of
# each jail's status output.
sudo bash <<'EXE'
for jail in sshd nginx-general nginx-academia-login postgresql; do
  fail2ban-client status "$jail" | grep Banned
done
EXE

References
