diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2020-01-23 05:33:17 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-01-25 01:57:05 +0100 |
| commit | ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch) | |
| tree | d4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/files/etc | |
| parent | 7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff) | |
Improve/harden fail2ban configuration.
* Use nftables sets with a timeout
* Start daemon with a hardened unit file and restricted Capability
Bounding Set. (This requires to change the log path to
/var/log/fail2ban/*.)
* Skip database as we don't care about persistence.
* Refactor jail.local
Diffstat (limited to 'roles/common/files/etc')
5 files changed, 60 insertions, 16 deletions
diff --git a/roles/common/files/etc/fail2ban/action.d/nftables-allports.local b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local new file mode 100644 index 0000000..3c8c030 --- /dev/null +++ b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local @@ -0,0 +1,16 @@ +[Definition] +# No need to create sets and rules, these are defined globally in nftables.conf +actionstart = +actionstop = +actioncheck = + +# unbanning is taken care of by setting a timeout on the nft set already +actionunban = + +[Init] +# With banaction = *-allports there is no need for separate rule names +set_name = fail2ban +blocktype = drop + +[Init?family=inet6] +set_name = fail2ban6 diff --git a/roles/common/files/etc/fail2ban/fail2ban.local b/roles/common/files/etc/fail2ban/fail2ban.local new file mode 100644 index 0000000..53cba35 --- /dev/null +++ b/roles/common/files/etc/fail2ban/fail2ban.local @@ -0,0 +1,20 @@ +[Definition] + +# Option: logtarget +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. +# Only one log target can be specified. +# If you change logtarget from the default value and you are +# using logrotate -- also adjust or disable rotation in the +# corresponding configuration file +# (e.g. /etc/logrotate.d/fail2ban on Debian systems) +# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR +# +logtarget = /var/log/fail2ban/fail2ban.log + +# Options: dbfile +# Notes.: Set the file for the fail2ban persistent data to be stored. +# A value of ":memory:" means database is only stored in memory +# and data is lost when fail2ban is stopped. +# A value of "None" disables the database. +# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3 +dbfile = None diff --git a/roles/common/files/etc/fail2ban/filter.d/nextcloud.conf b/roles/common/files/etc/fail2ban/filter.d/nextcloud.conf new file mode 100644 index 0000000..22305d6 --- /dev/null +++ b/roles/common/files/etc/fail2ban/filter.d/nextcloud.conf @@ -0,0 +1,6 @@ +# Source: https://github.com/nextcloud/vm/blob/master/apps/fail2ban.sh + +[Definition] +failregex=(?:^{|,)\"message\":\"Login failed: <F-USER>.*?</F-USER> \(Remote IP: '<HOST>'\)\"(:?,|}$) + (?:^{|,)\"message\":\"Login failed: <F-USER>.*?</F-USER> \(Remote IP: <HOST>\)\"(:?,|}$) + (?:^{|,)\"remoteAddr\":\"<HOST>\",.*Trusted domain error diff --git a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf deleted file mode 100644 index c8cb5d3..0000000 --- a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf +++ /dev/null @@ -1,16 +0,0 @@ -[Definition] - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "<HOST>" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) -# Values: TEXT -# -failregex = IMAP Error: Login failed for \S+ from <HOST>\. AUTHENTICATE \S+: Authentication failed\. - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# -ignoreregex = diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf new file mode 100644 index 0000000..e3e651f --- /dev/null +++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf @@ -0,0 +1,18 @@ +[Unit] +After=nftables.service + +[Service] +# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH +SupplementaryGroups=adm + +# Hardening +NoNewPrivileges=yes +ProtectSystem=strict +ReadWriteDirectories=/var/log/fail2ban +RuntimeDirectory=fail2ban +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_NETLINK +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW |