diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2022-12-14 12:01:33 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2022-12-18 13:29:34 +0100 |
| commit | 7ea3baad594b889f6f7f4e7e4ccc4dc7c0099bc6 (patch) | |
| tree | 211a5c2004e22bc858c00560bbd37e1137b07816 /roles/common/templates/etc | |
| parent | c854664b9043e9a04fe0115fb115643543eddf6f (diff) | |
Improve Debian 11's fail2ban rules.
Diffstat (limited to 'roles/common/templates/etc')
| -rw-r--r-- | roles/common/templates/etc/fail2ban/jail.local.j2 | 4 | ||||
| -rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 6 |
2 files changed, 6 insertions, 4 deletions
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index b01709a..3cd19cc 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -1,36 +1,38 @@ # {{ ansible_managed }} # Do NOT edit this file directly! [DEFAULT] # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = admin@fripost.org # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses # can be defined using space (and/or comma) separator. ignoreip = 127.0.0.0/8, ::1, {{ ipsec_subnet }} banaction = nftables-allports -logpath = /var/log/fail2ban/fail2ban.log + +# must match nftables.conf's blackholes timeouts +bantime = 10m # # JAILS # [sshd] enabled = true [postfix] enabled = {{ 'MX' in group_names }} [dovecot] enabled = {{ 'IMAP' in group_names }} [postfix-sasl] enabled = {{ 'MSA' in group_names }} [roundcube-auth] enabled = {{ 'webmail' in group_names }} logpath = /var/log/roundcube/errors.log diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index 66b1f9d..805d1a8 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -128,83 +128,83 @@ table inet raw { # stateless filter for bogus TCP packets tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet tcp flags & (fin|psh|urg) == fin|psh|urg counter drop # XMAS packet tcp flags & (syn|rst) == syn|rst counter drop tcp flags & (fin|rst) == fin|rst counter drop tcp flags & (fin|syn) == fin|syn counter drop tcp flags & (fin|psh|ack) == fin|psh counter drop } chain PREROUTING { type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200) policy accept # stateful filter ct state invalid counter drop } } table inet filter { - # blackholes + # blackholes (timeout must match /etc/fail2ban/jail.local) set fail2ban { type ipv4_addr; timeout 10m; } set fail2ban6 { type ipv6_addr; timeout 10m; } chain input { type filter hook input priority 0 policy drop iif lo accept # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions # to match match inbound resp. outbound policies and source resp. destination tunnel addresses. # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP # encapsulation.) We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way # peers can't impersonate each other. meta l4proto esp accept # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already meta l4proto { icmp, icmpv6 } counter accept # NTP (ntpd uses sport 123 but systemd-timesyncd does not) udp sport 123 ct state related,established accept {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} udp sport 4500 udp dport 4500 ct state new,related,established accept {% endif %} {% endif %} udp sport 53 ct state related,established accept tcp sport 53 ct state related,established accept {% if 'dhclient' in group_names %} ip version 4 udp sport 67 udp dport 68 ct state related,established accept ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept {% endif %} - meta l4proto tcp ip saddr @fail2ban counter drop - meta l4proto tcp ip6 saddr @fail2ban6 counter drop + ip saddr @fail2ban counter drop + ip6 saddr @fail2ban6 counter drop tcp dport $in-tcp-ports ct state related,established accept tcp dport $in-tcp-ports ct state new counter accept tcp sport $out-tcp-ports ct state related,established accept } chain output { type filter hook output priority 0 policy drop oif lo accept # XXX Bullseye: unlike for input we can't use marks or test for # secpath existence here, because by the time we see a packet to # 172.16.0.0/24 we don't know if it'll be encapsulated meta l4proto esp accept # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept meta l4proto { icmp, icmpv6 } counter accept |