Improve Debian 11's fail2ban rules.

7 files changed, 15 insertions, 35 deletions

diff --git a/roles/common/files/etc/fail2ban/action.d/nftables-allports.local b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
index 3c8c030..3b9ebc8 100644
--- a/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
+++ b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
@@ -1,16 +1,16 @@
 [Definition]
 # No need to create sets and rules, these are defined globally in nftables.conf
 actionstart =
 actionstop =
 actioncheck =
 
 # unbanning is taken care of by setting a timeout on the nft set already
 actionunban =
 
 [Init]
 # With banaction = *-allports there is no need for separate rule names
-set_name = fail2ban
-blocktype = drop
+table = filter
+addr_set = fail2ban
 
 [Init?family=inet6]
-set_name = fail2ban6
+addr_set = fail2ban6
diff --git a/roles/common/files/etc/fail2ban/fail2ban.local b/roles/common/files/etc/fail2ban/fail2ban.local
index 53cba35..23a92e9 100644
--- a/roles/common/files/etc/fail2ban/fail2ban.local
+++ b/roles/common/files/etc/fail2ban/fail2ban.local
@@ -1,20 +1,9 @@
 [Definition]
 
-# Option: logtarget
-# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
-#         Only one log target can be specified.
-#         If you change logtarget from the default value and you are
-#         using logrotate -- also adjust or disable rotation in the
-#         corresponding configuration file
-#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
-# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
-#
-logtarget = /var/log/fail2ban/fail2ban.log
-
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
 #         A value of ":memory:" means database is only stored in memory
 #         and data is lost when fail2ban is stopped.
 #         A value of "None" disables the database.
 # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
 dbfile = None
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local
index b626946..9b0d0fe 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local
@@ -62,40 +62,42 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: getfile: [._[:alnum:]-]+ not found on remote server \(IP: [.[:digit:]]+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Incremental update failed, trying to download daily\.cvd$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (WARNING|ERROR): (getpatch: )?Can't download [._[:alnum:]-]+ from [.[:alnum:]-]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> \*Can't query [._[:alnum:]-]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Downloading [._[:alnum:]-]+ \[[[:digit:]]+%\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> DON'T PANIC! Read https?://www\.clamav\.net/(support/faq|documents/upgrading-clamav)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> DON'T PANIC! Read https://docs\.clamav\.net/manual/Installing\.html$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Database updated \([0-9]+ signatures\) from .* \(IP: [[:xdigit:].:]{3,39}\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Clamd successfully notified about the update\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Received signal: re-opening log file$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Reading databases from /var/lib/clamav$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> SelfCheck: (Database status OK|Database modification detected\. Forcing reload)\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Database correctly reloaded \([0-9]+ signatures\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> SIGHUP caught: re-opening log file\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Activating the newly loaded database\.\.\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+ *\] Peer [.[:digit:]]+:[[:digit:]]+/[[:digit:]]+ unexpectedly shrunk window [[:digit:]]+:[[:digit:]]+ \(repaired\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd:  \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www\.rsyslog\.com"\] rsyslogd was HUPed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/sd[a-z] \[SAT\], CHECK POWER STATUS spins up disk \(0x[0-9a-f]{2} -> 0xff\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9.]+|<stdin>): Invoked with
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[0-9]+\]: ansible-[_a-z0-9.]+ Invoked with
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fail2ban-server\[[0-9]+\]: fail2ban\.filter\s*\[[0-9]+\]: INFO\s+\[[._[:alnum:]-]+\] Found [[:xdigit:].:]{3,39} -
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fail2ban-server\[[0-9]+\]: fail2ban\.actions\s*\[[0-9]+\]: NOTICE\s+\[sshd\] (Ban|Unban) [[:xdigit:].:]{3,39}
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Request::Message::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::(Bulk|Spool)::store\(\)
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: info Sympa::Spool::_create\(\) Creating directory /var/spool/sympa/auth
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: (info|notice) Sympa::Spindle::Process(Incoming|Message|Template|Digest)::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: info Sympa::Spindle::Do(Command|Message)::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: info Sympa::Request::Handler::(subscribe|confirm|reject|signoff|distribute)::_twist\(\)
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: (info|notice) Sympa::Spindle::To(List|Moderation|Auth|Held)::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Spindle::AuthorizeMessage::_twist\(\) Message Sympa::Message .* rejected\(\) because sender not allowed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: err main::#[0-9]+ > Sympa::Spindle::spin#[0-9]+ >
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: (info|notice) main::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: (info|notice) Sympa::(Spindle::ProcessTask|Spool)::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info main::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info Sympa::Ticket::load\(\) Ticket:
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: notice main:: Redirecting to\s
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: notice main::do_login\(\) Authentication failed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err main::#[0-9]+ > main::do_login#[0-9]+ > Sympa::WWW::Auth::check_auth#[0-9]+ > Sympa::WWW::Auth::authentication#[0-9]+ Incorrect password for user\s
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: notice Sympa::WWW::Tools::_get_css_url\(\) Template file /usr/share/sympa/default/web_tt2/css\.tt2 or configuration has changed; updating CSS file /var/lib/sympa/css/[.[:alnum:]-]+/style\.css$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info Sympa::WWW::Session::new\(\) Ignoring unknown session cookie
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err main::#[0-9]+ > main::get_parameters#[0-9]+ \[robot [.[:alnum:]-]+\] \[client [[:xdigit:].:]{3,39}\] Syntax error for parameter action value "(lists|search_list_request)#[^"]+" not conform to regexp:
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err main::#[0-9]+ > main::check_action_parameters#[0-9]+ \[robot [.[:alnum:]-]+\] \[session [[:xdigit:]]+\] \[client [[:xdigit:].:]{3,39}\] \[list [.[:alnum:]-]+\] User not logged in$
diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
index e3e651f..b34d130 100644
--- a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
+++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
@@ -1,18 +1,21 @@
 [Unit]
 After=nftables.service
 
 [Service]
+ExecStartPre=
+ExecStart=
+ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
+
 # Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
 SupplementaryGroups=adm
 
 # Hardening
 NoNewPrivileges=yes
 ProtectSystem=strict
-ReadWriteDirectories=/var/log/fail2ban
 RuntimeDirectory=fail2ban
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index e56deaf..563075f 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,39 +1,23 @@
 - name: Install fail2ban
   apt: pkg=fail2ban
 
-# Log into a dedicate directory so we can use ReadWriteDirectories in
-# the .service file
-- name: Create directory /var/log/fail2ban
-  file: path=/var/log/fail2ban
-        state=directory
-        owner=root group=adm
-        mode=0750
-
-- name: Fix fail2ban logrotate snippet
-  lineinfile: dest=/etc/logrotate.d/fail2ban
-              state=present
-              line="/var/log/fail2ban/*.log"
-              insertbefore="^[^#]*\\s{$"
-  tags:
-    - logrotate
-
 - name: Configure fail2ban (fail2ban.local)
   copy: src=etc/fail2ban/fail2ban.local
         dest=/etc/fail2ban/fail2ban.local
         owner=root group=root
         mode=0644
   register: r1
   notify:
     - Restart fail2ban
 
 - name: Configure fail2ban (jail.local)
   template: src=etc/fail2ban/jail.local.j2
             dest=/etc/fail2ban/jail.local
             owner=root group=root
             mode=0644
   register: r2
   notify:
     - Restart fail2ban
 
 - name: Configure fail2ban (action.d/nftables-allports.local)
   copy: src=etc/fail2ban/action.d/nftables-allports.local
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index b01709a..3cd19cc 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -1,36 +1,38 @@
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
 
 [DEFAULT]
 
 # Destination email address used solely for the interpolations in
 # jail.{conf,local} configuration files.
 destemail = admin@fripost.org
 
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
 ignoreip = 127.0.0.0/8, ::1, {{ ipsec_subnet }}
 
 banaction = nftables-allports
-logpath = /var/log/fail2ban/fail2ban.log
+
+# must match nftables.conf's blackholes timeouts
+bantime = 10m
 
 #
 # JAILS
 #
 
 [sshd]
 enabled = true
 
 [postfix]
 enabled = {{ 'MX' in group_names }}
 
 [dovecot]
 enabled = {{ 'IMAP' in group_names }}
 
 [postfix-sasl]
 enabled  = {{ 'MSA' in group_names }}
 
 [roundcube-auth]
 enabled = {{ 'webmail' in group_names }}
 logpath = /var/log/roundcube/errors.log
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 66b1f9d..805d1a8 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -128,83 +128,83 @@ table inet raw {
 
         # stateless filter for bogus TCP packets
         tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet
         tcp flags & (fin|psh|urg) == fin|psh|urg     counter drop # XMAS packet
         tcp flags & (syn|rst) == syn|rst             counter drop
         tcp flags & (fin|rst) == fin|rst             counter drop
         tcp flags & (fin|syn) == fin|syn             counter drop
         tcp flags & (fin|psh|ack) == fin|psh         counter drop
     }
 
     chain PREROUTING {
         type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200)
         policy accept
 
         # stateful filter
         ct state invalid counter drop
     }
 }
 
 table inet filter {
-    # blackholes
+    # blackholes (timeout must match /etc/fail2ban/jail.local)
     set fail2ban  { type ipv4_addr; timeout 10m; }
     set fail2ban6 { type ipv6_addr; timeout 10m; }
 
     chain input {
         type filter hook input priority 0
         policy drop
 
         iif lo accept
 
         # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions
         # to match match inbound resp. outbound policies and source resp. destination tunnel addresses.
         # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
         # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
         # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP
         # encapsulation.)  We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way
         # peers can't impersonate each other.
         meta l4proto esp accept
         # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept
         ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
 
         # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already
         meta l4proto { icmp, icmpv6 } counter accept
 
         # NTP (ntpd uses sport 123 but systemd-timesyncd does not)
         udp sport 123 ct state related,established accept
 
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
 {% endif %}
 {% endif %}
 
         udp sport 53 ct state related,established accept
         tcp sport 53 ct state related,established accept
 {% if 'dhclient' in group_names %}
         ip  version 4 udp sport  67 udp dport  68 ct state related,established accept
         ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept
 {% endif %}
 
-        meta l4proto tcp ip  saddr @fail2ban  counter drop
-        meta l4proto tcp ip6 saddr @fail2ban6 counter drop
+        ip  saddr @fail2ban  counter drop
+        ip6 saddr @fail2ban6 counter drop
 
         tcp dport $in-tcp-ports  ct state related,established accept
         tcp dport $in-tcp-ports  ct state new counter accept
         tcp sport $out-tcp-ports ct state related,established accept
     }
 
     chain output {
         type filter hook output priority 0
         policy drop
 
         oif lo accept
 
         # XXX Bullseye: unlike for input we can't use marks or test for
         # secpath existence here, because by the time we see a packet to
         # 172.16.0.0/24 we don't know if it'll be encapsulated
         meta l4proto esp accept
         # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept
         ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
 
         meta l4proto { icmp, icmpv6 } counter accept