# Fail2Ban
**Fail2Ban** is intrusion prevention software that protects servers against brute-force attacks. It monitors certain logs and bans IP addresses that show brute-force-like behavior.

In particular, **Fail2Ban** monitors `SSH` connection attempts. After 5 failed SSH connection attempts, Fail2Ban will ban the IP address from connecting via SSH for 10 minutes. If this address fails several times, it might get banned for a week.

## Unban an IP address

To unblock an IP address, you must first access your server by some means (for example from another IP address or from another internet connection than the banned one).

Then, look at **Fail2Ban's log** to identify in which `jail` the IP address has been banned:
```bash
sudo tail /var/log/fail2ban.log
2019-01-07 16:24:47 fail2ban.filter [1837]: INFO [sshd] Found 11.22.33.44
2019-01-07 16:24:49 fail2ban.filter [1837]: INFO [sshd] Found 11.22.33.44
2019-01-07 16:24:51 fail2ban.filter [1837]: INFO [sshd] Found 11.22.33.44
2019-01-07 16:24:54 fail2ban.filter [1837]: INFO [sshd] Found 11.22.33.44
2019-01-07 16:24:57 fail2ban.filter [1837]: INFO [sshd] Found 11.22.33.44
2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE [sshd] Ban 11.22.33.44
2019-01-07 16:24:57 fail2ban.filter [1837]: NOTICE [recidive] Ban 11.22.33.44
```

Here, the `11.22.33.44` IP address has been banned in the `sshd` and `recidive` jails.

Then unban the IP address with the following commands:
```bash
sudo fail2ban-client set sshd unbanip 11.22.33.44
sudo fail2ban-client set recidive unbanip 11.22.33.44
```
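
The `tail` output can include bans that have since expired (the `sshd` ban lasts 10 minutes), so one way to find the jails where an address is still banned is to replay the log's `Ban`/`Unban` events in order. This is an added example, not part of the original YunoHost documentation; the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not YunoHost's code): replay Ban/Unban events from a
# Fail2Ban log to find the jails where an IP is still banned.

# jails_banning IP [LOGFILE] -> one jail name per line, sorted
jails_banning() {
    local ip="$1" log="${2:-/var/log/fail2ban.log}"
    awk -v ip="$ip" '
        {
            for (i = 3; i < NF; i++) {
                if (($i == "Ban" || $i == "Unban") && $(i + 1) == ip) {
                    # Jail is the bracketed field before the action; newer
                    # Fail2Ban versions also log "[jail] Restore Ban <ip>".
                    j = ($(i - 1) == "Restore") ? i - 2 : i - 1
                    jail = $j
                    gsub(/^\[|\]$/, "", jail)
                    banned[jail] = ($i == "Ban")   # last event wins
                }
            }
        }
        END { for (jail in banned) if (banned[jail]) print jail }
    ' "$log" | sort
}

# unban_commands IP [LOGFILE] -> the unbanip command for each such jail
unban_commands() {
    local ip="$1" log="${2:-/var/log/fail2ban.log}" jail
    jails_banning "$ip" "$log" | while read -r jail; do
        printf 'sudo fail2ban-client set %s unbanip %s\n' "$jail" "$ip"
    done
}

# Constructed sample log in the format shown above (not real data).
sample_log() {
    cat <<'EOF'
2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE [sshd] Ban 11.22.33.44
2019-01-07 16:24:57 fail2ban.filter [1837]: NOTICE [recidive] Ban 11.22.33.44
2019-01-07 16:30:02 fail2ban.actions [1837]: NOTICE [sshd] Ban 203.0.113.7
2019-01-07 16:34:57 fail2ban.actions [1837]: NOTICE [sshd] Unban 11.22.33.44
EOF
}

demo_log=$(mktemp)
sample_log > "$demo_log"
unban_commands 11.22.33.44 "$demo_log"   # only recidive is still active
rm -f "$demo_log"
```

Rotated log files are not read, so a ban recorded before the last rotation will be missed; `sudo fail2ban-client status sshd` lists the addresses a jail currently bans.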
## Whitelist an IP address

If you don't want a "legitimate" IP address to be blocked by **YunoHost** anymore, you have to add it to the whitelist of the `jail` configuration file.

When the **Fail2Ban** software is updated, the original `/etc/fail2ban/jail.conf` file is overwritten. We therefore store the changes in a new dedicated file, where they will be preserved over time.

1. Start by creating the new jail configuration file which will be called `yunohost-whitelist.conf`:
```bash
sudo touch /etc/fail2ban/jail.d/yunohost-whitelist.conf
```
2. Edit this new file with your favorite editor:
```bash
sudo nano /etc/fail2ban/jail.d/yunohost-whitelist.conf
```
3. Paste the following content into the file and adapt the IP address `XXX.XXX.XXX.XXX`:
```ini
[DEFAULT]
# The IP address that you want to whitelist (you can put more than one, separated by a space).
# Keep this comment on its own line: Fail2Ban uses `#` for whole-line comments only.
ignoreip = 127.0.0.1/8 XXX.XXX.XXX.XXX
```
4. Save the file and reload the Fail2Ban configuration:
```bash
sudo fail2ban-client reload
```
Congratulations, no more risks of banning yourself from your own YunoHost server!