Fix code blocks, add additional documentation

2023-01-09 14:50:52 +00:00 · 2023-01-09 14:50:52 +00:00 · 72f0e095ca
commit 72f0e095ca
parent 61869049a0
1 changed files with 66 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -7,18 +7,28 @@

 * Install uwsgi 

- sudo pkg install www/uwsgi
+    sudo pkg install www/uwsgi
+
+* Clone this repository
+
+## Configuration
+
+### rc.conf

 * Use the following for configuring uwsgi in rc.conf

-     sudo sysrc uwsgi\_enable="YES"
-     sudo sysrc uwsgi\_profiles="jail2ban\_pf"
-     sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"
+    sudo sysrc uwsgi\_enable="YES"
+    sudo sysrc uwsgi\_profiles="jail2ban\_pf"
+    sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"
+
+### jail2ban

 * Configure <installation root>/instance/config.py

-     SECRET\_KEY = os.urandom(32).hex()
-     AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'
+    SECRET\_KEY = os.urandom(32).hex()
+    AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'
+
+### nginx

 * Configure a nginx upstream and vhost

@ -42,8 +52,9 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f
        }
    }

-* Place anchors in pf for jail2ban to use
+### /etc/pf.conf

+* Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration

     anchor "f2b/*"
     anchor f2b-jail {
@ -55,25 +66,57 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f
 Having seperate anchors per jail makes it possible to have fine grained
 blocking: Something that is harmful to jail2 might be perfectly legit for jail2.

+#### Checking rules/tables made with fail2ban/jail2ban
 Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.:

-     sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
-     192.0.2.66
-     2001:db8:abad:cafe:0bad:f00d
+    sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
+    192.0.2.66
+    2001:db8:abad:cafe:0bad:f00d

 And the rules referencing these tables

-     sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
-     block drop quick proto tcp from <f2b-dovecot> to any port = pop3
-     block drop quick proto tcp from <f2b-dovecot> to any port = pop3s
-     block drop quick proto tcp from <f2b-dovecot> to any port = imap
-     block drop quick proto tcp from <f2b-dovecot> to any port = imaps
-     block drop quick proto tcp from <f2b-dovecot> to any port = submission
-     block drop quick proto tcp from <f2b-dovecot> to any port = smtps
-     block drop quick proto tcp from <f2b-dovecot> to any port = sieve
-     block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
-     block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
-     block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
-     block drop quick proto tcp from <f2b-sshd> to any port = ssh
-     block drop quick proto tcp from <f2b-recidive> to any
+    sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
+    block drop quick proto tcp from <f2b-dovecot> to any port = pop3
+    block drop quick proto tcp from <f2b-dovecot> to any port = pop3s
+    block drop quick proto tcp from <f2b-dovecot> to any port = imap
+    block drop quick proto tcp from <f2b-dovecot> to any port = imaps
+    block drop quick proto tcp from <f2b-dovecot> to any port = submission
+    block drop quick proto tcp from <f2b-dovecot> to any port = smtps
+    block drop quick proto tcp from <f2b-dovecot> to any port = sieve
+    block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
+    block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
+    block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
+    block drop quick proto tcp from <f2b-sshd> to any port = ssh
+    block drop quick proto tcp from <f2b-recidive> to any
    
+### fail2ban
+
+* Create the following action plugin for fail2ban on the jail desiring to use fail2ban/jail2ban
+
+```
+cat <<'EOT' | tee /usr/local/etc/fail2ban/action.d/jail2ban-pf.conf > /dev/null
+Definition]
+actionstart = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XPUT -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
+actionstart_on_demand = false
+actionstop = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XDELETE -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
+actionflush = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X GET http://localhost/flush/<name>
+actioncheck = 
+actionban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X PUT -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
+actionunban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X DELETE -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
+[Init]
+protocol = tcp
+actiontype = <multiport>
+allports = any
+multiport = any port {<port>}
+jail2ban_sock = /var/run/pf2ban/jail2ban.sock
+jail2ban_user = login as set in password file for jail2ban
+jail2ban_pass = password as set in password file for jail2ban
+```
+
+* Configure jail.local
+
+```
+cat <<'EOT' | tee /usr/local/etc/fail2ban/jail.local > /dev/null
+[DEFAULT]
+banaction = jail2ban-pf
+```