From 72f0e095ca41b43127258d9b5fa2687edaaced7b Mon Sep 17 00:00:00 2001
From: Ruben van Staveren
Date: Mon, 9 Jan 2023 14:50:52 +0000
Subject: [PATCH] Fix code blocks, add additional documentation

---
 README.md | 89 +++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 66 insertions(+), 23 deletions(-)

diff --git a/README.md b/README.md
index 1a63a47..104a48f 100644
--- a/README.md
+++ b/README.md
@@ -7,18 +7,28 @@
 * Install uwsgi
- sudo pkg install www/uwsgi
+ sudo pkg install www/uwsgi
+
+* Clone this repository
+
+## Configuration
+
+### rc.conf
 * Use the following for configuring uwsgi in rc.conf
- sudo sysrc uwsgi\_enable="YES"
- sudo sysrc uwsgi\_profiles="jail2ban\_pf"
- sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"
+ sudo sysrc uwsgi\_enable="YES"
+ sudo sysrc uwsgi\_profiles="jail2ban\_pf"
+ sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"
+
+### jail2ban
 * Configure /instance/config.py
- SECRET\_KEY = os.urandom(32).hex()
- AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'
+ SECRET\_KEY = os.urandom(32).hex()
+ AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'
+
+### nginx
 * Configure a nginx upstream and vhost
@@ -42,8 +52,9 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f
 }
 }
-* Place anchors in pf for jail2ban to use
+### /etc/pf.conf
+* Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration
 anchor "f2b/*"
 anchor f2b-jail {
@@ -55,25 +66,57 @@ _Of course you can listen on ipv4/ipv6 but you want to protect these addresses f
 Having seperate anchors per jail makes it possible to have fine grained blocking: Something that is harmful to jail2 might be perfectly legit for jail2.
+#### Checking rules/tables made with fail2ban/jail2ban
 Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.:
- sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
- 192.0.2.66
- 2001:db8:abad:cafe:0bad:f00d
+ sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
+ 192.0.2.66
+ 2001:db8:abad:cafe:0bad:f00d
 And the rules referencing these tables
- sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
- block drop quick proto tcp from to any port = pop3
- block drop quick proto tcp from to any port = pop3s
- block drop quick proto tcp from to any port = imap
- block drop quick proto tcp from to any port = imaps
- block drop quick proto tcp from to any port = submission
- block drop quick proto tcp from to any port = smtps
- block drop quick proto tcp from to any port = sieve
- block drop quick proto tcp from to any port = submission
- block drop quick proto tcp from to any port = smtps
- block drop quick proto tcp from to any port = smtp
- block drop quick proto tcp from to any port = ssh
- block drop quick proto tcp from to any
+ sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
+ block drop quick proto tcp from to any port = pop3
+ block drop quick proto tcp from to any port = pop3s
+ block drop quick proto tcp from to any port = imap
+ block drop quick proto tcp from to any port = imaps
+ block drop quick proto tcp from to any port = submission
+ block drop quick proto tcp from to any port = smtps
+ block drop quick proto tcp from to any port = sieve
+ block drop quick proto tcp from to any port = submission
+ block drop quick proto tcp from to any port = smtps
+ block drop quick proto tcp from to any port = smtp
+ block drop quick proto tcp from to any port = ssh
+ block drop quick proto tcp from to any
+### fail2ban
+
+* Create the following action plugin for fail2ban on the jail desiring to use fail2ban/jail2ban
+
+```
+cat <<'EOT' | tee /usr/local/etc/fail2ban/action.d/jail2ban-pf.conf > /dev/null
+Definition]
+actionstart = curl --unix-socket --basic -u ':' -XPUT -H 'Content-Type: application/json' -d '{"port":"","name":"","protocol":""}' http://localhost/register
+actionstart_on_demand = false
+actionstop = curl --unix-socket --basic -u ':' -XDELETE -H 'Content-Type: application/json' -d '{"port":"","name":"","protocol":""}' http://localhost/register
+actionflush = curl --unix-socket --basic -u ':' -X GET http://localhost/flush/
+actioncheck =
+actionban = curl --unix-socket --basic -u ':' -X PUT -H 'Content-Type: application/json' -d '{"name":"","ip":""}' http://localhost/ban
+actionunban = curl --unix-socket --basic -u ':' -X DELETE -H 'Content-Type: application/json' -d '{"name":"","ip":""}' http://localhost/ban
+[Init]
+protocol = tcp
+actiontype =
+allports = any
+multiport = any port {}
+jail2ban_sock = /var/run/pf2ban/jail2ban.sock
+jail2ban_user = login as set in password file for jail2ban
+jail2ban_pass = password as set in password file for jail2ban
+```
+
+* Configure jail.local
+
+```
+cat <<'EOT' | tee /usr/local/etc/fail2ban/jail.local > /dev/null
+[DEFAULT]
+banaction = jail2ban-pf
+```