ruben/jail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ruben:a64d17b2e8921783a7d2a81235d8d2db2956a320
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1
..
compare: ruben:9c6208f5c0f3310ec2cca8218a0735ff6873d8e9
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1

No commits in common. "a64d17b2e8921783a7d2a81235d8d2db2956a320" and "9c6208f5c0f3310ec2cca8218a0735ff6873d8e9" have entirely different histories.
a64d17b2e8 ... 9c6208f5c0

7 changed files with 2 additions and 159 deletions
Show Stats Expand all files Collapse all files

3
.gitignore vendored
View File

@ -12,6 +12,3 @@ htmlcov/
dist/ dist/
build/ build/
*.egg-info/ *.egg-info/
coverage.xml
report.xml

6
.gitlab-ci.yml
View File

@ -1,6 +1,6 @@
run tests: run tests:
stage: test stage: test
image: python:3.9 image: python:3.8
script: script:
- pip install pytest pytest-cov pytest-mock pytest-flask - pip install pytest pytest-cov pytest-mock pytest-flask
- pip install Flask-HTTPAuth - pip install Flask-HTTPAuth
@ -11,9 +11,7 @@ run tests:
artifacts: artifacts:
when: always when: always
reports: reports:
coverage_report: cobertura: coverage.xml
coverage_format: cobertura
path: coverage.xml
junit: report.xml junit: report.xml
tags: tags:
- docker - docker

3
CHANGELOG
View File

@ -1,3 +0,0 @@
- 2023.1
* Implement #3, a /ping health check endpoint

127
README.md
View File

@ -1,130 +1,3 @@
[![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) [![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
[![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) [![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
## Installation
* Install uwsgi
```
sudo pkg install www/uwsgi
```
* Clone this repository
## Configuration
### rc.conf
* Use the following for configuring uwsgi in rc.conf
```
sudo sysrc uwsgi\_enable="YES"
sudo sysrc uwsgi\_profiles="jail2ban\_pf"
sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"
```
### jail2ban
* Configure <installation root>/instance/config.py
```
SECRET\_KEY = os.urandom(32).hex()
AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'
```
### nginx
* Configure a nginx upstream and vhost
_Of course you can listen on ipv4/ipv6 but you want to protect these addresses from inadvertent or malicious probes_
upstream uwsgi_pf_jail2ban {
server 127.0.0.1:3031;
}
server {
listen unix:/path/to/jail_1/var/run/pf2ban/pf_jail2ban.sock;
listen unix:/path/to/jail_2/var/run/pf2ban/pf_jail2ban.sock;
listen unix:/path/to/jail_3/var/run/pf2ban/pf_jail2ban.sock;
server_name _;
location / {
index index.html index.htm index.php;
allow all;
include /usr/local/etc/nginx/uwsgi_params-dist;
uwsgi_pass uwsgi_pf_jail2ban;
}
}
### /etc/pf.conf
* Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration
```
anchor "f2b/*"
anchor f2b-jail {
anchor "jail1_fqdn" to { <addr_jail1>, <addr_extra_jail1>, <addr_extra6_jail1> }
anchor "jail2_fqdn" to { <addr_jail2>, <addr_extra_jail2>, <addr_extra6_jail2> }
anchor "jail3_fqdn" to { <addr_jail3>, <addr_extra_jail3>, <addr_extra6_jail3> }
}
```
Having seperate anchors per jail makes it possible to have fine grained
blocking: Something that is harmful to jail2 might be perfectly legit for jail2.
#### Checking rules/tables made with fail2ban/jail2ban
Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.:
sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
192.0.2.66
2001:db8:abad:cafe:0bad:f00d
And the rules referencing these tables
sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
block drop quick proto tcp from <f2b-dovecot> to any port = pop3
block drop quick proto tcp from <f2b-dovecot> to any port = pop3s
block drop quick proto tcp from <f2b-dovecot> to any port = imap
block drop quick proto tcp from <f2b-dovecot> to any port = imaps
block drop quick proto tcp from <f2b-dovecot> to any port = submission
block drop quick proto tcp from <f2b-dovecot> to any port = smtps
block drop quick proto tcp from <f2b-dovecot> to any port = sieve
block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
block drop quick proto tcp from <f2b-sshd> to any port = ssh
block drop quick proto tcp from <f2b-recidive> to any
### fail2ban
* Create the following action plugin for fail2ban on the jail desiring to use fail2ban/jail2ban
```
cat <<'EOT' | tee /usr/local/etc/fail2ban/action.d/jail2ban-pf.conf > /dev/null
Definition]
actionstart = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XPUT -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
actionstart_on_demand = false
actionstop = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XDELETE -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
actionflush = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X GET http://localhost/flush/<name>
actioncheck =
actionban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X PUT -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
actionunban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X DELETE -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
[Init]
protocol = tcp
actiontype = <multiport>
allports = any
multiport = any port {<port>}
jail2ban_sock = /var/run/pf2ban/jail2ban.sock
jail2ban_user = login as set in password file for jail2ban
jail2ban_pass = password as set in password file for jail2ban
```
* Configure jail.local
```
cat <<'EOT' | tee /usr/local/etc/fail2ban/jail.local > /dev/null
[DEFAULT]
banaction = jail2ban-pf
```

9
jail2ban/__init__.py
View File

@ -42,15 +42,6 @@ def create_app():
check_password_hash(users.get(username), password): check_password_hash(users.get(username), password):
return username return username
@app.route("/ping", methods=['GET'])
@auth.login_required
def ping():
remote_user = auth.username()
app.logger.info('Received ping for'
f' anchor f2b-jail/{remote_user}')
return jsonify({'anchor': f'f2b-jail/{remote_user}',
'operation': 'ping',
'result': 'pong'})
@app.route("/flush/<name>", methods=['GET']) @app.route("/flush/<name>", methods=['GET'])
@auth.login_required @auth.login_required
def flush(name): def flush(name):

10
tests/test_ping.py
View File

@ -1,10 +0,0 @@
def test_ping(client, mocker, valid_credentials):
'''
Test application health check
'''
response = client.get("/ping",
headers={"Authorization":
"Basic " + valid_credentials})
assert response.json['operation'] == 'ping'

3
wsgi.py
View File

@ -1,3 +0,0 @@
from jail2ban import create_app
app = create_app()