ruben/jail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
50 Commits 2 Branches 2 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Ruben van Staveren 39c3fc0342
Some checks failed
Flake8 / build (3.11) (push) Successful in 8s
Details
Pylint / build (3.11) (push) Failing after 15s
Details
Mypy / build (3.11) (push) Failing after 39s
Details
install types / be non interactive
2025-03-14 12:22:51 +01:00
.gitea/workflows
install types / be non interactive
2025-03-14 12:22:51 +01:00
jail2ban
lint fixes
2024-07-31 16:14:52 +02:00
tests
lint fixes (tests)
2024-07-31 16:30:43 +02:00
.gitignore
Exclude software testing reports
2023-01-09 14:50:03 +01:00
.gitlab-ci.yml
Switch to python 3.11
2024-07-31 15:50:29 +02:00
CHANGELOG
2023.1 release notes
2023-01-13 10:33:34 +01:00
README.md
lint fixes
2024-07-31 16:14:52 +02:00
setup.cfg
First tests!
2022-03-10 11:22:04 +01:00
setup.py
First tests!
2022-03-10 11:22:04 +01:00
wsgi.py
For use with the documented uwsgi
2023-01-09 15:08:02 +01:00

README.md

pipeline status coverage report

An API to remotely control a pf based fail2ban

Installation

  • Install uwsgi
sudo pkg install www/uwsgi
  • Clone this repository

Configuration

rc.conf

  • Use the following for configuring uwsgi in rc.conf
sudo sysrc uwsgi\_enable="YES"
sudo sysrc uwsgi\_profiles="jail2ban\_pf"
sudo sysrc uwsgi\_jail2ban\_pf\_flags="-L -M --uid \_jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"

jail2ban

  • Configure /instance/config.py
SECRET\_KEY = os.urandom(32).hex()
AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'

nginx

  • Configure a nginx upstream and vhost

Of course you can listen on ipv4/ipv6 but you want to protect these addresses from inadvertent or malicious probes

upstream uwsgi_pf_jail2ban {
    server 127.0.0.1:3031;
}

server {
    listen       unix:/path/to/jail_1/var/run/pf2ban/pf_jail2ban.sock;
    listen       unix:/path/to/jail_2/var/run/pf2ban/pf_jail2ban.sock;
    listen       unix:/path/to/jail_3/var/run/pf2ban/pf_jail2ban.sock;
    server_name  _;

    location / {
        index     index.html index.htm index.php;
        allow all;
        include /usr/local/etc/nginx/uwsgi_params-dist;
        uwsgi_pass uwsgi_pf_jail2ban;
    }
}

/etc/pf.conf

  • Place anchors in pf for jail2ban to use. You probably want to place the early in your existing pf configuration
anchor "f2b/*"
anchor f2b-jail {
    anchor "jail1_fqdn" to { <addr_jail1>, <addr_extra_jail1>, <addr_extra6_jail1> }
    anchor "jail2_fqdn" to { <addr_jail2>, <addr_extra_jail2>, <addr_extra6_jail2> }
    anchor "jail3_fqdn" to { <addr_jail3>, <addr_extra_jail3>, <addr_extra6_jail3> }
}

Having seperate anchors per jail makes it possible to have fine grained blocking: Something that is harmful to jail2 might be perfectly legit for jail2.

Checking rules/tables made with fail2ban/jail2ban

Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.:

sudo pfctl -a f2b-jail/jail1\_fqdn -T show -t f2b-recidive
192.0.2.66
2001:db8:abad:cafe:0bad:f00d

And the rules referencing these tables

sudo pfctl -a 'f2b-jail/jail1\_fqdn' -s rules
block drop quick proto tcp from <f2b-dovecot> to any port = pop3
block drop quick proto tcp from <f2b-dovecot> to any port = pop3s
block drop quick proto tcp from <f2b-dovecot> to any port = imap
block drop quick proto tcp from <f2b-dovecot> to any port = imaps
block drop quick proto tcp from <f2b-dovecot> to any port = submission
block drop quick proto tcp from <f2b-dovecot> to any port = smtps
block drop quick proto tcp from <f2b-dovecot> to any port = sieve
block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
block drop quick proto tcp from <f2b-sshd> to any port = ssh
block drop quick proto tcp from <f2b-recidive> to any

fail2ban

  • Create the following action plugin for fail2ban on the jail desiring to use fail2ban/jail2ban
cat <<'EOT' | tee /usr/local/etc/fail2ban/action.d/jail2ban-pf.conf > /dev/null
Definition]
actionstart = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XPUT -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
actionstart_on_demand = false
actionstop = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -XDELETE -H 'Content-Type: application/json' -d '{"port":"<actiontype>","name":"<name>","protocol":"<protocol>"}' http://localhost/register
actionflush = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X GET http://localhost/flush/<name>
actioncheck = 
actionban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X PUT -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
actionunban = curl --unix-socket <jail2ban_sock> --basic -u '<jail2ban_user>:<jail2ban_pass>' -X DELETE -H 'Content-Type: application/json' -d '{"name":"<name>","ip":"<ip>"}' http://localhost/ban
[Init]
protocol = tcp
actiontype = <multiport>
allports = any
multiport = any port {<port>}
jail2ban_sock = /var/run/pf2ban/jail2ban.sock
jail2ban_user = login as set in password file for jail2ban
jail2ban_pass = password as set in password file for jail2ban
  • Configure jail.local
cat <<'EOT' | tee /usr/local/etc/fail2ban/jail.local > /dev/null
[DEFAULT]
banaction = jail2ban-pf
Description
A fail2ban action plugin handler for centralised pf(8) handling
Readme 177 KiB
Languages
Python 100%