ruben/jail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
jail2ban/README.md

3.1 KiB
Raw Blame History

pipeline status coverage report

Installation

  • Install uwsgi

sudo pkg install www/uwsgi

  • Use the following for configuring uwsgi in rc.conf

sudo sysrc uwsgi_enable="YES" sudo sysrc uwsgi_profiles="jail2ban_pf" sudo sysrc uwsgi_jail2ban_pf_flags="-L -M --uid _jail2ban --python-path /opt/jail2ban-pf --wsgi-file /opt/jail2ban-pf/wsgi.py --stats 127.0.0.1:9191 --socket 127.0.0.1:3031 --chdir /var/empty --callable app --manage-script-name"

  • Configure /instance/config.py

SECRET_KEY = os.urandom(32).hex() AUTHFILE = '/usr/local/etc/jail2ban-pf-users.txt'

  • Configure a nginx upstream and vhost

Of course you can listen on ipv4/ipv6 but you want to protect these addresses from inadvertent or malicious probes

upstream uwsgi_pf_jail2ban {
    server 127.0.0.1:3031;
}

server {
    listen       unix:/path/to/jail_1/var/run/pf2ban/pf_jail2ban.sock;
    listen       unix:/path/to/jail_2/var/run/pf2ban/pf_jail2ban.sock;
    listen       unix:/path/to/jail_3/var/run/pf2ban/pf_jail2ban.sock;
    server_name  _;

    location / {
        index     index.html index.htm index.php;
        allow all;
        include /usr/local/etc/nginx/uwsgi_params-dist;
        uwsgi_pass uwsgi_pf_jail2ban;
    }
}
  • Place anchors in pf for jail2ban to use

anchor "f2b/*" anchor f2b-jail { anchor "jail1_fqdn" to { <addr_jail1>, <addr_extra_jail1>, <addr_extra6_jail1> } anchor "jail2_fqdn" to { <addr_jail2>, <addr_extra_jail2>, <addr_extra6_jail2> } anchor "jail3_fqdn" to { <addr_jail3>, <addr_extra_jail3>, <addr_extra6_jail3> } }

Having seperate anchors per jail makes it possible to have fine grained blocking: Something that is harmful to jail2 might be perfectly legit for jail2.

Fail2ban will (re)create the per anchor rules on startup, and populate the designated address tables with offenders, e.g.:

sudo pfctl -a f2b-jail/jail1_fqdn -T show -t f2b-recidive 192.0.2.66 2001:db8:abad:cafe:0bad:f00d

And the rules referencing these tables

sudo pfctl -a 'f2b-jail/jail1_fqdn' -s rules block drop quick proto tcp from to any port = pop3 block drop quick proto tcp from to any port = pop3s block drop quick proto tcp from to any port = imap block drop quick proto tcp from to any port = imaps block drop quick proto tcp from to any port = submission block drop quick proto tcp from to any port = smtps block drop quick proto tcp from to any port = sieve block drop quick proto tcp from to any port = submission block drop quick proto tcp from to any port = smtps block drop quick proto tcp from to any port = smtp block drop quick proto tcp from to any port = ssh block drop quick proto tcp from to any