Apologies if this is a simple request. I have installed fail2ban and not quite sure how I should be setting it up. I would like to activate it for SSH and luci login. I have edited the jail.conf file in the following areas:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode = normal
port = ssh
logpath = /var/log/auth.log
[dropbear]
port = ssh
logpath = /var/log/auth.log
After resetting fail2ban, fail2ban-client status shows the number of jails as 0. I haven't made any changes to fail2ban.conf
Not quite sure how to proceed. Also, not certain if this is also covering luci login. Any help would be really appreciated!
Thanks for replying. I understand this is not the best place, but I thought that there may be specific configs for OpenWrt? Still not working by entering that. Do you have it set up yourself? What were the steps you took, if you don't mind me asking?
It's (in my case) because the log file the ssh jail is supposed to read doesn't exist;
if I create an empty file (by touch), the jail will get enabled.
Thanks for that - I had to enable the log to be written to a file. Then created a jail.local file, and I have SSH protection by enabling the dropbear jail.
Is there a way to also protect against LUCI logins? It doesn't seem to support uhttpd, but I just want to check I'm not missing anything.
And to set up the regexes for the current version of OpenWrt, /etc/fail2ban/filter.d/dropbear.local:
[Definition]
failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
            ^[Ee]xit before auth from <<HOST>:\d+>:\s.*$
I added only the last regex to the default set in dropbear.conf
This then sets up a new table and blocks:
$ nft list ruleset
...
table inet f2b-table {
    set addr-set-dropbear {
        type ipv4_addr
        elements = { 20.228.150.123, 20.235.121.96 }
    }
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        tcp dport 22 ip saddr @addr-set-dropbear reject with icmp port-unreachable
    }
}
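The quickest way to find out whether the dropbear.local failregexes above actually fire on your dropbear output, before waiting for a real attacker, is to run them over a handful of log lines and emulate the jail's maxretry/findtime decision. The script below is an added example written for this thread, not code from fail2ban or from the poster; the log lines are constructed (RFC 5737 documentation addresses), the syslog prefix handling is a simplified stand-in for fail2ban's common.conf `__prefix_line`, and the `<HOST>` expansion is a simplified one that handles IPv4 addresses and plain hostnames only (fail2ban's real one also covers IPv6).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four failregex lines from the thread's filter.d/dropbear.local, verbatim.
FAILREGEX = [
    r"^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$",
    r"^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$",
    r"^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$",
    r"^[Ee]xit before auth from <<HOST>:\d+>:\s.*$",
]

# Assumption: simplified <HOST> expansion (IPv4 / hostname only); fail2ban's
# real expansion is more elaborate and also matches IPv6 literals.
HOST_RE = r"(?P<host>[\w\-.]+)"
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]

# Assumption: simplified stand-in for fail2ban's common.conf __prefix_line,
# matching what logd writes to a file on OpenWrt: "Mar 14 10:00:02 host dropbear[pid]: msg".
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
Mar 14 10:00:01 OpenWrt dropbear[1234]: Child connection from 203.0.113.5:41234
Mar 14 10:00:02 OpenWrt dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:41234
Mar 14 10:00:05 OpenWrt dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:41234
Mar 14 10:00:09 OpenWrt dropbear[1234]: Exit before auth from <203.0.113.5:41234>: (user 'root', 3 fails, 8s) Max auth tries reached
Mar 14 10:00:20 OpenWrt dropbear[1240]: Login attempt for nonexistent user 'admin' from 198.51.100.7:51000
Mar 14 10:01:00 OpenWrt dropbear[1250]: Password auth succeeded for 'root' from 192.0.2.10:5555
Mar 14 10:30:00 OpenWrt dropbear[1260]: Exit before auth (user 'pi', 3 fails): Max auth tries reached - user 'pi' from 198.51.100.7:51200
""".splitlines()


def match_line(line):
    """Return (timestamp, host) if the line is a dropbear auth failure, else None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    for rx in COMPILED:
        f = rx.match(m.group("msg"))
        if f:
            # syslog timestamps carry no year; pin one so the values compare.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2024)
            return ts, f.group("host")
    return None


def bans(lines, maxretry=3, findtime=600):
    """Emulate a jail: ban a host once it has maxretry failures within findtime seconds.

    Returns hosts in the order they got banned.
    """
    window = timedelta(seconds=findtime)
    history = defaultdict(list)
    banned = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        # keep only failures still inside the findtime window, then add this one
        history[host] = [t for t in history[host] if ts - t <= window] + [ts]
        if len(history[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line.split(": ", 1)[1])
    print("banned:", bans(SAMPLE_LOG))
```

With the defaults (maxretry=3, findtime=600) only 203.0.113.5 is banned: its two bad-password lines plus the "Exit before auth from <...>" line are three hits in eight seconds, whereas 198.51.100.7's two hits are thirty minutes apart and the successful login from 192.0.2.10 matches nothing. If you change the regexes, rerun this (or `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dropbear.local`, which is the real tool for the job) before trusting the jail.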
For those that are doing this, I understand (sort of - see below) fail2ban for SSH, but for it to be relevant for Luci you have to be exposing your Luci interface to the outside world. This, especially if you have SSH set up right, should never be necessary.
As far as ssh goes, I also expose mine to the outside world, but only when all password logins are disabled. After that is done, I would suggest that trying to use fail2ban to ban the IPs where login attempts are coming from is about as useful as urinating into the wind. The number of zombie machine IP addresses these people have exceeds the netfilter table space in your device. You will just end up clogging your netfilter tables, wasting your device's ram, and reducing its performance for no actual gain in security.
Is it necessary to choose nftables-multiport on 22.03 release?
I've set iptables-multiport on another jail and iptables-allports on dropbear, and IP addresses get banned.
I only have public key enabled, so I'm not too worried about access violations, but it is more just to reduce it.
I have set mine up also to use recidive and wrote another script to take all the dropbear and recidive ip addresses, get their prefixes and AS numbers, and I ban the prefix if there are two or more IP bans for a prefix, or all prefixes from an AS if there is more than 1 prefix for that AS.
I end up with more hits on the prefix block list than I do on the IP-specific ones. That said, I am currently blocking 280-odd prefixes; this is the distribution:
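The escalation rule in the post above (ban a prefix once two or more banned IPs fall in it, and ban every prefix of an AS once bans span more than one of its prefixes) is short enough to show end to end. The script below is an added example for this thread, not the poster's script: the poster's real script looks prefixes and AS numbers up online, whereas this one uses a constructed routing snapshot (`ROUTE_TABLE`, RFC 5737 addresses and private ASNs) as a stand-in for those lookups, and the banned-IP list is likewise constructed rather than read from `fail2ban-client status`. The nft commands it emits assume a set of your own named `f2b-prefixes` created with `flags interval`; the `addr-set-dropbear` set shown earlier in the thread is a plain `ipv4_addr` set and will not accept CIDR elements.

```python
import ipaddress
from collections import defaultdict

# Constructed routing snapshot standing in for live whois/RDAP/BGP lookups:
# announced prefix -> origin AS.  The real script would query these.
ROUTE_TABLE = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/25": 64501,
    "198.51.100.128/25": 64501,
    "192.0.2.0/24": 64502,
}
_ROUTES = {ipaddress.ip_network(p): asn for p, asn in ROUTE_TABLE.items()}

# Constructed stand-in for the union of the dropbear and recidive jails' banned IPs.
BANNED = [
    "203.0.113.5", "203.0.113.77",      # two IPs in one /24
    "198.51.100.7", "198.51.100.200",   # one IP in each of an AS's two /25s
    "192.0.2.10",                       # lone IP, lone prefix in its AS
    "10.9.8.7",                         # nothing known about its origin
]


def lookup(ip):
    """Longest-prefix match of ip against the snapshot; returns (prefix, asn) or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, asn) for net, asn in _ROUTES.items() if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)


def escalate(banned_ips, min_ips_per_prefix=2, min_prefixes_per_as=2):
    """Return the sorted list of prefixes to block, applying the two escalation rules.

    Rule 1: a prefix with >= min_ips_per_prefix banned IPs is blocked.
    Rule 2: an AS with >= min_prefixes_per_as distinct prefixes among the bans
            gets every prefix the snapshot attributes to it blocked.
    IPs with no known origin stay as plain IP bans and are not escalated.
    """
    ips_by_prefix = defaultdict(set)
    for ip in banned_ips:
        hit = lookup(ip)
        if hit is None:
            continue
        prefix, _ = hit
        ips_by_prefix[prefix].add(ip)

    to_block = {p for p, ips in ips_by_prefix.items() if len(ips) >= min_ips_per_prefix}

    prefixes_by_as = defaultdict(set)
    for prefix in ips_by_prefix:
        prefixes_by_as[_ROUTES[prefix]].add(prefix)
    for asn, prefixes in prefixes_by_as.items():
        if len(prefixes) >= min_prefixes_per_as:
            to_block.update(net for net, a in _ROUTES.items() if a == asn)

    return sorted(str(p) for p in to_block)


def nft_commands(prefixes, table="inet f2b-table", setname="f2b-prefixes"):
    """nft commands loading the prefixes into an interval set (assumed to exist)."""
    if not prefixes:
        return []
    elements = ", ".join(prefixes)
    return [f"nft add element {table} {setname} {{ {elements} }}"]


if __name__ == "__main__":
    blocked = escalate(BANNED)
    print("prefixes to block:", blocked)
    for cmd in nft_commands(blocked):
        print(cmd)
```

On the constructed data this blocks 203.0.113.0/24 under rule 1 and both 198.51.100.0/25 and 198.51.100.128/25 under rule 2, leaves 192.0.2.0/24 alone, and ignores 10.9.8.7 because nothing is known about its origin. The thresholds are parameters so you can make rule 1 stricter (three IPs per prefix, say) without touching the logic; whatever you pick, the set you load these into must be declared with `flags interval`, otherwise nft rejects the CIDR elements.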