New: fail2ban.sql.html.
This commit is contained in:
parent
fc4953b7df
commit
d1c1ea76ac
|
@ -0,0 +1,316 @@
|
|||
# Fail2ban: Store banned IP addresses in SQL database
|
||||
|
||||
[TOC]
|
||||
|
||||
## Summary
|
||||
|
||||
Since iRedMail-1.2, Fail2ban is configured to store banned IP addresses in
|
||||
SQL database. If you run iRedAdmin-Pro or your own web admin panel, it will be
|
||||
very easy to check and manage banned IP addresses. But if you don't run
|
||||
iRedAdmin-Pro or don't have custom web admin panel, this integration is totally
|
||||
optional.
|
||||
|
||||
With this SQL integration, to unban an IP address from web admin panel, you can
|
||||
simply update value of column `banned.remove` to `1`, then wait for up to one
|
||||
minute, a cron job will call `fail2ban-client` to actually unban it.
|
||||
|
||||
With iRedAdmin-Pro, you can login as global admin, go to
|
||||
`Activities -> Banned IP Addresses`, then click the `Unban` button to unban it.
|
||||
|
||||
![](./images/iredadmin/activity_banned_ip_addresses.png){: width="900px" }
|
||||
|
||||
## How it works
|
||||
|
||||
When some client triggers the ban, Fail2ban will perform actions defined in
|
||||
`action =` parameter in jail config file. For example, in jail `sshd`
|
||||
(`/etc/fail2ban/jail.d/sshd.local`):
|
||||
|
||||
```
|
||||
[sshd]
|
||||
enabled = ...
|
||||
filter = ...
|
||||
logpath = ...
|
||||
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
|
||||
```
|
||||
|
||||
Action name `iptables-multipart` maps to commands defined in
|
||||
`/etc/fail2ban/action.d/iptables-multiport.conf` for different fail2ban actions.
|
||||
For example:
|
||||
|
||||
```
|
||||
[Definition]
|
||||
|
||||
# Notes.: command executed once at the start of Fail2Ban.
|
||||
actionstart = ...
|
||||
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
actionstop = ...
|
||||
|
||||
# Notes.: command executed once before each actionban command
|
||||
actioncheck = ...
|
||||
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
actionban = ...
|
||||
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
|
||||
```
|
||||
|
||||
In this tutorial, we will add a custom action config file and update jail
|
||||
config files to use this action.
|
||||
|
||||
## Create required SQL database
|
||||
|
||||
### For OpenLDAP backend and MySQL/MariaDB backends
|
||||
|
||||
We will create a new database named `fail2ban` to store banned IP addresses,
|
||||
also a SQL user `fail2ban`.
|
||||
|
||||
* Run commands below as `root` user:
|
||||
|
||||
```
|
||||
cd /tmp
|
||||
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.mysql
|
||||
```
|
||||
|
||||
* Run __SQL commands__ below as __MySQL `root` user__:
|
||||
|
||||
!!! warning
|
||||
|
||||
Please replace `<my-secret-password>` by your own strong password.
|
||||
|
||||
```
|
||||
CREATE DATABASE fail2ban DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
|
||||
GRANT ALL ON fail2ban.* TO 'fail2ban'@'localhost' IDENTIFIED BY '<my-secret-password>';
|
||||
|
||||
USE fail2ban;
|
||||
SOURCE /tmp/fail2ban.mysql;
|
||||
```
|
||||
|
||||
* Create required file: `/root/.my.cnf-fail2ban`. Script will read MySQL
|
||||
credential from this file instead of storing plain password in script.
|
||||
|
||||
```
|
||||
[client]
|
||||
host="127.0.0.1"
|
||||
port="3306"
|
||||
user="fail2ban"
|
||||
password="<my-secret-password>"
|
||||
```
|
||||
|
||||
### For PostgreSQL backend
|
||||
|
||||
We will create a new database named `fail2ban` to store banned IP addresses,
|
||||
also a SQL user `fail2ban`.
|
||||
|
||||
* Run commands below as `root` user, then switch to PostgreSQL daemon user
|
||||
`postgres` and connect to SQL server:
|
||||
|
||||
```
|
||||
cd /tmp
|
||||
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.pgsql
|
||||
su - postgres
|
||||
psql -d template1
|
||||
```
|
||||
|
||||
* Run __SQL commands__ below:
|
||||
|
||||
!!! warning
|
||||
|
||||
Please replace `<my-secret-password>` by your own strong password.
|
||||
|
||||
```
|
||||
CREATE DATABASE fail2ban WITH TEMPLATE template0 ENCODING 'UTF8';
|
||||
CREATE USER fail2ban WITH ENCRYPTED PASSWORD '<my-secret-password>' NOSUPERUSER NOCREATEDB NOCREATEROLE;
|
||||
ALTER DATABASE fail2ban OWNER TO fail2ban;
|
||||
|
||||
-- PostgreSQL will prompt to input password for user "fail2ban" with command below.
|
||||
\c fail2ban fail2ban;
|
||||
\i /tmp/fail2ban.pgsql;
|
||||
```
|
||||
|
||||
* Now append line below to file `~/.pgpass` under PostgreSQL daemon user's
|
||||
HOME directory. Script will read SQL credential from this file.
|
||||
|
||||
```
|
||||
*:*:*:fail2ban:<my-secret-password>
|
||||
```
|
||||
|
||||
## Add required Fail2ban config file and script
|
||||
|
||||
On Linux, run commands below as `root` user:
|
||||
|
||||
```
|
||||
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/action.d/banned_db.conf
|
||||
mv banned_db.conf /etc/fail2ban/action.d/
|
||||
|
||||
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/bin/fail2ban_banned_db
|
||||
mv fail2ban_banned_db /usr/local/bin/
|
||||
chmod 0550 /usr/local/bin/fail2ban_banned_db
|
||||
```
|
||||
|
||||
File `/etc/fail2ban/action.d/banned_db.conf` indicates we now have a new action
|
||||
named `banned_db` (it's file name without extension). Feel free to open this
|
||||
file and check what it does.
|
||||
|
||||
Script `/usr/local/bin/fail2ban_banned_db` will read `/root/.my.cnf-fail2ban`
|
||||
(OpenLDAP/MySQL/MariaDB backends) or `~postgresql/.pgpass` (PostgreSQL backend)
|
||||
to read SQL credential.
|
||||
|
||||
## Enable the new action `banned_db`
|
||||
|
||||
Now go to `/etc/fail2ban/jail.d/` and update config files for the jails you
|
||||
want to store banned IP in SQL db. Let's take `sshd.local` for example.
|
||||
|
||||
* The `action =` line in original file looks like this:
|
||||
|
||||
```
|
||||
[sshd]
|
||||
...
|
||||
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
|
||||
```
|
||||
|
||||
* Add our new action under existing action:
|
||||
|
||||
```
|
||||
[sshd]
|
||||
...
|
||||
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
|
||||
banned_db[name=sshd, port="22", protocol=tcp]
|
||||
```
|
||||
|
||||
That's it. It's recommend to enable this new action `banned_db` for all jails.
|
||||
|
||||
Now restart `fail2ban` service to load modified config files.
|
||||
|
||||
## Add required cron job to query SQL database and unban IP addresses
|
||||
|
||||
Now add a cron job for `root` user:
|
||||
|
||||
```
|
||||
* * * * * /bin/bash /usr/local/bin/fail2ban_banned_db unban_db
|
||||
```
|
||||
|
||||
It runs every minute and query SQL database to get IP addresses which are
|
||||
pending for removal.
|
||||
|
||||
## Optional: Add GeoIP database to look up location of banned IP address
|
||||
|
||||
Script `/usr/local/bin/fail2ban_banned_db` detects whether commands
|
||||
`geoiplookup` and `geoiplookup6` exist, if exist, it runs the command to query
|
||||
country of banned IP address and store it in SQL database.
|
||||
|
||||
* On RHEL/CentOS 7:
|
||||
|
||||
```
|
||||
yum -y install GeoIP GeoIP-data
|
||||
```
|
||||
|
||||
* On RHEL/CentOS 8:
|
||||
|
||||
```
|
||||
yum -y install GeoIP GeoIP-GeoLite-data
|
||||
```
|
||||
|
||||
* On Debian/Ubuntu:
|
||||
|
||||
```
|
||||
apt -y install geoip-bin geoip-database
|
||||
```
|
||||
|
||||
* On OpenBSD 6.6:
|
||||
|
||||
```
|
||||
pkg_add GeoIP geolite-country
|
||||
```
|
||||
|
||||
## Tests
|
||||
|
||||
!!! attention
|
||||
|
||||
We use MySQL for example here.
|
||||
|
||||
Run `fail2ban-client` command as `root` user to ban 2 IP addresses like below:
|
||||
|
||||
```
|
||||
fail2ban-client set sshd banip 1.1.1.1
|
||||
fail2ban-client set sshd banip 1.1.1.2
|
||||
```
|
||||
|
||||
You can see the banned IP address with command `fail2ban-client status <jail>`:
|
||||
|
||||
```
|
||||
fail2ban-client status sshd
|
||||
```
|
||||
|
||||
Command output:
|
||||
|
||||
```
|
||||
Status for the jail: sshd
|
||||
|- Filter
|
||||
| |- Currently failed: 0
|
||||
| |- Total failed: 0
|
||||
| `- File list: ...
|
||||
`- Actions
|
||||
|- Currently banned: 2
|
||||
|- Total banned: 2
|
||||
`- Banned IP list: 1.1.1.2 1.1.1.1
|
||||
```
|
||||
|
||||
Now run command below to query SQL table `fail2ban.banned` as `root` user:
|
||||
|
||||
```
|
||||
mysql fail2ban -e "SELECT * FROM banned"
|
||||
```
|
||||
|
||||
You should see the command output like below:
|
||||
|
||||
```
|
||||
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
|
||||
| id | ip | ports | protocol | jail | hostname | country | timestamp | remove |
|
||||
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
|
||||
| 3 | 1.1.1.1 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:57 | 0 |
|
||||
| 4 | 1.1.1.2 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:58 | 0 |
|
||||
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
|
||||
```
|
||||
|
||||
Now run `fail2ban-client` command to unban IP and query SQL table
|
||||
`fail2ban.banned` again, you should see unbanned IP is gone:
|
||||
|
||||
```
|
||||
fail2ban-client set sshd unbanip 1.1.1.1
|
||||
```
|
||||
|
||||
Now run command as `root` user to update SQL column `banned.remove=1` to
|
||||
simulate the unban triggered by iRedAdmin-Pro:
|
||||
|
||||
```
|
||||
mysql fail2ban -e "UPDATE banned SET remove=1 WHERE ip='1.1.1.2'"
|
||||
```
|
||||
|
||||
Run script `/usr/local/bin/fail2ban_banned_db` with argument `unban_db` as `root` user:
|
||||
|
||||
```
|
||||
/usr/local/bin/fail2ban_banned_db unbandb
|
||||
```
|
||||
|
||||
Again, query SQL table `fail2ban.banned` as `root` user, you should see the IP
|
||||
stored in SQL db with `remove=1` is gone, and unbanned in fail2ban too:
|
||||
|
||||
```
|
||||
mysql fail2ban -e "SELECT * FROM banned"
|
||||
fail2ban-client status sshd
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
If there's something, you should see related log in syslog log file or Fail2ban
|
||||
log file:
|
||||
|
||||
- syslog: `/var/log/syslog` or `/var/log/messages`
|
||||
- Fail2ban: `/var/log/fail2ban.log` or `/var/log/fail2ban/fail2ban.log`
|
||||
|
||||
If you can not solve the error, feel free to create a new
|
||||
[forum topic](https://forum.iredmail.org) and paste related log in your post.
|
|
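Review bot: two identifiers in this new file contradict the rest of the page. Under "How it works", `Action name \`iptables-multipart\` maps to commands defined in \`/etc/fail2ban/action.d/iptables-multiport.conf\`` should say `iptables-multiport`, which is what the jail example and the file name already use. Under "Tests", the prose says to run the script `with argument \`unban_db\`` and the cron line uses `unban_db`, but the command block reads `/usr/local/bin/fail2ban_banned_db unbandb`; one of the two is wrong and readers will copy the block. Related: the script description says it reads `~postgresql/.pgpass`, while the setup step switches to `postgres` with `su - postgres`; the daemon user should be named consistently. Two operational gaps: `/root/.my.cnf-fail2ban` and the `postgres` user's `~/.pgpass` hold the `fail2ban` database password, so the steps should tell the reader to `chmod 0600` them; libpq ignores `~/.pgpass` entirely unless its mode is 0600 or stricter, so without that the PostgreSQL unban path fails silently. `GRANT ALL ON fail2ban.* TO 'fail2ban'@'localhost' IDENTIFIED BY '<my-secret-password>';` works on MariaDB and MySQL 5.x, but MySQL 8.0 removed `IDENTIFIED BY` from `GRANT`; a separate `CREATE USER` followed by the `GRANT` works everywhere. The test bans `1.1.1.1` and `1.1.1.2`, which are live public addresses; an RFC 5737 documentation address such as `192.0.2.1` avoids blocking real traffic if the test is run on a production host. Minor wording: "It's recommend to enable" should be "It's recommended to enable", and "If there's something, you should see related log" should be "If something goes wrong, you should see a related log entry".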
@ -27,24 +27,25 @@ To disable iRedAPD service:
|
|||
|
||||
## How to enable or disable iRedAPD plugins
|
||||
|
||||
iRedAPD plugin is Python file under `/opt/iredapd/plugins/` directory. To
|
||||
iRedAPD plugins are Python files under `/opt/iredapd/plugins/` directory. To
|
||||
enable a plugin, please find line `plugins =` in iRedAPD config file
|
||||
`/opt/iredapd/settings.py`, for example:
|
||||
|
||||
```
|
||||
plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle']
|
||||
plugins = ['greylisting', 'throttle']
|
||||
```
|
||||
|
||||
If you want to enable plugin `reject_sender_login_mismatch` (file
|
||||
`/opt/iredapd/plugins/reject_sender_login_mismatch.py`), please add the plugin
|
||||
name in `plugins =` like below, and restart iRedAPD service:
|
||||
name without extension `.py` in `plugins =` like below, then restart iRedAPD
|
||||
service:
|
||||
|
||||
```
|
||||
plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle', 'reject_sender_login_mismatch']
|
||||
plugins = ['greylisting', 'throttle', 'reject_sender_login_mismatch']
|
||||
```
|
||||
|
||||
The priorities of plugins shipped in iRedAPD are hard-coded, so the order of
|
||||
plugin name in `plugins =` doesn't matter.
|
||||
plugin names doesn't matter.
|
||||
|
||||
To disable a plugin, just remove the plugin name and restart iRedAPD service.
|
||||
|
||||
|
|
|
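Review bot: the rewritten sentence `plugin names doesn't matter.` has a subject-verb mismatch and should read `plugin names don't matter.` The rest of the rewording (plural "plugins are Python files", "name without extension `.py`") reads better than the old text, and the shortened example lists are consistent between the two code blocks.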
@ -0,0 +1,315 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||
<title>Fail2ban: Store banned IP addresses in SQL database</title>
|
||||
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<div id="navigation">
|
||||
<a href="https://www.iredmail.org" target="_blank">
|
||||
<img alt="iRedMail web site"
|
||||
src="./images/logo-iredmail.png"
|
||||
style="vertical-align: middle; height: 30px;"
|
||||
/>
|
||||
<span>iRedMail</span>
|
||||
</a>
|
||||
// <a href="./index.html">Document Index</a></div><h1 id="fail2ban-store-banned-ip-addresses-in-sql-database">Fail2ban: Store banned IP addresses in SQL database</h1>
|
||||
<div class="toc">
|
||||
<ul>
|
||||
<li><a href="#fail2ban-store-banned-ip-addresses-in-sql-database">Fail2ban: Store banned IP addresses in SQL database</a><ul>
|
||||
<li><a href="#summary">Summary</a></li>
|
||||
<li><a href="#how-it-works">How it works</a></li>
|
||||
<li><a href="#create-required-sql-database">Create required SQL database</a><ul>
|
||||
<li><a href="#for-openldap-backend-and-mysqlmariadb-backends">For OpenLDAP backend and MySQL/MariaDB backends</a></li>
|
||||
<li><a href="#for-postgresql-backend">For PostgreSQL backend</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#add-required-fail2ban-config-file-and-script">Add required Fail2ban config file and script</a></li>
|
||||
<li><a href="#enable-the-new-action-banned_db">Enable the new action banned_db</a></li>
|
||||
<li><a href="#add-required-cron-job-to-query-sql-database-and-unban-ip-addresses">Add required cron job to query SQL database and unban IP addresses</a></li>
|
||||
<li><a href="#optional-add-geoip-database-to-look-up-location-of-banned-ip-address">Optional: Add GeoIP database to look up location of banned IP address</a></li>
|
||||
<li><a href="#tests">Tests</a></li>
|
||||
<li><a href="#troubleshooting">Troubleshooting</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<h2 id="summary">Summary</h2>
|
||||
<p>Since iRedMail-1.2, Fail2ban is configured to store banned IP addresses in
|
||||
SQL database. If you run iRedAdmin-Pro or your own web admin panel, it will be
|
||||
very easy to check and manage banned IP addresses. But if you don't run
|
||||
iRedAdmin-Pro or don't have custom web admin panel, this integration is totally
|
||||
optional.</p>
|
||||
<p>With this SQL integration, to unban an IP address from web admin panel, you can
|
||||
simply update value of column <code>banned.remove</code> to <code>1</code>, then wait for up to one
|
||||
minute, a cron job will call <code>fail2ban-client</code> to actually unban it.</p>
|
||||
<p>With iRedAdmin-Pro, you can login as global admin, go to
|
||||
<code>Activities -> Banned IP Addresses</code>, then click the <code>Unban</code> button to unban it.</p>
|
||||
<p><img alt="" src="./images/iredadmin/activity_banned_ip_addresses.png" width="900px" /></p>
|
||||
<h2 id="how-it-works">How it works</h2>
|
||||
<p>When some client triggers the ban, Fail2ban will perform actions defined in
|
||||
<code>action =</code> parameter in jail config file. For example, in jail <code>sshd</code>
|
||||
(<code>/etc/fail2ban/jail.d/sshd.local</code>):</p>
|
||||
<pre><code>[sshd]
|
||||
enabled = ...
|
||||
filter = ...
|
||||
logpath = ...
|
||||
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
|
||||
</code></pre>
|
||||
|
||||
<p>Action name <code>iptables-multipart</code> maps to commands defined in
|
||||
<code>/etc/fail2ban/action.d/iptables-multiport.conf</code> for different fail2ban actions.
|
||||
For example:</p>
|
||||
<pre><code>[Definition]
|
||||
|
||||
# Notes.: command executed once at the start of Fail2Ban.
|
||||
actionstart = ...
|
||||
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
actionstop = ...
|
||||
|
||||
# Notes.: command executed once before each actionban command
|
||||
actioncheck = ...
|
||||
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
actionban = ...
|
||||
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
|
||||
</code></pre>
|
||||
|
||||
<p>In this tutorial, we will add a custom action config file and update jail
|
||||
config files to use this action.</p>
|
||||
<h2 id="create-required-sql-database">Create required SQL database</h2>
|
||||
<h3 id="for-openldap-backend-and-mysqlmariadb-backends">For OpenLDAP backend and MySQL/MariaDB backends</h3>
|
||||
<p>We will create a new database named <code>fail2ban</code> to store banned IP addresses,
|
||||
also a SQL user <code>fail2ban</code>.</p>
|
||||
<ul>
|
||||
<li>Run commands below as <code>root</code> user:</li>
|
||||
</ul>
|
||||
<pre><code>cd /tmp
|
||||
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.mysql
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p>Run <strong>SQL commands</strong> below as <strong>MySQL <code>root</code> user</strong>:</p>
|
||||
<div class="admonition warning">
|
||||
<p class="admonition-title">Warning</p>
|
||||
<p>Please replace <code><my-secret-password></code> by your own strong password.</p>
|
||||
</div>
|
||||
</li>
|
||||
</ul>
|
||||
<pre><code>CREATE DATABASE fail2ban DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
|
||||
GRANT ALL ON fail2ban.* TO 'fail2ban'@'localhost' IDENTIFIED BY '<my-secret-password>';
|
||||
|
||||
USE fail2ban;
|
||||
SOURCE /tmp/fail2ban.mysql;
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Create required file: <code>/root/.my.cnf-fail2ban</code>. Script will read MySQL
|
||||
credential from this file instead of storing plain password in script.</li>
|
||||
</ul>
|
||||
<pre><code>[client]
|
||||
host="127.0.0.1"
|
||||
port="3306"
|
||||
user="fail2ban"
|
||||
password="<my-secret-password>"
|
||||
</code></pre>
|
||||
|
||||
<h3 id="for-postgresql-backend">For PostgreSQL backend</h3>
|
||||
<p>We will create a new database named <code>fail2ban</code> to store banned IP addresses,
|
||||
also a SQL user <code>fail2ban</code>.</p>
|
||||
<ul>
|
||||
<li>Run commands below as <code>root</code> user, then switch to PostgreSQL daemon user
|
||||
<code>postgres</code> and connect to SQL server:</li>
|
||||
</ul>
|
||||
<pre><code>cd /tmp
|
||||
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.pgsql
|
||||
su - postgres
|
||||
psql -d template1
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p>Run <strong>SQL commands</strong> below:</p>
|
||||
<div class="admonition warning">
|
||||
<p class="admonition-title">Warning</p>
|
||||
<p>Please replace <code><my-secret-password></code> by your own strong password.</p>
|
||||
</div>
|
||||
</li>
|
||||
</ul>
|
||||
<pre><code>CREATE DATABASE fail2ban WITH TEMPLATE template0 ENCODING 'UTF8';
|
||||
CREATE USER fail2ban WITH ENCRYPTED PASSWORD '<my-secret-password>' NOSUPERUSER NOCREATEDB NOCREATEROLE;
|
||||
ALTER DATABASE fail2ban OWNER TO fail2ban;
|
||||
|
||||
-- PostgreSQL will prompt to input password for user "fail2ban" with command below.
|
||||
\c fail2ban fail2ban;
|
||||
\i /tmp/fail2ban.pgsql;
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Now append line below to file <code>~/.pgpass</code> under PostgreSQL daemon user's
|
||||
HOME directory. Script will read SQL credential from this file.</li>
|
||||
</ul>
|
||||
<pre><code>*:*:*:fail2ban:<my-secret-password>
|
||||
</code></pre>
|
||||
|
||||
<h2 id="add-required-fail2ban-config-file-and-script">Add required Fail2ban config file and script</h2>
|
||||
<p>On Linux, run commands below as <code>root</code> user:</p>
|
||||
<pre><code>wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/action.d/banned_db.conf
|
||||
mv banned_db.conf /etc/fail2ban/action.d/
|
||||
|
||||
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/bin/fail2ban_banned_db
|
||||
mv fail2ban_banned_db /usr/local/bin/
|
||||
chmod 0550 /usr/local/bin/fail2ban_banned_db
|
||||
</code></pre>
|
||||
|
||||
<p>File <code>/etc/fail2ban/action.d/banned_db.conf</code> indicates we now have a new action
|
||||
named <code>banned_db</code> (it's file name without extension). Feel free to open this
|
||||
file and check what it does.</p>
|
||||
<p>Script <code>/usr/local/bin/fail2ban_banned_db</code> will read <code>/root/.my.cnf-fail2ban</code>
|
||||
(OpenLDAP/MySQL/MariaDB backends) or <code>~postgresql/.pgpass</code> (PostgreSQL backend)
|
||||
to read SQL credential.</p>
|
||||
<h2 id="enable-the-new-action-banned_db">Enable the new action <code>banned_db</code></h2>
|
||||
<p>Now go to <code>/etc/fail2ban/jail.d/</code> and update config files for the jails you
|
||||
want to store banned IP in SQL db. Let's take <code>sshd.local</code> for example.</p>
|
||||
<ul>
|
||||
<li>The <code>action =</code> line in original file looks like this:</li>
|
||||
</ul>
|
||||
<pre><code>[sshd]
|
||||
...
|
||||
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Add our new action under existing action:</li>
|
||||
</ul>
|
||||
<pre><code>[sshd]
|
||||
...
|
||||
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
|
||||
banned_db[name=sshd, port="22", protocol=tcp]
|
||||
</code></pre>
|
||||
|
||||
<p>That's it. It's recommend to enable this new action <code>banned_db</code> for all jails.</p>
|
||||
<p>Now restart <code>fail2ban</code> service to load modified config files.</p>
|
||||
<h2 id="add-required-cron-job-to-query-sql-database-and-unban-ip-addresses">Add required cron job to query SQL database and unban IP addresses</h2>
|
||||
<p>Now add a cron job for <code>root</code> user:</p>
|
||||
<pre><code>* * * * * /bin/bash /usr/local/bin/fail2ban_banned_db unban_db
|
||||
</code></pre>
|
||||
|
||||
<p>It runs every minute and query SQL database to get IP addresses which are
|
||||
pending for removal.</p>
|
||||
<h2 id="optional-add-geoip-database-to-look-up-location-of-banned-ip-address">Optional: Add GeoIP database to look up location of banned IP address</h2>
|
||||
<p>Script <code>/usr/local/bin/fail2ban_banned_db</code> detects whether commands
|
||||
<code>geoiplookup</code> and <code>geoiplookup6</code> exist, if exist, it runs the command to query
|
||||
country of banned IP address and store it in SQL database.</p>
|
||||
<ul>
|
||||
<li>On RHEL/CentOS 7:</li>
|
||||
</ul>
|
||||
<pre><code>yum -y install GeoIP GeoIP-data
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>On RHEL/CentOS 8:</li>
|
||||
</ul>
|
||||
<pre><code>yum -y install GeoIP GeoIP-GeoLite-data
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>On Debian/Ubuntu:</li>
|
||||
</ul>
|
||||
<pre><code>apt -y install geoip-bin geoip-database
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>On OpenBSD 6.6:</li>
|
||||
</ul>
|
||||
<pre><code>pkg_add GeoIP geolite-country
|
||||
</code></pre>
|
||||
|
||||
<h2 id="tests">Tests</h2>
|
||||
<div class="admonition attention">
|
||||
<p class="admonition-title">Attention</p>
|
||||
<p>We use MySQL for example here.</p>
|
||||
</div>
|
||||
<p>Run <code>fail2ban-client</code> command as <code>root</code> user to ban 2 IP addresses like below:</p>
|
||||
<pre><code>fail2ban-client set sshd banip 1.1.1.1
|
||||
fail2ban-client set sshd banip 1.1.1.2
|
||||
</code></pre>
|
||||
|
||||
<p>You can see the banned IP address with command <code>fail2ban-client status <jail></code>:</p>
|
||||
<pre><code>fail2ban-client status sshd
|
||||
</code></pre>
|
||||
|
||||
<p>Command output:</p>
|
||||
<pre><code>Status for the jail: sshd
|
||||
|- Filter
|
||||
| |- Currently failed: 0
|
||||
| |- Total failed: 0
|
||||
| `- File list: ...
|
||||
`- Actions
|
||||
|- Currently banned: 2
|
||||
|- Total banned: 2
|
||||
`- Banned IP list: 1.1.1.2 1.1.1.1
|
||||
</code></pre>
|
||||
|
||||
<p>Now run command below to query SQL table <code>fail2ban.banned</code> as <code>root</code> user:</p>
|
||||
<pre><code>mysql fail2ban -e "SELECT * FROM banned"
|
||||
</code></pre>
|
||||
|
||||
<p>You should see the command output like below:</p>
|
||||
<pre><code>+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
|
||||
| id | ip | ports | protocol | jail | hostname | country | timestamp | remove |
|
||||
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
|
||||
| 3 | 1.1.1.1 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:57 | 0 |
|
||||
| 4 | 1.1.1.2 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:58 | 0 |
|
||||
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
|
||||
</code></pre>
|
||||
|
||||
<p>Now run <code>fail2ban-client</code> command to unban IP and query SQL table
|
||||
<code>fail2ban.banned</code> again, you should see unbanned IP is gone:</p>
|
||||
<pre><code>fail2ban-client set sshd unbanip 1.1.1.1
|
||||
</code></pre>
|
||||
|
||||
<p>Now run command as <code>root</code> user to update SQL column <code>banned.remove=1</code> to
|
||||
simulate the unban triggered by iRedAdmin-Pro:</p>
|
||||
<pre><code>mysql fail2ban -e "UPDATE banned SET remove=1 WHERE ip='1.1.1.2'"
|
||||
</code></pre>
|
||||
|
||||
<p>Run script <code>/usr/local/bin/fail2ban_banned_db</code> with argument <code>unban_db</code> as <code>root</code> user:</p>
|
||||
<pre><code>/usr/local/bin/fail2ban_banned_db unbandb
|
||||
</code></pre>
|
||||
|
||||
<p>Again, query SQL table <code>fail2ban.banned</code> as <code>root</code> user, you should see the IP
|
||||
stored in SQL db with <code>remove=1</code> is gone, and unbanned in fail2ban too:</p>
|
||||
<pre><code>mysql fail2ban -e "SELECT * FROM banned"
|
||||
fail2ban-client status sshd
|
||||
</code></pre>
|
||||
|
||||
<h2 id="troubleshooting">Troubleshooting</h2>
|
||||
<p>If there's something, you should see related log in syslog log file or Fail2ban
|
||||
log file:</p>
|
||||
<ul>
|
||||
<li>syslog: <code>/var/log/syslog</code> or <code>/var/log/messages</code></li>
|
||||
<li>Fail2ban: <code>/var/log/fail2ban.log</code> or <code>/var/log/fail2ban/fail2ban.log</code></li>
|
||||
</ul>
|
||||
<p>If you can not solve the error, feel free to create a new
|
||||
<a href="https://forum.iredmail.org">forum topic</a> and paste related log in your post.</p><div class="footer">
|
||||
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
||||
</div>
|
||||
<!-- Global site tag (gtag.js) - Google Analytics -->
|
||||
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
|
||||
<script>
|
||||
window.dataLayer = window.dataLayer || [];
|
||||
function gtag(){dataLayer.push(arguments);}
|
||||
gtag('js', new Date());
|
||||
|
||||
gtag('config', 'UA-3293801-21');
|
||||
</script>
|
||||
</body></html>
|
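Review bot: this HTML is generated from the markdown added in the same commit and carries its defects verbatim: `<code>iptables-multipart</code>` for `iptables-multiport`, the test command `<pre><code>/usr/local/bin/fail2ban_banned_db unbandb` where the surrounding text and the cron line use `unban_db`, and `<code>~postgresql/.pgpass</code>` where the earlier step uses the `postgres` user. Fix the markdown source and regenerate rather than patching the HTML, otherwise the two files drift apart on the next build.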
Binary file not shown.
After Width: | Height: | Size: 162 KiB |
|
@ -118,6 +118,7 @@
|
|||
<li><a href="dovecot.master.user.html">Dovecot Master User: Access user's mailbox without owner's password.</a></li>
|
||||
<li><a href="enable.dnsbl.html">Enable DNSBL service in Postfix to reduce spam</a></li>
|
||||
<li><a href="enable.postscreen.html">Enable postscreen service</a></li>
|
||||
<li><a href="fail2ban.sql.html">Fail2ban: Store banned IP addresses in SQL database</a></li>
|
||||
<li><a href="force.user.to.change.password.html">Force mail user to change password in 90 days</a></li>
|
||||
<li><a href="ignore.trash.folder.in.quota.html">Ignore Trash folder in mailbox quota</a></li>
|
||||
<li><a href="ldap.add.alias.domain.html">LDAP: Add an alias domain</a></li>
|
||||
|
|
|
@ -71,20 +71,21 @@ user <code>iredapd</code>.</p>
|
|||
<li>Disable iredapd service.</li>
|
||||
</ol>
|
||||
<h2 id="how-to-enable-or-disable-iredapd-plugins">How to enable or disable iRedAPD plugins</h2>
|
||||
<p>iRedAPD plugin is Python file under <code>/opt/iredapd/plugins/</code> directory. To
|
||||
<p>iRedAPD plugins are Python files under <code>/opt/iredapd/plugins/</code> directory. To
|
||||
enable a plugin, please find line <code>plugins =</code> in iRedAPD config file
|
||||
<code>/opt/iredapd/settings.py</code>, for example:</p>
|
||||
<pre><code>plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle']
|
||||
<pre><code>plugins = ['greylisting', 'throttle']
|
||||
</code></pre>
|
||||
|
||||
<p>If you want to enable plugin <code>reject_sender_login_mismatch</code> (file
|
||||
<code>/opt/iredapd/plugins/reject_sender_login_mismatch.py</code>), please add the plugin
|
||||
name in <code>plugins =</code> like below, and restart iRedAPD service:</p>
|
||||
<pre><code>plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle', 'reject_sender_login_mismatch']
|
||||
name without extension <code>.py</code> in <code>plugins =</code> like below, then restart iRedAPD
|
||||
service:</p>
|
||||
<pre><code>plugins = ['greylisting', 'throttle', 'reject_sender_login_mismatch']
|
||||
</code></pre>
|
||||
|
||||
<p>The priorities of plugins shipped in iRedAPD are hard-coded, so the order of
|
||||
plugin name in <code>plugins =</code> doesn't matter.</p>
|
||||
plugin names doesn't matter.</p>
|
||||
<p>To disable a plugin, just remove the plugin name and restart iRedAPD service.</p>
|
||||
<h2 id="how-to-add-custom-settings">How to add custom settings</h2>
|
||||
<p>iRedAPD has some default settings in file
|
||||
|
|
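Review bot: `plugin names doesn't matter.</p>` reproduces the grammar slip from the markdown source; it should be `don't matter`, fixed in the markdown and regenerated. The hunk otherwise mirrors the markdown change and the `<pre><code>` blocks remain balanced.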