If you find yourself spending a lot of time working with/on web-facing servers, you have probably heard of or used this awesome little thing called fail2ban. I am not going to get in to what it is or what it does, if you have never heard of it, you should look into it, as it is a pretty helpful tool for protecting your web-connected machines. I have been using it for some time on my AWS and personal boxes, and considered myself fairly adept at it up until the other day, when I discovered a few little tricks to slimming my jail configurations considerably.
Now, the gist of this is not new, it is well known that you can set default directives for your jails, but what I didn’t know is just how far you can go, and that the directives can be used as substitutions. If you, like me, use yum to manage your packages, you may have missed this as well, as yum (for AMI’s, anyway, or every AMI I have used so far at least) are locked at the pre-v9 version of fail2ban, and as such, lack a lot a really great examples of shortcutting your jail configs, and pre-configured shortcuts.
As you may know, when configuring fail2ban on your server, it is possible to shortcut the action directive to maintain slightly cleaner, and less verbose config files. But what you may not have known is that you can, by use of substitutions, shortcut portions of directives as well. It is fairly simple in practice, and can reduce some of your jails to just three lines (enabled, filter, and logpath), which is hard to argue with.
Since all jail configurations work by first inheriting [DEFAULT], you can place the following in your [DEFAULT] block in your jail.local and be pretty much set:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
### Mail Action Variables # Mail Transit Authority mta = sendmail # Destination Email Address destemail = "user@domain.com" # From Email Address senderemail = "root@server.com" sendername = "Fail2Ban" # Email Lines (only send after this many lines) lines = 100 ### Ban Action Variables # Default Ban Action banaction = iptables-multiport # Ban Action Port port = all # Ban Action Protocol protocol = tcp # Jail Name banjailname = "%(__name__)s" emailjailname = "%(__name__)s" ### Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name="%(banjailname)s", port="%(port)s", protocol="%(protocol)s"] # Ban and send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name="%(banjailname)s", port="%(port)s", protocol="%(protocol)s"] %(mta)s-whois[name="%(emailjailname)s", dest="%(destemail)s", sender="%(senderemail)s", sendername="%(sendername)s"] # Ban and send Buffered Email (send after N lines) action_mb = %(banaction)s[name="%(banjailname)s", port="%(port)s", protocol="%(protocol)s"] %(mta)s-buffered[name="%(emailjailname)s", lines="%(lines)s", dest="%(destemail)s", sender="%(senderemail)s", sendername="%(sendername)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_mb)s |
If you have worked with fail2ban version 9 or higher, this will look very familiar to you. It is about the same as the current version [DEFAULT] block, with the exception of some variable name changes (banjailname and emailjailname) and some additions (sendername, senderemail, etc). I also have a default banaction of iptables-multiport, and I added action_mb, because I prefer buffering of emails.
With that set, you can now reduce jail configurations from:
|
1 2 3 4 5 6 |
[sshd] enabled = true filter = sshd action = iptables[name=sshd, port=ssh, protocol=tcp] sendmail-whois[name=sshd, dest=user@domain.com, sender=root@server.com, sendername="Fail2Ban"] logpath = /var/log/secure |
To
|
1 2 3 4 |
[sshd] enabled = true filter = sshd logpath = /var/log/secure |
Which may not seem like a whole lot, but when you have a slew of jails, and really hate repeating yourself, it makes a difference. Also, if you configure multiple servers, or have to change any variable, it becomes really quick when the bulk is in one location.
Also, if you, like me, keep very few disabled jails in your configuration, frequently name them the same as your filters, and want to lean it even more, you can even do this (also in master of the current release):
|
1 2 3 4 5 |
# Always Enabled, unless specified otherwise. enabled = true # Filter Name same as Jail Name, unless specified otherwise. filter = %(__name__)s |
Which leaves your more basic filters at just TWO lines, or one, if you do not consider the Jail Name to be a “line.”
|
1 2 |
[sshd] logpath = /var/log/secure |
I know of some of my peers that will poo poo this practice, under the premise that coding is for developers, not for machines, and, as such, we should emphasize readability over being concise. However, I feel this is very readable, and much more portable, easy to re-configure, and manageable when working in vim. My status emails let me know exactly where to look, and if I want to share this with a client/peer, I can just tell them to set the email addresses and go (all other things being equal).
My resulting additions to my [DEFAULT] block look like:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
[DEFAULT] ### # ... pre-existing [DEFAULT] directives ... ### # Always Enabled, unless specified otherwise. enabled = true # Filter Name same as Jail Name, unless specified otherwise. filter = %(__name__)s # Mail Transit Authority mta = sendmail # Destination Email Address destemail = "user@server.com" # From Email Address senderemail = "root@server.com" sendername = "Fail2Ban" # Email Lines (only send after this many lines) lines = 100 ### Ban Action Variables # Default Ban Action banaction = iptables-multiport # Ban Action Port port = all # Ban Action Protocol protocol = tcp # Jail Name banjailname = "%(__name__)s" emailjailname = "%(__name__)s" ### Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name="%(banjailname)s", port="%(port)s", protocol="%(protocol)s"] # Ban and send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name="%(banjailname)s", port="%(port)s", protocol="%(protocol)s"] %(mta)s-whois[name="%(emailjailname)s", lines="%(lines)s", dest="%(destemail)s", sender="%(senderemail)s", sendername="%(sendername)s"] # Ban and send Buffered Email (send after N lines) action_mb = %(banaction)s[name="%(banjailname)s", port="%(port)s", protocol="%(protocol)s"] %(mta)s-buffered[name="%(emailjailname)s", lines="%(lines)s", dest="%(destemail)s", sender="%(senderemail)s", sendername="%(sendername)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_mb)s |
And that makes me exceedingly happy.
Again, most all of this is in the current release of fail2ban, but is not in the version yum supports by default in most Amazon AMIs. That said, you can drop the above into the head of your jail.local and you will be good to go.
Happy hacking.