Fail2ban whitelist

From LUG
Revision as of 11:45, 11 January 2021 by Haars001 (talk | contribs) (Created page with "= Introduction = We use fail2ban to block IP addresses that try to log in to SSH servers. This works by blocking IP addresses from which too many failed attempts originate....")

Introduction

We use fail2ban to block IP addresses that repeatedly try to log in to our SSH servers.

It works by banning any IP address from which too many failed login attempts originate.

This works nicely, but it has a side effect: legitimate users who enter the wrong credentials a few times are banned as well (FileZilla, for example, retries a failed login on its own, so one typo can use up the whole allowance).

That creates administrative load, because these users then have to ask an administrator of the service to unblock their IP address.

The idea is therefore to automatically whitelist every IP address from which a successful login has occurred.

Pros:

  • People are no longer blocked if they use the wrong credentials a couple of times
  • This leads to lower administrator load

Cons:

  • An extra set of configuration files has to be maintained on the servers
  • A bad actor could use this setup to get an IP address whitelisted and use it as a starting point for an attack. This seems unlikely: someone who already holds a working set of credentials has better options than brute-forcing other accounts. Note, though, that the whitelist is per address, not per user: one successful login from a shared address (a NAT gateway or a campus network) exempts everyone behind that address from banning until the entry is removed again.

TODO

What still needs to be done is to check how to integrate this with Puppet.


Implementation

To enable the automated whitelisting, we need three extra files: a filter that matches successful logins, an action that whitelists the matched address, and a config that enables both.

/etc/fail2ban/filter.d/sshd-whitelist.conf:

[INCLUDES]

# pulls in the shared syslog/journal prefix definitions (__prefix_line etc.)
before = common.conf

[DEFAULT]

_daemon = sshd

[Definition]

# "failregex" is just fail2ban's name for the match; for this filter a match
# is a *successful* login, and <HOST> captures the address to whitelist.
# Only publickey and password logins are matched. Logins handled through PAM
# are logged as "Accepted keyboard-interactive/pam" and would have to be
# added to the alternation if that method is in use.
failregex  = ^%(__prefix_line)s\s*Accepted (publickey|password) for \S+ from <HOST>

mode = normal

ignoreregex =

maxlines = 1

# when reading the systemd journal instead of a log file
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

datepattern = {^LN-BEG}
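Before deploying a filter like the one above it is worth checking which lines it actually matches. On a host with fail2ban installed the check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-whitelist.conf`; the script below does the same offline. It is an added example, not fail2ban's code and not part of this page's configuration: it expands the `%(__prefix_line)s` and `<HOST>` tags with simplified stand-ins (an assumption; fail2ban's real `common.conf` expansions are more permissive), runs the page's failregex over constructed sshd log lines, and also tries a broadened variant (also an assumption, not from the page) that covers `Accepted keyboard-interactive/pam` lines.

```python
"""Added example: dry-run the sshd-whitelist failregex over constructed log lines.

Not fail2ban's code. The two fail2ban tags are approximated so the regex from
the page can be exercised without fail2ban installed. On a real host use:
    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-whitelist.conf
"""
import re

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption):
# optional syslog timestamp, optional hostname, optional "sshd[pid]:".
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?(?:\S+\s+)?(?:sshd\[\d+\]:\s+)?"

# Stand-in for fail2ban's <HOST> tag (assumption): optional IPv4-mapped
# IPv6 prefix, then the address captured as group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The page's failregex with the two tags expanded as above.
PAGE_FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"\s*Accepted (publickey|password) for \S+ from " + HOST
)

# Broadened variant (not from the page): sshd logs PAM logins as
# "Accepted keyboard-interactive/pam", which the page's regex ignores.
EXTENDED_FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"\s*Accepted (publickey|password|keyboard-interactive(?:/pam)?) for \S+ from "
    + HOST
)

# Constructed sample log (not real data); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 11 11:40:01 shell01 sshd[2311]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:abc
Jan 11 11:40:07 shell01 sshd[2318]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Jan 11 11:40:09 shell01 sshd[2318]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Jan 11 11:40:15 shell01 sshd[2325]: Accepted password for bob from 198.51.100.7 port 40023 ssh2
Jan 11 11:41:02 shell01 sshd[2340]: Accepted keyboard-interactive/pam for carol from 203.0.113.5 port 3322 ssh2
Jan 11 11:41:30 shell01 sshd[2351]: Failed password for invalid user admin from 203.0.113.99 port 2222 ssh2
"""


def hosts_to_whitelist(log_text, regex=PAGE_FAILREGEX):
    """Addresses the filter would hand to the whitelist action: one entry per
    source with a successful login, in order of first appearance."""
    seen = []
    for line in log_text.splitlines():
        m = regex.search(line)
        if m and m.group("host") not in seen:
            seen.append(m.group("host"))
    return seen


def failed_hosts(log_text):
    """Sources seen in 'Failed password' lines, i.e. what the stock sshd jail
    counts towards a ban; compare with hosts_to_whitelist() to see which of
    them a later successful login would exempt."""
    fails = re.compile(r"Failed password for (?:invalid user )?\S+ from " + HOST)
    out = []
    for line in log_text.splitlines():
        m = fails.search(line)
        if m and m.group("host") not in out:
            out.append(m.group("host"))
    return out


if __name__ == "__main__":
    print("page regex     ->", hosts_to_whitelist(SAMPLE_LOG))
    print("extended regex ->", hosts_to_whitelist(SAMPLE_LOG, EXTENDED_FAILREGEX))
    print("failed logins  ->", failed_hosts(SAMPLE_LOG))
```

In the sample, bob's address appears in two failed attempts and then in a successful one, which is exactly the FileZilla case the whitelist is meant to cover; carol's PAM login is only picked up by the broadened regex, and the address that only ever failed is never whitelisted.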