From e4a0a469b386a4fc08321be039a93ceb37184b39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o?= <theo@le-filament.com>
Date: Wed, 28 Sep 2022 12:37:01 +0200
Subject: [PATCH] feat: fail2ban jail for Ubuntu 22
---
templates/jail.Ubuntu22.j2 | 353 +++++++++++++++++++++++++++++++++++++
1 file changed, 353 insertions(+)
create mode 100644 templates/jail.Ubuntu22.j2
diff --git a/templates/jail.Ubuntu22.j2 b/templates/jail.Ubuntu22.j2
new file mode 100644
index 0000000..b0d0770
--- /dev/null
+++ b/templates/jail.Ubuntu22.j2
@@ -0,0 +1,353 @@
+#
+# WARNING: heavily refactored in 0.9.0 release. Please review and
+# customize settings for your setup.
+#
+# Changes: in most of the cases you should not modify this
+# file, but provide customizations in jail.local file,
+# or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 1h
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
+# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
+#bantime.increment = true
+
+# "bantime.rndtime" is the max number of seconds using for mixing with random time
+# to prevent "clever" botnets calculate exact time IP can be unbanned again:
+#bantime.rndtime =
+
+# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
+#bantime.maxtime =
+
+# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
+# default value of factor is 1 and with default value of formula, the ban time
+# grows by 1, 2, 4, 8, 16 ...
+#bantime.factor = 1
+
+# "bantime.formula" used by default to calculate next value of ban time, default value bellow,
+# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
+#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
+#
+# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
+#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
+
+# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding
+# previously ban count and given "bantime.factor" (for multipliers default is 1);
+# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
+# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
+#bantime.multipliers = 1 2 4 8 16 32 64
+# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
+# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
+#bantime.multipliers = 1 5 30 60 300 720 1440 2880
+
+# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
+# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
+#bantime.overalljails = false
+
+# --------------------
+
+# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
+# (default is true). Fail2ban will not ban a host which matches such addresses.
+#ignoreself = true
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8{% if inventory_hostname in groups.docker %} 172.16.0.0/12 192.168.0.0/16{% endif %}{% for host in groups.docker_nagios %} {{ hostvars[host].ansible_host }}/32{% endfor %}
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 86400 ; ban for 1 day
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 3600 ; search for 1 hour
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 3
+
+# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
+maxmatches = %(maxretry)s
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+# If pyinotify is not installed, Fail2ban will use auto.
+# gamin: requires Gamin (a file alteration monitor) to be installed.
+# If Gamin is not installed, Fail2ban will use auto.
+# polling: uses a polling algorithm which does not require external libraries.
+# systemd: uses systemd python library to access the systemd journal.
+# Specifying "logpath" is not valid for this backend.
+# See "journalmatch" in the jails associated filter config
+# auto: will try to use the following backends, in order:
+# pyinotify, gamin, polling.
+#
+# Note: if systemd backend is chosen as the default but you enable a jail
+# for which logs are present only in its own log files, specify some other
+# backend for that jail (e.g. polling) and provide empty value for
+# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = polling
+
+# "usedns" specifies if jails should trust hostnames in logs,
+# warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes: if a hostname is encountered, a DNS lookup will be performed.
+# warn: if a hostname is encountered, a DNS lookup will be performed,
+# but it will be logged as a warning.
+# no: if a hostname is encountered, will not be used for banning,
+# but it will be logged as info.
+# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+# This is used to decode the lines from the log file.
+# Typical examples: "ascii", "utf-8"
+#
+# auto: will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+# By default all jails are disabled, and it should stay this way.
+# Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true: jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
+mode = normal
+
+# "filter" defines the filter to use by the jail.
+# By default jails have names matching their filter name
+#
+filter = %(__name__)s[mode=%(mode)s]
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = {{ default_maintenance_email }}
+
+# Sender email address used solely for some actions
+sender = {{ inventory_hostname|lower }}_server@{{ inventory_hostname|lower }}.server
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
+chain = INPUT
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+#
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
+# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
+# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
+# corresponding jail.d/my-jail.local file).
+#
+action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
+#
+# Report ban via badips.com (uses action.d/badips.conf for reporting only)
+#
+action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf for usage example and details.
+#
+action_abuseipdb = abuseipdb
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+backend = systemd
+enabled = true
+logpath = /var/log/auth.log
+mode = aggressive
+port = {{ default_sshd_port }}
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+# is not at DEBUG level -- which might then cause fail2ban to fall into
+# an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+# to maintain entries for failed logins for sufficient amount of time
+[recidive]
+banaction = %(banaction_allports)s
+bantime = 1w
+enabled = true
+findtime = 1d
+logpath = /var/log/fail2ban.log
+
+
+{% if inventory_hostname in groups.gitlab %}
+#
+# HTTP servers
+#
+
+[nginx-http-auth]
+enabled = true
+port = http,https
+logpath = /var/log/gitlab/nginx/*error.log
+
+[nginx-botsearch]
+enabled = true
+port = http,https
+logpath = /var/log/gitlab/nginx/*error.log
+maxretry = 3
+
+
+{% endif %}
+{% if inventory_hostname in groups.odoo_server or inventory_hostname in groups.owncloud_server %}
+#
+# HTTP servers
+#
+
+[nginx-http-auth]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/*error.log
+
+[nginx-botsearch]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/*error.log
+maxretry = 2
+
+
+{% endif %}
+{% if inventory_hostname in groups.docker and inventory_hostname not in groups.docker_nextcloud %}
+#
+# Docker containers
+#
+
+[docker-traefik-auth]
+chain = DOCKER-USER
+enabled = true
+filter = traefik-auth
+{% if docker_userns_remap %}
+logpath = /var/lib/docker/{{ dockremap_subuid | default("*") }}.{{ dockremap_subgid | default("*") }}/volumes/inverseproxy_logs/_data/access.log
+{% else %}
+logpath = /var/lib/docker/volumes/inverseproxy_logs/_data/access.log
+{% endif %}
+port = http,https
+
+{% endif %}
--
GitLab