consider enabling 'recidive' fail2ban filter by default

turnkeylinux / tracker

TurnKey Linux Tracker

https://www.turnkeylinux.org

70 stars 16 forks source link

consider enabling 'recidive' fail2ban filter by default #1474

Open deutrino opened 4 years ago

deutrino commented 4 years ago

tl;dr this is a very inexpensive way to drastically cut down on brute force log noise. it watches the output of the ssh filter and bans repeat offenders for much longer durations. with the numbers set conservatively, this will ban high-volume brute force sources with minimal impact to Turnkey users.

the 'findtime' and 'bantime' variables should be the subject of some discussion - I use 12 hours and 1 week respectively, which is more aggressive than is appropriate for defaults (maybe 12h / 24h would suffice)

let me know thoughts, and if interested I'll document the config changes necessary.

JedMeister commented 4 years ago

Sounds good! :+1:

JedMeister commented 4 years ago

Hi @deutrino - I'm just working back through the issue tracker (actually was over a week ago when I added and changed the milestone to v16.1) and noticed that this one never got applied (or further discussed, etc).

In essence, this sounds like a great idea, although I do still have some reservations re inexperienced users accidentally locking themselves out for extended periods of time.

Are there any ways that we can somewhat mitigate that? Or can you explain to me why you don't think that is a concern (if indeed that's the case)?

deutrino commented 4 years ago

It would require some work more than what comes "out of the box" with fail2ban, but I can imagine some combination of config work between the sshd & recidive filters, and fail2ban in general, that results in some combination of

loose tolerances, so as to avoid situations like the low auth retries limit for sshd in Turnkey 15
having recidive only pay attention to errors that are unlikely to be inexperienced users with the wrong password, e.g. nonexistent users or weird disconnects
perhaps a way of having fail2ban exempt whatever the local subnet happens to be

I have the very smallest beginnings of this in a cookbook I use on new TKL machines, I haven't gotten to the point of having much in TKLDev ready form yet. But eventually I can adapt this and have concrete changes to suggest which I hope will be appropriate for all users :)

JedMeister commented 4 years ago

@deutrino - ok sounds promising! I look forward to hearing more about this. :smile:

JedMeister commented 1 year ago

I've just moved this to the v18.1 milestone as I don't think we'll get to it for v18.0, but I think it would be a good thing to have!