On Thu, Aug 16, 2018 at 02:07:02PM -0400, cyaiplexys wrote:
> See, that all is way over my head. I don't understand this stuff as I'm
> pretty much a total beginner in this.

OK, fair enough. Let's see what help I can offer.

> Do Debian and Debian based systems have the firewall installed and
> running by default?

No. For general-purpose firewalling, I would suggest installing ufw
(`sudo apt-get install ufw`), as it's much simpler to manage than using
iptables (the underlying firewall control scheme used by both ufw and
fail2ban to communicate with the kernel) directly.

After installing ufw, the following commands should get you started (all
of them need to be run with sudo or from a root shell):

ufw allow to any port 22 from [your IP address] proto tcp

(If you're using ssh to connect to the server, you *must* do this one
before enabling the firewall, or else you'll lock yourself out. If you
need to connect with ssh from multiple addresses, you can either run it
multiple times with different addresses, or specify a network in CIDR
notation.)

ufw enable

(Starts the firewall.)

ufw logging off

(...because it will otherwise flood your logs with reports of pretty
much every packet received on the network interface.)

ufw allow 80,443/tcp

(Opens port 80 (http) and 443 (https) for connections from anywhere on
the internet.)

Repeat the last one with the appropriate port numbers for any other
service that you want to make publicly available.

> I have no idea how to jail or whatever in fail2ban. Sounds like that's
> what I want to do. Detect IP addresses hitting the server 1000 times in
> an hour and then ban those for a good long while (week sounds good).

That's pretty much exactly what fail2ban is intended to do. A "jail" is
just fail2ban's term for a rule for what activities aren't allowed and
how to handle IP addresses which break the rule.

Unfortunately, adding a custom jail requires changes to multiple files,
but I can at least give you specific details on how to create this
particular one. Again, these files need to be created or edited using
sudo or from a root shell.

First, you need to create a filter definition. Create the file
/etc/fail2ban/filter.d/apache-missing-local.conf containing:

---
[Definition]
failregex = <HOST> [^ ]+ [^ ]+ \[[^]]+\] "[^"]+" 40[04] [0-9]+
---

Lines matching the failregex (an apache log line for a 404 error) count
as "failures".

Next, you need to define a jail which uses that filter. Create the file
/etc/fail2ban/jail.local (or edit it if it exists, but I don't think it
exists by default) and add:

---
[apache-missing-local]
enabled = true
port = http,https
filter = apache-missing-local
logpath = /var/log/apache2/*access*.log
maxretry = 1000
findtime = 3600
bantime = 604800
ignoreip = 127.0.0.1
---

'port' is the list of ports to block when an address is put in the jail.
'logpath' is the list of logfiles to monitor for offending entries (in
this case, all log files in /var/log/apache2 with "access" in their
names). 'maxretry' is the number of times an address can break the rule
before getting jailed. 'findtime' is how long (in seconds, 3600 = 1
hour) the retries are remembered. And 'bantime' is how long (in seconds
again, 604800 = 1 week) the address should remain jailed before it is
released and allowed to access your service again. 'ignoreip' is a list
of IP addresses which should never be blocked.

After setting up these files, you can either restart fail2ban or run
`sudo fail2ban-client reload` to activate the new jail.

> I wish there was an easy tutorial for doing these things.

It would be nice, yes. I've figured out everything in this mail by
reading man pages and examining the existing config files. Good
tutorials would have made that a lot easier.

-- 
Dave Sherohman
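As an added illustration (not part of Dave's mail or of fail2ban itself), here is a small Python simulation of the jail described above: it applies the same failregex to constructed Apache access-log lines and bans a host once it has reached maxretry matching responses inside one findtime window, honouring ignoreip. The <HOST> expansion is a simplified stand-in for fail2ban's real one, and the log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Jail values from the jail.local block in the mail
MAXRETRY, FINDTIME, IGNOREIP = 1000, 3600, ('127.0.0.1',)

# fail2ban replaces <HOST> in a failregex with a host-capturing group; this
# simplified IPv4/IPv6 group is an assumption, not fail2ban's exact expansion.
HOST = r'(?P<host>[0-9a-fA-F.:]+)'
FAILREGEX = re.compile(
    HOST + r' [^ ]+ [^ ]+ \[(?P<ts>[^]]+)\] "[^"]+" 40[04] [0-9]+')

def parse_failure(line):
    """Return (host, timestamp) for a line matching the failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return m.group('host'), datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')

def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Simulate the jail: ban a host once it has maxretry failures within any
    findtime-second window. Returns {host: timestamp of the banning request}."""
    window = timedelta(seconds=findtime)
    recent, bans = {}, {}          # host -> failures still inside the window
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        host, ts = hit
        if host in ignoreip or host in bans:
            continue
        recent[host] = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            bans[host] = ts
    return bans

def make_line(host, ts, status):
    """Constructed Apache access-log line (sample data, not real traffic)."""
    stamp = ts.strftime('%d/%b/%Y:%H:%M:%S %z')
    return f'{host} - - [{stamp}] "GET /missing HTTP/1.1" {status} 209 "-" "curl/7.58"'

def sample_lines():
    base = datetime(2018, 8, 16, 14, 0, tzinfo=timezone.utc)
    lines = [make_line('203.0.113.7', base + timedelta(minutes=5 * i), 404) for i in range(4)]
    # 90 minutes between 404s: never maxretry hits inside one findtime window
    lines += [make_line('192.0.2.5', base + timedelta(minutes=90 * i), 404) for i in range(3)]
    lines.append(make_line('198.51.100.9', base, 200))        # 200s never match
    lines += [make_line('127.0.0.1', base + timedelta(minutes=i), 404) for i in range(4)]
    return lines
```

Running `find_bans(sample_lines(), maxretry=3)` bans only 203.0.113.7; with the mail's real maxretry of 1000 nothing in this tiny sample is banned.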