From 6fb234f85e6dc3db602e0ce0691b71fbc7109c33 Mon Sep 17 00:00:00 2001
From: Yves Rutschle
Date: Sun, 30 Mar 2014 18:51:21 +0200
Subject: [PATCH] added fail2ban configuration examples
---
 ChangeLog | 3 +++
 README.md | 12 ++++++++++++
 scripts/fail2ban/jail.conf | 9 +++++++++
 scripts/fail2ban/sslh-ssh.conf | 25 +++++++++++++++++++++++++
 4 files changed, 49 insertions(+)
 create mode 100644 scripts/fail2ban/jail.conf
 create mode 100644 scripts/fail2ban/sslh-ssh.conf
diff --git a/ChangeLog b/ChangeLog
index ca597bf..35cc2e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@ vNEXT:
 privilege escalation). (Lars Vogdt)
+ Example configuration for fail2ban.
+ (Every Mouw)
+
 v1.16: 11FEB2014
 Probes made more resilient, to incoming data
 containing NULLs. Also made them behave properly
diff --git a/README.md b/README.md
index daef2e6..a731820 100644
--- a/README.md
+++ b/README.md
@@ -250,6 +250,18 @@ This will not work:
 sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443
+Fail2ban
+--------
+
+If using transparent proxying, just use the standard ssh
+rules. If you can't or don't want to use transparent
+proxying, you can set `fail2ban` rules to block repeated ssh
+connections from a same IP address (obviously this depends
+on the site, there might be legimite reasons you would get
+many connections to ssh from the same IP address...)
+
+See example files in scripts/fail2ban.
+
 Comments? Questions?
 ====================
diff --git a/scripts/fail2ban/jail.conf b/scripts/fail2ban/jail.conf
new file mode 100644
index 0000000..a90afcf
--- /dev/null
+++ b/scripts/fail2ban/jail.conf
@@ -0,0 +1,9 @@
+# Add the following to your fail2ban jail.conf
+# In Debian you'd append it to /etc/fail2ban/jail.local
+
+[sslh-ssh]
+enabled = true
+filter = sslh-ssh
+action = iptables-multiport[name=sslh,port="443"]
+logpath = /var/log/messages
+maxretry = 5
diff --git a/scripts/fail2ban/sslh-ssh.conf b/scripts/fail2ban/sslh-ssh.conf
new file mode 100644
index 0000000..65da48a
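Review bot: `action = iptables-multiport[name=sslh,port="443"]` bans the offending address on sslh's listening port, so a client that trips this jail also loses every other protocol sslh multiplexes on 443 (the README context in this same patch shows `--ssl 127.0.0.1:4443` behind it), which deserves a comment above the line such as `# port must match sslh's --listen port; the ban covers every protocol demuxed there, not only ssh`. `logpath = /var/log/messages` assumes syslog routes sslh's "connection from" lines there; on Debian, which the header comment names, they may well end up in a different file depending on the facility sslh logs to and the local syslog rules, so a comment like `# adjust to wherever syslog writes sslh's connection lines` would avoid a jail that silently never matches. Since the companion filter counts every forwarded ssh connection rather than authentication failures, `maxretry = 5` with the inherited `findtime` can ban a legitimate user who opens a few sessions in a row; spelling out a deliberate `findtime`/`bantime` here, or a note that they need tuning, would help.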
--- /dev/null
+++ b/scripts/fail2ban/sslh-ssh.conf
@@ -0,0 +1,25 @@
+# Add the following to you fail2ban configuration file
+# In Debian it'd go in /etc/fail2ban/filter.d/sslh-ssh.conf
+
+
+# Fail2Ban filter for sslh demultiplexed ssh
+#
+# Doesn't (and cannot) detect auth errors,
+# but many connection attempts from the same
+# origin is reason enough to block.
+#
+# Verion: 2014-03-28
+
+[INCLUDES]
+
+# no includes
+
+[Definition]
+
+failregex = ^.+ sslh\[.+\]: connection from :.+ to .+ forwarded
+from .+ to .+:ssh\s*$
+
+ignoreregex =
+
+# Author: Evert Mouw
+
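Review bot: The failregex as rendered has no `<HOST>` capture — `connection from :.+` reads as though an angle-bracketed tag was dropped, possibly the same way the `From:` line above lost its address — and fail2ban rejects a failregex with no host group because it would have nothing to ban; please confirm the committed line is `failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded`. The second line of the pattern, `from .+ to .+:ssh\s*$`, must be indented under the key to be treated as a continuation by the configparser-style reader fail2ban uses; as shown it is flush left, which would parse as a separate option, so confirm the indentation survived. The header comments also carry two typos worth fixing before merge: `to you fail2ban` → `to your fail2ban` and `Verion` → `Version`.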