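# Forum chrome ("Code: Select all") was fused onto both commands; as pasted,
# the first would try to enable a unit named "rsyslogCode:".
# Enable rsyslog at boot and start it now.
sudo systemctl enable --now rsyslog
# Drop-in for the UDP receiver; its contents follow below.
sudo vi /etc/rsyslog.d/10-receiver.conf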
# /etc/rsyslog.d/10-receiver.conf - accept syslog over UDP into one dedicated file
# (messages forwarded from pfSense; that file is what fail2ban reads later).
# Load UDP input
module(load="imudp")
# A ruleset just for messages received via this UDP listener
ruleset(name="rs-from-udp") {
# Every message that enters this ruleset is appended to this file.
# No template= is given, so omfile's default line format applies; rotation
# of this file is not configured in this snippet.
action(type="omfile" file="/var/log/remote.log")
# This ruleset is used only for the UDP input below.
# Local system logs continue to use the default distro config.
}
# Assign the UDP input to the ruleset above
# NOTE(review): no address= is given, so imudp binds on all interfaces, and
# syslog over UDP is unauthenticated: any host that can reach 514/udp can
# append lines to remote.log, and the fail2ban filters act on that file.
# Mitigation: add address="<IP of the interface pfSense reaches>" here, allow
# 514/udp only from the pfSense address in the host firewall, or switch to
# TCP (imtcp, optionally TLS) if the sender supports it.
input(type="imudp" port="514" ruleset="rs-from-udp")
# Validate the configuration (rsyslogd -N = config check, level 1) before
# restarting, so a typo in the drop-in does not take the service down.
sudo rsyslogd -N1
sudo systemctl restart rsyslog
# Confirm it came back up (look for "active (running)" and no config errors).
sudo systemctl status rsyslog
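# Forum chrome ("Code: Select all") was fused onto the path; the file is jail.local.
# Site overrides for fail2ban (jail.conf itself is left untouched); contents follow.
sudo vi /etc/fail2ban/jail.local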
# /etc/fail2ban/jail.local - site overrides for fail2ban
# All jails below read /var/log/remote.log (the file rsyslog fills with syslog
# received over UDP from pfSense) and hand hits to the ipthreat action.
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
# ipthreat.net integration (reporting plus local firewall action)
# NOTE(review): "action" below consists of this action alone, so the packaged
# banaction (iptables/nftables) is not run by any jail. If action.d/ipthreat.conf
# is a report-only action (as abuseipdb.conf is), nothing is blocked locally;
# confirm in that file and add jail.conf's %(action_)s to the action line if a
# local ban is wanted.
action_ipthreat = ipthreat
# Replaces the default action for every jail that does not set its own.
action = %(action_ipthreat)s[]
# "bantime" is the amount of time that a host is banned, integer in seconds or
# time abbreviation format (m - minutes, h - hours, d - days, w - weeks, mo - months, y - years).
# This is to consider as an initial time if bantime.increment gets enabled.
bantime = 7d
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds. Can use time abbreviation format (m - minutes, h - hours, d - days, w - weeks, mo - months, y - years).
findtime = 7d
# NOTE(review): ignoreip is not set here, so only what jail.conf/ignoreself
# already exempts applies. Since remote.log can be written by anyone able to
# send UDP syslog to this host, list your own and management networks, e.g.
# ignoreip = 127.0.0.1/8 ::1 <LAN_CIDR>, so a spoofed or mistaken line cannot
# get them reported.
[sshd]
# Packaged sshd filter applied to the remote file, i.e. presumably pfSense's
# own sshd lines; this host's auth log/journal is not read by this jail.
enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = /var/log/remote.log
# backend is forced to a file backend and journalmatch cleared, presumably so
# the systemd backend selected via paths-debian.conf is not used - verify.
backend = auto
journalmatch =
# Deliberately strict: two hits within findtime (7d) is enough.
maxretry = 2
[sshguard-attack]
# sshguard "Attack from ..." lines relayed from pfSense
# (filter.d/sshguard-attack.conf, which only matches service SSH).
enabled = true
filter = sshguard-attack
logpath = /var/log/remote.log
backend = auto
maxretry = 2
# Override the 'system' field to be 'sshd'
# (the matched lines report attacks on SSH, not on a "sshguard" service).
action = %(action_ipthreat)s[ipthreat_system="sshd"]
[sshguard-block]
# sshguard "Blocking ..." lines relayed from pfSense (filter.d/sshguard-block.conf).
# One such line is already a firm decision on the pfSense side, hence maxretry = 1.
enabled = true
filter = sshguard-block
logpath = /var/log/remote.log
backend = auto
maxretry = 1
# Override the 'system' field to be 'sshd'
# (the block filter does not check which service was attacked - assumes SSH.)
action = %(action_ipthreat)s[ipthreat_system="sshd"]
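# Forum chrome ("Code: Select all") was fused onto the path; the file is sshguard-attack.conf.
# New filter for sshguard "Attack from ..." lines; contents follow.
sudo vi /etc/fail2ban/filter.d/sshguard-attack.conf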
# Fail2Ban filter for sshguard attacks from pfSense
#
# Monitors sshguard attack detections only
#
# Expected message after the syslog prefix (constructed example):
#   Attack from "203.0.113.5" on service SSH with danger 10.
# Attacks sshguard reports on other services are intentionally not matched.
# The lines come in over unauthenticated UDP syslog; the regex is anchored at
# both ends to keep the match strict, but the sender itself cannot be verified
# at this layer.
#
[INCLUDES]
before = common.conf
[Definition]
# Syslog tag common.conf's __prefix_line expects (e.g. "sshguard[1234]:").
_daemon = sshguard
# Option: failregex
# Notes.: regex to match sshguard attack messages only
#         <HOST> is fail2ban's address placeholder; the "danger" score is
#         matched but not used.
# Values: TEXT
failregex = ^Attack\s+from\s+"<HOST>"\s+on\s+service\s+SSH\s+with\s+danger\s+\d+\.\s*$
# Option: prefregex
# Notes.: Regex to match the log line prefix.
#         Same shape as the packaged sshd.conf; <F-MLFID> is only meaningful
#         for multi-line matching (maxlines), so it should be inert here.
# Values: TEXT
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>\s*<F-CONTENT>.+</F-CONTENT>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
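# Forum chrome ("Code: Select all") was fused onto the path; the file is sshguard-block.conf.
# New filter for sshguard "Blocking ..." lines; contents follow.
sudo vi /etc/fail2ban/filter.d/sshguard-block.conf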
# Fail2Ban filter for sshguard blocks from pfSense
#
# Monitors sshguard blocking decisions only
#
# Expected message after the syslog prefix (constructed example):
#   Blocking "203.0.113.5/32" for 120 secs (3 attacks in 50 secs, after 1 abuses over 50 secs.)
# The address carries a prefix length, which the regex consumes with /\d+ so
# that <HOST> captures only the address. Which service was attacked is not
# part of this line and is not checked.
#
[INCLUDES]
before = common.conf
[Definition]
# Syslog tag common.conf's __prefix_line expects (e.g. "sshguard[1234]:").
_daemon = sshguard
# Option: failregex
# Notes.: regex to match sshguard blocking messages only
#         The trailing .*$ tolerates whatever sshguard prints after "secs".
# Values: TEXT
failregex = ^Blocking\s+"<HOST>/\d+"\s+for\s+\d+\s+secs.*$
# Option: prefregex
# Notes.: Regex to match the log line prefix.
#         Same shape as the packaged sshd.conf; <F-MLFID> is only meaningful
#         for multi-line matching (maxlines), so it should be inert here.
# Values: TEXT
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>\s*<F-CONTENT>.+</F-CONTENT>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
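# Forum chrome ("Code: Select all") was fused onto the path, and the extension
# was cut to ".con": fail2ban only loads action.d/<name>.conf (plus a
# <name>.local override), and jail.local references the action as "ipthreat".
# Editing a file named ipthreat.con would be silently ignored.
sudo vi /etc/fail2ban/action.d/ipthreat.conf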
# [Init] section of action.d/ipthreat.conf; the remaining sections of the
# packaged action file are not shown here.
[Init]
# Option: ipthreat_apikey
# Notes.: Your API key from ipthreat.net
# Values: STRING Default: None
# Register for ipthreat [https://ipthreat.net], get api key and set below.
# You will need to set the flags and system in the action call in jail.conf
# NOTE(review): this is a plaintext credential. Keep the file root-owned and
# not world-readable (e.g. mode 0600), and prefer placing this [Init] override
# in action.d/ipthreat.local so the packaged .conf stays untouched on upgrades.
ipthreat_apikey = YOUR_ACTUAL_API_KEY_HERE
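# Forum chrome ("Code: Select all") was fused onto the restart command; as
# pasted it would try to restart a unit named "fail2banCode:".
# Apply the jail, filter and action changes.
sudo systemctl restart fail2ban
# Confirm the receiver file is actually being written by rsyslog.
tail -n 50 /var/log/remote.log
# Per-jail status: filter hits and currently banned addresses.
sudo fail2ban-client status sshd
sudo fail2ban-client status sshguard-attack
sudo fail2ban-client status sshguard-block
# All banned addresses across jails.
sudo fail2ban-client banned
# Optional: dry-run a filter against the file to check the regexes match
# the real pfSense line format before relying on them, e.g.
#   fail2ban-regex /var/log/remote.log /etc/fail2ban/filter.d/sshguard-attack.conf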