From 7f925aa93a50d4f34ed1c98c2029ab76eef22f4a Mon Sep 17 00:00:00 2001 From: partridge420x Date: Thu, 21 Jul 2022 18:52:51 -0400 Subject: [PATCH 1/3] Setup fail2ban to cover wings.md Hmm yes security tutorial Recently did it for myself and wanted to share it with the community as any layer of security is a good thing to have. Found the filter online linked here: https://github.com/Chewbaka69/fail2ban_pterodactyl --- community/Wings Fail2ban Setup.md | 66 +++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 community/Wings Fail2ban Setup.md diff --git a/community/Wings Fail2ban Setup.md b/community/Wings Fail2ban Setup.md new file mode 100644 index 000000000..3772e7696 --- /dev/null +++ b/community/Wings Fail2ban Setup.md 
@@ -0,0 +1,66 @@ +# Fail2ban wings configuration + +Fail2ban is a program that works with iptables to better secure your server and services from brute force login attempts + +### Step 1: if you havent already Using your preferred package manager +(to my best knowledge, iptables will come with fail2ban when you install it, but if not install that too) + +`apt-get install fail2ban` + +### Step 2: After you install Fail2Ban Copy some files, If you already have local files, skip these steps +#### We have to copy .conf to .local files, as .conf may be wiped with updates. Local files will persist + +`cd /etc/fail2ban` +`cp fail2ban.conf fail2ban.local` +`cp jail.conf jail.local` + +### Step 3 Copy some text into the new local files using your favorite text editor, here we're going to be using nano + +`nano /etc/fail2ban/jail.local` + +scroll down until you see the actual jail portion of the file, input this text below the [SSHD] block, save it and exit + + [wings] + enabled = true + port = 2022 + logpath = /var/log/pterodactyl/wings.log + maxretry = 4 + findtime = 3600 + bantime = -1 + backend = systemd + + +### Step 4: Create the filter file and copy some more text + + `cd /etc/fail2ban/conf.d/` + `touch wings.conf` + `nano wings.conf` + +Copy this text into the newly created file, Save then exit + + # Fail2Ban filter for wings (Pterodactyl daemon) + # + # + # + # "WARN: [Sep 8 18:51:00.414] failed to validate user credentials (invalid format) ip=:51782 subsystem=sftp username=logout" + # + + [INCLUDES] + + before = common.conf + + [Definition] + + _daemon = wings + + failregex = failed to validate user credentials \([^\)]+\) ip=:.* subsystem=sftp username=.*$ + + ignoreregex = + + [Init] + + datepattern = \[%%b %%d %%H:%%M:%%S.%%f\] + +### Step 5 enable the Fail2ban service to boot on startup and your done :D + +`systemctl enable fail2ban` From 6849c8bd34eb70b469642de99072e56ef760de4c Mon Sep 17 00:00:00 2001 
From: Chronic-Reflexes Date: Fri, 22 Jul 2022 17:46:34 -0400 Subject: [PATCH 2/3] Update Wings Fail2ban Setup.md --- community/Wings Fail2ban Setup.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/community/Wings Fail2ban Setup.md b/community/Wings Fail2ban Setup.md index 3772e7696..a65e1adf4 100644 --- a/community/Wings Fail2ban Setup.md +++ b/community/Wings Fail2ban Setup.md @@ -2,7 +2,7 @@ Fail2ban is a program that works with iptables to better secure your server and services from brute force login attempts -### Step 1: if you havent already Using your preferred package manager +### Step 1: if you havent already Using your preferred package manager instal Fail2Ban (to my best knowledge, iptables will come with fail2ban when you install it, but if not install that too) `apt-get install fail2ban` @@ -64,3 +64,17 @@ Copy this text into the newly created file, Save then exit ### Step 5 enable the Fail2ban service to boot on startup and your done :D `systemctl enable fail2ban` + + +Notes: +The rules applied to wings are fairly strict so if you feel like you need to adjust them, the settings are as follows +Max retry is the number of failed attempts someone can do within the time defined in "findtime" before they are banned + +example: maxretry = 4 with findtime = 3600 with bantime = -1 +this will allow 4 failed login attempts within 3600 seconds (1 hour) before permanently banning someone + + + + + + From 7a3a81b7ebfd391135d5a3c18bc016a2566a72dd Mon Sep 17 00:00:00 2001 From: Chronic-Reflexes Date: Fri, 22 Jul 2022 18:01:53 -0400 Subject: [PATCH 3/3] Update Wings Fail2ban Setup.md --- community/Wings Fail2ban Setup.md | 71 +++++++++++++++++-------------- 1 file changed, 38 insertions(+), 33 deletions(-) diff --git a/community/Wings Fail2ban Setup.md b/community/Wings Fail2ban Setup.md index a65e1adf4..785fbb1b5 100644 --- a/community/Wings Fail2ban Setup.md +++ b/community/Wings Fail2ban Setup.md 
@@ -2,33 +2,33 @@ Fail2ban is a program that works with iptables to better secure your server and services from brute force login attempts -### Step 1: if you havent already Using your preferred package manager instal Fail2Ban +### Step 1: instal Fail2Ban (to my best knowledge, iptables will come with fail2ban when you install it, but if not install that too) `apt-get install fail2ban` -### Step 2: After you install Fail2Ban Copy some files, If you already have local files, skip these steps -#### We have to copy .conf to .local files, as .conf may be wiped with updates. Local files will persist +### Step 2: Copy some files, If you already have local files skip this +#### We have to copy .conf to .local files, as Local files will persist through updates `cd /etc/fail2ban` `cp fail2ban.conf fail2ban.local` `cp jail.conf jail.local` -### Step 3 Copy some text into the new local files using your favorite text editor, here we're going to be using nano +### Step 3 Copy some text into the new local files `nano /etc/fail2ban/jail.local` scroll down until you see the actual jail portion of the file, input this text below the [SSHD] block, save it and exit - - [wings] - enabled = true - port = 2022 - logpath = /var/log/pterodactyl/wings.log - maxretry = 4 - findtime = 3600 - bantime = -1 - backend = systemd - +``` +[wings] +enabled = true +port = 2022 +logpath = /var/log/pterodactyl/wings.log +maxretry = 4 +findtime = 3600 +bantime = -1 +backend = systemd +``` ### Step 4: Create the filter file and copy some more text 
@@ -37,41 +37,46 @@ scroll down until you see the actual jail portion of the file, input this text b `nano wings.conf` Copy this text into the newly created file, Save then exit +``` +# Fail2Ban filter for wings (Pterodactyl daemon) +# +# +# +# "WARN: [Sep 8 18:51:00.414] failed to validate user credentials (invalid format) ip=:51782 subsystem=sftp username=logout" +# - # Fail2Ban filter for wings (Pterodactyl daemon) - # - # - # - # "WARN: [Sep 8 18:51:00.414] failed to validate user credentials (invalid format) ip=:51782 subsystem=sftp username=logout" - # - - [INCLUDES] - - before = common.conf - - [Definition] +[INCLUDES] + +before = common.conf - _daemon = wings +[Definition] - failregex = failed to validate user credentials \([^\)]+\) ip=:.* subsystem=sftp username=.*$ +_daemon = wings - ignoreregex = +failregex = failed to validate user credentials \([^\)]+\) ip=:.* subsystem=sftp username=.*$ - [Init] +ignoreregex = - datepattern = \[%%b %%d %%H:%%M:%%S.%%f\] +[Init] + +datepattern = \[%%b %%d %%H:%%M:%%S.%%f\] +``` -### Step 5 enable the Fail2ban service to boot on startup and your done :D +### Step 5: Enable Fail2ban service `systemctl enable fail2ban` -Notes: +#### Notes: The rules applied to wings are fairly strict so if you feel like you need to adjust them, the settings are as follows Max retry is the number of failed attempts someone can do within the time defined in "findtime" before they are banned example: maxretry = 4 with findtime = 3600 with bantime = -1 + this will allow 4 failed login attempts within 3600 seconds (1 hour) before permanently banning someone +There are different time modifiers you can use, Most people will be using dd (day) mm (month) yy (year) +I do suggest you read up on fail2ban docs, you can get highly customised protection from custom configuration +https://manpages.debian.org/testing/fail2ban/jail.conf.5.en.html#TIME_ABBREVIATION_FORMAT
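Review bot: In [PATCH 1/3] (hunk `@@ -0,0 +1,66 @@`), Step 4 creates the filter with `cd /etc/fail2ban/conf.d/`, but fail2ban loads filters from `/etc/fail2ban/filter.d/`. The `[wings]` jail has no `filter =` line, so it looks for a filter named after the jail, i.e. `filter.d/wings.conf`, and will not find a file placed in `conf.d`. Suggest changing the step to `cd /etc/fail2ban/filter.d/`. In the same hunk, Step 5 only runs `systemctl enable fail2ban`, which arranges start at boot but does not load the new jail now; `systemctl enable --now fail2ban` (or an explicit restart) followed by `fail2ban-client status wings` would let the reader confirm the jail is actually active.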
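Review bot: In [PATCH 2/3], first hunk (`@@ -2,7 +2,7 @@`), the new Step 1 heading misspells "install" as "instal" and is still a run-on ("if you havent already Using your preferred package manager instal Fail2Ban"). Suggest a short heading such as "Step 1: Install Fail2ban" and moving the package-manager remark into the body text, since the command shown is apt-specific.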
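Review bot: In [PATCH 2/3], second hunk (`@@ -64,3 +64,17 @@`), the added notes explain that `bantime = -1` bans permanently after 4 failures in an hour but give no recovery path for a legitimate user or admin who gets locked out. Suggest documenting `ignoreip` for trusted addresses and the unban command `fail2ban-client set wings unbanip <ip>`, or recommending a finite `bantime` as the default. The hunk also appends six empty lines at the end of the file, which should be dropped.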
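Review bot: In [PATCH 3/3], first hunk (`@@ -2,33 +2,33 @@`), the `[wings]` block keeps `backend = systemd` next to `logpath = /var/log/pterodactyl/wings.log`. With the systemd backend fail2ban reads the journal and does not use `logpath`, so the jail would not watch the wings log file the guide points it at. Suggest removing the `backend` line (or setting `backend = auto`) so the file is monitored. Two smaller points in the same hunk: Step 2 copies the whole of `jail.conf` to `jail.local`, where a small `jail.d/wings.local` holding only this block would survive updates equally well without freezing the distribution defaults; and the text refers to the `[SSHD]` block while the stock section name is `[sshd]`.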
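Review bot: In [PATCH 3/3], second hunk (`@@ -37,41 +37,46 @@`), the `failregex` contains no `<HOST>` tag (`ip=:.* subsystem=sftp username=.*$`), so fail2ban has no address to extract and ban. The sample log line in the comment also reads `ip=:51782` with the address missing, which suggests the tag and the IP were stripped when the filter was copied. Suggest `ip=<HOST>:\d+ subsystem=sftp username=.*$` and checking it with `fail2ban-regex /var/log/pterodactyl/wings.log /etc/fail2ban/filter.d/wings.conf` before enabling the jail. Also in this hunk, the added note says "mm (month)"; in the linked TIME ABBREVIATION FORMAT section `mm` is minutes and months are written `mo` or `mon`, so a reader following the note would set a much shorter ban than intended.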