How to set up fail2ban to protect the SSH and 40100/40101 ports on Vircadia-Server under RockyLinux

Objective:
Block brute-force attacks on port 22 (SSH service) and on ports 40100/40101 (the http/https administrative interface) of Vircadia-Server

This how-to assumes you already have Vircadia-Server-2022.1.1-Selene and Fail2Ban-0.11.2 installed and running on RockyLinux-8.4 (other versions not tested).

Links : Prerequisites Installations

Once all prerequisites are installed and running, open a terminal on the server and log in as root

Step 1 : Set the jail
The jail settings are done in the file /etc/fail2ban/jail.local
Do not modify the main file /etc/fail2ban/jail.conf: it can be overwritten by package updates, and anything set in jail.local overrides it

  • Edit or create the file jail.local
nano /etc/fail2ban/jail.local
  • Add the following content inside the file
# File /etc/fail2ban/jail.local

[DEFAULT]
# Don't ban the local machine or a known admin machine: replace with your own IP(s)
ignoreip = 192.168.1.250, 127.0.0.1

# Ban hosts for 2 minutes (= 120 seconds):
bantime = 120

# Read the systemd journal (the output of journalctl) instead of log files
# (https://unix.stackexchange.com/questions/268357/how-to-configure-fail2ban-with-systemd-journal)
backend = systemd

# The server uses firewalld instead of iptables: leave banaction commented out,
# so the value set in /etc/fail2ban/jail.d/00-firewalld.conf (installed by the
# fail2ban-firewalld package) stays in effect. Uncomment it only on a host that
# bans with iptables directly.
# banaction = iptables-multiport


# Block connections on the default ssh port
[sshd]
# enable the jail
enabled = true
# port(s) the service listens on (service names from /etc/services are accepted)
port = ssh
# Condition to ban: 5 failed attempts within 5 minutes
findtime = 300
maxretry = 5

# Block http/https connections to the Vircadia web admin interface on ports 40100/40101
# Needs the filter vircadia.domain_server.auth.conf in /etc/fail2ban/filter.d (created at step 2)
[vircadia.domain_server.auth]
# enable the jail
enabled = true
# ports the service listens on
port = 40100,40101
# filter to use (created at step 2)
filter = vircadia.domain_server.auth
# Read the systemd journal (already set in [DEFAULT], repeated here for clarity)
backend = systemd
# With backend = systemd the logpath is not used: the entries are selected by the
# journalmatch in the filter. It only matters if you switch to a file backend.
# The directory name below is this machine's machine-id: replace it with your own.
logpath = /var/log/journal/aa667cd1cffd42b8b04bfc648ebaf794/system.journal
# Alternative log file for a file backend
#logpath = /var/log/messages
# Condition to ban: 6 failed attempts within 4 minutes
findtime = 240
maxretry = 6

  • Save the file: CTRL+O, then exit nano: CTRL+X

Step 2 : Set the filter
Each jail needs a filter file to work. The filters are stored in the folder /etc/fail2ban/filter.d/

The filter /etc/fail2ban/filter.d/sshd.conf already exists and does not need to be modified to work with the [sshd] jail set at step 1

  • The filter for the [vircadia.domain_server.auth] jail has to be created:
nano /etc/fail2ban/filter.d/vircadia.domain_server.auth.conf
  • Add the following content inside the file
# File /etc/fail2ban/filter.d/vircadia.domain_server.auth.conf

### Example of a journal line (French locale timestamp prefix) that fail2ban must watch:
# sept. 01 20:11:46 localhost.localdomain domain-server[1032]: [09/01 20:11:46] [WARNING] [vircadia.domain_server.auth] "192.168.1.100" - Basic auth failed for "0" - "GET"   QUrl("/")
#### Here the IP 192.168.1.100 must be banned after 6 failed attempts in 4 minutes, as defined in jail.local



[INCLUDES]

# common.conf provides the shared prefix patterns (__prefix_line, ...). The failregex
# below does not use them, so this include is optional; keeping it is harmless.
before = common.conf


[Definition]

# Regular expression applied to each entry. fail2ban replaces <HOST> with its
# IP/hostname pattern and the captured value is the address to ban. The pattern is
# not anchored, so the process prefix and the "[09/01 20:11:46]" stamp that
# domain-server prints before the level are simply skipped.
failregex = WARNING.*"<HOST>".*Basic auth failed
ignoreregex = 

# Default date patterns, anchored at the beginning of the line
# https://manpages.debian.org/testing/fail2ban/jail.conf.5.en.html#datepattern
# With backend = systemd the event time is taken from the journal entry itself, so
# this setting (and the alternatives below) only matters with a file backend.
datepattern = {^LN-BEG}

# Alternative datepatterns written to catch the specific timestamps in the log line
# https://docs.python.org/3/library/datetime.html#strftime-and-strptime-format-codes
#	^%%b. %%d %%H:%%M:%%S
#	%%m/%%d %%H:%%M:%%S

# Restrict the journal query before the regex is applied. The "+" is journalctl's OR:
# entries from the domain-server unit, or from any process named domain-server
# (same form as the stock sshd.conf filter)
journalmatch =  _SYSTEMD_UNIT=vircadia-domain-server@default.service + _COMM=domain-server
  • Save the file: CTRL+O, then exit nano: CTRL+X

Step 3 : Restart Fail2Ban
The service needs to be restarted to read the previous modifications

systemctl restart fail2ban.service

Consider these to be the minimal parameters for a test server.
More precise filters and stricter rules (a longer bantime, for instance) are recommended for servers in production.
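To see what the jail of step 1 and the filter of step 2 actually decide before the restart, here is an added Python example; it is not part of this how-to, of fail2ban or of Vircadia. It re-implements the failregex, the findtime/maxretry window and the ignoreip check in plain Python and runs them over constructed journal lines in the shape quoted at step 2. The year 2022, an IPv4-only stand-in for fail2ban's <HOST> pattern, the "[MM/DD HH:MM:SS]" stamp used as the event time and the final noise line are all assumptions of the example.

```python
"""Added example (not part of the how-to, of fail2ban or of Vircadia):
replays the step 2 failregex and the step 1 findtime/maxretry/ignoreip rules
over constructed journal lines, so the jail's decisions can be checked offline."""
import ipaddress
import re
from datetime import datetime

# Jail parameters from the [vircadia.domain_server.auth] section of jail.local
FINDTIME = 240   # seconds
MAXRETRY = 6
BANTIME = 120    # seconds
IGNOREIP = ["192.168.1.250", "127.0.0.1"]

# fail2ban substitutes <HOST> with its own IPv4/IPv6/hostname pattern; an
# IPv4-only stand-in is used here (assumption, to keep the example short).
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
# failregex from filter.d/vircadia.domain_server.auth.conf with <HOST> expanded
FAILREGEX = re.compile(r'WARNING.*"' + HOST + r'".*Basic auth failed')

# With backend = systemd fail2ban takes the time from the journal entry itself.
# Plain text has no such field, so the example reads domain-server's own
# "[MM/DD HH:MM:SS]" stamp and assumes the year 2022 (assumption).
STAMP = re.compile(r'\[(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2})\]')


def parse_line(line):
    """Return (timestamp, host) for a failed Basic-auth line, else None."""
    m = FAILREGEX.search(line)
    s = STAMP.search(line)
    if m is None or s is None:
        return None
    mon, day, hh, mm, ss = (int(x) for x in s.groups())
    return datetime(2022, mon, day, hh, mm, ss), m.group("host")


def is_ignored(host):
    """ignoreip semantics: single addresses or CIDR networks are never banned."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def simulate(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay lines through the jail. Returns {host: time_of_ban} for every
    host that reaches maxretry failures inside a findtime window."""
    recent = {}   # host -> failure timestamps still inside the window
    bans = {}     # host -> timestamp of the ban
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not a failed-auth line
        ts, host = parsed
        if is_ignored(host):
            continue                      # admin machine / localhost
        if host in bans and (ts - bans[host]).total_seconds() < bantime:
            continue                      # already banned: the firewall drops it
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts
            recent[host] = []             # the counter restarts after the ban
    return bans


def journal_line(day, hh, mm, ss, host, method="GET", path="/"):
    """Constructed sample line in the shape quoted at step 2 (not a real capture)."""
    return (f"sept. {day:02d} {hh:02d}:{mm:02d}:{ss:02d} localhost.localdomain domain-server[1032]: "
            f"[09/{day:02d} {hh:02d}:{mm:02d}:{ss:02d}] [WARNING] [vircadia.domain_server.auth] "
            f'"{host}" - Basic auth failed for "0" - "{method}"   QUrl("{path}")')


# Constructed sample journal: three sources of failed logins plus one noise line.
SAMPLE_LINES = (
    # 10.0.0.7: six failures one minute apart -> never six within 240 s, no ban
    [journal_line(1, 20, i, 0, "10.0.0.7") for i in range(6)]
    # 192.168.1.100: six failures inside 2 min 14 s -> the sixth one trips the jail
    + [journal_line(1, 20, 11, 46, "192.168.1.100")]
    + [journal_line(1, 20, 12 + i // 2, 30 * (i % 2), "192.168.1.100") for i in range(5)]
    # 192.168.1.250: listed in ignoreip, so even eight fast failures are skipped
    + [journal_line(1, 20, 20, i, "192.168.1.250") for i in range(8)]
    # constructed noise line: quotes an IP but is not an auth failure, must not match
    + ['sept. 01 20:21:00 localhost.localdomain domain-server[1032]: [09/01 20:21:00] [INFO] '
       '[vircadia.domain_server] "10.0.0.9" - connected']
)


def run_demo():
    """Bans the jail would issue for SAMPLE_LINES with the how-to's parameters."""
    return simulate(SAMPLE_LINES)


if __name__ == "__main__":
    for host, when in run_demo().items():
        print(f"ban {host} at {when:%H:%M:%S} for {BANTIME}s")
```

On the real server the equivalent check is fail2ban-regex --journalmatch='_SYSTEMD_UNIT=vircadia-domain-server@default.service + _COMM=domain-server' systemd-journal /etc/fail2ban/filter.d/vircadia.domain_server.auth.conf, which reports how many journal entries the failregex matched; after the restart, fail2ban-client status vircadia.domain_server.auth lists the jail's currently banned addresses.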


Great information here! This will come in handy!