Difference between revisions of "OS4X Fail2Ban integration"
(Created page with "Since OS4X 2026-05-06, OS4X offers a capability to write a logfile compatible to [https://github.com/fail2ban/fail2ban Fail2Ban]. This system helps you to prevent attacks from...") |
|||
| Line 36: | Line 36: | ||
action = %(action_mwl)s | action = %(action_mwl)s | ||
</pre> | </pre> | ||
| − | Change the TCP port 6619 to your [[OS4X_Core_configuration#TCP.2FIP_port_of_OFTP_server_.28TLS.29|configured TLS listener port]] if necessary. | + | Keep an eye on the following parameters: |
| + | *<code>port</code>: Change the TCP port 6619 to your [[OS4X_Core_configuration#TCP.2FIP_port_of_OFTP_server_.28TLS.29|configured TLS listener port]] if necessary. | ||
| + | *<code>logpath</code>: This must be the same path as configured in OS4X. | ||
| + | |||
| + | In this default configuration, after three unsuccessful connections within ten minutes ("<code>findtime = 600</code>") the IP is being blocked on the given port for one hour ("<code>bantime = 3600</code>"). | ||
== Restart Fail2Ban service == | == Restart Fail2Ban service == | ||
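Review bot: the new summary sentence quotes findtime = 600 and bantime = 3600 but leaves "three unsuccessful connections" without the setting behind it. Naming maxretry = 3 in the same quoted style would show a reader who tunes the jail which value moves the threshold. It would also help to say that only lines matched by the filter count toward it.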
Revision as of 10:58, 6 May 2026
Since OS4X 2026-05-06, OS4X can write a logfile compatible with Fail2Ban. This helps you block attacks from external hosts.
Installation
On Debian-based systems, Fail2Ban is easy to install:
apt update && apt -y install fail2ban
Configuration
Several configuration files and options must be set up for a working Fail2Ban environment.
OS4X Configuration
In Configuration -> Logging, define a path in "Absolute path to Fail2ban logfile". This file must be writable by the user the OS4X daemon runs as.
Fail2Ban filter
Create the following file:
/etc/fail2ban/filter.d/os4x.conf
with the following content:
[Definition]
failregex = TLS error .+ during connect try from <HOST>: .*
ignoreregex =
Fail2Ban jail
Create the following file:
/etc/fail2ban/jail.d/os4x.conf
with the following content:
[os4x]
enabled = true
port = 6619
filter = os4x
logpath = /opt/os4x/tmp/fail2ban.log
maxretry = 3
findtime = 600
bantime = 3600
action = %(action_mwl)s
Keep an eye on the following parameters:
port: Change the TCP port 6619 to your configured TLS listener port if necessary.
logpath: This must be the same path as configured in OS4X.
In this default configuration, after three unsuccessful connections ("maxretry = 3") within ten minutes ("findtime = 600") the IP address is blocked on the given port for one hour ("bantime = 3600").
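The counting rule described above, replayed offline as an added Python example (not part of the OS4X documentation and not Fail2Ban's own code): it applies the failregex together with maxretry, findtime and bantime to a few constructed log lines and reports which addresses would be banned. The timestamp prefix, the error texts and the IPv4-only stand-in for <HOST> are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values copied from the filter and jail above.
FAILREGEX = r"TLS error .+ during connect try from <HOST>: .*"
MAXRETRY, FINDTIME, BANTIME = 3, 600, 3600
# Assumption: IPv4-only stand-in for Fail2Ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed lines; timestamp prefix and error texts are assumptions.
SAMPLE_LOG = """\
2026-05-06 10:00:00 TLS error 'no shared cipher' during connect try from 203.0.113.7: handshake aborted
2026-05-06 10:00:30 TLS error 'unknown ca' during connect try from 198.51.100.20: handshake aborted
2026-05-06 10:02:00 TLS error 'no shared cipher' during connect try from 203.0.113.7: handshake aborted
2026-05-06 10:03:00 Session established with 192.0.2.9
2026-05-06 10:05:00 TLS error 'no shared cipher' during connect try from 203.0.113.7: handshake aborted
2026-05-06 10:06:00 TLS error 'unknown ca' during connect try from 198.51.100.20: handshake aborted
2026-05-06 10:11:00 TLS error 'unknown ca' during connect try from 198.51.100.20: handshake aborted
"""

def parse(line):
    """Return (epoch_seconds, host) for a matching failure line, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return (ts - datetime(1970, 1, 1)).total_seconds(), m.group("host")

def bans(lines):
    """Replay lines in order; return {host: (ban_start, ban_end)}."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue  # not a TLS connect failure: never counted
        ts, host = hit
        if host in banned and ts < banned[host][1]:
            continue  # still blocked
        window = recent[host]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()  # failures older than findtime expire
        if len(window) >= MAXRETRY:
            banned[host] = (ts, ts + BANTIME)
            window.clear()
    return banned

if __name__ == "__main__":
    for host, (start, end) in bans(SAMPLE_LOG.splitlines()).items():
        print(host, "banned for", int(end - start), "seconds")
```

Against the real logfile, Fail2Ban's own fail2ban-regex tool checks the same filter: fail2ban-regex /opt/os4x/tmp/fail2ban.log /etc/fail2ban/filter.d/os4x.conf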
Restart Fail2Ban service
systemctl reload fail2ban