Difference between revisions of "OS4X Fail2Ban integration"

From OS4X
Line 18: Line 18:
 
[Definition]
 
[Definition]
 
failregex =  
 
failregex =  
     ^TLS error .+ during connect try from <HOST>: .*
+
     ^TLS error .+ during connect try from <HOST>: .*$
     ^TLS error .+ during connect try from <HOST> (.+): .*
+
     ^TLS error .+ during connect try from <HOST> (.+): .*$
 
ignoreregex =
 
ignoreregex =
 
</pre>
 
</pre>
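Review bot: the trailing `$` added to both failregex lines is redundant, because the preceding `.*` already consumes the rest of the line and Fail2Ban matches one log line at a time; the change only makes the end-of-line intent explicit and is harmless. If the second pattern is meant to match a literal parenthesised name after the host, escaping the parentheses as `<HOST> \((.+)\): .*$` would be the stricter form, since the unescaped `(.+)` is a regex group that accepts any text between the host and the last `: `.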

Revision as of 11:11, 6 May 2026

Since OS4X 2026-05-06, OS4X can write a log file in a format that Fail2Ban understands. Fail2Ban reads this file and blocks external hosts that repeatedly fail to connect.

Installation

On Debian-based systems, installing Fail2Ban is straightforward:

apt update && apt -y install fail2ban

Configuration

Several configuration files and options must be set up for a working Fail2Ban environment.

OS4X Configuration

In 'Configuration' -> 'Logging', set 'Absolute path to Fail2ban logfile' to the path where OS4X should write the Fail2Ban log. This file must be writable by the user the OS4X daemon runs as.

Fail2Ban filter

Create the following file:

/etc/fail2ban/filter.d/os4x.conf

with the following content:

[Definition]
failregex = 
    ^TLS error .+ during connect try from <HOST>: .*$
    ^TLS error .+ during connect try from <HOST> (.+): .*$
ignoreregex =

Fail2Ban jail

Create the following file:

/etc/fail2ban/jail.d/os4x.conf

with the following content:

[os4x]
enabled = true
port = 6619
filter = os4x
logpath = /opt/os4x/tmp/fail2ban.log
maxretry = 3
findtime = 600
bantime = 3600
action = %(action_mwl)s

Keep an eye on the following parameters:

  • port: Change the TCP port 6619 to your configured TLS listener port if necessary.
  • logpath: This must be the same path as configured in OS4X.

In this default configuration, after three unsuccessful connections ("maxretry = 3") within ten minutes ("findtime = 600") the offending IP is blocked on the given port for one hour ("bantime = 3600").
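To check the filter before deploying it, the following added Python script (not part of OS4X or Fail2Ban) runs both failregex patterns from the filter above over constructed sample log lines and reports which hosts would reach maxretry. It substitutes a stand-in for Fail2Ban's <HOST> expansion, which is an assumption; use fail2ban-regex for the authoritative test.

```python
import re

# Patterns copied from /etc/fail2ban/filter.d/os4x.conf as shown on this page.
FAILREGEX = [
    r"^TLS error .+ during connect try from <HOST>: .*$",
    r"^TLS error .+ during connect try from <HOST> (.+): .*$",
]

# Stand-in for Fail2Ban's <HOST> expansion (assumption: approximates the
# built-in host pattern; run `fail2ban-regex` for the authoritative check).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def match_host(line: str):
    """Return the host a line is attributed to, or None if no failregex matches."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, maxretry=3):
    """Count matching lines per host and return those at or above maxretry.

    findtime is ignored here: every line is treated as falling in one window.
    """
    counts = {}
    for line in lines:
        host = match_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return {h: n for h, n in counts.items() if n >= maxretry}


# Constructed sample lines modelled on the OS4X log line on this page (not real output).
SAMPLE_LOG = [
    "TLS error 167772359 during connect try from 10.10.14.7: peer did not return a certificate.",
    "TLS error 167772359 during connect try from 10.10.14.7: peer did not return a certificate.",
    "TLS error 167772359 during connect try from 10.10.14.7 (partner.example): peer did not return a certificate.",
    "TLS error 167772359 during connect try from 192.0.2.9: peer did not return a certificate.",
    "Connection from 10.10.14.7 established",  # unrelated line, must not match
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_host(line), "<-", line[:60])
    print("would be banned:", count_failures(SAMPLE_LOG))
```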

Reload Fail2Ban service

systemctl reload fail2ban

Test

With the TLS server configured to check the TLS client certificate, connect from an external host to your TLS listener port without a TLS client certificate:

openssl s_client -connect 192.168.40.24:6619 -tls1_2

(with "tls1_2" for TLS 1.2; adapt this to another version if required).

The configured Fail2Ban log file should state something like this:

TLS error 167772359 during connect try from 10.10.14.7: peer did not return a certificate. Your communication partner must configure a TLS client certificate (or you may lower your security settings globally by disabling 'Configuration' -> 'TLS' -> 'TLS server: check client certificate validity'). If your partner is Seeburger, he must enable the checkbox '2-way authentication' in the partner settings, tab 'Connection'.

Repeat this three times within ten minutes; subsequent connection attempts must then fail with a "connection refused" error on the client side.