jeena/home-assistant.github.io
1
0
Fork 0
Code Issues Pull requests Projects Packages Wiki Activity Actions
home-assistant.github.io/cookbook/fail2ban/index.html
Travis CI a6fbc15960 Site updated at 2017-10-21 23:33:52 UTC
2017-10-21 23:33:53 +00:00

228 lines
13 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!--> <html> <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>fail2ban - Home Assistant</title>
<meta name="author" content="Home Assistant">
<meta name="description" content="Setting up fail2ban to read Home Assistant's log files to improve security.">
<meta name="viewport" content="width=device-width">
<link rel="canonical" href="https://home-assistant.io/cookbook/fail2ban/">
<meta property="fb:app_id" content="338291289691179">
<meta property="og:title" content="fail2ban">
<meta property="og:site_name" content="Home Assistant">
<meta property="og:url" content="https://home-assistant.io/cookbook/fail2ban/">
<meta property="og:type" content="article">
<meta property="og:description" content="Setting up fail2ban to read Home Assistant's log files to improve security.">
<meta property="og:image" content="https://home-assistant.io/images/default-social.png">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@home_assistant">
<meta name="twitter:title" content="fail2ban">
<meta name="twitter:description" content="Setting up fail2ban to read Home Assistant's log files to improve security.">
<meta name="twitter:image" content="https://home-assistant.io/images/default-social.png">
<link href="/stylesheets/screen.css" media="screen, projection, print" rel="stylesheet">
<link href="/atom.xml" rel="alternate" title="Home Assistant" type="application/atom+xml">
<link rel='shortcut icon' href='/images/favicon.ico' />
<link rel='icon' type='image/png' href='/images/favicon-192x192.png' sizes='192x192' />
</head>
<body >
<header class='site-header'>
<div class="grid-wrapper">
<div class="grid">
<div class="grid__item three-tenths lap-two-sixths palm-one-whole ha-title">
<a href="/" class="site-title">
<img width='40' src='/demo/favicon-192x192.png'>
<span>Home Assistant</span>
</a>
</div>
<div class="grid__item seven-tenths lap-four-sixths palm-one-whole">
<nav>
<input type="checkbox" id="toggle">
<label for="toggle" class="toggle" data-open="Main Menu" data-close="Close Menu"></label>
<ul class="menu pull-right">
<li><a href="/getting-started/">Getting started</a></li>
<li><a href="/components/">Components</a></li>
<li><a href="/docs/">Docs</a></li>
<li><a href="/cookbook/">Examples</a></li>
<li><a href="/developers/">Developers</a></li>
<li><a href="/blog/">Blog</a></li>
<li><a href="/help/">Need help?</a></li>
<li><a href='#' class='show-search'><i class="icon-search"></i></a></li>
</ul>
</nav>
<div class='search-container' style='display: none'>
<div class='search'>
<i class="icon-search"></i>
<input id='search' placeholder='Search the docs…'>
<a href='#' class='close'><i class="icon-remove-sign"></i></a>
</div>
</div>
</div>
</div>
</div>
</header>
<div class="grid-wrapper">
<div class="grid grid-center">
<div class="grid__item two-thirds lap-one-whole palm-one-whole">
<article class="page">
<header>
<h1 class="title indent">
fail2ban
</h1>
</header>
<hr class="divider">
<p>This is a quick guide on how to setup fail2ban for Home Assistant. This was originally in the <a href="https://community.home-assistant.io/t/is-there-a-log-file-for-invalid-logins-blocking-hackers/2892">forum</a> but I created this here for people.</p>
<p>First install <code class="highlighter-rouge">fail2ban</code>. On Debian/Ubuntu this would be <code class="highlighter-rouge">apt-get install fail2ban</code>. On other distros you can google it.</p>
<p>Then make sure logging is enabled in your <code class="highlighter-rouge">configuration.yaml</code> file for your Home Assistant instance:</p>
<div class="language-yaml highlighter-rouge"><pre class="highlight"><code><span class="s">logger</span><span class="pi">:</span>
<span class="s">default</span><span class="pi">:</span> <span class="s">critical</span>
<span class="s">logs</span><span class="pi">:</span>
<span class="s">homeassistant.components.http.ban</span><span class="pi">:</span> <span class="s">warning</span>
</code></pre>
</div>
<p>Next we will be creating these three files :</p>
<ul>
<li><code class="highlighter-rouge">/etc/fail2ban/fail2ban.local</code></li>
<li><code class="highlighter-rouge">/etc/fail2ban/filter.d/hass.local</code></li>
<li><code class="highlighter-rouge">/etc/fail2ban/jail.local</code></li>
</ul>
<p>Contents of <code class="highlighter-rouge">/etc/fail2ban/fail2ban.local</code>:</p>
<div class="language-text highlighter-rouge"><pre class="highlight"><code>[Definition]
logtarget = SYSLOG
</code></pre>
</div>
<p>Contents of <code class="highlighter-rouge">/etc/fail2ban/filter.d/hass.local</code>:</p>
<div class="language-text highlighter-rouge"><pre class="highlight"><code>[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from &lt;HOST&gt;.*$
ignoreregex =
</code></pre>
</div>
<p>Contents of <code class="highlighter-rouge">/etc/fail2ban/jail.local</code> (Note that youll need to change the <code class="highlighter-rouge">logpath</code> to match your logfile which will be different from the path listed.):</p>
<div class="language-text highlighter-rouge"><pre class="highlight"><code>[hass-iptables]
enabled = true
filter = hass
action = iptables-allports[name=HASS]
logpath = /home/homeassistant/.homeassistant/home-assistant.log
maxretry = 5
</code></pre>
</div>
<p>Finally restart fail2ban : <code class="highlighter-rouge">sudo systemctl restart fail2ban</code></p>
<p>Check your log to make sure it read in your settings : <code class="highlighter-rouge">tail -100 /var/log/syslog|grep fail</code></p>
<p>If all is well you should see this from your syslog:</p>
<div class="language-bash highlighter-rouge"><pre class="highlight"><code>May 24 20:58:01 homeauto fail2ban.server[14997]: INFO Stopping all jails
May 24 20:58:02 homeauto fail2ban.jail[14997]: INFO Jail <span class="s1">'sshd'</span> stopped
May 24 20:58:02 homeauto fail2ban-client[15206]: Shutdown successful
May 24 20:58:02 homeauto fail2ban.server[14997]: INFO Exiting Fail2ban
May 24 20:58:02 homeauto fail2ban-client[15213]: 2017-05-24 20:58:02,342 fail2ban.server <span class="o">[</span>15215]: INFO Starting Fail2ban v0.9.6
May 24 20:58:02 homeauto fail2ban-client[15213]: 2017-05-24 20:58:02,343 fail2ban.server <span class="o">[</span>15215]: INFO Starting <span class="k">in </span>daemon mode
May 24 20:58:02 homeauto fail2ban.server[15217]: INFO Changed logging target to SYSLOG <span class="o">(</span>/dev/log<span class="o">)</span> <span class="k">for </span>Fail2ban v0.9.6
May 24 20:58:02 homeauto fail2ban.database[15217]: INFO Connected to fail2ban persistent database <span class="s1">'/var/lib/fail2ban/fail2ban.sqlite3'</span>
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Creating new jail <span class="s1">'sshd'</span>
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Jail <span class="s1">'sshd'</span> uses pyinotify <span class="o">{}</span>
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Initiated <span class="s1">'pyinotify'</span> backend
May 24 20:58:02 homeauto fail2ban.actions[15217]: INFO Set banTime <span class="o">=</span> 600
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Set findtime <span class="o">=</span> 600
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Set maxRetry <span class="o">=</span> 5
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Added logfile <span class="o">=</span> /var/log/auth.log
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Set jail log file encoding to UTF-8
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Set maxlines <span class="o">=</span> 10
May 24 20:58:02 homeauto fail2ban.server[15217]: INFO Jail sshd is not a JournalFilter instance
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Creating new jail <span class="s1">'hass-iptables'</span>
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Jail <span class="s1">'hass-iptables'</span> uses pyinotify <span class="o">{}</span>
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Initiated <span class="s1">'pyinotify'</span> backend
May 24 20:58:02 homeauto fail2ban.actions[15217]: INFO Set banTime <span class="o">=</span> 600
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Set findtime <span class="o">=</span> 600
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Set maxRetry <span class="o">=</span> 5
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Added logfile <span class="o">=</span> /opt/hass-prod-cfg/home-assistant.log
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Set jail log file encoding to UTF-8
May 24 20:58:02 homeauto fail2ban.filter[15217]: INFO Date pattern <span class="nb">set </span>to <span class="sb">`</span><span class="s1">'^%y-%m-%d %H:%M:%S'</span><span class="sb">`</span>: <span class="sb">`</span>^Year2-Month-Day 24hour:Minute:Second<span class="sb">`</span>
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Jail <span class="s1">'sshd'</span> started
May 24 20:58:02 homeauto fail2ban.jail[15217]: INFO Jail <span class="s1">'hass-iptables'</span> started
</code></pre>
</div>
<p>Thats it!</p>
<p>If you want to read more about fail2ban, some links are below:</p>
<ul>
<li><a href="http://www.fail2ban.org/wiki/index.php/FEATURE_Split_config">fail2ban Split config</a></li>
<li><a href="https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04">How To Protect SSH with Fail2Ban on Ubuntu 14.04</a></li>
</ul>
</article>
</div>
<aside id="sidebar" class="grid__item one-third lap-one-whole palm-one-whole">
<div class="grid">
<section class="aside-module grid__item one-whole lap-one-half">
<div class='edit-github'><a href='https://github.com/home-assistant/home-assistant.github.io/tree/current/source/_cookbook/fail2ban.markdown'>Edit this page on GitHub</a></div>
<div class='section'>
<a href='/cookbook'>Back to the cookbook</a>
</div>
<div class='section'>
<h1 class="title delta">Infrastructure</h1>
<ul class='divided'>
<li>
<a href='/cookbook/owntracks_two_mqtt_broker/'>OwnTracks with two MQTT brokers</a>
</li>
<li>
fail2ban
</li>
</ul>
</div>
</section>
</div>
</aside>
</div>
</div>
<footer>
<div class="grid-wrapper">
<div class="grid">
<div class="grid__item">
<div class="copyright">
<a rel="me" href='https://twitter.com/home_assistant'><i class="icon-twitter"></i></a>
<a rel="me" href='https://facebook.com/homeassistantio'><i class="icon-facebook"></i></a>
<a rel="me" href='https://plus.google.com/110560654828510104551'><i class="icon-google-plus"></i></a>
<a rel="me" href='https://github.com/home-assistant/home-assistant'><i class="icon-github"></i></a>
<div class="credit">
Contact us at <a href='mailto:hello@home-assistant.io'>hello@home-assistant.io</a> (no support!).<br>
Website powered by <a href='http://jekyllrb.com/'>Jekyll</a> and the <a href='https://github.com/coogie/oscailte'>Oscalite theme</a>.<br />
Hosted by <a href='https://pages.github.com/'>GitHub</a> and served by <a href='https://cloudflare.com'>CloudFlare</a>.
</div>
<a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png" /></a><br /><span xmlns:dct="http://purl.org/dc/terms/" property="dct:title">home-assistant.io</span> is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/4.0/">Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License</a>.
</div>
</div>
</div>
</div>
</footer>
<script>
var _gaq=[['_setAccount','UA-57927901-1'],['_trackPageview']];
(function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];
g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
s.parentNode.insertBefore(g,s)}(document,'script'));
</script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/docsearch.js/2/docsearch.min.css" />
<script type="text/javascript" src="https://cdn.jsdelivr.net/docsearch.js/2/docsearch.min.js"></script>
<script type="text/javascript">
docsearch({
apiKey: 'ae96d94b201c5444c8a443093edf3efb',
indexName: 'home-assistant',
inputSelector: '#search',
debug: false // Set debug to true if you want to inspect the dropdown
});
document.querySelector('.search .close').addEventListener('click', function(ev) {
ev.preventDefault();
document.querySelector('.search-container').style.display = 'none';
});
document.querySelector('.show-search').addEventListener('click', function(ev) {
ev.preventDefault();
document.querySelector('.search-container').style.display = 'block';
document.getElementById('toggle').checked = false;
document.querySelector('.search-container input').focus();
});
</script>
</body>
</html>
Reference in a new issue View git blame Copy permalink