Fail2ban to protect player logins

Post Reply
User avatar
lag01
Member
Posts: 321
Joined: Sun Mar 16, 2014 03:41
GitHub: AndrejIT
IRC: lag01
In-game: lag
Contact:

Fail2ban to protect player logins

by lag01 » Post

I use fail2ban script to prevent players from guessing each-other passwords.

(Ubuntu 20.04 - /etc/fail2ban/filter.d/minetest.conf)

minetest.conf

Code: Select all

# Fail2Ban configuration file
#
# Author: Andrey Petrov
#
# 0.0.1
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^: ACTION\[Server\]: Server: User \w+ at <HOST> supplied wrong password \(auth mechanism: SRP\)\.$
            ^: ACTION\[Server\]: Server: Player with the name "\w+" tried to connect from <HOST> but it was disallowed for the following reason: $
(Second failregex is optional)

(Ubuntu 20.04 - /etc/fail2ban/jail.local)

jail.local

Code: Select all

[minetest]
enabled = true
port = 30000
protocol = udp
filter = minetest
logpath = /home/minetestuser/.minetest/debug.txt
findtime = 6000
bantime = 30000
maxretry = 12
Ubuntu default Minetest log path is /var/log/minetest/minetest.log, but i usually compile and install from source so it is in user folder. Need debug_log_level = action in minetest.conf.

ronoaldo
Member
Posts: 177
Joined: Mon Dec 07, 2020 01:04
GitHub: ronoaldo
IRC: ronoaldo
In-game: RonoaldoKakashi
Location: São Paulo, Brasil
Contact:

Re: Fail2ban to protect player logins

by ronoaldo » Post

I liked that one!!! Thanks for sharing!
Servers: Mercurio | Tools: ContentDB CLI | Mods: minenews

User avatar
Komodo
Member
Posts: 163
Joined: Tue Jan 11, 2022 13:33
GitHub: MeseCraft
In-game: Komodo
Location: God Bless America
Contact:

Re: Fail2ban to protect player logins

by Komodo » Post

Summary
Fail2ban is a service that monitors logs and manages bans to network services. You can use it with minetest to prevent bruteforcing, Denail of service attacks, and just prevent bad actors from interacting with server authentication.

Requirements
  • fail2ban installed and enabled
  • Minetest installed and running
  • Knowing where the logs for Minetest are stored: by default /var/log/minetest/minetest.log for servers but they can be elsewhere if you compile from source and specify them elsewhere.
To Install:

Code: Select all

sudo apt-get update && sudo apt-get install fail2ban
Enable fail2ban service at system startup

Code: Select all

sudo systemctl enable fail2ban
Step one: create the jail
You need to create a jail for Fail2ban. If you're on Ubuntu and use nano as editor, run:

Code: Select all

sudo nano /etc/fail2ban/jail.d/minetest.conf
Add the text:

Code: Select all

[minetest]
enabled = true
port = 30000
protocol = udp
filter = minetest
logpath = /var/log/minetest/minetest.log*
logencoding = utf-8
findtime = 43200
bantime = 86400
maxretry = 10

Step 2: Create the filter

sudo nano /etc/fail2ban/filter.d/minetest.conf

Code: Select all

# Fail2Ban configuration file for Minetest
[Definition]
failregex = ^: ACTION\[Server\]: Server: User \w+ at <HOST> supplied wrong password \(auth mechanism: SRP\)\.$
            ^: ACTION\[Server\]: Server: Player with the name "\w+" tried to connect from <HOST> but it was disallowed for the following reason: $
Save and exit nano.

Then restart fail2ban

Code: Select all

sudo systemctl restart fail2ban
To test (requires at least one failed authentication failure in the logs):

Code: Select all

fail2ban-regex /var/log/minetest/minetest.log /etc/fail2ban/filter.d/minetest.conf --print-all-matched
Will return a summary after scanning lines.
Fail2ban logs can be seen at /var/log/fail2ban.log or a status can be seen with

Code: Select all

sudo service fail2ban status
Last edited by Komodo on Wed Apr 05, 2023 16:56, edited 1 time in total.
🌎 Website | 🌲 MeseCraft Game | 📰 News | 🖌️ ContentDB

User avatar
Blockhead
Member
Posts: 1622
Joined: Wed Jul 17, 2019 10:14
GitHub: Montandalar
IRC: Blockhead256
In-game: Blockhead Blockhead256
Location: Land Down Under
Contact:

Re: Fail2ban to protect player logins

by Blockhead » Post

This is a good security measure to have on any Minetest server, to prevent users from trying to brute force password attempts. Be sure to assess whether the settings are appropriate for your server, but I think the ban time and maximum number of retries are sensible from the above two posts. "Nobody" (okay, maybe a few people) is getting their password wrong 10 times in a row.

Installing this will protect you against people who want to try to get into admin/moderator/other privileged accounts, and people who are also potentially ban evaders (account-ban rather than IP-ban).

The jail given also provides a single port & protocol for banning. It won't ban people from e.g. visiting a web server that might be running on the same host as your Minetest server.
/˳˳_˳˳]_[˳˳_˳˳]_[˳˳_˳˳\ Advtrains enthusiast | My map: Noah's Railyard | My Content on ContentDB ✝️♂

User avatar
Komodo
Member
Posts: 163
Joined: Tue Jan 11, 2022 13:33
GitHub: MeseCraft
In-game: Komodo
Location: God Bless America
Contact:

Re: Fail2ban to protect player logins

by Komodo » Post

update: added logencoding=utf-8 to jail.conf configuration to enable .gz log files being properly read.
🌎 Website | 🌲 MeseCraft Game | 📰 News | 🖌️ ContentDB

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: Fail2ban to protect player logins

by bosapara » Post

lag01 wrote:
Fri Sep 10, 2021 07:35
I use fail2ban script to prevent players from guessing each-other passwords.
Lag1, thank you for sharing.
Currently we can use other, more simple method: minetest.register_on_authplayer + minetest.register_on_prejoinplayer
An example 3 login fails - block player's name and IP within next 10 mins.

User avatar
Blockhead
Member
Posts: 1622
Joined: Wed Jul 17, 2019 10:14
GitHub: Montandalar
IRC: Blockhead256
In-game: Blockhead Blockhead256
Location: Land Down Under
Contact:

Re: Fail2ban to protect player logins

by Blockhead » Post

bosapara wrote:
Sat Apr 08, 2023 05:39
Lag1, thank you for sharing.
Currently we can use other, more simple method: minetest.register_on_authplayer + minetest.register_on_prejoinplayer
An example 3 login fails - block player's name and IP within next 10 mins.
That's not simpler, but it is within Minetest, which can make it easier to deploy. Do you have source code or are you just making a suggestion?
/˳˳_˳˳]_[˳˳_˳˳]_[˳˳_˳˳\ Advtrains enthusiast | My map: Noah's Railyard | My Content on ContentDB ✝️♂

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: Fail2ban to protect player logins

by bosapara » Post

Blockhead wrote:
Sat Apr 08, 2023 11:49
That's not simpler, but it is within Minetest, which can make it easier to deploy. Do you have source code or are you just making a suggestion?
Works very simple. Here you can test already finished version, don't forget to setup it correctly.

https://github.com/Emojigit/ban_hacker/

User avatar
Komodo
Member
Posts: 163
Joined: Tue Jan 11, 2022 13:33
GitHub: MeseCraft
In-game: Komodo
Location: God Bless America
Contact:

Re: Fail2ban to protect player logins

by Komodo » Post

It's worth mentioning that fail2ban is useful for handling bans for SSH and other administrative protocols and applications. So if you have a online server, it's recommended to run something to stop brute forcing and DoS anyways. The application level software you've shared is something I'll check out later and follow up with. It may be worth incorporating too.
🌎 Website | 🌲 MeseCraft Game | 📰 News | 🖌️ ContentDB

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests