ban the brute-force attack ssh ip by fail2ban in frp client

[MikoyChinese]

Hi,

This is a tutorial about how to ban the ip whom try to brute force attack your frp client by fail2ban. update config from #2470.

requirements:

1. fail2ban
2. go-mmproxy

note: If you dont want to build the go-mmproxy, you can try this go-mmproxy.zip version. And for fail2ban, you can found the installation in their github project.

Here are the step:
As for me: All files will save in /home/ubuntu/frp/

1.create a frpc config file :

In this step, you can add proxy_protocol_version to turn on Proxy Protocol, and prepare a local port which using in go-mmproxy, not your real forward port.
For example, I want to proxy my ssh 22 port with frp with proxy protocol, you need a other port such as 12222, so:

frpc.toml

serverAddr = "<your frp server>"
serverPort = <frp server port>
user = "<your user name>"

log.to= "<log file path>"
log.level = "debug"
log.maxDays = 2

auth.method = "token"
auth.token = "<token>"

[[proxies]]
name = "ssh-go-mmproxy"
type = "tcp"
localIP = "127.0.0.1"
localPort = 12222
remotePort = 12345
transport.proxyProtocolVersion = "v2"

2. Set up for go-mmproxy:

You can build it from go-mmproxy github main page or download the x86_64 binary which I build on my Ubuntu 20.04 with go version go1.16.5 linux/amd64 from the following url: go-mmproxy.zip, and move it to somepath where you want. For me, I move it to /home/ubuntu/frp/.

3. Create go-mmproxy service file

You need to create a go-mmproxy.service in /home/ubuntu/frp/. The go-mmproxy will listen 12222 and forward to 22 which is the ssh port.

go-mmproxy.service

[Unit]
Description=go-mmproxy
After=network.target

[Service]
Type=simple
LimitNOFILE=65535
ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
ExecStart=/home/ubuntu/frp/go-mmproxy -4 127.0.0.1:22 -l 127.0.0.1:12222
ExecStopPost=/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 123
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target

4. Create frpc service file

frpc.service

[Unit]
Description=Frp Client Service
Requires=go-mmproxy.service
After=network.target syslog.target go-mmproxy.service
Wants=network.target

[Service]
Type=simple
Restart=always
RestartSec=5s
ExecStart=/home/ubuntu/frp/frpc -c /home/ubuntu/frp/frpc.toml
ExecStop=/bin/kill $MAINPID
RestartSec=1min
KillMode=control-group

[Install]
WantedBy=multi-user.target

If you have done, you can find in your directory, eg: /home/ubuntu/frp/:

1. frpc.toml
2. go-mmproxy
3. go-mmproxy.service
4. frpc.service

The link the services file to /etc/systemd/system/ and enable it.

sudo ln -s /home/ubuntu/frp/go-mmproxy.service /etc/systemd/system/go-mmproxy.service
sudo ln -s /home/ubuntu/frp/frpc.service /etc/systemd/system/frpc.service

sudo systemctl enable go-mmproxy.service
sudo systemctl enable frpc.service

sudo service start frpc.service

Add fail2ban

If your OS is Ubuntu, you can install it by sudo apt install fail2ban

Here is the config(you can find the config file in /etc/fail2ban/):

create a jail.local file in /etc/fail2ban

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 5
findtime = 600
bantime.increment = true
bantime.factor = 2
bantime = 300
bantime.overalljails = true
bantime.rndtime = 300

The you can find the remote ip in /var/log/auth.log and /var/log/fail2ban.log.

[MikoyChinese]

If you want to improve the security of your FRP server, you can use nft-blackhole to block specific countries. If your SSH service only accepts connections from your home country's IP addresses, give it a try—you'll notice how clean your host becomes.

[wuai1024]

Thank you very much

[wuai1024]

我看 go-mmproxy 没有编译，顺便编译了一个docker版本。

services:
  go-mmproxy-ssh:
    image: wuai1024/go-mmproxy
    container_name: go-mmproxy-ssh
    network_mode: host
    privileged: true
    restart: unless-stopped
    command: -4 127.0.0.1:22-l 127.0.0.1:12222

我是在群辉里面使用的，群辉没有 System 管理，就使用 Docker 也是可以。

现在效果很好：

[wuai1024]

测试出来了一个小问题。

环境： frps 部署在服务器A上，然后 frpc 和 go-mmproxy 部署在服务器B上。
访问： 其他机器访问服务器A上 frps 监听的端口，穿透到服务器B上可以正常获取到 客户端源公网ip，如上图显示。

但是有个特殊情况，不知道是不是环境的问题导致。

就是当我在服务器A中的内网访问这个地址，就会显示内网ip。