I nailed this.

I created a cron job that, every ten minutes or so, runs "journalctl -u 
bacula-dir > /opt/bacula/log/bacula-dir-journal.log" (since I opened 
bacula-dir's firewall port up to the public internet).

I then created a fail2ban jail that scanned for authentication failure patterns 
and banned (via temporary firewall rules) users who repeatedly failed to log in 
successfully.

root:/etc/fail2ban/jail.d# cat bacula.conf
[bacula]
enabled = true
port = 9101
filter = bacula
logpath = /opt/bacula/log/bacula-dir-journal.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports

root:/etc/fail2ban/filter.d# cat /etc/fail2ban/filter.d/bacula.conf

# Fail2Ban filter for Bacula Director
[Definition]
failregex = Hello from client:<HOST> is invalid
ignoreregex =

root:/etc/fail2ban/filter.d#

Best,

<Myles>

On 2023-12-04 12:22 p.m., MylesDearBusiness wrote:

> Hello,
>
> I just installed Bacula director on one of my cloud servers.
>
> I have set the firewall to allow traffic in/out of port 9101 to allow it to 
> be utilized to orchestrate remote backups as well.
>
> What I want to do is to identify the potential attack surface and create a 
> fail2ban jail configuration.
>
> Does anybody have an exemplar that I can work with?
>
> Also, is there a way to simulate a failed login attempt with a tool such as 
> netcat? I could possibly use PostMan and dig into the REST API spec, but I 
> was hoping the community would be able to shortcut this effort.
>
> What say you?
>
> Thanks,
>
> <Myles>
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
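
Added example, not part of the original message and not fail2ban's own code: a simplified Python model of how the [bacula] jail above applies maxretry, findtime and bantime to lines matching the posted failregex. The log lines, host name, PID, year and the IPv4-only stand-in for <HOST> are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values copied from the jail and filter in the post.
FAILREGEX = "Hello from client:<HOST> is invalid"
MAXRETRY, FINDTIME, BANTIME = 10, 3600, 900

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

def parse_ts(line, year=2023):
    # journalctl's default output starts "Dec 04 12:22:01" (no year).
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def simulate(lines):
    """Return [(ip, ban_start, ban_end)] for matching log lines."""
    recent = defaultdict(deque)  # ip -> failure times within findtime
    banned_until, bans = {}, []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        ip, ts = m.group("host"), parse_ts(line)
        if ts < banned_until.get(ip, datetime.min):
            continue  # ban still active, the firewall would drop this host
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > FINDTIME:
            q.popleft()  # slide the findtime window
        if len(q) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans

def sample_log():
    """Constructed lines (hypothetical host name and PID), not real output."""
    start = datetime(2023, 12, 4, 12, 0, 0)
    def line(ip, offset):
        t = start + timedelta(seconds=offset)
        return f"{t:%b %d %H:%M:%S} backup1 bacula-dir[812]: Hello from client:{ip} is invalid"
    fast = [line("203.0.113.5", 30 * i) for i in range(12)]    # 12 in 6 min
    slow = [line("198.51.100.7", 420 * i) for i in range(10)]  # 10 in 63 min
    noise = ["Dec 04 12:01:00 backup1 bacula-dir[812]: Start Backup JobId 1"]
    return fast + noise + slow

if __name__ == "__main__":
    for ip, start, end in simulate(sample_log()):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The second constructed address fails ten times over 63 minutes and is not banned, because no 3600-second window ever holds ten failures; that is the trade-off to weigh when tuning maxretry and findtime.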