« Fail2ban ubuntu » : différence entre les versions
De Banane Atomic
Aller à la navigationAller à la recherche
(→Test) |
|||
(7 versions intermédiaires par le même utilisateur non affichées) | |||
Ligne 1 : | Ligne 1 : | ||
[[Category:Ubuntu]] | [[Category:Ubuntu]] | ||
= Liens = | = Liens = | ||
* [https://doc.ubuntu-fr.org/fail2ban Ubuntu-fr] | * [https://doc.ubuntu-fr.org/fail2ban Ubuntu-fr] | ||
* [https://github.com/fail2ban/fail2ban github] | * [https://github.com/fail2ban/fail2ban github] | ||
* [https://www.fail2ban.org/wiki/index.php/Main_Page wiki] | * [https://www.fail2ban.org/wiki/index.php/Main_Page wiki] | ||
= [https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server Principe] = | |||
Fail2ban analyse les logs et bannit les IPs. | |||
= [https://www.fail2ban.org/wiki/index.php/Commands Commandes] = | = [https://www.fail2ban.org/wiki/index.php/Commands Commandes] = | ||
Ligne 34 : | Ligne 34 : | ||
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1 | ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1 | ||
# durée du bannissement | # durée du bannissement | ||
bantime = 30d | bantime = 30d # default in seconds 60, 1m, 1h, 1d, 1w | ||
bantime = -1 ban forever | bantime = -1 # ban forever | ||
# increment ban time, first time x1, second time x5 | |||
bantime.increment = true | |||
bantime.multipliers = 1 5 30 60 300 720 1440 2880 | |||
bantime.overalljails = true | |||
# conditions: bannissement si 2 erreurs en 10 minutes | # conditions: bannissement si 2 erreurs en 10 minutes | ||
maxretry = 2 | maxretry = 2 | ||
Ligne 59 : | Ligne 63 : | ||
[postfix] | [postfix] | ||
enabled = true | enabled = true | ||
mode = aggressive | |||
[ | [dovecot] | ||
enabled = true | enabled = true | ||
[ | [myaction] | ||
enabled = true | enabled = true | ||
banaction = iptables-ipset-proto6-allports | |||
</filebox> | </filebox> | ||
Ligne 74 : | Ligne 80 : | ||
# afficher le log de fail2ban | # afficher le log de fail2ban | ||
sudo tail -f /var/log/fail2ban.log | sudo tail -f /var/log/fail2ban.log | ||
# test bantime format | |||
fail2ban-client --str2sec 1y2w1d12h | |||
</kode> | </kode> | ||
Ligne 105 : | Ligne 114 : | ||
sender = fail2ban@domain.fr | sender = fail2ban@domain.fr | ||
mta = sendmail | mta = sendmail | ||
</filebox> | |||
= NGINX = | |||
<filebox fn='/etc/fail2ban/jail.d/enabled.local' lang='ini'> | |||
[nginx-400] | |||
enabled = true | |||
logpath = /var/log/nginx/access.log | |||
bantime = -1 | |||
maxretry = 1 | |||
[nginx-404] | |||
enabled = true | |||
logpath = /var/log/nginx/access.log | |||
bantime = -1 | |||
maxretry = 1 | |||
</filebox> | |||
<filebox fn='/etc/fail2ban/filter.d/nginx-400.conf' lang='ini'> | |||
[Definition] | |||
failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$ | |||
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-" | |||
ignoreregex = | |||
</filebox> | |||
<filebox fn='/etc/fail2ban/filter.d/nginx-404.conf' lang='ini'> | |||
[Definition] | |||
failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 | |||
ignoreregex = | |||
</filebox> | </filebox> | ||
Ligne 136 : | Ligne 177 : | ||
{{warn | [https://github.com/fail2ban/fail2ban/issues/2378 Apache 404 errors are no longer in Apache 2.4.x error_log]}} | {{warn | [https://github.com/fail2ban/fail2ban/issues/2378 Apache 404 errors are no longer in Apache 2.4.x error_log]}} | ||
= Errors = | |||
== invalid literal for int() with base 10 == | |||
<filebox fn='/etc/fail2ban/jail.local' lang='bash'> | |||
bantime.multipliers = 1 5 30 60 300 720 1440 2880 # DO NOT PUT COMMENT AT THE END OF THE LINE | |||
</filebox> | |||
= Installation = | = Installation = |
Dernière version du 22 novembre 2023 à 00:50
Liens
Principe
Fail2ban analyse les logs et bannit les IPs.
Commandes
# list of active jails sudo fail2ban-client status # list of banned IPs for a jail sudo fail2ban-client status [jail-name] # unban ip x.x.x.x of the apache-auth filter sudo fail2ban-client set [jail-name] unbanip x.x.x.x # use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth) # reload the config files sudo fail2ban-client reload # reload a specific jail config sudo fail2ban-client reload <JAIL> |
Configuration
Ne pas modifier les fichiers /etc/fail2ban/fail2ban.conf et /etc/fail2ban/jail.conf Utiliser les fichiers fail2ban.local jail.local fail2ban.d/*.conf jail.d/*.conf pour surcharger la configuration. |
/etc/fail2ban/jail.d/default.conf |
[DEFAULT] # ip à ne pas bannir ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1 # durée du bannissement bantime = 30d # default in seconds 60, 1m, 1h, 1d, 1w bantime = -1 # ban forever # increment ban time, first time x1, second time x5 bantime.increment = true bantime.multipliers = 1 5 30 60 300 720 1440 2880 bantime.overalljails = true # conditions: bannissement si 2 erreurs en 10 minutes maxretry = 2 # maxretry = 1 ban at the first match findtime = 10m # do not send email on start/stop [Definition] actionstart = actionstop = |
/etc/fail2ban/jail.d/enabled.conf |
[nginx-http-auth] enabled = true [nginx-limit-req] enabled = true [nginx-botsearch] enabled = true [postfix] enabled = true mode = aggressive [dovecot] enabled = true [myaction] enabled = true banaction = iptables-ipset-proto6-allports |
Test
# lister les jails actives sudo fail2ban-client status # afficher le log de fail2ban sudo tail -f /var/log/fail2ban.log # test bantime format fail2ban-client --str2sec 1y2w1d12h |
Filtres
/etc/fail2ban/filter.d/*.conf
# tester un filtre avec un fichier de log sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf # --print-all-matched # --print-all-missed |
Actions
Action | Description |
---|---|
action_ | ban ip |
action_mw | ban ip and send an email |
action_mwl | ban ip and send an email with the log lines |
/etc/fail2ban/jail.d/default.conf |
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf) action = %(action_mwl)s # email configuration destemail = admin@domain.fr sender = fail2ban@domain.fr mta = sendmail |
NGINX
/etc/fail2ban/jail.d/enabled.local |
[nginx-400] enabled = true logpath = /var/log/nginx/access.log bantime = -1 maxretry = 1 [nginx-404] enabled = true logpath = /var/log/nginx/access.log bantime = -1 maxretry = 1 |
/etc/fail2ban/filter.d/nginx-400.conf |
[Definition] failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$ # x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-" ignoreregex = |
/etc/fail2ban/filter.d/nginx-404.conf |
[Definition] failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 ignoreregex = |
Apache
Filtre | Description |
---|---|
auth | client denied by server configuration |
badbots | |
botsearch | |
common | common config used by the other filters |
fakegooglebot | |
modsecurity | |
nohome | |
noscript | Got error 'Primary script unknown' |
overflows | |
pass | |
shellshock |
Apache 404 errors are no longer in Apache 2.4.x error_log |
Errors
invalid literal for int() with base 10
/etc/fail2ban/jail.local |
bantime.multipliers = 1 5 30 60 300 720 1440 2880 # DO NOT PUT COMMENT AT THE END OF THE LINE |
Installation
apt install fail2ban systemctl status fail2ban |