« Fail2ban ubuntu » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
 
(13 versions intermédiaires par le même utilisateur non affichées)
Ligne 1 : Ligne 1 :
[[Category:Ubuntu]]
[[Category:Ubuntu]]
= Principe =
Fail2ban analyse les logs et bannit les IPs qui ont essayées de se connecter sans succès.
= Liens =
= Liens =
* [https://doc.ubuntu-fr.org/fail2ban Ubuntu-fr]
* [https://doc.ubuntu-fr.org/fail2ban Ubuntu-fr]
* [https://github.com/fail2ban/fail2ban github]
* [https://github.com/fail2ban/fail2ban github]
* [https://www.fail2ban.org/wiki/index.php/Main_Page wiki]
* [https://www.fail2ban.org/wiki/index.php/Main_Page wiki]
= [https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server Principe] =
Fail2ban analyse les logs et bannit les IPs.
= [https://www.fail2ban.org/wiki/index.php/Commands Commandes] =
<kode lang='bash'>
# list of active jails
sudo fail2ban-client status
# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]
# unban ip x.x.x.x of the apache-auth filter
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)
# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>
</kode>


= Configuration =
= Configuration =
Ligne 16 : Ligne 34 :
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
# durée du bannissement
bantime = 30d
bantime = 30d # default in seconds 60, 1m, 1h, 1d, 1w
# conditions: bannissement si 2 erreurs d'authentification en 10 minutes
bantime = -1  # ban forever
# increment ban time, first time x1, second time x5
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true
# conditions: bannissement si 2 erreurs en 10 minutes
maxretry = 2
maxretry = 2
# maxretry = 1 ban at the first match
findtime = 10m
findtime = 10m


Ligne 39 : Ligne 63 :
[postfix]
[postfix]
enabled = true
enabled = true
mode = aggressive


[postfix-rbl]
[dovecot]
enabled = true
enabled = true


[dovecot]
[myaction]
enabled = true
enabled = true
banaction = iptables-ipset-proto6-allports
</filebox>
</filebox>


Ligne 54 : Ligne 80 :
# afficher le log de fail2ban
# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log
sudo tail -f /var/log/fail2ban.log
# test bantime format
fail2ban-client --str2sec 1y2w1d12h
</kode>
</kode>


Ligne 87 : Ligne 116 :
</filebox>
</filebox>


= [https://www.fail2ban.org/wiki/index.php/Commands Commandes] =
= NGINX =
<kode lang='bash'>
<filebox fn='/etc/fail2ban/jail.d/enabled.local' lang='ini'>
# list of active jails
[nginx-400]
sudo fail2ban-client status
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
 
[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
</filebox>
 
<filebox fn='/etc/fail2ban/filter.d/nginx-400.conf' lang='ini'>
[Definition]
 
failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
 
ignoreregex =
</filebox>


# list of banned IPs for a jail
<filebox fn='/etc/fail2ban/filter.d/nginx-404.conf' lang='ini'>
sudo fail2ban-client status [jail-name]
[Definition]


# unban ip x.x.x.x of the apache-auth filter
failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404
fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)


# reload the config files
ignoreregex =
fail2ban-client reload
</filebox>
# reload a specific jail config
fail2ban-client reload <JAIL>
</kode>


= Apache =
= Apache =
Ligne 135 : Ligne 178 :
{{warn | [https://github.com/fail2ban/fail2ban/issues/2378 Apache 404 errors are no longer in Apache 2.4.x error_log]}}
{{warn | [https://github.com/fail2ban/fail2ban/issues/2378 Apache 404 errors are no longer in Apache 2.4.x error_log]}}


= Postfix =
= Errors =
<kode lang='bash'>
== invalid literal for int() with base 10 ==
sudo fail2ban-client status postfix-sasl
<filebox fn='/etc/fail2ban/jail.local' lang='bash'>
# Status for the jail: postfix-sasl
bantime.multipliers = 1 5 30 60 300 720 1440 2880 # DO NOT PUT COMMENT AT THE END OF THE LINE
# |- Filter
# |  |- Currently failed: 0
# |  |- Total failed: 2
# |  `- File list: /var/log/mail.log
# `- Actions
#    |- Currently banned: 1
#    |- Total banned: 1
#    `- Banned IP list: x.x.x.x
</kode>
 
== jails ==
<filebox fn='/etc/fail2ban/jails.conf' lang='ini'>
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
 
[postfix-rbl]
filter  = postfix[mode=rbl]
port    = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1
 
[postfix-sasl]
filter  = postfix[mode=auth]
port    = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
</filebox>
 
== filter ==
<filebox fn='/etc/fail2ban/jails.conf' lang='ini' collapsed>
# Fail2Ban filter for selected Postfix SMTP rejections
#
#
 
[INCLUDES]
 
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
 
[Definition]
 
_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?
 
prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
 
mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?
 
mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
 
# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
 
# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s
 
mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
 
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
            %(mdre-normal)s
 
mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s
 
 
 
failregex = <mdre-<mode>>
 
# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#  [postfix]
#  mode = aggressive
#  # or another jail (rewrite filter parameters of jail):
#  [postfix-rbl]
#  filter = postfix[mode=rbl]
#
mode = more
 
ignoreregex =
 
[Init]
 
journalmatch = _SYSTEMD_UNIT=postfix.service
 
# Author: Cyril Jaquier
</filebox>
 
== variables ==
<filebox fn='/etc/fail2ban/paths-debian.conf' lang='ini'>
syslog_mail = /var/log/mail.log
 
# control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).
# syslog_mail_warn = /var/log/mail.warn
syslog_mail_warn = %(syslog_mail)s
</filebox>
</filebox>



Dernière version du 22 novembre 2023 à 00:50

Liens

Principe

Fail2ban analyse les logs et bannit les IPs.

Commandes

Bash.svg
# list of active jails
sudo fail2ban-client status

# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]

# unban ip x.x.x.x of the apache-auth filter
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)

# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>

Configuration

Ne pas modifier les fichiers /etc/fail2ban/fail2ban.conf et /etc/fail2ban/jail.conf
Utiliser les fichiers fail2ban.local jail.local fail2ban.d/*.conf jail.d/*.conf pour surcharger la configuration.
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# ip à ne pas bannir
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
bantime = 30d  # default in seconds 60, 1m, 1h, 1d, 1w
bantime = -1  # ban forever
# increment ban time, first time x1, second time x5
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true
# conditions: bannissement si 2 erreurs en 10 minutes
maxretry = 2
# maxretry = 1 ban at the first match
findtime = 10m

# do not send email on start/stop
[Definition]
actionstart =
actionstop  =
/etc/fail2ban/jail.d/enabled.conf
[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true

[nginx-botsearch]
enabled = true

[postfix]
enabled = true
mode = aggressive

[dovecot]
enabled = true

[myaction]
enabled = true
banaction = iptables-ipset-proto6-allports

Test

Bash.svg
# lister les jails actives
sudo fail2ban-client status

# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log

# test bantime format
fail2ban-client --str2sec 1y2w1d12h

Filtres

/etc/fail2ban/filter.d/*.conf

Bash.svg
# tester un filtre avec un fichier de log
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# --print-all-matched
# --print-all-missed

Actions

Action Description
action_ ban ip
action_mw ban ip and send an email
action_mwl ban ip and send an email with the log lines
/etc/fail2ban/jail.d/default.conf
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s

# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail

NGINX

/etc/fail2ban/jail.d/enabled.local
[nginx-400]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1

[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
/etc/fail2ban/filter.d/nginx-400.conf
[Definition]

failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"

ignoreregex =
/etc/fail2ban/filter.d/nginx-404.conf
[Definition]

failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 

ignoreregex =

Apache

Filtre Description
auth client denied by server configuration
badbots
botsearch
common common config used by the other filters
fakegooglebot
modsecurity
nohome
noscript Got error 'Primary script unknown'
overflows
pass
shellshock
Apache 404 errors are no longer in Apache 2.4.x error_log

Errors

invalid literal for int() with base 10

/etc/fail2ban/jail.local
bantime.multipliers = 1 5 30 60 300 720 1440 2880  # DO NOT PUT COMMENT AT THE END OF THE LINE

Installation

Bash.svg
apt install fail2ban

systemctl status fail2ban