« Fail2ban ubuntu » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
 
(6 versions intermédiaires par le même utilisateur non affichées)
Ligne 1 : Ligne 1 :
[[Category:Ubuntu]]
[[Category:Ubuntu]]
= Principe =
Fail2ban analyse les logs et bannit les IPs.
= Liens =
= Liens =
* [https://doc.ubuntu-fr.org/fail2ban Ubuntu-fr]
* [https://doc.ubuntu-fr.org/fail2ban Ubuntu-fr]
* [https://github.com/fail2ban/fail2ban github]
* [https://github.com/fail2ban/fail2ban github]
* [https://www.fail2ban.org/wiki/index.php/Main_Page wiki]
* [https://www.fail2ban.org/wiki/index.php/Main_Page wiki]
= [https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server Principe] =
Fail2ban analyse les logs et bannit les IPs.


= [https://www.fail2ban.org/wiki/index.php/Commands Commandes] =
= [https://www.fail2ban.org/wiki/index.php/Commands Commandes] =
Ligne 34 : Ligne 34 :
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
# durée du bannissement
bantime = 30d
bantime = 30d # default in seconds 60, 1m, 1h, 1d, 1w
bantime = -1 ban forever
bantime = -1 # ban forever
# increment ban time, first time x1, second time x5
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true
# conditions: bannissement si 2 erreurs en 10 minutes
# conditions: bannissement si 2 erreurs en 10 minutes
maxretry = 2
maxretry = 2
Ligne 59 : Ligne 63 :
[postfix]
[postfix]
enabled = true
enabled = true
mode = aggressive


[postfix-rbl]
[dovecot]
enabled = true
enabled = true


[dovecot]
[myaction]
enabled = true
enabled = true
banaction = iptables-ipset-proto6-allports
</filebox>
</filebox>


Ligne 74 : Ligne 80 :
# afficher le log de fail2ban
# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log
sudo tail -f /var/log/fail2ban.log
# test bantime format
fail2ban-client --str2sec 1y2w1d12h
</kode>
</kode>


Ligne 168 : Ligne 177 :


{{warn | [https://github.com/fail2ban/fail2ban/issues/2378 Apache 404 errors are no longer in Apache 2.4.x error_log]}}
{{warn | [https://github.com/fail2ban/fail2ban/issues/2378 Apache 404 errors are no longer in Apache 2.4.x error_log]}}
= Errors =
== invalid literal for int() with base 10 ==
<filebox fn='/etc/fail2ban/jail.local' lang='bash'>
bantime.multipliers = 1 5 30 60 300 720 1440 2880  # DO NOT PUT COMMENT AT THE END OF THE LINE
</filebox>


= Installation =
= Installation =

Dernière version du 22 novembre 2023 à 00:50

Liens

Principe

Fail2ban analyse les logs et bannit les IPs.

Commandes

Bash.svg
# list of active jails
sudo fail2ban-client status

# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]

# unban ip x.x.x.x of the apache-auth filter
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)

# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>

Configuration

Ne pas modifier les fichiers /etc/fail2ban/fail2ban.conf et /etc/fail2ban/jail.conf
Utiliser les fichiers fail2ban.local jail.local fail2ban.d/*.conf jail.d/*.conf pour surcharger la configuration.
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# ip à ne pas bannir
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
bantime = 30d  # default in seconds 60, 1m, 1h, 1d, 1w
bantime = -1  # ban forever
# increment ban time, first time x1, second time x5
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true
# conditions: bannissement si 2 erreurs en 10 minutes
maxretry = 2
# maxretry = 1 ban at the first match
findtime = 10m

# do not send email on start/stop
[Definition]
actionstart =
actionstop  =
/etc/fail2ban/jail.d/enabled.conf
[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true

[nginx-botsearch]
enabled = true

[postfix]
enabled = true
mode = aggressive

[dovecot]
enabled = true

[myaction]
enabled = true
banaction = iptables-ipset-proto6-allports

Test

Bash.svg
# lister les jails actives
sudo fail2ban-client status

# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log

# test bantime format
fail2ban-client --str2sec 1y2w1d12h

Filtres

/etc/fail2ban/filter.d/*.conf

Bash.svg
# tester un filtre avec un fichier de log
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# --print-all-matched
# --print-all-missed

Actions

Action Description
action_ ban ip
action_mw ban ip and send an email
action_mwl ban ip and send an email with the log lines
/etc/fail2ban/jail.d/default.conf
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s

# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail

NGINX

/etc/fail2ban/jail.d/enabled.local
[nginx-400]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1

[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
/etc/fail2ban/filter.d/nginx-400.conf
[Definition]

failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"

ignoreregex =
/etc/fail2ban/filter.d/nginx-404.conf
[Definition]

failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 

ignoreregex =

Apache

Filtre Description
auth client denied by server configuration
badbots
botsearch
common common config used by the other filters
fakegooglebot
modsecurity
nohome
noscript Got error 'Primary script unknown'
overflows
pass
shellshock
Apache 404 errors are no longer in Apache 2.4.x error_log

Errors

invalid literal for int() with base 10

/etc/fail2ban/jail.local
bantime.multipliers = 1 5 30 60 300 720 1440 2880  # DO NOT PUT COMMENT AT THE END OF THE LINE

Installation

Bash.svg
apt install fail2ban

systemctl status fail2ban