"Fail2ban ubuntu": difference between revisions
From Banane Atomic
No edit summary
Line 17: | Line 17:
# unban ip x.x.x.x of the apache-auth filter | # unban ip x.x.x.x of the apache-auth filter | ||
fail2ban-client set [jail-name] unbanip x.x.x.x | sudo fail2ban-client set [jail-name] unbanip x.x.x.x | ||
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth) | # use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth) | ||
# reload the config files | # reload the config files | ||
fail2ban-client reload | sudo fail2ban-client reload | ||
# reload a specific jail config | # reload a specific jail config | ||
fail2ban-client reload <JAIL> | sudo fail2ban-client reload <JAIL> | ||
</kode> | </kode> | ||
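Review bot: the placeholders stay inconsistent after this edit: the unbanip line uses `[jail-name]` while the reload line uses `<JAIL>` for the same thing, so pick one form for both. The comment `# unban ip x.x.x.x of the apache-auth filter` also names a concrete jail while the command below it keeps the generic placeholder; either write `sudo fail2ban-client set apache-auth unbanip x.x.x.x` or make the comment generic. Adding `sudo` to every `fail2ban-client` call is consistent with the rest of the block.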
Revision of 3 September 2023 at 21:54
Principle
Fail2ban analyses the logs and bans the offending IPs.
Links
Commands
# list of active jails
sudo fail2ban-client status
# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]
# unban ip x.x.x.x of the apache-auth filter
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)
# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>
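The chain-to-jail lookup described in the comment above, as an added Python example that is not part of the wiki page: it parses `iptables -L -n` output, finds the f2b-* chain holding a REJECT rule for a given address, and derives the `fail2ban-client ... unbanip` command. The iptables output is constructed and the helper names are my own.

```python
import re

# Constructed `iptables -L -n` output (not from the page): one active ban in f2b-apache-auth.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-apache-auth  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain f2b-apache-auth (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

def banned_in_chains(iptables_output, ip):
    """Names of the f2b-* chains that hold a REJECT rule whose source is `ip`."""
    chains, current = [], None
    for line in iptables_output.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)  # every following rule line belongs to this chain
            continue
        cols = line.split()  # target prot opt source destination ...
        if (current and current.startswith("f2b-") and len(cols) >= 5
                and cols[0] == "REJECT" and cols[3] == ip):
            chains.append(current)
    return chains

def unban_commands(iptables_output, ip):
    """Guess the jail name by stripping the f2b- prefix from the chain name, as the
    page's comment says, and return the unban command to run (not executed here)."""
    return ["sudo fail2ban-client set %s unbanip %s" % (chain[len("f2b-"):], ip)
            for chain in banned_in_chains(iptables_output, ip)]
```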
Configuration
Do not edit /etc/fail2ban/fail2ban.conf or /etc/fail2ban/jail.conf. Override the configuration through fail2ban.local, jail.local, fail2ban.d/*.conf and jail.d/*.conf instead.
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# IPs never to ban
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# ban duration
bantime = 30d
# bantime = -1 would ban forever
# condition: ban after 2 failures within 10 minutes
maxretry = 2
# maxretry = 1 bans at the first match
findtime = 10m
# do not send email on start/stop
# (actionstart/actionstop override an action, so these keys belong in an action
#  override such as /etc/fail2ban/action.d/sendmail-common.local, not in a jail file)
[Definition]
actionstart =
actionstop =
/etc/fail2ban/jail.d/enabled.conf
[nginx-http-auth]
enabled = true
[nginx-limit-req]
enabled = true
[nginx-botsearch]
enabled = true
[postfix]
enabled = true
[postfix-rbl]
enabled = true
[dovecot]
enabled = true
Test
# list active jails
sudo fail2ban-client status
# follow the fail2ban log
sudo tail -f /var/log/fail2ban.log
Filters
/etc/fail2ban/filter.d/*.conf
# test a filter against a log file
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# --print-all-matched
# --print-all-missed
Actions
Action | Description
---|---
action_ | ban ip
action_mw | ban ip and send an email
action_mwl | ban ip and send an email with the log lines
/etc/fail2ban/jail.d/default.conf
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s
# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail
Apache
Filter | Description
---|---
auth | client denied by server configuration
badbots |
botsearch |
common | common config used by the other filters
fakegooglebot |
modsecurity |
nohome |
noscript | Got error 'Primary script unknown'
overflows |
pass |
shellshock |
Apache 404 errors are no longer in the Apache 2.4.x error_log
Postfix
sudo fail2ban-client status postfix-sasl
# Status for the jail: postfix-sasl
# |- Filter
# |  |- Currently failed: 0
# |  |- Total failed:     2
# |  `- File list:        /var/log/mail.log
# `- Actions
#    |- Currently banned: 1
#    |- Total banned:     1
#    `- Banned IP list:   x.x.x.x
jails
/etc/fail2ban/jail.conf
[postfix]
# To use other modes set the filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
filter
/etc/fail2ban/filter.d/postfix.conf
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#
#   or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#   mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier
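How the mode parameter selects the prefregex/failregex pair above, and what fail2ban-regex from the Filters section would report for mode=auth versus mode=normal, as an added Python example (not the wiki's or fail2ban's code). The __prefix_line and <HOST> expansions are simplified assumptions, the mail.log lines are constructed, and the page's ((?i)LOGIN|...) is written (?i:...) because Python 3.11 and later reject an inline flag that is not at the start of the pattern.

```python
import re
# Constructed mail.log lines (not from the page); line 2 must be skipped in mode=auth
# because of the negative lookahead, line 4 is a plain connection, not a failure.
SAMPLE_MAIL_LOG = """\
Sep  3 21:50:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  3 21:50:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: Connection lost to authentication server
Sep  3 21:50:03 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <spam@example.test>: Relay access denied; from=<a@example.test> to=<b@example.test> proto=ESMTP helo=<x>
Sep  3 21:50:04 mx postfix/smtpd[1236]: connect from mail.example.test[192.0.2.5]
"""
# Assumed, simplified stand-ins for common.conf's __prefix_line and the <HOST> tag.
PREFIX_LINE = r"\S+\s+\d+ \d\d:\d\d:\d\d \S+ postfix(?:-\w+)?/\w+(?:/smtp[ds])?\[\d+\]: "
HOST = r"(?P<host>[\w\-.]+)"
PORT = r"(?::\d+)?"  # the filter's _port
# mdpr-<mode> (cheap prefilter) and mdre-<mode> (failregex list) from the page's filter;
# "((?i)LOGIN|...)" is written "(?i:...)" since Python >= 3.11 rejects a mid-pattern flag.
MDPR = {"normal": r"(?:NOQUEUE: reject:|improper command pipelining after \S+)",
        "auth": r"warning:",
        "ddos": r"lost connection after(?! DATA) [A-Z]+"}
MDRE = {"normal": [r"^RCPT from [^\[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s",
                   r"^from [^\[]*\[<HOST>\]%(_port)s:?"],
        "auth": [r"^[^\[]*\[<HOST>\]%(_port)s: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
                 r"authentication failed:(?! Connection lost to authentication server"
                 r"| Invalid authentication mechanism)"],
        "ddos": [r"^from [^\[]*\[<HOST>\]%(_port)s:?"]}
# Composite modes as on the page ("more" = "normal" here since rbl sits in the first normal
# rule; aggressive reuses the auth list instead of the page's mdre-auth2 variant).
MODES = {"normal": ["normal"], "more": ["normal"], "auth": ["auth"], "ddos": ["ddos"],
         "extra": ["auth", "normal"], "aggressive": ["auth", "normal", "ddos"]}

def build_regexes(mode):
    """prefregex = ^<prefix><mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$, failregex = <mdre-<mode>>."""
    parts = MODES[mode]
    mdpr = "(?:" + "|".join(MDPR[p] for p in parts) + ")"
    prefregex = re.compile("^" + PREFIX_LINE + mdpr + " (?P<content>.+)$")
    failregex = [re.compile(r.replace("<HOST>", HOST).replace("%(_port)s", PORT))
                 for p in parts for r in MDRE[p]]
    return prefregex, failregex

def scan(log_text, mode):
    """Return [(host, line_no)] that a jail using filter postfix[mode=<mode>] would count."""
    prefregex, failregex = build_regexes(mode)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = prefregex.match(line)  # prefilter: failregex never runs on lines it rejects
        for fr in (failregex if m else []):
            fm = fr.match(m.group("content"))
            if fm:
                hits.append((fm.group("host"), n))
                break
    return hits
```

mode=auth counts only line 1 (the "Connection lost" failure on line 2 is excluded by the lookahead), mode=normal only the 554 rejection on line 3, and mode=aggressive both.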
variables
/etc/fail2ban/paths-debian.conf
syslog_mail = /var/log/mail.log
# control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).
# syslog_mail_warn = /var/log/mail.warn
syslog_mail_warn = %(syslog_mail)s
Installation
apt install fail2ban
systemctl status fail2ban