Version du 20 septembre 2023 à 17:06

Liens

Principe

Fail2ban analyse les logs et bannit les IPs.

Commandes

# list of active jails
sudo fail2ban-client status

# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]

# unban ip x.x.x.x of the apache-auth filter
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)

# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>

Configuration

Ne pas modifier les fichiers /etc/fail2ban/fail2ban.conf et /etc/fail2ban/jail.conf
Utiliser les fichiers fail2ban.local jail.local fail2ban.d/*.conf jail.d/*.conf pour surcharger la configuration.

/etc/fail2ban/jail.d/default.conf

[DEFAULT]
# ip à ne pas bannir
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
bantime = 30d  # default in seconds 60, 1m, 1h, 1d, 1w
bantime = -1  # ban forever
# increment ban time, first time x1, second time x5
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true
# conditions: bannissement si 2 erreurs en 10 minutes
maxretry = 2
# maxretry = 1 ban at the first match
findtime = 10m

# do not send email on start/stop
[Definition]
actionstart =
actionstop  =

/etc/fail2ban/jail.d/enabled.conf

[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true

[nginx-botsearch]
enabled = true

[postfix]
enabled = true

[postfix-rbl]
enabled = true

[dovecot]
enabled = true

Test

# lister les jails actives
sudo fail2ban-client status

# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log

Filtres

/etc/fail2ban/filter.d/*.conf

# tester un filtre avec un fichier de log
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# --print-all-matched
# --print-all-missed

Actions

Action	Description
action_	ban ip
action_mw	ban ip and send an email
action_mwl	ban ip and send an email with the log lines

/etc/fail2ban/jail.d/default.conf

# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s

# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail

NGINX

/etc/fail2ban/jail.d/enabled.local

[nginx-400]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1

[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1

/etc/fail2ban/filter.d/nginx-400.conf

[Definition]

failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"

ignoreregex =

/etc/fail2ban/filter.d/nginx-404.conf

[Definition]

failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 

ignoreregex =

Apache

Filtre	Description
auth	client denied by server configuration
badbots
botsearch
common	common config used by the other filters
fakegooglebot
modsecurity
nohome
noscript	Got error 'Primary script unknown'
overflows
pass
shellshock

Apache 404 errors are no longer in Apache 2.4.x error_log

Installation

apt install fail2ban

systemctl status fail2ban

« Fail2ban ubuntu » : différence entre les versions

Version du 20 septembre 2023 à 17:06

Sommaire

Liens

Principe

Commandes

Configuration

Test

Filtres

Actions

NGINX

Apache

Installation

Actions de la page

Actions de la page

Outils personnels

Menu de navigation

Navigation

Rechercher

Outils

« Fail2ban ubuntu » : différence entre les versions

Version du 20 septembre 2023 à 17:06

Liens

Principe

Commandes

Configuration

Test

Filtres

Actions

NGINX

Apache

Installation

Menu de navigation

Rechercher

« Fail2ban ubuntu » : différence entre les versions