Fail2ban ubuntu
From Banane Atomic
Links
Principle
Fail2ban parses log files and bans the IP addresses that trigger its filters.
Commands

```bash
# list of active jails
sudo fail2ban-client status
# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]
# unban IP x.x.x.x of the apache-auth jail
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use "iptables -L -n" to find the reject rule, then derive the jail name (apache-auth)
# from the chain name (f2b-apache-auth)
# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>
```
Configuration
Do not edit the files /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. Use fail2ban.local, jail.local, fail2ban.d/*.conf and jail.d/*.conf to override the configuration.

/etc/fail2ban/jail.d/default.conf

```ini
[DEFAULT]
# IPs never to ban
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1

# ban duration: a bare number is seconds, otherwise 60, 1m, 1h, 1d, 1w
bantime = 30d
# bantime = -1 would ban forever

# increment the ban time: first time x1, second time x5, ...
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true

# conditions: ban after 2 failures within 10 minutes
maxretry = 2
# maxretry = 1 bans at the first match
findtime = 10m

# do not send an email on start/stop
# (note: a [Definition] override like this belongs in /etc/fail2ban/action.d/sendmail-common.local,
# not in a jail file)
[Definition]
actionstart =
actionstop =
```
/etc/fail2ban/jail.d/enabled.conf

```ini
[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true

[nginx-botsearch]
enabled = true

[postfix]
enabled = true
mode = aggressive

[dovecot]
enabled = true

[myaction]
enabled = true
banaction = iptables-ipset-proto6-allports
```
Test
```bash
# list the active jails
sudo fail2ban-client status
# follow the fail2ban log
sudo tail -f /var/log/fail2ban.log
```
Filters
/etc/fail2ban/filter.d/*.conf

```bash
# test a filter against a log file
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# useful options: --print-all-matched, --print-all-missed
```
Actions
| Action | Description |
|---|---|
| action_ | ban IP |
| action_mw | ban IP and send an email |
| action_mwl | ban IP and send an email with the log lines |
/etc/fail2ban/jail.d/default.conf

```ini
# ban & send an e-mail with a whois report and the relevant log lines to destemail (cf. jail.conf)
action = %(action_mwl)s

# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail
```
NGINX
/etc/fail2ban/jail.d/enabled.local

```ini
[nginx-400]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1

[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
```
/etc/fail2ban/filter.d/nginx-400.conf

```ini
[Definition]
failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$
# matches lines such as:
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
ignoreregex =
```
/etc/fail2ban/filter.d/nginx-404.conf

```ini
[Definition]
failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404
ignoreregex =
```
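To check what the two nginx filters above actually catch before enabling them, here is an added example (not code from this wiki or from fail2ban) that replays constructed access.log lines through the page's failregex strings and applies the maxretry/findtime logic from the jail settings. It assumes a simplified IPv4-only expansion of `<HOST>`; fail2ban's real expansion also covers IPv6 and hostnames, and `fail2ban-regex` remains the authoritative test.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex lines copied from the page's nginx-400.conf and nginx-404.conf
FILTERS = {
    "nginx-400": r'^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$',
    "nginx-404": r'^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404',
}
# Assumption: fail2ban expands <HOST> into a richer pattern (IPv6, hostnames);
# a plain IPv4 capture group is enough for these constructed lines.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Constructed nginx access.log lines (TEST-NET addresses); the first one mirrors the
# binary-garbage request shown in the nginx-400.conf comment. Line 5 is a 404 that
# the filter deliberately does NOT match (path is not in the scanner list).
LOG = """\
203.0.113.5 - - [03/Sep/2023:13:37:32 +0200] "\\x04\\x01\\x00P\\x05\\xBC\\xD2\\xE3\\x00" 400 157 "-" "-"
203.0.113.7 - - [03/Sep/2023:13:38:01 +0200] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Sep/2023:13:38:02 +0200] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2023:13:40:00 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2023:13:40:05 +0200] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

def compile_filters():
    return {jail: re.compile(rx.replace("<HOST>", HOST)) for jail, rx in FILTERS.items()}

def scan(lines, maxretry=1, findtime=600):
    """Replay lines through each filter and apply maxretry within a findtime window (seconds).
    Returns ({jail: {ip: [timestamps]}}, {(jail, ip) that would be banned})."""
    filters = compile_filters()
    hits = defaultdict(lambda: defaultdict(list))
    banned = set()
    for line in lines:
        t = TIME_RE.search(line)
        if not t:
            continue
        ts = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")
        for jail, rx in filters.items():
            m = rx.match(line)
            if not m:
                continue
            seen = hits[jail][m.group("host")]
            seen.append(ts)
            # count this IP's matches inside the findtime window, as the jail would
            recent = sum(1 for prev in seen if (ts - prev).total_seconds() <= findtime)
            if recent >= maxretry:
                banned.add((jail, m.group("host")))
    return hits, banned
```

With the page's `maxretry = 1` both scanners are banned at the first match; with the `[DEFAULT]` values (`maxretry = 2`, `findtime = 10m`) only the host that probed twice within the window is.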
Apache
| Filter | Description |
|---|---|
| auth | client denied by server configuration |
| badbots | |
| botsearch | |
| common | common config used by the other filters |
| fakegooglebot | |
| modsecurity | |
| nohome | |
| noscript | Got error 'Primary script unknown' |
| overflows | |
| pass | |
| shellshock | |

Apache 404 errors are no longer written to the Apache 2.4.x error_log.
Errors
invalid literal for int() with base 10
/etc/fail2ban/jail.local

```ini
# DO NOT PUT A COMMENT AT THE END OF THIS LINE: it is read as part of the value and breaks the int() parsing
bantime.multipliers = 1 5 30 60 300 720 1440 2880
```
Installation
```bash
apt install fail2ban
systemctl status fail2ban
```