« Fail2ban ubuntu » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
Ligne 14 : Ligne 14 :
[DEFAULT]
[DEFAULT]
# ip à ne pas bannir
# ip à ne pas bannir
ignoreip = 127.0.0.1 192.168.0.0/24
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
# durée du bannissement
bantime = 30d
bantime = 30d

Version du 3 septembre 2023 à 17:40

Principe

Fail2ban analyse les logs et bannit les IPs qui ont essayées de se connecter sans succès.

Liens

Configuration

Ne pas modifier les fichiers /etc/fail2ban/fail2ban.conf et /etc/fail2ban/jail.conf
Utiliser les fichiers fail2ban.local jail.local fail2ban.d/*.conf jail.d/*.conf pour surcharger la configuration.
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# ip à ne pas bannir
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
bantime = 30d
# conditions: bannissement si 2 erreurs d'authentification en 10 minutes
maxretry = 2
findtime = 10m

# do not send email on start/stop
[Definition]
actionstart =
actionstop  =
/etc/fail2ban/jail.d/enabled.conf
[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true

[nginx-botsearch]
enabled = true

[postfix]
enabled = true

[postfix-rbl]
enabled = true

[dovecot]
enabled = true

Test

Bash.svg
# lister les jails actives
sudo fail2ban-client status

# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log

Filtres

/etc/fail2ban/filter.d/*.conf

Bash.svg
# tester un filtre avec un fichier de log
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf

Actions

Action Description
action_ ban ip
action_mw ban ip and send an email
action_mwl ban ip and send an email with the log lines
/etc/fail2ban/jail.d/default.conf
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s

# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail

Commandes

Bash.svg
# list of active jails
fail2ban-client status

# unban ip x.x.x.x of the apache-auth filter
fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)

# reload the config files
fail2ban-client reload
# reload a specific jail config
fail2ban-client reload <JAIL>

Apache

Filtre Description
auth client denied by server configuration
badbots
botsearch
common common config used by the other filters
fakegooglebot
modsecurity
nohome
noscript Got error 'Primary script unknown'
overflows
pass
shellshock
Apache 404 errors are no longer in Apache 2.4.x error_log

Postfix

Bash.svg
sudo fail2ban-client status postfix-sasl
# Status for the jail: postfix-sasl
# |- Filter
# |  |- Currently failed:	0
# |  |- Total failed:	2
# |  `- File list:	/var/log/mail.log
# `- Actions
#    |- Currently banned:	1
#    |- Total banned:	1
#    `- Banned IP list:	x.x.x.x

jails

/etc/fail2ban/jails.conf
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

filter

/etc/fail2ban/jails.conf
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
            %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s



failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
mode = more

ignoreregex = 

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier

variables

/etc/fail2ban/paths-debian.conf
syslog_mail = /var/log/mail.log

# control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).
# syslog_mail_warn = /var/log/mail.warn
syslog_mail_warn = %(syslog_mail)s

Installation

Bash.svg
apt install fail2ban

systemctl status fail2ban