Fail2ban ubuntu

From Banane Atomic

Revision of 20 September 2023 at 14:56

Principle

Fail2ban scans log files for patterns of failed logins or abuse and bans the offending IP addresses (by default with firewall rules) for a configurable time.

Links

https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server (How Fail2ban works to protect services on a Linux server)

Commands

# list the active jails
sudo fail2ban-client status

# status of one jail: failure counters and the list of currently banned IPs
sudo fail2ban-client status <jail-name>

# unban the IP x.x.x.x in a jail (e.g. apache-auth)
sudo fail2ban-client set <jail-name> unbanip x.x.x.x
# if you only know the firewall rule: iptables -L -n shows the reject rule in a chain named
# f2b-<jail-name> (e.g. f2b-apache-auth), which gives you the jail name (apache-auth)

# reload all config files
sudo fail2ban-client reload
# reload the config of a single jail
sudo fail2ban-client reload <jail-name>

Configuration

Do not edit /etc/fail2ban/fail2ban.conf or /etc/fail2ban/jail.conf: package upgrades overwrite them.
Override the configuration in fail2ban.local, jail.local, fail2ban.d/*.conf and jail.d/*.conf instead. The files are read in this order, later ones overriding earlier ones: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local.
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# IPs / networks that are never banned (put your own admin addresses here)
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# ban duration
bantime = 30d
# bantime = -1 would ban forever
# ban after 2 failures within 10 minutes
maxretry = 2
# maxretry = 1 would ban at the first match
findtime = 10m

The "do not send an e-mail on start/stop" override does not belong in jail.d: every non-DEFAULT section of a jail file is read as a jail name, so a [Definition] section there is simply a never-enabled jail. With mta = sendmail the start/stop mails come from action.d/sendmail-common.conf, so override that file's .local instead:
/etc/fail2ban/action.d/sendmail-common.local
[Definition]
# do not send an e-mail on start/stop
actionstart =
actionstop  =
/etc/fail2ban/jail.d/enabled.conf
[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true

[nginx-botsearch]
enabled = true

[postfix]
enabled = true

[postfix-rbl]
enabled = true

[dovecot]
enabled = true

Test

# list the active jails
sudo fail2ban-client status

# follow the fail2ban log (bans, unbans, filter warnings)
sudo tail -f /var/log/fail2ban.log

Filters

/etc/fail2ban/filter.d/*.conf

# test a filter against a log file: reports how many lines the failregex matched
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# --print-all-matched   also print every matched line
# --print-all-missed    also print every line the filter did not match (to spot what it lets through)

Actions

Action        Description
action_       ban the IP
action_mw     ban the IP and send an e-mail with a whois report
action_mwl    ban the IP and send an e-mail with a whois report and the relevant log lines
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# ban & send an e-mail with whois report and relevant log lines to destemail (see jail.conf)
action = %(action_mwl)s

# e-mail configuration used by the mail actions
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail

NGINX

/etc/fail2ban/jail.d/enabled.local
[nginx-400]
enabled = true
logpath = /var/log/nginx/access.log
# permanent ban on the first match: make sure ignoreip covers your own addresses
bantime = -1
maxretry = 1

[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
# same policy; do not enable this jail on a host that really serves WordPress, phpMyAdmin or cgi-bin
bantime = -1
maxretry = 1
/etc/fail2ban/filter.d/nginx-400.conf
[Definition]

# malformed request (HTTP 400) with neither referer nor user-agent, e.g. a SOCKS4 CONNECT sent to the web server:
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$

ignoreregex =
/etc/fail2ban/filter.d/nginx-404.conf
[Definition]

# GET/POST to well-known scanner targets answered with 404
failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 

ignoreregex =
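To see what these two filters and the [DEFAULT] ignoreip / maxretry / findtime settings actually do before enabling permanent bans, the following added example (not fail2ban's code, written for this page) replays the page's failregex lines over a constructed access log the way fail2ban does: <HOST> is expanded to fail2ban's default host pattern, matches are counted per host inside a sliding findtime window, and hosts inside ignoreip are skipped. The log lines and the TEST-NET addresses are made up for the demo.

```python
"""Added example: replay the page's nginx-400 / nginx-404 filters and the
[DEFAULT] ignoreip / maxretry / findtime settings over constructed log lines."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# What fail2ban substitutes for the <HOST> tag (filter.d/common.conf, 0.11.x):
# an optional IPv4-mapped IPv6 prefix, then the address or hostname.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines copied from the page's two nginx filters.
FILTERS = {
    "nginx-400": r'^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$',
    "nginx-404": r'^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 ',
}

# ignoreip from the page's [DEFAULT]; strict=False because 127.0.0.1/8 has host bits set.
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in ("127.0.0.1/8", "192.168.0.0/24", "::1")]

# Constructed sample access log (TEST-NET and RFC 1918 addresses), not real traffic.
LOG = r"""
203.0.113.5 - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
203.0.113.7 - - [03/Sep/2023:13:38:01 +0200] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Sep/2023:13:38:02 +0200] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2023:13:40:00 +0200] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2023:13:55:00 +0200] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2023:13:55:01 +0200] "GET /index.html HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.168.0.10 - - [03/Sep/2023:13:56:00 +0200] "GET /.git/config HTTP/1.1" 404 162 "-" "curl/8.0"
192.168.0.10 - - [03/Sep/2023:13:56:01 +0200] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "curl/8.0"
""".strip().splitlines()

TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def log_time(line):
    """Timestamp of an access-log line (the offset is ignored: all lines share one zone)."""
    return datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def is_ignored(host):
    """True when the host is an address inside ignoreip (hostnames are never ignored here)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in IGNOREIP)


def decide(lines, failregex, maxretry, findtime):
    """Hosts that reach maxretry matches within findtime seconds, i.e. the ones fail2ban bans."""
    rx = re.compile(failregex.replace("<HOST>", HOST_RE))
    recent = defaultdict(list)  # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host, t = m.group("host"), log_time(line)
        if is_ignored(host):
            continue
        recent[host] = [x for x in recent[host] if (t - x).total_seconds() <= findtime] + [t]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


def run_page_config():
    """nginx-400 with the jail's maxretry=1; nginx-404 with the [DEFAULT] maxretry=2 / findtime=10m."""
    return {
        "nginx-400": sorted(decide(LOG, FILTERS["nginx-400"], maxretry=1, findtime=600)),
        "nginx-404": sorted(decide(LOG, FILTERS["nginx-404"], maxretry=2, findtime=600)),
    }


if __name__ == "__main__":
    for jail, hosts in run_page_config().items():
        print(jail, hosts)
```

With the [DEFAULT] values only 203.0.113.7 is banned by nginx-404: 198.51.100.9 also hits two scanner paths, but 15 minutes apart, so it never has two matches inside one findtime window, and 192.168.0.10 is inside ignoreip. Rerunning decide() for nginx-404 with the page's jail-level maxretry = 1 bans 198.51.100.9 as well, which is what a permanent single-hit ban on such paths means for any visitor who follows one stale /wp- link.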

Apache

Filter (filter.d/apache-*.conf)   Description
auth                              client denied by server configuration
badbots
botsearch
common                            common config used by the other filters
fakegooglebot
modsecurity
nohome
noscript                          Got error 'Primary script unknown'
overflows
pass
shellshock

Note: Apache 404 errors are no longer written to the Apache 2.4.x error_log.

Installation

sudo apt install fail2ban

# check that the service is enabled and running
sudo systemctl status fail2ban