Principe
Fail2ban analyse les logs et bannit les IPs qui ont essayées de se connecter sans succès.
Liens
Configuration
 |
Ne pas modifier les fichiers /etc/fail2ban/fail2ban.conf et /etc/fail2ban/jail.conf
Utiliser les fichiers fail2ban.local jail.local fail2ban.d/*.conf jail.d/*.conf pour surcharger la configuration. |
| /etc/fail2ban/jail.d/default.conf
|
[DEFAULT]
# ip à ne pas bannir
ignoreip = 127.0.0.1 192.168.0.0/24
# durée du bannissement
bantime = 30d
# conditions: bannissement si 2 erreurs d'authentification en 10 minutes
maxretry = 2
findtime = 10m
# do not send email on start/stop
[Definition]
actionstart =
actionstop =
# activer la jail sshd
[sshd]
enabled = true
|
Test
|
# lister les jails actives
sudo fail2ban-client status
# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log
|
Filtres
/etc/fail2ban/filter.d/*.conf
|
|
# tester un filtre avec un fichier de log
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
|
Actions
| Action
|
Description
|
| action_ |
ban ip
|
| action_mw |
ban ip and send an email
|
| action_mwl |
ban ip and send an email with the log lines
|
| /etc/fail2ban/jail.d/default.conf
|
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s
# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail
|
|
|
# list of active jails
fail2ban-client status
# unban ip x.x.x.x of the apache-auth filter
fail2ban-client set apache-auth unbanip x.x.x.x
# reload the config files
fail2ban-client reload
# reload a specific jail config
fail2ban-client reload <JAIL>
|
Apache
| Filtre
|
Description
|
| auth |
client denied by server configuration
|
| badbots |
|
| botsearch |
|
| common |
common config used by the other filters
|
| fakegooglebot |
|
| modsecurity |
|
| nohome |
|
| noscript |
Got error 'Primary script unknown'
|
| overflows |
|
| pass |
|
| shellshock |
|
Postfix
|
|
sudo fail2ban-client status postfix-sasl
# Status for the jail: postfix-sasl
# |- Filter
# | |- Currently failed: 0
# | |- Total failed: 2
# | `- File list: /var/log/mail.log
# `- Actions
# |- Currently banned: 1
# |- Total banned: 1
# `- Banned IP list: x.x.x.x
|
jails
| /etc/fail2ban/jails.conf
|
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[postfix-sasl]
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
|
filter
| /etc/fail2ban/jails.conf
|
# Fail2Ban filter for selected Postfix SMTP rejections
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?
prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
^from [^[]*\[<HOST>\]%(_port)s:?
mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s
mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
%(mdre-normal)s
mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
%(mdre-normal)s
failregex = <mdre-<mode>>
# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
# [postfix]
# mode = aggressive
# # or another jail (rewrite filter parameters of jail):
# [postfix-rbl]
# filter = postfix[mode=rbl]
#
mode = more
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Cyril Jaquier
|
variables
| /etc/fail2ban/paths-debian.conf
|
syslog_mail = /var/log/mail.log
# control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).
# syslog_mail_warn = /var/log/mail.warn
syslog_mail_warn = %(syslog_mail)s
|
Installation
|
|
apt install fail2ban
systemctl status fail2ban
|
