Fail2ban ubuntu
Principle
Fail2ban parses log files and bans the IP addresses whose lines match its filters.
Commands
# list of active jails
sudo fail2ban-client status
# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]
# unban ip x.x.x.x of the apache-auth filter
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use "iptables -L -n" to find the reject rule; the chain name (f2b-apache-auth) gives the jail name (apache-auth)
# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>
Configuration
Do not edit /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf directly. Use fail2ban.local, jail.local, fail2ban.d/*.conf and jail.d/*.conf to override the configuration.
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# IPs never to ban
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# ban duration (a bare number is seconds; abbreviations: 60, 1m, 1h, 1d, 1w)
# keep comments on their own line, a trailing comment breaks the value
bantime = 30d
# bantime = -1 bans forever
# increase the ban time for repeat offenders: first ban x1, second ban x5, ...
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true
# conditions: ban after 2 failures within 10 minutes
maxretry = 2
# maxretry = 1 bans on the first match
findtime = 10m
# do not send email on start/stop: these [Definition] overrides belong in
# /etc/fail2ban/action.d/sendmail-common.local, not in a jail.d file,
# where the section would be read as a (disabled) jail named "Definition"
[Definition]
actionstart =
actionstop =
/etc/fail2ban/jail.d/enabled.conf
[nginx-http-auth]
enabled = true
[nginx-limit-req]
enabled = true
[nginx-botsearch]
enabled = true
[postfix]
enabled = true
mode = aggressive
[dovecot]
enabled = true
[myaction]
enabled = true
banaction = iptables-ipset-proto6-allports
Test
# list active jails
sudo fail2ban-client status
# follow the fail2ban log
sudo tail -f /var/log/fail2ban.log
# test a bantime/findtime abbreviation by converting it to seconds
fail2ban-client --str2sec 1y2w1d12h
Filters
/etc/fail2ban/filter.d/*.conf
# test a filter against a log file
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# useful options: --print-all-matched, --print-all-missed
Actions
Action | Description |
---|---|
action_ | ban the IP |
action_mw | ban the IP and send an email |
action_mwl | ban the IP and send an email with the relevant log lines |

/etc/fail2ban/jail.d/default.conf
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s
# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail
NGINX
/etc/fail2ban/jail.d/enabled.local
[nginx-400]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
/etc/fail2ban/filter.d/nginx-400.conf
[Definition]
failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
ignoreregex =
/etc/fail2ban/filter.d/nginx-404.conf
[Definition]
failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404
ignoreregex =
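The nginx-404 filter and the jail parameters above (ignoreip, findtime, maxretry) replayed over constructed access-log lines, as an added example that is neither this page's code nor fail2ban's own implementation: fail2ban's <HOST> tag is approximated by a plain IP-literal group, and str2sec only knows the units used on this page.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified str2sec for the units used on this page (fail2ban also knows y and mo).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def str2sec(spec):
    """'10m' -> 600, '1d12h' -> 129600; plain digits are already seconds."""
    if spec.isdigit():
        return int(spec)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)\s*([smhdw])", spec))

# The page's nginx-404 failregex, <HOST> expanded to an IP-literal group, timestamp captured.
HOST = r"(?P<host>[0-9a-fA-F.:]+)"
FAILREGEX_404 = re.compile(
    r"^" + HOST + r" - - \[(?P<ts>.*?)\] \"(GET|POST) "
    r"(/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404"
)

def banned_hosts(log, maxretry=2, findtime="10m", ignoreip="127.0.0.1/8 192.168.0.0/24 ::1"):
    """Replay log lines through the filter and the jail's counting rules: a host is
    banned once it has >= maxretry matches inside a findtime window, unless ignored."""
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    window = timedelta(seconds=str2sec(findtime))
    failures = defaultdict(list)            # host -> timestamps of recent matches
    banned = set()
    for line in log.splitlines():
        m = FAILREGEX_404.search(line)
        if not m:
            continue                        # not a failregex hit: not a failure
        host = m.group("host")
        if any(ipaddress.ip_address(host) in net for net in ignore_nets):
            continue                        # listed in ignoreip: never counted
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        failures[host] = [t for t in failures[host] if ts - t <= window] + [ts]
        if len(failures[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample access log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2023:13:37:32 +0200] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Sep/2023:13:38:05 +0200] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2023:13:40:00 +0200] "GET /index.html HTTP/1.1" 404 153 "-" "curl/8.0"
192.168.0.15 - - [03/Sep/2023:13:41:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.50 - - [03/Sep/2023:14:00:00 +0200] "GET /cgi-bin/test HTTP/1.1" 404 153 "-" "-"
203.0.113.50 - - [03/Sep/2023:14:20:00 +0200] "GET /cgi-bin/test HTTP/1.1" 404 153 "-" "-"
"""
```

With the [DEFAULT] values only 203.0.113.7 is banned: the 198.51.100.9 line never matches, 192.168.0.15 is covered by ignoreip, and 203.0.113.50's two hits are 20 minutes apart, outside findtime; the jail's maxretry = 1 override bans 203.0.113.50 as well.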
Apache
Filter | Description |
---|---|
auth | client denied by server configuration |
badbots | |
botsearch | |
common | common config used by the other filters |
fakegooglebot | |
modsecurity | |
nohome | |
noscript | Got error 'Primary script unknown' |
overflows | |
pass | |
shellshock | |

Apache 404 errors are no longer written to the error_log in Apache 2.4.x.
Errors
invalid literal for int() with base 10
Caused by a trailing comment after a value in /etc/fail2ban/jail.local, for example:
bantime.multipliers = 1 5 30 60 300 720 1440 2880 # DO NOT PUT COMMENT AT THE END OF THE LINE
Installation
apt install fail2ban
systemctl status fail2ban