Fail2ban ubuntu

De Banane Atomic
Aller à la navigationAller à la recherche

Liens

Principe

Fail2ban analyse les logs et bannit les IPs.

Commandes

Bash.svg
# list of active jails
sudo fail2ban-client status

# list of banned IPs for a jail
sudo fail2ban-client status [jail-name]

# unban ip x.x.x.x of the apache-auth filter
sudo fail2ban-client set [jail-name] unbanip x.x.x.x
# use iptables -L -n to find the reject rule, then from the chain name (f2b-apache-auth) guess the jail name (apache-auth)

# reload the config files
sudo fail2ban-client reload
# reload a specific jail config
sudo fail2ban-client reload <JAIL>

Configuration

Ne pas modifier les fichiers /etc/fail2ban/fail2ban.conf et /etc/fail2ban/jail.conf
Utiliser les fichiers fail2ban.local jail.local fail2ban.d/*.conf jail.d/*.conf pour surcharger la configuration.
/etc/fail2ban/jail.d/default.conf
[DEFAULT]
# ip à ne pas bannir
ignoreip = 127.0.0.1/8 192.168.0.0/24 ::1
# durée du bannissement
bantime = 30d  # default in seconds 60, 1m, 1h, 1d, 1w
bantime = -1  # ban forever
# increment ban time, first time x1, second time x5
bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = true
# conditions: bannissement si 2 erreurs en 10 minutes
maxretry = 2
# maxretry = 1 ban at the first match
findtime = 10m

# do not send email on start/stop
[Definition]
actionstart =
actionstop  =
/etc/fail2ban/jail.d/enabled.conf
[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true

[nginx-botsearch]
enabled = true

[postfix]
enabled = true
mode = aggressive

[dovecot]
enabled = true

[myaction]
enabled = true
banaction = iptables-ipset-proto6-allports

Test

Bash.svg
# lister les jails actives
sudo fail2ban-client status

# afficher le log de fail2ban
sudo tail -f /var/log/fail2ban.log

# test bantime format
fail2ban-client --str2sec 1y2w1d12h

Filtres

/etc/fail2ban/filter.d/*.conf

Bash.svg
# tester un filtre avec un fichier de log
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
# --print-all-matched
# --print-all-missed

Actions

Action Description
action_ ban ip
action_mw ban ip and send an email
action_mwl ban ip and send an email with the log lines
/etc/fail2ban/jail.d/default.conf
# ban & send an e-mail with whois report and relevant log lines to the destemail (cf jail.conf)
action = %(action_mwl)s

# email configuration
destemail = admin@domain.fr
sender = fail2ban@domain.fr
mta = sendmail

NGINX

/etc/fail2ban/jail.d/enabled.local
[nginx-400]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1

[nginx-404]
enabled = true
logpath = /var/log/nginx/access.log
bantime = -1
maxretry = 1
/etc/fail2ban/filter.d/nginx-400.conf
[Definition]

failregex = ^<HOST> - - \[.*?\] \".*?\" 400 \d+ \"-\" \"-\"$
# x.x.x.x - - [03/Sep/2023:13:37:32 +0200] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"

ignoreregex =
/etc/fail2ban/filter.d/nginx-404.conf
[Definition]

failregex = ^<HOST> - - \[.*?\] \"(GET|POST) (/cgi-bin|/wp-|/boaform|/phpmyadmin|/\.git|/\.env|/xmlrpc).+?\" 404 

ignoreregex =

Apache

Filtre Description
auth client denied by server configuration
badbots
botsearch
common common config used by the other filters
fakegooglebot
modsecurity
nohome
noscript Got error 'Primary script unknown'
overflows
pass
shellshock
Apache 404 errors are no longer in Apache 2.4.x error_log

Errors

invalid literal for int() with base 10

/etc/fail2ban/jail.local
bantime.multipliers = 1 5 30 60 300 720 1440 2880  # DO NOT PUT COMMENT AT THE END OF THE LINE

Installation

Bash.svg
apt install fail2ban

systemctl status fail2ban