FAIL2BAN
INSTALLATION & RESOURCES
- Installing Fail2Ban
sudo apt-get install fail2ban
- Starting the service
sudo systemctl start fail2ban
- Enabling the service at boot
sudo systemctl enable fail2ban
- Checking the service status
sudo systemctl status fail2ban
CONFIGURATION FILES
- Fail2Ban configuration (contents of /etc/fail2ban)
action.d fail2ban.d jail.conf paths-arch.conf paths-debian.conf
fail2ban.conf filter.d jail.d paths-common.conf paths-opensuse.conf
- "fail2ban.conf" and "jail.conf": configuration of the daemon; as a rule, do not edit them.
- Put your own configuration in the "jail.d" directory.
- Main configuration file (below).
- It declares the default behaviour rules, then the rules for each monitored service.
- Each monitored service is declared in its own section, one after the other.
/etc/fail2ban/jail.d/defaults-debian.conf
- The filters, i.e. the patterns searched for in the logs, are configured service by service in: /etc/fail2ban/filter.d
3proxy.conf domino-smtp.conf mysqld-auth.conf selinux-ssh.conf
apache-auth.conf dovecot.conf nagios.conf sendmail-auth.conf
apache-badbots.conf dropbear.conf named-refused.conf sendmail-reject.conf
apache-botsearch.conf drupal-auth.conf nginx-botsearch.conf sieve.conf
apache-common.conf ejabberd-auth.conf nginx-http-auth.conf slapd.conf
apache-fakegooglebot.conf exim-common.conf nginx-limit-req.conf softethervpn.conf
apache-modsecurity.conf exim-spam.conf nsd.conf sogo-auth.conf
apache-nohome.conf exim.conf openhab.conf solid-pop3d.conf
apache-noscript.conf freeswitch.conf openwebmail.conf squid.conf
apache-overflows.conf froxlor-auth.conf oracleims.conf squirrelmail.conf
apache-pass.conf gitlab.conf pam-generic.conf sshd.conf
apache-shellshock.conf grafana.conf perdition.conf stunnel.conf
assp.conf groupoffice.conf php-url-fopen.conf suhosin.conf
asterisk.conf gssftpd.conf phpmyadmin-syslog.conf tine20.conf
bitwarden.conf guacamole.conf portsentry.conf traefik-auth.conf
botsearch-common.conf haproxy-http-auth.conf postfix.conf uwimap-auth.conf
centreon.conf horde.conf proftpd.conf vsftpd.conf
common.conf ignorecommands pure-ftpd.conf webmin-auth.conf
counter-strike.conf kerio.conf qmail.conf wuftpd.conf
courier-auth.conf lighttpd-auth.conf recidive.conf xinetd-fail.conf
courier-smtp.conf mongodb-auth.conf roundcube-auth.conf znc-adminlog.conf
cyrus-imap.conf monit.conf screensharingd.conf zoneminder.conf
directadmin.conf murmur.conf selinux-common.conf
USING THE FAIL2BAN COMMANDS
- Unban an IP from one of your jails
fail2ban-client set [jail name] unbanip [IP address]
- Manually ban an IP in one of your jails
fail2ban-client set [jail name] banip [IP to ban]
- Status of your Fail2Ban
sudo fail2ban-client status
- Status of your Fail2Ban for one service
sudo fail2ban-client status sshd
BASIC CONFIGURATION WITH SSH
- Fail2Ban jail configuration file (filter settings per service)
sudo vi /etc/fail2ban/jail.d/defaults-debian.conf
- General part: DEFAULT
- SSH part: sshd
[DEFAULT]
# Addresses that are never banned (replace X.X.X.X with your own admin IP)
ignoreip = 127.0.0.1 X.X.X.X
# Ban after "maxretry" failures seen within "findtime", for "bantime"
findtime = 10m
bantime = 240h
maxretry = 5
# Mail notifications: action_mw = ban + e-mail with a whois report
destemail = mail@xxxxx.io
sender = mail@xxxxx.io
action = %(action_mw)s
[sshd]
# SSH listens on a non-default port on this host
port = 2288
enabled = true
POSTFIX CONFIGURATION
- Configuration of the two POSTFIX jails, without and with "sasl".
[postfix]
enabled = true
maxretry = 3
[postfix-sasl]
enabled = true
# The postfix filter in auth mode: SASL authentication failures
filter = postfix[mode=auth]
port = smtp,submission,imap,imaps,pop3,pop3s
maxretry = 1
# Repeat offenders get longer bans: bantime x factor on each new ban, capped at maxtime
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 5w
APACHE AND PHP CONFIGURATION
- APACHE part: apache, apache-badbots, apache-nohome, apache-noscript, apache-overflows, php-url-fopen
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error*.log
maxretry = 20
findtime = 600
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/error*.log
maxretry = 20
findtime = 600
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/error*.log
maxretry = 20
findtime = 600
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/error*.log
maxretry = 20
findtime = 600
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache2/error*.log
maxretry = 20
findtime = 600
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access*.log
maxretry = 20
findtime = 600
- Source: https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
NGINX CONFIGURATION
- NGINX part: nginx-4xx, nginx-botsearch, nginx-http-auth, nginx-req-limit
[nginx-4xx]
enabled = true
port = http,https
filter = nginx-4xx
# The nginx-4xx failregex matches access-log lines (status code after the quoted request),
# so the jail must read the access log, not the error log
logpath = %(nginx_access_log)s
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = %(nginx_error_log)s
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = %(nginx_access_log)s
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
- File "filter.d/nginx-4xx.conf" (custom filter; the <HOST> group tells Fail2Ban which address to ban)
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
- File "filter.d/nginx-req-limit.conf" (custom filter for the "limiting requests" error-log lines)
# Fail2Ban configuration file
#
# supports: ngx_http_limit_req_module module
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
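Before enabling a custom filter, it is worth checking that its failregex really extracts a host from your log lines and that ignoreregex only drops what you intend. The script below is an added example, not part of the original notes or of the Fail2Ban project: it emulates what fail2ban-regex reports for the two custom filters above (nginx-4xx and nginx-req-limit) against constructed log lines. The <HOST> expansion used is the simplified fail2ban 0.9 form; current releases use a stricter IPv4/IPv6/DNS pattern with the same effect for these lines.

```python
import re

# Simplified <HOST> expansion (fail2ban 0.9 form; newer releases use a stricter
# address pattern that still stops before the trailing comma or space).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def has_host_group(failregex):
    """Fail2Ban refuses a failregex without <HOST>: it cannot know whom to ban."""
    return "<HOST>" in failregex


def compile_failregex(failregex):
    if not has_host_group(failregex):
        raise ValueError("failregex has no <HOST> group")
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_lines(failregex, ignoreregex, lines):
    """Return the host captured from each line that would count as a failure.
    Real Fail2Ban also cuts the detected timestamp out of the line first; that
    does not change the result for the two filters tested here."""
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore and ignore.search(line):
            continue  # ignoreregex wins over failregex
        m = fail.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


# The two custom filters from the notes above
NGINX_4XX_FAIL = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'
NGINX_4XX_IGNORE = r".*(robots.txt|favicon.ico|jpg|png)"
REQ_LIMIT_FAIL = r"limiting requests, excess:.* by zone.*client: <HOST>"

# Constructed sample lines (documentation addresses, not real clients)
ACCESS_LOG = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:00:04 +0000] "POST /admin HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]
ERROR_LOG = [
    '2024/01/10 10:00:05 [error] 1234#1234: *99 limiting requests, excess: 20.500 by zone "one", '
    'client: 192.0.2.77, server: example.org, request: "GET / HTTP/1.1", host: "example.org"',
]

if __name__ == "__main__":
    print(match_lines(NGINX_4XX_FAIL, NGINX_4XX_IGNORE, ACCESS_LOG))  # ['198.51.100.7', '203.0.113.9']
    print(match_lines(REQ_LIMIT_FAIL, "", ERROR_LOG))  # ['192.0.2.77']
```

The favicon.ico 404 is dropped by ignoreregex and the 200 response never matches, so only the two probing addresses are counted; on a live host the same check is done with fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-4xx.conf.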
BAN EXAMPLE
- Command: sudo fail2ban-client status sshd
└───sexton───$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 6
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 92.184.96.193