FAIL2BAN

INSTALLATION & RESSOURCES

• Ressources
• URL : https://www.fail2ban.org
• Documentation Ubuntu : https://doc.ubuntu-fr.org/fail2ban

• Installation de Fail2Ban

  sudo apt-get install fail2ban

• Démarrage du service

  sudo systemctl start fail2ban

• Démarrage auto du service

  sudo systemctl enable fail2ban

• Vérification du statut

  sudo systemctl status fail2ban

FICHIERS DE CONFIGURATION

• Configuration de Fail2ban

  action.d       fail2ban.d  jail.conf  paths-arch.conf    paths-debian.conf
  fail2ban.conf  filter.d    jail.d     paths-common.conf  paths-opensuse.conf
  

• "fail2ban.conf" et "jail.conf" : configuration du deamon, à ne pas modifier a priori.
• Ajouter les configurations personnelles dans le répertoire : jail.d".
• Fichier principal de configuration.
• On y déclare les régles de comportement par défaut puis par services surveillés.
• On y déclare les services surveillés paragraphe par paragraphe.

  /etc/fail2ban/jail.d/defaults-debian.conf

• Les filtres, les conditions recherchées, sont configurés dans les fichiers services par services : /etc/fail2ban/filter.d

  3proxy.conf                domino-smtp.conf        mysqld-auth.conf        selinux-ssh.conf
  apache-auth.conf           dovecot.conf            nagios.conf             sendmail-auth.conf
  apache-badbots.conf        dropbear.conf           named-refused.conf      sendmail-reject.conf
  apache-botsearch.conf      drupal-auth.conf        nginx-botsearch.conf    sieve.conf
  apache-common.conf         ejabberd-auth.conf      nginx-http-auth.conf    slapd.conf
  apache-fakegooglebot.conf  exim-common.conf        nginx-limit-req.conf    softethervpn.conf
  apache-modsecurity.conf    exim-spam.conf          nsd.conf                sogo-auth.conf
  apache-nohome.conf         exim.conf               openhab.conf            solid-pop3d.conf
  apache-noscript.conf       freeswitch.conf         openwebmail.conf        squid.conf
  apache-overflows.conf      froxlor-auth.conf       oracleims.conf          squirrelmail.conf
  apache-pass.conf           gitlab.conf             pam-generic.conf        sshd.conf
  apache-shellshock.conf     grafana.conf            perdition.conf          stunnel.conf
  assp.conf                  groupoffice.conf        php-url-fopen.conf      suhosin.conf
  asterisk.conf              gssftpd.conf            phpmyadmin-syslog.conf  tine20.conf
  bitwarden.conf             guacamole.conf          portsentry.conf         traefik-auth.conf
  botsearch-common.conf      haproxy-http-auth.conf  postfix.conf            uwimap-auth.conf
  centreon.conf              horde.conf              proftpd.conf            vsftpd.conf
  common.conf                ignorecommands          pure-ftpd.conf          webmin-auth.conf
  counter-strike.conf        kerio.conf              qmail.conf              wuftpd.conf
  courier-auth.conf          lighttpd-auth.conf      recidive.conf           xinetd-fail.conf
  courier-smtp.conf          mongodb-auth.conf       roundcube-auth.conf     znc-adminlog.conf
  cyrus-imap.conf            monit.conf              screensharingd.conf     zoneminder.conf
  directadmin.conf           murmur.conf             selinux-common.conf
  

UTILISATION DES COMMANDES FAIL2BAN

• Dé-bannir une IP de l'un de vos jails

  fail2ban-client set [nom du jail] unbanip [IP concerné]

• Bannir manuellement une IP sur l'un de vos jails

  fail2ban-client set [nom du jail] banip [IP à bannir]

• Statut de votre Fail2Ban

  sudo fail2ban-client status

• Statut de votre Fail2Ban pour un service

  sudo fail2ban-client status sshd

CONFIGURATION BASIQUE AVEC SSH

• Fichier de configuration des filtres Fail2Ban

  sudo vi /etc/fail2ban/jail.d/defaults-debian.conf

• Partie générale : DEFAULT
• Partie SSH : sshd

  [DEFAULT]
  ignoreip = 127.0.0.1 X.X.X.X
  findtime = 10m
  bantime = 240h
  maxretry = 5
  destemail = mail@xxxxx.io
  sender = mail@xxxxx.io
  action = %(action_mw)s
  
  [sshd]
  port = 2288
  enabled = true
  
  

CONFIGURATION POSTFIX

• Configuration des deux services POSTFIX. Avec ou sans "sasl".

  [postfix]
  enabled  = true
  maxretry = 3
  
  [postfix-sasl]
  enabled = true
  filter   = postfix[mode=auth]
  port = smtp,submission,imap,imaps,pop3,pop3s
  maxretry = 1
  bantime.increment = true
  bantime.factor = 2
  bantime.maxtime = 5w
  

CONFIGURATION APACHE et PHP

• Partie APACHE : apache, apache-badbots, apache-nohome, apache-noscript, apache-overflows, php-url-fopen

  [apache]
  enabled  = true
  port     = http,https
  filter   = apache-auth
  logpath  = /var/log/apache2/error*.log
  maxretry = 20
  findtime = 600
  
  [apache-noscript]
  enabled  = true
  port     = http,https
  filter   = apache-noscript
  logpath  = /var/log/apache2/error*.log
  maxretry = 20
  findtime = 600
  
  [apache-overflows]
  enabled  = true
  port     = http,https
  filter   = apache-overflows
  logpath  = /var/log/apache2/error*.log
  maxretry = 20
  findtime = 600
  
  [apache-badbots]
  enabled  = true
  port     = http,https
  filter   = apache-badbots
  logpath  = /var/log/apache2/error*.log
  maxretry = 20
  findtime = 600
  
  [apache-nohome]
  enabled  = true
  port     = http,https
  filter   = apache-nohome
  logpath  = /var/log/apache2/error*.log
  maxretry = 20
  findtime = 600
  
  [php-url-fopen]
  enabled  = true
  port     = http,https
  filter   = php-url-fopen
  logpath  = /var/log/apache2/access*.log
  maxretry = 20
  findtime = 600
  

• Source : https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04

EXEMPLE DE BANNISSEMENT

• Commande : sudo fail2ban-client status sshd

  └───sexton───$ sudo fail2ban-client status sshd
  Status for the jail: sshd
  |- Filter
  |  |- Currently failed:	1
  |  |- Total failed:	6
  |  `- File list:	/var/log/auth.log
  `- Actions
     |- Currently banned:	1
     |- Total banned:	1
     `- Banned IP list:	92.184.96.193