SAC:fail2ban

Fail2ban scans log files for repeated failures (brute-force logins, scanner probes) and blocks the offending client IPs with firewall rules. It ships with filters for ssh, postfix, proftpd, apache and others.

= General management =

Installation:

 apt-get install fail2ban
 update-rc.d fail2ban defaults
 /etc/init.d/fail2ban start

Check current state:

 fail2ban-client status
 Status
 |- Number of jail:     1
 `- Jail list:          ssh

= Configuration =

Configuration is under /etc/fail2ban. On some systems it is kept in a git repository.

A "jail" ties a filter (the regex that recognises failures in a log file) to an action (the firewall rule that blocks the host). To enable more of the jails that ship with fail2ban, set enabled = true in the relevant sections:

 vim /etc/fail2ban/jail.conf
 # activate several filters:
 [ssh-ddos] --> set "enabled = true"
 [proftpd]  --> set "enabled = true"
 [postfix]  --> set "enabled = true"
 [apache]   --> set "enabled = true"

Note: put your own new jails into jail.local, not jail.conf, so that a package upgrade does not overwrite them!

Now restart the daemon (this resets the blacklist in iptables):

 /etc/init.d/fail2ban restart

Or (same effect):

 fail2ban-client reload

Verify that it runs (fail2ban adds its own fail2ban-* chains):

 iptables -nvL

See it in action (Debian):

 tail -f /var/log/fail2ban.log

== OSGeo jails ==

It is recommended to put OSGeo jails in files with an 'osgeo' prefix under the '/etc/fail2ban/filter.d/' directory, and to reference them from '/etc/fail2ban/jail.local'.

== Example jails ==

Extra: block "w00tw00t" scans.

First generate the filter file (not included in the fail2ban package), /etc/fail2ban/filter.d/apache-w00tw00t.conf, with this content:

 # Get rid of w00tw00t scans
 [Definition]
 # Option: failregex
 # Notes.: regex to match the w00tw00t scan messages in the logfile.
 # Values: TEXT
 #
 # FAILS - failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.DFind.*
 # from http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/ - used error.log
 # failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.*
 failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.*
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 ignoreregex =

The <HOST> tag is mandatory: fail2ban replaces it with its own address pattern and bans whatever that group captures.

Now edit the configuration of fail2ban and register this new "w00tw00t" jail:

 vim /etc/fail2ban/jail.local

Add in the file (perhaps close to the existing apache definitions):

 [apache-w00tw00t]
 enabled  = true
 filter   = apache-w00tw00t
 action   = iptables-allports
 logpath  = /var/log/apache*/*error.log
 maxretry = 1

Test the regex (Debian):

 fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf

Restart the daemon (this resets the blacklist in iptables):

 /etc/init.d/fail2ban restart

See it in action:

 tail -f /var/log/fail2ban.log

Create similar jails for other bots by changing only the failregex. The log lines shown are what each filter has to match; note that the filter file takes single backslashes (a "\\/" would look for a literal backslash in the log and never match).

For:

 [Sat Feb 01 12:58:27 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php
 [Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php5
 [Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php-cgi
 [Sat Feb 01 12:58:30 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php.cgi
 [Sat Feb 01 12:58:36 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php4

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/cgi-bin\/php*

For:

 [Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpTest

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/phpTest*

For:

 [Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpMyAdmin

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/phpMyAdmin*

For:

 [Mon Feb 24 12:11:20 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/pma

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/pma*

For:

 [Mon Feb 24 12:11:21 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/myadmin

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/myadmin*

For:

 [Sun Mar 02 10:44:49 2014] [error] [client yy.xx.8.82] File does not exist: /var/www/mysqladmin

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/mysqladmin*
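Before a new filter goes into /etc/fail2ban/filter.d/ it pays to check that its failregex really matches the log lines it was written for and captures the client address, which is what fail2ban-regex does on the server. The following is an added example for this page (not fail2ban's own code) that performs the same check offline: it expands the <HOST> tag with a simplified stand-in for fail2ban's address pattern (an assumption; the real expansion is more elaborate), honours ignoreregex, and runs the w00tw00t and cgi-bin filters from above over constructed error_log lines. The addresses, log lines and the HOST_RE pattern are constructed for the example.

```python
import re

# Added example for this page (not fail2ban's own code): check a filter's
# failregex against constructed Apache error_log lines before deploying it.
# fail2ban replaces the <HOST> tag with a named group and bans whatever that
# group captured; HOST_RE is a simplified stand-in for that expansion
# (assumption: plain IPv4 addresses and host names are enough here).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9][A-Za-z0-9.-]*)"

# failregex values exactly as they would stand in /etc/fail2ban/filter.d/*.conf
W00TW00T_FAILREGEX = r"^.*\[client <HOST>\].*w00tw00t\.at\.*"
CGIBIN_FAILREGEX = r"^.*\[client <HOST>\].*\/var\/www\/cgi-bin\/php*"

# Constructed sample log lines (documentation addresses, not real clients).
LOG_LINES = [
    "[Sat Feb 01 12:58:27 2014] [error] [client 203.0.113.80] script not found or unable to stat: /var/www/cgi-bin/php",
    "[Sat Feb 01 12:58:28 2014] [error] [client 203.0.113.80] script not found or unable to stat: /var/www/cgi-bin/php5",
    "[Sun Feb 02 08:01:10 2014] [error] [client 203.0.113.81] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)",
    "[Sun Feb 02 08:02:00 2014] [error] [client 198.51.100.5] File does not exist: /var/www/favicon.ico",
]


def compile_failregex(failregex):
    """Expand <HOST> and compile. A failregex without <HOST> is rejected,
    because fail2ban would have no address to ban."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex lacks the <HOST> tag")
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(failregex, ignoreregex, lines):
    """Return the client addresses fail2ban would count as failures, in log order.
    Lines matched by ignoreregex are skipped first, as fail2ban does."""
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue
        m = fail.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, pattern in (("apache-w00tw00t", W00TW00T_FAILREGEX),
                          ("cgi-bin probe", CGIBIN_FAILREGEX)):
        print(name, "->", matching_hosts(pattern, "", LOG_LINES))
```

Run it once per new filter with the lines copied from the real error.log; a filter that returns the server's own vhost name instead of a client address, or nothing at all, needs fixing before fail2ban is reloaded.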

Protect wordpress:

Add in /etc/fail2ban/jail.local (comments are kept on their own lines, since fail2ban's ini parser does not reliably strip "#" at the end of a value):

 # http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
 # note: whitelist own server IP, see [DEFAULT] in /etc/fail2ban/jail.conf:
 #   "ignoreip" can be an IP address, a CIDR mask or a DNS host
 #   ignoreip = 127.0.0.1/8 88.198.75.114
 [apache-wp-login]
 enabled  = true
 port     = http,https
 filter   = apache-wp-login
 logpath  = /var/log/apache2/other_vhosts_access.log
 maxretry = 10
 # within 1h, in seconds
 findtime = 3600
 action   = iptables[name=wplogin, port=http, protocol=tcp]
 # block for 12h in seconds instead of the default 600s
 bantime  = 43200

and /etc/fail2ban/filter.d/apache-wp-login.conf:

 [Definition]
 # Option:  failregex
 # Notes.:  Regexp to catch Apache dictionary attacks on Wordpress wp-login
 # Values:  TEXT
 # http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
 failregex = <HOST>.*] "POST /wp-login.php
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 ignoreregex =

Test the regex (Debian) against the access log the jail actually reads:

 fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-wp-login.conf

Restart the daemon (this resets the blacklist in iptables):

 /etc/init.d/fail2ban restart

See it in action:

 tail -f /var/log/fail2ban.log

Shellshock - bash hell:

/etc/fail2ban/jail.local:

 # MN 2014
 [shellshock]
 enabled  = true
 filter   = shellshock
 action   = iptables-allports
 logpath  = /var/log/apache*/*error?log
 maxretry = 1

/etc/fail2ban/filter.d/shellshock.conf:

 # attempt to get rid of bash shellshock probing
 [Definition]
 failregex = ^.*\[client <HOST>\].*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
 ignoreregex =

== Whitelisting IPs ==

Especially for SAC admins it might be needed to whitelist their IPs, so that they do not get blacklisted while modifying trac pages. Add the IPs to the ignoreip line in the [DEFAULT] section of /etc/fail2ban/jail.local (space separated; an entry can be an IP address, a CIDR mask or a DNS host):

 # add IPs here:
 ignoreip = ...
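How the numbers in the [apache-wp-login] jail above and the ignoreip whitelist work together is easy to get wrong (a findtime that is too short lets a slow attack through, a missing ignoreip bans the server itself). The following is an added example for this page (not fail2ban's own code) that models that decision: failures are counted per client inside a sliding findtime window, a client reaching maxretry is banned for bantime seconds, and addresses covered by ignoreip are never counted. The events and the 192.0.2.1 "own server" address are constructed placeholders; DNS names in ignoreip are not modelled.

```python
import ipaddress
from collections import defaultdict

# Added example for this page (not fail2ban's own code): a small model of how
# a jail's maxretry / findtime / bantime / ignoreip settings decide who is
# banned. Assumption: failures arrive as (seconds, client_ip) pairs as a
# filter would report them, and a banned client produces no further events
# until bantime expires because the firewall drops its packets.

# Settings of the [apache-wp-login] jail described on this page.
WP_JAIL = dict(maxretry=10, findtime=3600, bantime=43200)
# ignoreip as on this page, with a placeholder for the server's own public IP.
WP_IGNOREIP = ("127.0.0.1/8", "192.0.2.1")   # 192.0.2.1 is a placeholder


def is_ignored(ip, ignoreip):
    """ignoreip entries may be single addresses or CIDR masks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def simulate_jail(events, maxretry, findtime, bantime, ignoreip=()):
    """Return {ip: ban_timestamp}. A client is banned once it has maxretry
    failures within findtime seconds; older failures fall out of the window."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside findtime
    bans = {}                    # ip -> timestamp the ban started
    for ts, ip in sorted(events):
        if is_ignored(ip, ignoreip):
            continue
        if ip in bans and ts < bans[ip] + bantime:
            continue             # still banned, firewall is dropping this client
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
            recent[ip] = []      # counting restarts once the ban expires
    return bans


# Constructed events: a fast dictionary attack, a slow one that stays under
# the threshold, and noise from the server itself (must never be banned).
EVENTS = (
    [(t, "203.0.113.7") for t in range(0, 100, 10)]                        # 10 tries in 90 s
    + [(t, "198.51.100.2") for t in range(0, 9)] + [(4000, "198.51.100.2")]  # 9 fast + 1 late
    + [(t, "192.0.2.1") for t in range(0, 20)]                             # own server
)

if __name__ == "__main__":
    print(simulate_jail(EVENTS, ignoreip=WP_IGNOREIP, **WP_JAIL))
```

With the page's settings only 203.0.113.7 ends up banned; drop the ignoreip argument and the server's own address is banned after its tenth request, which is exactly the situation the "whitelist own server IP" note above warns about.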