SAC:fail2ban


Fail2ban blocks attacks on ssh, postfix, proftp, apache etc.

General management

Installation:

 apt-get install fail2ban
 update-rc.d fail2ban defaults
 /etc/init.d/fail2ban start

Check current state:

 fail2ban-client status
 Status
 |- Number of jail:      1
 `- Jail list:           ssh

Configuration

Configuration is under /etc/fail2ban. On some systems it is kept in a git repository.

A filter is called "jail". To add more jails:

 vim /etc/fail2ban/jail.conf
 # activate several filters by setting "enabled = true" in each section:
 [ssh-ddos]
 enabled = true

 [proftpd]
 enabled = true

 [postfix]
 enabled = true

 [apache]
 enabled = true

Note: add your own new jails to jail.local!

Now restart the daemon (resets blacklist in iptables):

 /etc/init.d/fail2ban restart

Or (same effect):

 fail2ban-client reload

Verify that it runs:

 iptables -nvL

See it in action (Debian):

 tail -f /var/log/fail2ban.log

OSGeo jails

It is recommended to put OSGeo jails in files with an 'osgeo' prefix under the '/etc/fail2ban/filter.d/' directory, and to reference them from '/etc/fail2ban/jail.local'.

Example jails

Extra: block "w00tw00t" scans:

# generate configuration file (not included in fail2ban package):

echo "# Get rid of w00tw00t scans
[Definition]
# Option: failregex
# Notes.: regex to match the w00tw00t scan messages in the logfile.
# Values: TEXT
##FAILS - failregex = ^.*\[client \].*w00tw00t\.at\.ISC\.SANS\.DFind.*
# from http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/ - used error.log
#failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.*
failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex = " > /etc/fail2ban/filter.d/apache-w00tw00t.conf

Now edit the configuration of fail2ban and register this new "w00tw00t" jail:

 vim /etc/fail2ban/jail.local

Add to the file (perhaps close to the existing apache definitions):

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables-allports
logpath = /var/log/apache*/*error.log
maxretry = 1

Test the regex:

# Debian
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf

Restart the daemon (resets blacklist in iptables)

/etc/init.d/fail2ban restart

See it in action:

tail -f /var/log/fail2ban.log

Create similar jails for other bots by just changing the failregex:

For:
[Sat Feb 01 12:58:27 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php
[Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php5
[Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php-cgi
[Sat Feb 01 12:58:30 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php.cgi
[Sat Feb 01 12:58:36 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php4
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/cgi-bin/php
For:
[Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpTest
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/phpTest
For:
[Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpMyAdmin
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/phpMyAdmin
For:
[Mon Feb 24 12:11:20 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/pma
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/pma
For:
[Mon Feb 24 12:11:21 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/myadmin
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/myadmin
For:
[Sun Mar 02 10:44:49 2014] [error] [client yy.xx.8.82] File does not exist: /var/www/mysqladmin
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/mysqladmin
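
An offline sanity check of the scanner failregexes above, added here as an example (not part of the original page): it approximates fail2ban's `<HOST>` substitution with a simplified group and runs the patterns over constructed error.log lines. The helper names, the jail names other than apache-w00tw00t and the sample lines are assumptions; `fail2ban-regex` remains the authoritative test.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion depends on the fail2ban version and also covers IPv6).
HOST_GROUP = r"(?P<host>[\w\-.^_]+)"

# failregex values as stored in the filter files; the jail names other
# than apache-w00tw00t are hypothetical.
FAILREGEX = {
    "apache-w00tw00t": r"^.*\[client <HOST>\].*w00tw00t\.at\.*",
    "apache-cgi-php": r"^.*\[client <HOST>\].*/var/www/cgi-bin/php",
    "apache-phpmyadmin": r"^.*\[client <HOST>\].*/var/www/phpMyAdmin",
}

# Constructed error.log lines in the page's format (documentation IPs).
SAMPLE_LOG = """\
[Sat Feb 01 12:58:27 2014] [error] [client 198.51.100.80] script not found or unable to stat: /var/www/cgi-bin/php5
[Mon Feb 24 12:11:19 2014] [error] [client 203.0.113.60] File does not exist: /var/www/phpMyAdmin
[Mon Feb 24 12:11:25 2014] [error] [client 203.0.113.61] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Feb 24 12:12:01 2014] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""

def compile_failregex(pattern):
    """Substitute <HOST> and compile the result as a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

def scan(log_text, patterns=FAILREGEX):
    """Return {jail: [hosts]} for every line a failregex matches."""
    compiled = {n: compile_failregex(p) for n, p in patterns.items()}
    hits = {n: [] for n in patterns}
    for line in log_text.splitlines():
        for name, rx in compiled.items():
            m = rx.search(line)
            if m:
                hits[name].append(m.group("host"))
    return hits

# Escaping pitfall: a doubled backslash typed directly into a filter file
# demands a literal "\" in the log line, so this pattern matches nothing.
DOUBLED = r"^.*\[client <HOST>\].*\\/var\\/www\\/pma"

def matches(pattern, line):
    return compile_failregex(pattern).search(line) is not None

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print(matches(DOUBLED, "[client 192.0.2.1] File does not exist: /var/www/pma"))
```

The favicon line matches no pattern, so an ordinary 404 from a regular visitor is not counted as a failure.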

Protect wordpress:

Add in /etc/fail2ban/jail.local:

# http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
## note: whitelist own server IP
### /etc/fail2ban/jail.conf
### [DEFAULT]
### "ignoreip" can be an IP address, a CIDR mask or a DNS host
### ignoreip = 127.0.0.1/8 88.198.75.114
[apache-wp-login]
enabled  = true
port     = http,https
# action   = iptables[name=wplogin, port=http, protocol=tcp]
filter   = apache-wp-login
logpath  = /var/log/apache2/other_vhosts_access.log
maxretry = 10
# count failures within 1h (value in seconds)
findtime = 3600
# bantime  = 43200  # block for 12h in seconds instead of 600s

and in /etc/fail2ban/filter.d/apache-wp-login.conf:

[Definition]
# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on Wordpress wp-login
# Values:  TEXT
#
# http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
failregex = <HOST>.*] \"POST \/wp-login.php
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Test the regex:

# Debian (test against the log file the jail actually watches)
fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-wp-login.conf


Restart the daemon (resets blacklist in iptables)

/etc/init.d/fail2ban restart

See it in action:

tail -f /var/log/fail2ban.log

Shellshock - bash hell:

/etc/fail2ban/jail.local

# MN 2014
[shellshock]
enabled = true
filter = shellshock
action = iptables-allports
logpath = /var/log/apache*/*error?log
maxretry = 1

/etc/fail2ban/filter.d/shellshock.conf

# attempt to get rid of bash shellshock probing
[Definition]
failregex = ^.*\[client <HOST>\].*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
ignoreregex =

Whitelisting IPs

SAC admins in particular may need to whitelist their IPs so that they do not get blacklisted while modifying Trac pages:

 # add IPs here:
 /etc/fail2ban/jail.local
 ...
 ignoreip = ...
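
How the `maxretry`/`findtime` values of the apache-wp-login jail and an `ignoreip` whitelist interact, as a simplified model added here (not fail2ban's own code and not part of the original page). The whitelist, the IPv4-only `<HOST>` stand-in, the function names and the generated log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME = 10, 3600          # from the [apache-wp-login] jail
IGNOREIP = "127.0.0.1/8 192.0.2.0/24"  # constructed whitelist (IPs/CIDRs only)
# IPv4-only stand-in for <HOST> (assumption). A group that also accepts
# hostnames would capture the leading vhost name on these lines instead.
HOST_V4 = r"(?P<host>\d+(?:\.\d+){3})"
FAILREGEX = re.compile(r'<HOST>.*] \"POST \/wp-login.php'.replace("<HOST>", HOST_V4))
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

def ignored(ip, ignoreip=IGNOREIP):
    """True if ip lies inside any whitelisted address or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in ignoreip.split())

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts that reach maxretry matches within findtime seconds."""
    seen, banned = defaultdict(deque), []
    for line in lines:
        m, t = FAILREGEX.search(line), STAMP.search(line)
        if not (m and t) or ignored(m.group("host")):
            continue
        host = m.group("host")
        now = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")
        window = seen[host]
        window.append(now)
        # Forget failures older than findtime before counting.
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def make_lines(ip, count, step):
    """Constructed other_vhosts_access.log lines: one POST every step seconds."""
    fmt = 'www.example.org:80 %s - - [01/Feb/2014:%02d:%02d:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1234'
    return [fmt % (ip, s // 3600, s % 3600 // 60, s % 60)
            for s in range(0, count * step, step)]

if __name__ == "__main__":
    log = (make_lines("198.51.100.7", 12, 30)    # rapid guessing
           + make_lines("203.0.113.9", 12, 600)  # at most 7 POSTs in any hour
           + make_lines("192.0.2.44", 50, 5))    # whitelisted network
    print(simulate(log))
```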