SAC:fail2ban

Fail2ban watches log files for repeated failures (ssh, postfix, proftpd, apache, etc.) and blocks the offending source addresses with iptables for a configurable bantime.

= General management =

Installation:

 apt-get install fail2ban
 update-rc.d fail2ban defaults
 /etc/init.d/fail2ban start

Check current state:

 fail2ban-client status
 Status
 |- Number of jail:     1
 `- Jail list:          ssh

= Configuration =

Configuration is under /etc/fail2ban. On some systems it is kept in a git repository.

Each enabled block in jail.conf is a "jail": a filter (the failregex matched against a log file) plus the action taken when maxretry is reached. To enable more of the jails that ship with the package:

 vim /etc/fail2ban/jail.conf
 # activate several filters:
 [ssh-ddos] --> set "true"
 [proftpd]  --> set "true"
 [postfix]  --> set "true"
 [apache]   --> set "true"

Note: add your own jails to jail.local, which overrides jail.conf and is not touched by package upgrades!

Now restart the daemon (this resets the blacklist in iptables):

 /etc/init.d/fail2ban restart

Or (same effect):

 fail2ban-client reload

Verify that it runs (fail2ban adds its own fail2ban-* chains):

 iptables -nvL

See it in action (Debian):

 tail -f /var/log/fail2ban.log

== OSGeo jails ==

It is recommended to put OSGeo jail filters in files with an 'osgeo' prefix under /etc/fail2ban/filter.d/ and to reference them from /etc/fail2ban/jail.local.

== Example jails ==

Extra: block "w00tw00t" scans.

First generate the filter file (not included in the fail2ban package), /etc/fail2ban/filter.d/apache-w00tw00t.conf, with this content:

 # Get rid of w00tw00t scans
 [Definition]
 # Option: failregex
 # Notes.: regex to match the w00tw00t scan messages in the logfile.
 # Values: TEXT
 # FAILS - failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.DFind.*
 # from http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/ - used error.log
 # failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.*
 failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.*
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 ignoreregex =

Now edit the configuration of fail2ban and register this new "w00tw00t" jail:

 vim /etc/fail2ban/jail.local

Add in the file (perhaps close to the existing apache definitions):

 [apache-w00tw00t]
 enabled  = true
 filter   = apache-w00tw00t
 action   = iptables-allports
 logpath  = /var/log/apache*/*error.log
 maxretry = 1

Test the regex against the live log (fail2ban-regex prints the number of matching lines and the addresses it extracted; zero matches means the failregex is wrong):

 fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf   # Debian

Restart the daemon (resets the blacklist in iptables):

 /etc/init.d/fail2ban restart

See it in action:

 tail -f /var/log/fail2ban.log

Create a similar jail for other bots by changing only the failregex. Every failregex must keep the <HOST> tag: fail2ban replaces it with the pattern that captures the address to ban, and a filter without it is rejected.

For these error.log lines:

 [Sat Feb 01 12:58:27 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php
 [Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php5
 [Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php-cgi
 [Sat Feb 01 12:58:30 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php.cgi
 [Sat Feb 01 12:58:36 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php4

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/cgi-bin\/php*

For:

 [Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpTest

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/phpTest*

For:

 [Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpMyAdmin

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/phpMyAdmin*

For:

 [Mon Feb 24 12:11:20 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/pma

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/pma*

For:

 [Mon Feb 24 12:11:21 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/myadmin

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/myadmin*

For:

 [Sun Mar 02 10:44:49 2014] [error] [client yy.xx.8.82] File does not exist: /var/www/mysqladmin

Regex:

 failregex = ^.*\[client <HOST>\].*\/var\/www\/mysqladmin*

Protect WordPress:

Add in /etc/fail2ban/jail.local:

 [apache-wp-login]
 enabled  = true
 port     = http,https
 filter   = apache-wp-login
 logpath  = /var/log/apache2/other_vhosts_access.log
 maxretry = 10
 findtime = 3600  # within 1h, in seconds
 # http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
 # note: whitelist own server IP in /etc/fail2ban/jail.conf, section [DEFAULT]:
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 # ignoreip = 127.0.0.1/8 88.198.75.114
 action   = iptables[name=wplogin, port=http, protocol=tcp]
 bantime  = 43200  # block for 12h in seconds instead of 600s

The iptables action above bans only port http even though the jail lists http,https; if wp-login.php is also served over https, use the iptables-multiport action, which takes the jail's whole port list.

and

/etc/fail2ban/filter.d/apache-wp-login.conf:

 [Definition]
 # Option:  failregex
 # Notes.:  Regexp to catch Apache dictionary attacks on Wordpress wp-login
 # Values:  TEXT
 # http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
 failregex = <HOST>.*\] "POST \/wp-login.php
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 ignoreregex =

<HOST> is not anchored in this regex: lines in other_vhosts_access.log start with the virtual host name, which <HOST> can capture instead of the client address, so the ignoreip entry for the server's own IP in the jail above is not optional.

Test the regex against the log the jail reads:

 fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-wp-login.conf   # Debian

Restart the daemon (resets the blacklist in iptables):

 /etc/init.d/fail2ban restart

See it in action:

 tail -f /var/log/fail2ban.log

Shellshock - bash hell:

/etc/fail2ban/jail.local:

 [shellshock]
 enabled  = true
 filter   = shellshock
 action   = iptables-allports
 logpath  = /var/log/apache*/*error?log
 maxretry = 1
 # MN 2014

/etc/fail2ban/filter.d/shellshock.conf:

 [Definition]
 failregex = ^.*\[client <HOST>\].*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
 ignoreregex =
 # attempt to get rid of bash shellshock probing

The regex matches the "() { ... };" function-definition prefix that Shellshock probes put into request headers, which Apache writes to error.log behind the usual [client <ip>] prefix.
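All the filters on this page are checked the same way fail2ban-regex checks them: expand <HOST>, apply the failregex to each log line, collect the captured address. The following Python script is an added example, not part of the original page or of fail2ban, that replays this page's failregex values (w00tw00t, cgi-bin/php, wp-login, shellshock) against constructed error.log and other_vhosts_access.log lines and adds an assumed apache-wp-login-fixed variant that pins <HOST> to the client field; the <HOST> expansion is the 0.8-era one and the timestamp stripping fail2ban does first is skipped.

```python
import re
from collections import Counter

# fail2ban substitutes <HOST> with this named group before compiling a
# failregex (0.8-era expansion assumed; the real tool also strips the
# timestamp from each line first, which does not change these matches)
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex values from this page's filter.d files, plus an assumed variant
# that pins <HOST> to the client field of other_vhosts_access.log
FILTERS = {
    "apache-w00tw00t": r"^.*\[client <HOST>\].*w00tw00t\.at\.*",
    "apache-cgi-php": r"^.*\[client <HOST>\].*\/var\/www\/cgi-bin\/php*",
    "shellshock": r'^.*\[client <HOST>\].*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+',
    "apache-wp-login": r'<HOST>.*\] "POST \/wp-login.php',
    "apache-wp-login-fixed": r'^\S+:\d+ <HOST> .*\] "POST /wp-login\.php',
}

def matching_hosts(failregex, lines):
    """Return {host: hit count}: what fail2ban-regex reports as matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))  # expand like fail2ban
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)

def hosts_to_ban(hits, maxretry):
    """Hosts the jail would ban at this maxretry (findtime window ignored)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

# constructed sample lines in the two log formats the page's jails read
ERROR_LOG = [
    "[Sat Feb 01 12:58:27 2014] [error] [client 198.51.100.7] script not found or unable to stat: /var/www/cgi-bin/php",
    "[Sat Feb 01 12:58:28 2014] [error] [client 198.51.100.7] script not found or unable to stat: /var/www/cgi-bin/php5",
    "[Sat Feb 01 13:01:02 2014] [error] [client 203.0.113.9] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)",
    "[Sat Feb 01 13:05:44 2014] [error] [client 203.0.113.9] request failed: error reading the headers, referer: () { :;}; echo scan",
    "[Sat Feb 01 13:06:00 2014] [error] [client 192.0.2.55] File does not exist: /var/www/favicon.ico",
]
ACCESS_LOG = [
    'www.example.org:80 198.51.100.7 - - [24/Feb/2014:12:11:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
    'www.example.org:80 192.0.2.55 - - [24/Feb/2014:12:11:25 +0000] "GET /index.php HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    # the page's wp-login regex reports the vhost name, not the client
    for name, rx in FILTERS.items():
        print(name, matching_hosts(rx, ERROR_LOG + ACCESS_LOG))
```

The unanchored wp-login regex returns www.example.org as the "host", which is the ban-your-own-server case the ignoreip note guards against; the fixed variant returns the client address.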