Difference between revisions of "SAC:fail2ban"
Revision as of 07:10, 4 May 2016
Fail2ban blocks attacks on SSH, Postfix, ProFTPD, Apache, etc. by watching their log files and banning the offending hosts via iptables.
General management
Installation:
apt-get install fail2ban
update-rc.d fail2ban defaults
/etc/init.d/fail2ban start
Check current state:
fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
Configuration
Configuration is under /etc/fail2ban. On some systems it is kept in a git repository.
A filter is called a "jail". To add more jails:
vim /etc/fail2ban/jail.conf
# activate several filters:
[ssh-ddos] --> set "true"
[proftpd] --> set "true"
[postfix] --> set "true"
[apache] --> set "true"
Note: add your own new jails to jail.local, not to jail.conf!
Now restart the daemon (resets blacklist in iptables):
/etc/init.d/fail2ban restart
Or (same effect):
fail2ban-client reload
Verify that it is running (the fail2ban chains appear in the iptables listing):
iptables -nvL
See in action (Debian):
tail -f /var/log/fail2ban.log
OSGeo jails
It is recommended to put the OSGeo-specific jails in files with an 'osgeo' prefix under the '/etc/fail2ban/filter.d/' directory, and to reference them from '/etc/fail2ban/jail.local'.
Example jails
Extra: block "w00tw00t" scans:
# generate configuration file (not included in fail2ban package):
echo "# Get rid of w00tw00t scans
[Definition]
# Option: failregex
# Notes.: regex to match the w00tw00t scan messages in the logfile.
# Values: TEXT
##FAILS - failregex = ^.*\[client \].*w00tw00t\.at\.ISC\.SANS\.DFind.*
# from http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/ - used error.log
#failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.*
failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex = " > /etc/fail2ban/filter.d/apache-w00tw00t.conf
Now edit the configuration of fail2ban and register this new "w00tw00t" jail:
vim /etc/fail2ban/jail.local
add in the file (perhaps close to the existing apache definitions):
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables-allports
logpath = /var/log/apache*/*error.log
maxretry = 1
Test the regex:
# Debian
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf
Restart the daemon (resets the blacklist in iptables):
/etc/init.d/fail2ban restart
See it in action:
tail -f /var/log/fail2ban.log
Create similar jails for other bots by changing only the failregex (a single backslash escapes each '/'; a doubled backslash would look for a literal backslash in the log line and never match):
For:
[Sat Feb 01 12:58:27 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php
[Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php5
[Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php-cgi
[Sat Feb 01 12:58:30 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php.cgi
[Sat Feb 01 12:58:36 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php4
Regex:
failregex = ^.*\[client <HOST>\].*\/var\/www\/cgi-bin\/php*
For:
[Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpTest
Regex:
failregex = ^.*\[client <HOST>\].*\/var\/www\/phpTest*
For:
[Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpMyAdmin
Regex:
failregex = ^.*\[client <HOST>\].*\/var\/www\/phpMyAdmin*
For:
[Mon Feb 24 12:11:20 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/pma
Regex:
failregex = ^.*\[client <HOST>\].*\/var\/www\/pma*
For:
[Mon Feb 24 12:11:21 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/myadmin
Regex:
failregex = ^.*\[client <HOST>\].*\/var\/www\/myadmin*
For:
[Sun Mar 02 10:44:49 2014] [error] [client yy.xx.8.82] File does not exist: /var/www/mysqladmin
Regex:
failregex = ^.*\[client <HOST>\].*\/var\/www\/mysqladmin*
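As an added illustration (not part of the original wiki page), the script below does what fail2ban does with the jails above: it expands the <HOST> tag, applies the cgi-bin and phpMyAdmin failregex lines to constructed Apache error-log lines, and then applies the jail's maxretry/findtime rule to decide which hosts would be banned. The IPv4-only host pattern, the sample addresses and the findtime values are assumptions; it also shows that a doubled backslash before '/' makes the regex match nothing.

```python
import re
from datetime import datetime

# fail2ban expands <HOST> into a named group; this IPv4-only pattern is an assumed, simplified stand-in
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines from the cgi-bin and phpMyAdmin jails above ('/' escaped with one backslash)
CGI_FAILREGEX = r"^.*\[client <HOST>\].*\/var\/www\/cgi-bin\/php*"
PMA_FAILREGEX = r"^.*\[client <HOST>\].*\/var\/www\/phpMyAdmin*"

# Constructed Apache 2.2 error-log lines using RFC 5737 test addresses, not real traffic
SAMPLE_ERROR_LOG = [
    "[Sat Feb 01 12:58:27 2014] [error] [client 198.51.100.7] script not found or unable to stat: /var/www/cgi-bin/php",
    "[Sat Feb 01 12:58:28 2014] [error] [client 198.51.100.7] script not found or unable to stat: /var/www/cgi-bin/php5",
    "[Sat Feb 01 12:58:30 2014] [error] [client 203.0.113.9] File does not exist: /var/www/favicon.ico",
    "[Sat Feb 01 13:10:01 2014] [error] [client 203.0.113.9] File does not exist: /var/www/phpMyAdmin",
    "[Sat Feb 01 13:30:00 2014] [error] [client 192.0.2.44] script not found or unable to stat: /var/www/cgi-bin/php-cgi",
    "[Sat Feb 01 13:50:00 2014] [error] [client 192.0.2.44] script not found or unable to stat: /var/www/cgi-bin/php4",
]

def compile_failregex(failregex):
    """Turn a filter.d failregex into a Python regex the way fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST))

def apache_error_time(line):
    """Parse the leading '[Sat Feb 01 12:58:27 2014]' timestamp of an error-log line."""
    return datetime.strptime(line[1:25], "%a %b %d %H:%M:%S %Y")

def ban_decisions(lines, failregex, maxretry, findtime):
    """Hosts the jail would ban: maxretry matching lines within a findtime-second window."""
    rx = compile_failregex(failregex)
    recent = {}   # host -> match times still inside the findtime window
    banned = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host, t = m.group("host"), apache_error_time(line)
        window = [x for x in recent.get(host, []) if (t - x).total_seconds() <= findtime]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    # maxretry = 1 as in the jails above: the first probe is enough to get banned
    print(ban_decisions(SAMPLE_ERROR_LOG, CGI_FAILREGEX, 1, 600))  # ['198.51.100.7', '192.0.2.44']
    # the same regex with '\\/' looks for a literal backslash and matches no line at all
    print(ban_decisions(SAMPLE_ERROR_LOG, CGI_FAILREGEX.replace(r"\/", r"\\/"), 1, 600))  # []
```

With maxretry = 2 the two probes from 192.0.2.44 (20 minutes apart) only lead to a ban when findtime covers both, which is the same windowing that the wp-login jail below relies on with maxretry = 10 and findtime = 3600.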
Protect WordPress:
Add in:
/etc/fail2ban/jail.local
# http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
## note: whitelist own server IP
### /etc/fail2ban/jail.conf
### [DEFAULT]
### "ignoreip" can be an IP address, a CIDR mask or a DNS host
### ignoreip = 127.0.0.1/8 88.198.75.114
[apache-wp-login]
enabled = true
port = http,https
# action = iptables[name=wplogin, port=http, protocol=tcp]
filter = apache-wp-login
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 10
# within 1h (in seconds); keep comments on their own line, '#' after a value is not an inline comment
findtime = 3600
# block for 12h (in seconds) instead of the default 600s
# bantime = 43200
and
/etc/fail2ban/filter.d/apache-wp-login.conf
[Definition]
# Option: failregex
# Notes.: Regexp to catch Apache dictionary attacks on Wordpress wp-login
# Values: TEXT
#
# http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
failregex = <HOST>.*] \"POST \/wp-login.php
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Test the regex (against the access log the jail reads, not the error log):
# Debian
fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-wp-login.conf
Restart the daemon (resets the blacklist in iptables):
/etc/init.d/fail2ban restart
See it in action:
tail -f /var/log/fail2ban.log
Shellshock - bash hell:
/etc/fail2ban/jail.local
# MN 2014
[shellshock]
enabled = true
filter = shellshock
action = iptables-allports
logpath = /var/log/apache*/*error?log
maxretry = 1
/etc/fail2ban/filter.d/shellshock.conf
# attempt to get rid of bash shellshock probing
[Definition]
failregex = ^.*\[client <HOST>\].*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
ignoreregex =