SAC:fail2ban

From OSGeo

Fail2ban watches log files for repeated failures (ssh, postfix, proftpd, apache etc.) and temporarily bans the offending client address with an iptables rule.

General management

Installation (Debian with sysvinit; on a systemd host use "systemctl enable --now fail2ban" instead of the last two commands):

 apt-get install fail2ban
 update-rc.d fail2ban defaults
 /etc/init.d/fail2ban start

Check current state:

 fail2ban-client status
 Status
 |- Number of jail:      1
 `- Jail list:           ssh

Configuration

Configuration is under /etc/fail2ban. On some systems it is kept in a git repository.

A jail ties a filter (the failregex in /etc/fail2ban/filter.d/<name>.conf) to a log file and to an action (by default an iptables ban). The shipped jail.conf defines many jails but, on Debian, enables only ssh; to switch more on, set "enabled = true" in their sections:

 vim /etc/fail2ban/jail.conf
 # activate several jails:
 [ssh-ddos]
 --> set "enabled = true"

 [proftpd]
 --> set "enabled = true"

 [postfix]
 --> set "enabled = true"

 [apache]
 --> set "enabled = true"

Note: jail.conf is replaced on package upgrades. Add your own jails to jail.local, and preferably put the "enabled = true" overrides there as well (same section names; a value in jail.local takes precedence over jail.conf).

Now restart the daemon (this flushes the fail2ban iptables chains, i.e. all current bans are lost):

 /etc/init.d/fail2ban restart

Or re-read the configuration without a full restart (in fail2ban 0.8/0.9 this also drops all bans; since 0.10 a reload keeps them unless called with --unban):

 fail2ban-client reload

Verify that it runs (each jail gets its own fail2ban-<jailname> chain; the ban rules appear inside those chains):

 iptables -nvL

See in action (Debian):

 tail -f /var/log/fail2ban.log

OSGeo jails

It is recommended to put the OSGeo filters in files with an 'osgeo' prefix under the '/etc/fail2ban/filter.d/' directory and to reference them from jails defined in '/etc/fail2ban/jail.local'.

Example jails

Extra: block "w00tw00t" scans:

# generate the filter file (not included in the fail2ban package):

cat > /etc/fail2ban/filter.d/apache-w00tw00t.conf <<'EOF'
# Get rid of w00tw00t scans
[Definition]
# Option: failregex
# Notes.: regex to match the w00tw00t scan messages in the logfile.
#         Apache 2.2 logs "[client IP]"; Apache 2.4 logs "[client IP:port]",
#         there use: ^.*\[client <HOST>(?::\d+)?\].*w00tw00t\.at\..*
# Values: TEXT
##FAILS - failregex = ^.*\[client \].*w00tw00t\.at\.ISC\.SANS\.DFind.*
# from http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/ - used error.log
#failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.*
failregex = ^.*\[client <HOST>\].*w00tw00t\.at\..*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
EOF

The quoted heredoc ('EOF') keeps the shell from interpreting the backslashes in the regex.

Now edit the configuration of fail2ban and register this new "w00tw00t" jail:

 vim /etc/fail2ban/jail.local

add in the file (perhaps close to the existing apache definitions):

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables-allports
logpath = /var/log/apache*/*error.log
maxretry = 1

Test the regex:

# Debian
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf

Restart the daemon (resets blacklist in iptables)

/etc/init.d/fail2ban restart

See in action

tail -f /var/log/fail2ban.log

Create similar jails for other bots, changing only the failregex. In a filter.d file the pattern is a plain Python regex: "/" needs no escaping, and a trailing "*" would only make the last character optional ("php*" also matches "ph"), so match the literal path instead. On Apache 2.4 replace "\[client <HOST>\]" with "\[client <HOST>(?::\d+)?\]" because the client address is logged with a port. Several of these alternatives can also share one filter as consecutive failregex lines (each continuation line indented).

For:
[Sat Feb 01 12:58:27 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php
[Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php5
[Sat Feb 01 12:58:28 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php-cgi
[Sat Feb 01 12:58:30 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php.cgi
[Sat Feb 01 12:58:36 2014] [error] [client yy.xx.154.80] script not found or unable to stat: /var/www/cgi-bin/php4
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/cgi-bin/php
For:
[Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpTest
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/phpTest
For:
[Mon Feb 24 12:11:19 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/phpMyAdmin
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/phpMyAdmin
For:
[Mon Feb 24 12:11:20 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/pma
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/pma
For:
[Mon Feb 24 12:11:21 2014] [error] [client yy.xx.182.60] File does not exist: /var/www/myadmin
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/myadmin
For:
[Sun Mar 02 10:44:49 2014] [error] [client yy.xx.8.82] File does not exist: /var/www/mysqladmin
Regex:
failregex = ^.*\[client <HOST>\].*/var/www/mysqladmin
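To check a filter against log lines without a running fail2ban (the job fail2ban-regex does), here is an added Python example; it is not code from this page or from the fail2ban project. It expands <HOST> the way the 0.8/0.9 releases do (that expansion regex is an assumption taken from those releases; newer ones use a longer IPv4/IPv6 pattern with the same group name), runs the cgi-bin and w00tw00t patterns from this section over constructed error-log lines in both the Apache 2.2 "[client IP]" and the Apache 2.4 "[client IP:port]" layout, honours an optional ignoreregex, and counts hits per client so you can see which addresses would reach maxretry. The sample lines and the RFC 5737 addresses are constructed, and fail2ban's date-removal step is skipped, which does not change the result for these "^.*"-prefixed patterns.

```python
import re
from collections import Counter

# fail2ban's <HOST> placeholder as the 0.8/0.9 releases expand it (assumption:
# taken from those releases; 0.10+ uses a longer IPv4/IPv6 pattern but keeps
# the "host" group name, which is all this code relies on).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed Apache error-log lines (not from a real server; RFC 5737 addresses).
# The first four use the Apache 2.2 "[client IP]" layout shown on this page,
# the last two the Apache 2.4 "[client IP:port]" layout.
ERROR_LOG = [
    "[Sat Feb 01 12:58:27 2014] [error] [client 203.0.113.80] script not found or unable to stat: /var/www/cgi-bin/php",
    "[Sat Feb 01 12:58:28 2014] [error] [client 203.0.113.80] script not found or unable to stat: /var/www/cgi-bin/php5",
    "[Sat Feb 01 12:59:00 2014] [error] [client 198.51.100.7] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)",
    "[Sat Feb 01 13:00:00 2014] [error] [client 192.0.2.5] File does not exist: /var/www/favicon.ico",
    "[Sat Feb 01 13:01:10.123456 2014] [cgi:error] [pid 1234] [client 203.0.113.81:51234] script not found or unable to stat: /var/www/cgi-bin/php-cgi",
    "[Sat Feb 01 13:01:11.223456 2014] [core:error] [pid 1234] [client 198.51.100.8:40000] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)",
]

# Filter lines: the page's Apache 2.2 form, and variants that also accept the
# ":port" suffix Apache 2.4 appends to the client address.
CGI_PHP_22 = r"^.*\[client <HOST>\].*/var/www/cgi-bin/php"
CGI_PHP_24 = r"^.*\[client <HOST>(?::\d+)?\].*/var/www/cgi-bin/php"
W00TW00T_24 = r"^.*\[client <HOST>(?::\d+)?\].*w00tw00t\.at\."


def compile_failregex(failregex):
    """Expand <HOST> and compile, as fail2ban does for each failregex line."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matching_hosts(failregex, lines, ignoreregex=""):
    """Hosts captured from every line that hits failregex and not ignoreregex,
    in log order (one entry per matching line, so repeats are kept)."""
    rx = compile_failregex(failregex)
    ign = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ign is not None and ign.search(line):
            continue
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(failregex, lines, maxretry, ignoreregex=""):
    """Hosts whose match count reaches maxretry. findtime is ignored here:
    every line is treated as falling inside a single window."""
    counts = Counter(matching_hosts(failregex, lines, ignoreregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in [("CGI_PHP_22", CGI_PHP_22), ("CGI_PHP_24", CGI_PHP_24),
                     ("W00TW00T_24", W00TW00T_24)]:
        print(name, "matched:", matching_hosts(rx, ERROR_LOG))
    # The 2.2-only pattern silently misses the 2.4 lines; with maxretry = 1
    # the 2.4-aware pattern bans both cgi-bin probers.
    print("ban (maxretry=1):", hosts_to_ban(CGI_PHP_24, ERROR_LOG, 1))
```

Run it before deploying a filter: a pattern that matches nothing gives no error in fail2ban, it just never bans anyone, which is exactly what happens to the 2.2-only pattern on an Apache 2.4 error log.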

Protect wordpress:

Add in:

/etc/fail2ban/jail.local
# http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
## note: whitelist own server IP
### [DEFAULT] section of /etc/fail2ban/jail.local
### "ignoreip" can be an IP address, a CIDR mask or a DNS host
### ignoreip = 127.0.0.1/8 88.198.75.114
[apache-wp-login]
enabled  = true
port     = http,https
# action   = iptables[name=wplogin, port=http, protocol=tcp]
filter   = apache-wp-login
logpath  = /var/log/apache2/other_vhosts_access.log
# every POST to wp-login.php counts, successful logins included, hence the generous maxretry
maxretry = 10
# findtime: within 1h (in seconds). Keep comments on their own line:
# older fail2ban releases do not accept "value  # comment".
findtime = 3600
# bantime  = 43200  (block for 12h in seconds instead of the default 600s)

and

/etc/fail2ban/filter.d/apache-wp-login.conf
[Definition]
# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on Wordpress wp-login.
#          other_vhosts_access.log uses Debian's vhost_combined format
#          ("%v:%p %h %l %u %t ..."), so the virtual host name comes before
#          the client address. Anchor <HOST> on the second field; the
#          unanchored form from the source below (<HOST>.*] "POST /wp-login.php)
#          captures the vhost name instead of the client, which fail2ban then
#          tries to resolve and ban.
# Values:  TEXT
#
# http://www.galiator.de/wordpress/fail2ban-fuer-wordpress
failregex = ^\S+ <HOST> \S+ \S+ .*"POST /wp-login\.php
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Test the regex against the log the jail actually watches (the access log, not error.log):

# Debian
fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-wp-login.conf


Restart the daemon (resets blacklist in iptables)

/etc/init.d/fail2ban restart

See in action

tail -f /var/log/fail2ban.log
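The jail settings above (maxretry, findtime, ignoreip) and the placement of <HOST> in the failregex decide who gets banned. The following added Python example, not code from this page or from fail2ban, replays constructed vhost_combined access-log lines (RFC 5737 addresses, one brute-forcer, one slow poster and an admin address) through a small model of a jail: a sliding findtime window per client, a maxretry threshold and an ignoreip list. It also shows what <HOST> captures with the unanchored form "<HOST>.*] \"POST \/wp-login.php" from the galiator.de source versus an anchored one. The <HOST> expansion is an assumption taken from fail2ban 0.8/0.9, the log lines are constructed, fail2ban's date-removal step is skipped, and DNS names in ignoreip are not handled.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# fail2ban's <HOST> placeholder as expanded by the 0.8/0.9 releases (assumption
# taken from those releases; later ones use a longer pattern with the same group name).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The filter line as given by the galiator.de source, and an anchored form.
# Debian's vhost_combined format starts with "%v:%p %h", i.e. the virtual host
# name comes BEFORE the client address, so an unanchored <HOST> grabs the vhost.
PAGE_REGEX = r'<HOST>.*] \"POST \/wp-login.php'
ANCHORED_REGEX = r'^\S+ <HOST> \S+ \S+ .*"POST /wp-login\.php'

TS_RX = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def vhost_line(client, ts, method="POST"):
    """Constructed vhost_combined line (not from a real server)."""
    return ('www.example.org:80 %s - - [%s] "%s /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"'
            % (client, ts, method))


# Constructed log, in file order.
ACCESS_LOG = [
    vhost_line("203.0.113.10", "24/Feb/2014:12:11:19 +0100"),
    vhost_line("203.0.113.10", "24/Feb/2014:12:11:25 +0100"),
    vhost_line("203.0.113.10", "24/Feb/2014:12:11:30 +0100", "GET"),  # page view, not a failure
    vhost_line("192.0.2.1", "24/Feb/2014:12:11:35 +0100"),            # admin, listed in ignoreip
    vhost_line("198.51.100.20", "24/Feb/2014:12:12:00 +0100"),
    vhost_line("203.0.113.10", "24/Feb/2014:12:12:05 +0100"),         # third POST inside findtime
    vhost_line("198.51.100.20", "24/Feb/2014:14:30:00 +0100"),        # more than findtime after the first
    vhost_line("198.51.100.20", "24/Feb/2014:14:30:10 +0100"),
]


def captured_host(failregex, line):
    """What <HOST> captures for one line, or None if the line is no failure."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def parse_ignoreip(value):
    """ignoreip as written in jail.local: space-separated addresses or CIDR ranges
    (DNS names, which fail2ban also accepts, are not handled here)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def simulate_jail(lines, failregex, maxretry, findtime, ignoreip=""):
    """Replay lines through a jail. Returns (bans, skipped): bans maps a host to
    the ISO timestamp of the failure that triggered its ban; skipped lists hosts
    that matched but were never counted (in ignoreip, or not an IP literal, in
    which case real fail2ban would try to resolve the name via DNS)."""
    ignored = parse_ignoreip(ignoreip)
    window = timedelta(seconds=findtime)
    recent = {}  # host -> timestamps of failures inside the current window
    bans = {}
    skipped = set()
    for line in lines:
        host = captured_host(failregex, line)
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            skipped.add(host)
            continue
        if any(addr in net for net in ignored):
            skipped.add(host)
            continue
        ts = datetime.strptime(TS_RX.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry and host not in bans:
            bans[host] = ts.isoformat()
    return bans, sorted(skipped)


if __name__ == "__main__":
    print("unanchored regex captures:", captured_host(PAGE_REGEX, ACCESS_LOG[0]))
    print("anchored regex captures:  ", captured_host(ANCHORED_REGEX, ACCESS_LOG[0]))
    print(simulate_jail(ACCESS_LOG, ANCHORED_REGEX, maxretry=3, findtime=3600,
                        ignoreip="127.0.0.1/8 192.0.2.1"))
```

With the unanchored pattern every POST is attributed to "www.example.org", so nothing is ever banned by address (and a real fail2ban would resolve that name, which is how a server ends up banning its own IP); with the anchored one only the client that reaches maxretry inside findtime is banned, the slow poster whose attempts straddle the window is not, and the ignoreip entry is never counted.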

Shellshock - bash hell:

/etc/fail2ban/jail.local

# MN 2014
[shellshock]
enabled = true
filter = shellshock
action = iptables-allports
logpath = /var/log/apache*/*error?log
maxretry = 1

/etc/fail2ban/filter.d/shellshock.conf

# attempt to get rid of bash shellshock probing
[Definition]
failregex = ^.*\[client <HOST>\].*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
ignoreregex =

Note: the "() { :; };" probe arrives in request headers (usually User-Agent or Referer), which Apache records in the access log; error.log only sees it when a module reports the request, e.g. mod_security. If fail2ban-regex finds nothing in error.log, point the jail at the access log instead and replace "\[client <HOST>\]" with the client-address field of that log format.

Whitelisting IPs

Especially for SAC admins it might be needed to whitelist their IPs in order not to get blacklisted while modifying trac pages. ignoreip belongs in the [DEFAULT] section, applies to every jail, and takes space-separated entries, each an address, a CIDR range or a DNS name:

 # add IPs here:
 /etc/fail2ban/jail.local
 [DEFAULT]
 ignoreip = ...

Reload fail2ban afterwards. An address that is already banned can be released right away with "fail2ban-client set <jail> unbanip <ip>".