====== Fail2ban ======
==== Konfiguracja jaili ====
Plik /etc/fail2ban/jail.local
[sshd]
# SSH brute-force protection. Log source and backend come from the
# sshd_log / sshd_backend variables (paths-common.conf), so nothing
# host-specific is needed here.
enabled = true
port = ssh
# "aggressive" is the widest of the stock sshd filter's matching modes
mode = aggressive
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# 3 failures within 10 minutes -> 1 hour ban, applied through iptables-multiport
maxretry = 3
findtime = 10m
bantime = 1h
banaction = iptables-multiport
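[hosting-auth]
# Failed logins to the hosted sites (htpasswd 401s and WordPress
# wp-login.php POSTs), matched by filter.d/wp-auth.conf against the
# vhost-prefixed access log.
enabled = true
port = http,https
filter = wp-auth
logpath = /var/log/httpd/strony-access
backend = auto
# "mode" is only honoured by filters that declare a mode parameter (the stock
# sshd filter does); wp-auth does not, so this line is inert and may be dropped.
# Spelling fixed ("agressive") to match [sshd].
mode = aggressive
# 5 hits within 10 minutes -> 1 hour ban
maxretry = 5
findtime = 10m
bantime = 1h
banaction = iptables-multiport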
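[database-auth]
# Failed logins to the database admin front-end; expects
# filter.d/myadmin-auth.conf to exist and to use <HOST> for the client address.
enabled = true
port = http,https
filter = myadmin-auth
logpath = /var/log/httpd/strony-access
backend = auto
# "mode" is only honoured by filters that declare a mode parameter; unless
# myadmin-auth does, this line is inert. Spelling fixed ("agressive") to match [sshd].
mode = aggressive
# 5 hits within 10 minutes -> 1 hour ban
maxretry = 5
findtime = 10m
bantime = 1h
banaction = iptables-multiport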
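[hosting-notfound]
# Scanners probing for non-existent paths (/.git/config, /phpmyadmin, ...),
# matched by filter.d/404notfound.conf.
enabled = true
port = http,https
filter = 404notfound
logpath = /var/log/httpd/strony-access
backend = auto
# "mode" is only honoured by filters that declare a mode parameter; 404notfound
# does not, so this line is inert. Spelling fixed ("agressive") to match [sshd].
mode = aggressive
# 20 404s within 10 minutes -> 1 hour ban. The filter counts every 404, so a
# legitimate visitor or crawler on a site with many dead links can reach this
# threshold too; keep maxretry high and whitelist known addresses with ignoreip.
maxretry = 20
findtime = 10m
bantime = 1h
banaction = iptables-multiport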
[hosting-recidive]
# Long-term ban for addresses that keep getting banned by the other jails.
# The source is fail2ban's own log, so this jail only fires after the others do.
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
backend = auto
# 4 bans within a day -> banned for a year
maxretry = 4
findtime = 1d
bantime = 366d
# No "port" is set here, so the [DEFAULT] port range applies to this multiport
# rule. NOTE(review): the stock recidive jail uses an all-ports ban action
# instead; confirm against the local jail.conf whether iptables-allports is
# preferable here (it also covers non-TCP traffic).
banaction = iptables-multiport
==== Konfiguracja filtrów ====
Plik /etc/fail2ban/filter.d/wp-auth.conf (nazwa pliku odpowiada wartości filter = wp-auth z jaila hosting-auth)
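# -----------------------------------------------------
# Logins to the hosted sites, covering:
# - htpasswd (any 401),
# - the WordPress dashboard (POST /wp-login.php answered with 200).
# Sample access_log lines that bump the counter:
#strona.pl ip.ip.ip.ip - - [21/Jun/2021:11:08:23 +0200] "POST /wp-login.php HTTP/1.1" 200 8993 "https://strona.pl/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"
#strona.pl ip.ip.ip.ip - - [10/Aug/2021:15:33:37 +0200] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
#
# The lines start with the vhost and then the client address, so the Apache
# LogFormat must emit the vhost before %h; a plain "combined" line starts
# with %h and will not match the anchors below.
# <HOST> is mandatory: it is the group fail2ban bans, and a failregex
# without it is rejected when the jail starts.
# A 200 on POST /wp-login.php is presumably counted because WordPress
# re-renders the form on a failed login while a successful one redirects
# - TODO confirm against the site's behaviour.
# Continuation lines of failregex must be indented (configparser syntax).
# -----------------------------------------------------
[Definition]
# mojastrona[1-4] is the same as listing the four vhosts one by one.
failregex = ^mojastrona[1-4]\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$
            ^mojastrona[1-4]\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$
# Exceptions. This matches the address anywhere in the line (referer and
# user-agent included); 111.111.111.111 is a placeholder. The usual place to
# whitelist administrative addresses is ignoreip in jail.local's [DEFAULT].
ignoreregex = .*(111\.111\.111\.111)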
Plik /etc/fail2ban/filter.d/404notfound.conf (nazwa pliku odpowiada wartości filter = 404notfound z jaila hosting-notfound)
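# -----------------------------------------------------
# Repeated 404s that indicate probing for things like:
# - /.git/config,
# - /phpmyadmin,
# - etc.
#
# Sample access_log line that bumps the counter:
#strona.pl ip.ip.ip.ip - - [10/Aug/2021:16:01:09 +0200] "GET /.git/config HTTP/1.1" 404 29291 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
#
# The lines start with the vhost and then the client address, so the Apache
# LogFormat must emit the vhost before %h. <HOST> is the group fail2ban bans
# and is mandatory in a failregex.
# Every GET 404 counts, including those from visitors following dead links;
# the jail's maxretry is what keeps this from banning ordinary users.
# -----------------------------------------------------
[Definition]
# mojastrona[1-4] is the same as listing the four vhosts one by one.
failregex = ^mojastrona[1-4]\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$
# Exceptions. 111.111.111.111 is a placeholder; prefer ignoreip in jail.local
# for whitelisting administrative addresses.
ignoreregex = .*(111\.111\.111\.111)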
----
==== Odbanowanie ====
# fail2ban-client status
Status
|- Number of jail: 5
`- Jail list: database-auth, hosting-auth, hosting-notfound, hosting-recidive, sshd
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 4
| |- Total failed: 5889
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 10
|- Total banned: 1791
`- Banned IP list: 106.75.141.160 190.1.203.180 168.196.96.37 118.100.180.76 116.98.160.162 115.76.175.127 116.110.219.121 116.110.159.168 116.98.160.255 138.68.185.126
# fail2ban-client unban 106.75.141.160
1
----
==== Różne dodatkowe rzeczy: ====
* W pliku /etc/fail2ban/action.d/iptables-common.conf warto zmienić REJECT na DROP:
#blocktype = REJECT --reject-with icmp-port-unreachable
blocktype = DROP
* wypisanie ilości banów na jailu:
fail2ban-client status hosting-recidive | grep 'Currently banned:' | cut -d$'\t' -f2
* baza danych znajduje się w pliku /var/lib/fail2ban/fail2ban.sqlite3
# sqlite3 fail2ban.sqlite3
SQLite version 3.34.1 2021-01-20 14:10:07
Enter ".help" for usage hints.
sqlite> .header on
sqlite> .mode column
sqlite> select * from bans limit 1;
jail ip timeofban bantime bancount data
---- ------------- ---------- ------- -------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
sshd 49.146.34.185 1630592325 3600 1 {"matches": [["", "2021-09-02T16:18:44.257629", "vps-d7966fa2.vps.ovh.net sshd[85576]: Invalid user admin from 49.146.34.185 port 24981"], "2021-09-02T16:18:44.560856vps-d7966fa2.vps.ovh.net sshd[85576]: Failed none for invalid user admin from 49.146.34.185 port 24981 ssh2", "2021-09-02T16:18:44.869209vps-d7966fa2.vps.ovh.net sshd[85576]: Connection closed by invalid user admin 49.146.34.185 port 24981 [preauth]"], "failures": 3, "mlfid": "vps-d7966fa2.vps.ovh.net sshd[85576]: ", "user": "admin", "ip4": "49.146.34.185", "users": "['admin']"}
sqlite>
* format logów, jakiego używam w Apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
==== Zabezpieczenie Proxmoxa ====
/etc/fail2ban/filter.d/srv01-proxmox.conf
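[Definition]
# pvedaemon logs a failed web-UI login as (shape inferred from the regex):
#   pvedaemon[PID]: authentication failure; rhost=ADDR user=NAME msg=...
# <HOST> captures the rhost value and is what fail2ban bans; a failregex
# without it is rejected when the jail starts.
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =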
/etc/fail2ban/jail.local (tylko fragment dla Proxmoxa)
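[srv01-proxmox]
# Failed logins to the Proxmox web UI (pvedaemon), matched by
# filter.d/srv01-proxmox.conf. The filter is named explicitly, as in the
# other jails, instead of relying on the jail name resolving to it.
enabled = true
filter = srv01-proxmox
port = 8006
# pvedaemon messages reach daemon.log through syslog. NOTE(review): on a host
# that logs only to the journal this file will not exist - confirm, and use
# backend = systemd with a matching journalmatch if so.
logpath = /var/log/daemon.log
# 3 failures within 10 minutes -> 1 hour ban
maxretry = 3
findtime = 10m
bantime = 1h
banaction = iptables-multiport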