Plik /etc/fail2ban/jail.local
[sshd] mode = aggressive enabled = true port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s findtime = 10m maxretry = 3 bantime = 1h banaction = iptables-multiport [hosting-auth] mode = agressive enabled = true port = http,https backend = auto filter = wp-auth logpath = /var/log/httpd/strony-access findtime = 10m maxretry = 5 bantime = 1h banaction = iptables-multiport [database-auth] mode = agressive enabled = true port = http,https backend = auto filter = myadmin-auth logpath = /var/log/httpd/strony-access findtime = 10m maxretry = 5 bantime = 1h banaction = iptables-multiport [hosting-notfound] mode = agressive enabled = true port = http,https backend = auto filter = 404notfound logpath = /var/log/httpd/strony-access findtime = 10m maxretry = 20 bantime = 1h banaction = iptables-multiport [hosting-recidive] enabled = true logpath = /var/log/fail2ban.log backend = auto filter = recidive findtime = 1d maxretry = 4 bantime = 366d banaction = iptables-multiport
Plik /etc/fail2ban/filter.d/
# ----------------------------------------------------- # Logowanie do witryn obejmujace: # - htpasswd, # - logowanie do kokpitu Worpressa. # Przykladowe linijki z access_log, ktore beda podbijaly licznik: #strona.pl ip.ip.ip.ip - - [21/Jun/2021:11:08:23 +0200] "POST /wp-login.php HTTP/1.1" 200 8993 "https://strona.pl/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0" #strona.pl ip.ip.ip.ip - - [10/Aug/2021:15:33:37 +0200] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0" # ----------------------------------------------------- [Definition] failregex = ^mojastrona1\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$ ^mojastrona1\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$ ^mojastrona2\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$ ^mojastrona2\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$ ^mojastrona3\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$ ^mojastrona3\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$ ^mojastrona4\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$ ^mojastrona4\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$ # Wyjatki ignoreregex = .*(111\.111\.111\.111)
Plik /etc/fail2ban/filter.d/
# ----------------------------------------------------- # Powtarzajece sie bledy 404, wskazujace na szukanie: # - /.git/config, # - /phpmyadmin, # - itp... # # Przykladowe linijki z access_log, ktore beda podbijaly licznik: #strona.pl ip.ip.ip.ip - - [10/Aug/2021:16:01:09 +0200] "GET /.git/config HTTP/1.1" 404 29291 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0" # ----------------------------------------------------- [Definition] failregex = ^mojastrona1\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$ ^mojastrona2\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$ ^mojastrona3\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$ ^mojastrona4\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$ # Wyjatki ignoreregex = .*(111\.111\.111\.111)
# fail2ban-client status Status |- Number of jail: 5 `- Jail list: database-auth, hosting-auth, hosting-notfound, hosting-recidive, sshd # fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 4 | |- Total failed: 5889 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 10 |- Total banned: 1791 `- Banned IP list: 106.75.141.160 190.1.203.180 168.196.96.37 118.100.180.76 116.98.160.162 115.76.175.127 116.110.219.121 116.110.159.168 116.98.160.255 138.68.185.126 # fail2ban unban 106.75.141.160 1
#blocktype = REJECT --reject-with icmp-port-unreachable blocktype = DROP
fail2ban-client status hosting-recidive | grep 'Currently banned:' | cut -d$'\t' -f2
# sqlite3 fail2ban.sqlite3 SQLite version 3.34.1 2021-01-20 14:10:07 Enter ".help" for usage hints. sqlite> .header on sqlite> .mode column sqlite> select * from bans limit 1; jail ip timeofban bantime bancount data ---- ------------- ---------- ------- -------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- sshd 49.146.34.185 1630592325 3600 1 {"matches": [["", "2021-09-02T16:18:44.257629", "vps-d7966fa2.vps.ovh.net sshd[85576]: Invalid user admin from 49.146.34.185 port 24981"], "2021-09-02T16:18:44.560856vps-d7966fa2.vps.ovh.net sshd[85576]: Failed none for invalid user admin from 49.146.34.185 port 24981 ssh2", "2021-09-02T16:18:44.869209vps-d7966fa2.vps.ovh.net sshd[85576]: Connection closed by invalid user admin 49.146.34.185 port 24981 [preauth]"], "failures": 3, "mlfid": "vps-d7966fa2.vps.ovh.net sshd[85576]: ", "user": "admin", "ip4": "49.146.34.185", "users": "['admin']"} sqlite>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
/etc/fail2ban/filter.d/srv01-proxmox.conf
[Definition] failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* ignoreregex =
/etc/fail2ban/jail.local (tylko fragment dla Proxmoxa)
[srv01-proxmox] enabled = true port = 8006 logpath = /var/log/daemon.log findtime = 10m maxretry = 3 bantime = 1h banaction = iptables-multiport