Fail2ban

Jail configuration

File /etc/fail2ban/jail.local

[sshd]
mode      = aggressive
enabled   = true
port      = ssh
logpath   = %(sshd_log)s
backend   = %(sshd_backend)s
findtime  = 10m
maxretry  = 3
bantime   = 1h
banaction = iptables-multiport

[hosting-auth]
mode      = aggressive
enabled   = true
port      = http,https
backend   = auto
filter    = wp-auth
logpath   = /var/log/httpd/strony-access
findtime  = 10m
maxretry  = 5
bantime   = 1h
banaction = iptables-multiport

[database-auth]
mode      = aggressive
enabled   = true
port      = http,https
backend   = auto
filter    = myadmin-auth
logpath   = /var/log/httpd/strony-access
findtime  = 10m
maxretry  = 5
bantime   = 1h
banaction = iptables-multiport

[hosting-notfound]
mode      = aggressive
enabled   = true
port      = http,https
backend   = auto
filter    = 404notfound
logpath   = /var/log/httpd/strony-access
findtime  = 10m
maxretry  = 20
bantime   = 1h
banaction = iptables-multiport

[hosting-recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
backend   = auto
filter    = recidive
findtime  = 1d
maxretry  = 4
bantime   = 366d
banaction = iptables-multiport

Filter configuration

File /etc/fail2ban/filter.d/

# -----------------------------------------------------
# Logins to websites, covering:
# - htpasswd,
# - logging in to the WordPress dashboard.
#
# Example access_log lines that will increment the counter:
#strona.pl ip.ip.ip.ip - - [21/Jun/2021:11:08:23 +0200] "POST /wp-login.php HTTP/1.1" 200 8993 "https://strona.pl/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"
#strona.pl ip.ip.ip.ip - - [10/Aug/2021:15:33:37 +0200] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
# -----------------------------------------------------

[Definition]

failregex = ^mojastrona1\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$
            ^mojastrona1\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$
            ^mojastrona2\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$
            ^mojastrona2\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$
            ^mojastrona3\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$
            ^mojastrona3\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$
            ^mojastrona4\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$
            ^mojastrona4\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$

# Exceptions
ignoreregex = .*(111\.111\.111\.111)

File /etc/fail2ban/filter.d/

# -----------------------------------------------------
# Repeated 404 errors, which indicate probing for:
# - /.git/config,
# - /phpmyadmin,
# - etc.
#
# Example access_log lines that will increment the counter:
#strona.pl ip.ip.ip.ip - - [10/Aug/2021:16:01:09 +0200] "GET /.git/config HTTP/1.1" 404 29291 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
# -----------------------------------------------------

[Definition]

failregex = ^mojastrona1\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$
            ^mojastrona2\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$
            ^mojastrona3\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$
            ^mojastrona4\.baszarek\.pl <HOST> .* "GET .* HTTP.*" 404 .*$

# Exceptions
ignoreregex = .*(111\.111\.111\.111)
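
A quick way to see whether these patterns fire on a given line, and what the jail then does with the hits, is to replay log lines through them. The Python below is an added example, not part of this wiki page or of fail2ban itself: it takes the wp-auth failregex/ignoreregex above (one vhost only), substitutes an IPv4-only stand-in for fail2ban's <HOST> token, and applies the [hosting-auth] findtime/maxretry rule to constructed access_log lines; the function names and the sample client addresses are made up for the example. On a real server the same check is done with fail2ban-regex against the access log and the filter file.

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> (IPv4 only; fail2ban's own token also covers IPv6 and hostnames)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [  # failregex lines of the wp-auth filter above, for a single vhost
    r'^mojastrona1\.baszarek\.pl <HOST> .* "(GET|POST|HEAD) .* HTTP.*" 401 .*$',
    r'^mojastrona1\.baszarek\.pl <HOST> .* "POST \/wp-login\.php HTTP.*" 200 .*$',
]
FAIL_RES = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
IGNORE_RES = [re.compile(r'.*(111\.111\.111\.111)')]  # the filter's ignoreregex

def match_failure(line):
    """Host of a failed attempt, or None; like fail2ban, ignoreregex is only
    checked on lines that already matched a failregex."""
    for rx in FAIL_RES:
        m = rx.search(line)
        if m:
            return None if any(i.search(line) for i in IGNORE_RES) else m.group("host")
    return None

def parse_time(line):  # e.g. [21/Jun/2021:11:08:23 +0200]
    return datetime.strptime(re.search(r"\[([^\]]+)\]", line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def ban_decisions(lines, findtime_s, maxretry):
    """Jail rule: ban a host once it has maxretry failures inside a sliding findtime window."""
    window, recent, banned = timedelta(seconds=findtime_s), {}, []
    for line in lines:
        host = match_failure(line)
        if host is None or host in banned:
            continue
        now = parse_time(line)
        recent[host] = [t for t in recent.get(host, []) if now - t <= window] + [now]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned

def access_line(ip, minute, request, status):
    """Constructed access_log line in the vhost-prefixed combined format shown above."""
    return (f'mojastrona1.baszarek.pl {ip} - - [21/Jun/2021:11:{minute:02d}:00 +0200] '
            f'"{request}" {status} 512 "-" "Mozilla/5.0 (constructed)"')

SAMPLE_LOG = (  # constructed: 5 quick tries, 5 from the whitelisted IP, 4 tries then a long gap
    [access_line("203.0.113.5", m, "POST /wp-login.php HTTP/1.1", 200) for m in range(5)]
    + [access_line("111.111.111.111", m, "GET /wp-admin/ HTTP/1.1", 401) for m in range(5)]
    + [access_line("198.51.100.7", m, "POST /wp-login.php HTTP/1.1", 200) for m in (0, 1, 2, 3, 20)]
)

def banned_by_hosting_auth():  # replay with the [hosting-auth] settings: findtime 10m, maxretry 5
    return ban_decisions(SAMPLE_LOG, 10 * 60, 5)
```

Only 203.0.113.5 is banned: the whitelisted address is discarded by ignoreregex, and 198.51.100.7 never has five hits inside one 10-minute window, although it would with a longer findtime.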

Unbanning

# fail2ban-client status
Status
|- Number of jail:	5
`- Jail list:	database-auth, hosting-auth, hosting-notfound, hosting-recidive, sshd

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	4
|  |- Total failed:	5889
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	10
   |- Total banned:	1791
   `- Banned IP list:	106.75.141.160 190.1.203.180 168.196.96.37 118.100.180.76 116.98.160.162 115.76.175.127 116.110.219.121 116.110.159.168 116.98.160.255 138.68.185.126

# fail2ban-client unban 106.75.141.160
1

Miscellaneous extras:

  • In /etc/fail2ban/action.d/iptables-common.conf it is worth changing REJECT to DROP:
#blocktype = REJECT --reject-with icmp-port-unreachable
blocktype = DROP
  • print the number of bans in a jail:
fail2ban-client status hosting-recidive | grep 'Currently banned:' | cut -d$'\t' -f2
  • the database is in the file /var/lib/fail2ban/fail2ban.sqlite3
# sqlite3 fail2ban.sqlite3 
SQLite version 3.34.1 2021-01-20 14:10:07
Enter ".help" for usage hints.
sqlite> .header on
sqlite> .mode column
sqlite> select * from bans limit 1;
jail  ip             timeofban   bantime  bancount  data
----  -------------  ----------  -------  --------  ----
sshd  49.146.34.185  1630592325  3600     1         {"matches": [["", "2021-09-02T16:18:44.257629", "vps-d7966fa2.vps.ovh.net sshd[85576]: Invalid user admin from 49.146.34.185 port 24981"], "2021-09-02T16:18:44.560856vps-d7966fa2.vps.ovh.net sshd[85576]: Failed none for invalid user admin from 49.146.34.185 port 24981 ssh2", "2021-09-02T16:18:44.869209vps-d7966fa2.vps.ovh.net sshd[85576]: Connection closed by invalid user admin 49.146.34.185 port 24981 [preauth]"], "failures": 3, "mlfid": "vps-d7966fa2.vps.ovh.net sshd[85576]: ", "user": "admin", "ip4": "49.146.34.185", "users": "['admin']"}
sqlite> 
  • the log format I use in Apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
wiki/fail2ban.txt · last modified: 2021/09/06 16:29 by lukasz