Protecting a Linux machine with fail2ban

From RVM Wiki
Revision as of 12:30, 11 January 2013

Installation

  • Install fail2ban
sudo apt-get install fail2ban
  • By default it already creates iptables chains, depending on which packages are installed:
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
fail2ban-pureftpd  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21 
fail2ban-dovecot-pop3imap  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,995,143,993 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

General parameter configuration

  • Put the parameters to change in
sudoedit /etc/fail2ban/jail.local
:r /etc/fail2ban/jail.conf
    (the vim command :r reads the whole of jail.conf into the new file as a starting point; jail.local is read after jail.conf and only needs to contain the settings you override, so it can be trimmed down to those)
  • In particular:
# these hosts will never be banned
ignoreip = 127.0.0.1 1.2.3.4 5.6.7.8 9.10.11.12/24
# how long a ban stays active, in seconds
bantime  = 300
# number of failures after which the ban is applied
maxretry = 9
# recipient and sender of the notifications
destemail = recipient@example.com
# the option is called "sender" (settable here from fail2ban 0.9 on; on the 0.8
# series it is a parameter of the mail action); "sendermail" is not a fail2ban
# option and is silently ignored
sender = fail2ban@example.com
# ban and send an e-mail with whois information
action = %(action_mw)s

  • Enable the jails you need by setting
enabled = true
  • Reload

sudo invoke-rc.d fail2ban reload

  • Watch the log:
sudo tail -f /var/log/fail2ban.log 

Custom filter for Apache 404s

  • To also block bots that probe for vulnerable files by requesting paths that do not exist (and so collect 404s), put the following in
sudoedit /etc/fail2ban/filter.d/apache-404.conf
[Definition]
failregex = <HOST> .* 404 [0-9]+
#(?P<HOST>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+.$
ignoreregex = favicon\.ico
  • Enable it:
sudoedit /etc/fail2ban/jail.local
[apache-404]

enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/*access.log
bantime = 300
findtime = 600
maxretry = 9
  • Test the rule against the access log (the failregex above matches access-log lines, not error.log) with
sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-404.conf
  • Restart and test
sudo invoke-rc.d fail2ban restart


  • To match on error.log instead, use this failregex (Apache 2.2 error-log format; Apache 2.4 appends :port to the client address, so add (:\d+)? after <HOST>) and point logpath at the error log:
#failregex = [[]client <HOST>[]] File does not exist: .*
  • To see how many hosts are banned:
sudo fail2ban-client status apache-404
Status for the jail: apache-404
|- filter
|  |- File list:        /var/log/apache2/other_vhosts_access.log /var/log/apache2/access.log 
|  |- Currently failed: 130
|  `- Total failed:     412
`- action
   |- Currently banned: 11
   |  `- IP list:       64.27.50.50 69.160.56.137 87.104.210.109 91.121.220.8 91.236.74.125 46.4.55.227 192.95.1.132 87.98.143.72 84.112.211.204 82.20.121.210 82.40.171.5 
   `- Total banned:     15
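As an added example, not code from the page or from fail2ban itself, the following Python script runs the apache-404 filter above over a few constructed access-log lines (made up for this demo, with RFC 5737 addresses) and reproduces the two jail parameters that decide a ban, maxretry and findtime, with a sliding window. It reuses fail2ban's expansion of the <HOST> token (the 0.9-series form) but is a stand-alone matcher, not fail2ban. It also shows why the page's failregex `<HOST> .* 404 [0-9]+` is looser than it looks: the `.*` runs on into the referer and user-agent fields, which the client controls, so a 200 response whose referer happens to contain " 404 5" is counted as a failure. The anchored TIGHT_FAILREGEX is my suggested replacement and is an assumption, not something the page gives.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> token in failregex with a named group; this is the
# 0.9-series expansion (the 0.8 series used (?:::f{4,6}:)?(?P<host>\S+)).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The page's filter, as written.
LOOSE_FAILREGEX = r"<HOST> .* 404 [0-9]+"
# Suggested tightening (assumption, not from the page): anchor at the start of the
# line and require 404 to be the status field right after the quoted request.
# "\[[^\]]*\]" also matches the empty "[]" that is left when fail2ban cuts the
# matched timestamp out of the line before applying failregex (0.8/0.9 behaviour).
TIGHT_FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]*\] "[^"]*" 404 \d+'
IGNOREREGEX = r"favicon\.ico"

# Constructed combined-format access-log lines (not a real log).
ACCESS_LOG = [
    '203.0.113.7 - - [11/Jan/2013:12:30:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 481 "-" "scanner"',
    '203.0.113.7 - - [11/Jan/2013:12:30:02 +0100] "GET /pma/ HTTP/1.1" 404 481 "-" "scanner"',
    '203.0.113.7 - - [11/Jan/2013:12:30:03 +0100] "GET /admin/ HTTP/1.1" 404 481 "-" "scanner"',
    '198.51.100.20 - - [11/Jan/2013:12:31:00 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # a successful request whose client-supplied Referer happens to contain " 404 5"
    '198.51.100.20 - - [11/Jan/2013:12:31:01 +0100] "GET /page HTTP/1.1" 200 4096 "http://example.com/error 404 5" "Mozilla/5.0"',
    '198.51.100.20 - - [11/Jan/2013:12:31:02 +0100] "GET /old HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # the scanner comes back an hour later
    '203.0.113.7 - - [11/Jan/2013:13:30:05 +0100] "GET /setup.php HTTP/1.1" 404 481 "-" "scanner"',
]

TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def match_failures(lines, failregex, ignoreregex=""):
    """Return [(host, time)] for lines matching failregex and not ignoreregex,
    which is what fail2ban feeds into a jail's counters."""
    fail = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    failures = []
    for line in lines:
        if ignore and ignore.search(line):
            continue
        m = fail.search(line)
        if m is None:
            continue
        when = datetime.strptime(TIMESTAMP_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        failures.append((m.group("host"), when))
    return failures


def failure_counts(failures):
    """Failures per host, regardless of timing."""
    return dict(Counter(host for host, _ in failures))


def hosts_to_ban(failures, maxretry, findtime):
    """Hosts with at least maxretry failures inside some findtime-second window:
    the condition under which fail2ban bans."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for host, when in sorted(failures, key=lambda f: f[1]):
        times = [t for t in recent[host] if when - t <= window] + [when]
        recent[host] = times
        if len(times) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, regex in (("loose", LOOSE_FAILREGEX), ("tight", TIGHT_FAILREGEX)):
        failures = match_failures(ACCESS_LOG, regex, IGNOREREGEX)
        print(name, failure_counts(failures),
              "banned at 4 in 600 s:", hosts_to_ban(failures, 4, 600),
              "banned at 4 in 7200 s:", hosts_to_ban(failures, 4, 7200))
```

With the page's own settings (maxretry = 9, findtime = 600) none of these hosts would be banned, so the demo uses smaller thresholds to make the window visible: the scanner's three probes plus one an hour later only add up to a ban once findtime spans the gap.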

Ban escalation

  • By monitoring fail2ban's own log, hosts that keep getting banned can be banned again for longer (newer fail2ban releases ship a ready-made recidive filter and jail that does exactly this)
  • Create the filter (filter files need a [Definition] section, as in the apache-404 filter above)
sudoedit /etc/fail2ban/filter.d/fail2ban-ban.conf
[Definition]
failregex = Ban <HOST>
# do not count the Ban lines this jail writes itself, or every escalated ban is one more offence towards the next one
ignoreregex = \[fail2ban-ban\] Ban
  • To escalate only bans coming from certain jails, put the jail name (as it appears in the log) in the regex, for example:
failregex = \[sendmail\] Ban <HOST>
  • Enable the jail:
sudoedit /etc/fail2ban/jail.local
[fail2ban-ban]
enabled = true
# block all tcp traffic
banaction = iptables-allports
# if you want to block all traffic, uncomment following line
# protocol = all
# an all-ports ban also locks out anyone sharing the offender's address: keep ignoreip up to date
# must be the name of the filter file created above (filter.d/fail2ban-ban.conf)
filter = fail2ban-ban
logpath = /var/log/fail2ban.log
# If banned more than 5 times in an hour, ban again for two hours
maxretry = 5
findtime = 3600
bantime = 7200


  • Consider the following:
<fab23> I am using FreeBSD IPFW as firewall, and by default with the fail2ban setup it blocks the IP on all ports
<fab23> but after I had been locked out with ssh from a shared network where one of my users mistyped his mail password several times, I switched to only blocking ports, so I can still ssh to my systems :)
<GabrieleV> fab23, You are absolutely right ! I have to consider this ... anyway, I can access my virtual machine control panel out of band. But it's a clever consideration: block only the services you are monitoring !
  • Test the rule:
sudo fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/fail2ban-ban.conf
  • Restart:
sudo invoke-rc.d fail2ban restart
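As an added example, again not code from the page or from fail2ban, this script applies the escalation filter to a few constructed fail2ban.log lines (0.8-series message format, approximated, with RFC 5737 addresses) to show two things the regex alone does not: `Ban <HOST>` also matches the Ban lines that the escalation jail itself writes, so without an ignoreregex every escalated ban is counted as one more offence and feeds the next one, and a jail-specific failregex such as `\[sendmail\] Ban <HOST>` limits escalation to a single source jail. The <HOST> expansion is fail2ban's (0.9-series form); SELF_IGNOREREGEX is my suggested setting, an assumption rather than the page's.

```python
import re
from collections import Counter

# fail2ban's expansion of the <HOST> token (0.9-series form).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed fail2ban.log excerpt in the 0.8-series message format (approximate,
# not a real log): <date> <logger>: <level> [<jail>] Ban|Unban <ip>
FAIL2BAN_LOG = [
    "2013-01-11 12:30:00,101 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7",
    "2013-01-11 12:35:00,102 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7",
    "2013-01-11 12:36:00,103 fail2ban.actions: WARNING [sendmail] Ban 203.0.113.7",
    "2013-01-11 12:37:00,104 fail2ban.actions: WARNING [apache-404] Ban 198.51.100.20",
    "2013-01-11 12:38:00,105 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7",
    # the line the escalation jail itself writes once it fires
    "2013-01-11 12:38:01,106 fail2ban.actions: WARNING [fail2ban-ban] Ban 203.0.113.7",
]

GENERIC_FAILREGEX = r"Ban <HOST>"                # the page's filter
SENDMAIL_FAILREGEX = r"\[sendmail\] Ban <HOST>"  # the page's jail-specific variant
SELF_IGNOREREGEX = r"\[fail2ban-ban\] Ban"       # suggested: do not count our own bans


def ban_counts(lines, failregex, ignoreregex=""):
    """Offences per host as the escalation jail would count them.
    Unban lines are not counted: the match is case-sensitive, so "Unban" never
    contains "Ban"."""
    fail = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore and ignore.search(line):
            continue
        m = fail.search(line)
        if m:
            hosts.append(m.group("host"))
    return dict(Counter(hosts))


if __name__ == "__main__":
    print("generic, no ignoreregex:", ban_counts(FAIL2BAN_LOG, GENERIC_FAILREGEX))
    print("generic, own bans ignored:", ban_counts(FAIL2BAN_LOG, GENERIC_FAILREGEX, SELF_IGNOREREGEX))
    print("sendmail bans only:", ban_counts(FAIL2BAN_LOG, SENDMAIL_FAILREGEX))
```

The difference between the first two counts is the escalation jail counting itself; over a long findtime that extra offence per cycle is what turns a two-hour ban into a permanent one.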

References

  • Fail2ban - Guide@Debianizzati.Org: http://guide.debianizzati.org/index.php/Fail2ban
  • Automated Banning of Script Kiddies with fail2ban | Barbary Codes and Data: http://blog.barbarycodes.com/2010/10/06/automated-banning-of-script-kiddies-with-fail2ban/