Protecting a Linux machine with fail2ban

From RVM Wiki
Revision as of 19:31, 10 January 2013 by Gabriele.vivinetto (Created page)
  • Install fail2ban
sudo apt-get install fail2ban
  • By default it already creates chains, depending on the packages installed:
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
fail2ban-pureftpd  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21 
fail2ban-dovecot-pop3imap  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,995,143,993 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
  • Put the parameters to change in jail.local; with the editor open, the :r command below (vim) reads the stock jail.conf into the new file as a starting point
sudoedit /etc/fail2ban/jail.local 
:r /etc/fail2ban/jail.conf
  • In particular:
ignoreip = 127.0.0.1 1.2.3.4 5.6.7.8 9.10.11.12/24
bantime  = 300
maxretry = 9
destemail = recipient@example.com
  • Enable the relevant sections by setting
enabled = true
  • Reload

sudo invoke-rc.d fail2ban reload

  • Watch the log:
sudo tail -f /var/log/fail2ban.log 

Custom filter for Apache 404s

  • To also block bots that probe for vulnerabilities by requesting files that do not exist, add
sudoedit /etc/fail2ban/filter.d/apache-404.conf
[Definition]
failregex = <HOST> .* 404 [0-9]+
#(?P<HOST>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+.$
ignoreregex = favicon\.ico
  • Enable it:
sudoedit /etc/fail2ban/jail.local
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/*access.log
bantime = 300
findtime = 600
maxretry = 9
  • Test the rule with
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-404.conf
  • Restart and test
sudo invoke-rc.d fail2ban restart
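To reason about the apache-404 filter before relying on it, the following added example (not code from this wiki page) re-implements in awk the decision the jail makes: the failregex and ignoreregex above, the findtime sliding window and the maxretry threshold. The log lines are constructed (RFC 5737 documentation addresses, Apache combined format); the function name list_404_offenders and the simplification that timestamps are reduced to seconds of the day (one day of log) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: emulates the apache-404 jail's counting
# logic over constructed access-log lines so the filter can be checked offline.
SAMPLE_LOG='192.0.2.10 - - [10/Jan/2013:19:31:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "scanner"
192.0.2.10 - - [10/Jan/2013:19:31:01 +0100] "GET /pma/ HTTP/1.1" 404 512 "-" "scanner"
198.51.100.7 - - [10/Jan/2013:19:31:02 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla"
198.51.100.7 - - [10/Jan/2013:19:31:03 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"
192.0.2.10 - - [10/Jan/2013:19:31:05 +0100] "GET /admin/ HTTP/1.1" 404 512 "-" "scanner"
203.0.113.5 - - [10/Jan/2013:19:31:06 +0100] "GET /old.html HTTP/1.1" 404 512 "-" "Mozilla"'

# list_404_offenders MAXRETRY FINDTIME
# Reads access-log lines on stdin and prints "IP hits" for every client that reached
# MAXRETRY matching 404 lines inside a FINDTIME-second sliding window, i.e. the clients
# the jail would ban. Assumption: timestamps are reduced to seconds of the day.
list_404_offenders() {
    awk -v maxretry="$1" -v findtime="$2" '
        # ignoreregex from the wiki filter: favicon lookups never count
        /favicon\.ico/ { next }
        # failregex "<HOST> .* 404 [0-9]+": host at line start, status 404 then the byte count
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $0 ~ / 404 [0-9]+/ {
            ip = $1
            split($4, T, ":")              # "[10/Jan/2013:19:31:00" -> T[2]=hh T[3]=mm T[4]=ss
            t = T[2] * 3600 + T[3] * 60 + T[4]
            # forget this client hits that have fallen out of the findtime window
            k = 0
            for (i = 1; i <= cnt[ip]; i++)
                if (t - ts[ip, i] < findtime) { k++; keep[k] = ts[ip, i] }
            for (i = 1; i <= k; i++) ts[ip, i] = keep[i]
            k++; ts[ip, k] = t; cnt[ip] = k
            if (k >= maxretry && !(ip in banned)) banned[ip] = k
        }
        END { for (ip in banned) print ip, banned[ip] }
    ' | sort
}

# Stand-alone usage: with the page's jail values (maxretry = 9, findtime = 600) none of
# the sample clients is banned; with maxretry lowered to 3 the scanner at 192.0.2.10 is.
printf '%s\n' "$SAMPLE_LOG" | list_404_offenders 3 600
```

Because the filter keys on the "404 <bytes>" field of access-log lines, fail2ban-regex gives meaningful results only when pointed at an access log; the commented-out regex further down this page is the one written for error.log. The favicon line shows why ignoreregex matters: ordinary browsers produce that 404 on every first visit and would otherwise count towards maxretry.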


  • To test error.log instead:
#failregex = [[]client <HOST>[]] File does not exist: .*
  • To see how many hosts are banned:
sudo fail2ban-client status apache-404
Status for the jail: apache-404
|- filter
|  |- File list:        /var/log/apache2/other_vhosts_access.log /var/log/apache2/access.log 
|  |- Currently failed: 130
|  `- Total failed:     412
`- action
   |- Currently banned: 11
   |  `- IP list:       64.27.50.50 69.160.56.137 87.104.210.109 91.121.220.8 91.236.74.125 46.4.55.227 192.95.1.132 87.98.143.72 84.112.211.204 82.20.121.210 82.40.171.5 
   `- Total banned:     15