Securing a Linux machine with fail2ban
Installation
- Install fail2ban
sudo apt-get install fail2ban
- By default it already creates its own chains, depending on the packages installed:
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
fail2ban-pureftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21
fail2ban-dovecot-pop3imap  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 110,995,143,993

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
General parameter configuration
- Put the parameters you want to change in jail.local (it overrides jail.conf and is not touched by package upgrades):
sudoedit /etc/fail2ban/jail.local
:r /etc/fail2ban/jail.conf
(`:r` is the vim command that reads the stock jail.conf into the new file, so you can edit a full copy as a starting point)
- In particular:
# these hosts will never be banned
ignoreip = 127.0.0.1 1.2.3.4 5.6.7.8 9.10.11.12/24
# how long a ban stays active (seconds)
bantime = 300
# number of failed attempts after which the ban is applied
maxretry = 9

# recipient and sender of the notifications (the key fail2ban reads is "sender")
destemail = recipient@example.com
sender = fail2ban@example.com

# ban and send an e-mail
action = %(action_mw)s
- Enable the sections you need by setting
enabled = true
- Reload
sudo invoke-rc.d fail2ban reload
- Watch the log:
sudo tail -f /var/log/fail2ban.log
Custom filter for Apache 404s
- To also block bots that request non-existent files while scanning for vulnerabilities, put in
sudoedit /etc/fail2ban/filter.d/apache-404.conf
[Definition]
failregex = <HOST> .* 404 [0-9]+
#(?P<HOST>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+.$
ignoreregex = favicon\.ico
- Enable it:
sudoedit /etc/fail2ban/jail.local
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/*access.log
bantime = 300
findtime = 600
maxretry = 9
- Test the rule against the access log (the regex above is written for the access log format) with
sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-404.conf
- Restart and test
sudo invoke-rc.d fail2ban restart
- If you want to match error.log instead, use this regex:
#failregex = [[]client <HOST>[]] File does not exist: .*
- To see how many hosts are banned:
sudo fail2ban-client status apache-404
Status for the jail: apache-404
|- filter
|  |- File list:        /var/log/apache2/other_vhosts_access.log /var/log/apache2/access.log
|  |- Currently failed: 130
|  `- Total failed:     412
`- action
   |- Currently banned: 11
   |  `- IP list:       64.27.50.50 69.160.56.137 87.104.210.109 91.121.220.8 91.236.74.125 46.4.55.227 192.95.1.132 87.98.143.72 84.112.211.204 82.20.121.210 82.40.171.5
   `- Total banned:     15
Ban escalation
- By monitoring fail2ban's own log, the ban of a repeat offender can be extended further (longer, and on every port)
- Create the filter
sudoedit /etc/fail2ban/filter.d/fail2ban-ban.conf
[Definition]
failregex = Ban <HOST>
ignoreregex =
- If you want escalation only for certain classes of bans, add the jail name to the regex, for example:
failregex = \[sendmail\] Ban <HOST>
- Enable the jail:
sudoedit /etc/fail2ban/jail.local
[fail2ban-ban]
enabled = true
# block all tcp traffic
banaction = iptables-allports
# if you want to block all traffic, uncomment following line
# protocol = all
# the filter name is the file name in filter.d without the .conf suffix
filter = fail2ban-ban
logpath = /var/log/fail2ban.log
# If banned more than 5 times in an hour, ban again for two hours
maxretry = 5
findtime = 3600
bantime = 7200
- Consider the following:
<fab23> I am using FreeBSD IPFW as firewall, and on default with the fail2ban setup it blocks the IP on all ports
<fab23> but after I had been locked out with ssh from a shared network where one of my users mistyped his mail password several times, I switch to only block ports, so I still can ssh to my systems :)
<GabrieleV> fab23, You are absolutely right ! I have to consider this ... anyway, I can access my virtual machine control panel out of band. But it's a clever consideration: block only services for what you are monitoring !
- Test the rule:
sudo fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/fail2ban-ban.conf
- Restart:
sudo invoke-rc.d fail2ban restart
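As an added example (not part of the original page and not fail2ban's own code), the following Python script replays constructed log lines through the two filters defined above, the apache-404 filter and the fail2ban-ban escalation filter, using a simplified copy of fail2ban's `<HOST>` expansion and its maxretry/findtime rule. It lets you see what ignoreregex, findtime and a jail-qualified failregex change without a running fail2ban; the log lines, addresses and the lower maxretry values are all constructed, and the real `fail2ban-regex` remains the authoritative check.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands the <HOST> placeholder of a failregex into a named group
# that captures the offending address; this is the 0.8-era expansion.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Timestamp formats of the two logs this page feeds to fail2ban:
# the Apache access log and fail2ban's own /var/log/fail2ban.log.
TS_FORMATS = [
    (re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]"),
     "%d/%b/%Y:%H:%M:%S"),
    (re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"),
     "%Y-%m-%d %H:%M:%S"),
]


def parse_timestamp(line):
    """Return the line's timestamp, or None if no known format is found."""
    for pattern, fmt in TS_FORMATS:
        m = pattern.search(line)
        if m:
            return datetime.strptime(m.group(1), fmt)
    return None


def failing_host(line, failregex, ignoreregex=""):
    """Return the host a line attributes a failure to, or None.
    As in fail2ban, a line matching ignoreregex is never a failure."""
    if ignoreregex and re.search(ignoreregex, line):
        return None
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None


def simulate_jail(lines, failregex, ignoreregex="", maxretry=9, findtime=600):
    """Replay log lines through a filter and apply the jail rule:
    a host is banned once it has maxretry failures within findtime seconds.
    Returns (total failures per host, hosts banned in order)."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of failures still inside the window
    total = {}    # host -> all failures, like "Total failed" in the status
    banned = []
    for line in lines:
        host = failing_host(line, failregex, ignoreregex)
        ts = parse_timestamp(line)
        if host is None or ts is None:
            continue
        total[host] = total.get(host, 0) + 1
        recent[host] = [t for t in recent.get(host, []) if ts - t <= window]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return total, banned


# Constructed Apache access log: one scanner hammering 404s, one ordinary
# visitor whose 404s are spread over more than findtime.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "scanner"
203.0.113.7 - - [10/Oct/2013:13:55:37 +0200] "GET /pma/ HTTP/1.1" 404 512 "-" "scanner"
203.0.113.7 - - [10/Oct/2013:13:55:38 +0200] "GET /favicon.ico HTTP/1.1" 404 512 "-" "scanner"
203.0.113.7 - - [10/Oct/2013:13:55:39 +0200] "GET /admin/ HTTP/1.1" 404 512 "-" "scanner"
198.51.100.9 - - [10/Oct/2013:13:55:40 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "browser"
198.51.100.9 - - [10/Oct/2013:13:55:41 +0200] "GET /old-page HTTP/1.1" 404 512 "-" "browser"
198.51.100.9 - - [10/Oct/2013:14:20:00 +0200] "GET /old-page HTTP/1.1" 404 512 "-" "browser"
198.51.100.9 - - [10/Oct/2013:14:20:01 +0200] "GET /old-page HTTP/1.1" 404 512 "-" "browser"
""".splitlines()

# Constructed fail2ban.log: the "Unban" line must not count as a ban.
FAIL2BAN_LOG = """\
2013-10-10 14:00:01,100 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2013-10-10 14:05:01,100 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
2013-10-10 14:10:01,100 fail2ban.actions: WARNING [apache-404] Ban 203.0.113.7
2013-10-10 14:20:01,100 fail2ban.actions: WARNING [sendmail] Ban 203.0.113.7
2013-10-10 14:30:01,100 fail2ban.actions: WARNING [sendmail] Ban 198.51.100.9
""".splitlines()


def demo_apache_404(maxretry=3, findtime=600):
    """The apache-404 filter from the page, with a lower maxretry (constructed)
    so the short sample is enough to trigger a ban."""
    return simulate_jail(ACCESS_LOG, r"<HOST> .* 404 [0-9]+",
                         r"favicon\.ico", maxretry, findtime)


def demo_escalation(failregex=r"Ban <HOST>", maxretry=3, findtime=3600):
    r"""The fail2ban-ban escalation filter; pass r"\[sendmail\] Ban <HOST>"
    to escalate only the bans issued by one jail."""
    return simulate_jail(FAIL2BAN_LOG, failregex, "", maxretry, findtime)


if __name__ == "__main__":
    print(demo_apache_404())
    print(demo_escalation())
    print(demo_escalation(r"\[sendmail\] Ban <HOST>"))
```

Two things the replay makes visible: the visitor at 198.51.100.9 reaches the same total of three 404s as the scanner but is never banned, because only failures inside findtime count, and the favicon.ico request is dropped by ignoreregex before it is counted. For the escalation filter, `Unban` lines do not match `Ban <HOST>` because the match is case-sensitive, but note that the escalation jail's own `[fail2ban-ban] Ban` lines in fail2ban.log do match the unqualified regex, which is one more reason to qualify it with a jail name. Real fail2ban strips the date prefix before applying failregex, whereas this simplified version searches the whole line.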