Fail2ban

Objet: Protection contre les attaques de type brute force.

Installation : apt install fail2ban

Paramétrage : de base, avec les modifications suivantes :

Paramétrage personnel pour les attaques répétitives avec recidive.conf, placé dans le répertoire jail.d de fail2ban. Contenu de ce fichier :

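; recidive.conf - drop-in for fail2ban's jail.d directory.
; fail2ban reads this with a configparser-based loader that only strips an
; inline ";" comment when a space precedes the ";", so every comment below is
; kept on its own line.
; NOTE(review): jail.conf's header documents the read order
; jail.conf -> jail.d/*.conf -> jail.local -> jail.d/*.local, so a [recidive]
; section in jail.local overrides the values below. Keep one definition.
[recidive]
enabled = true
filter = recidive
; repeat offenders are found in fail2ban's own log
logpath = /var/log/fail2ban.log
; a recidivist is blocked on every port, not just the original jail's
banaction = nftables-allports
; 1 day, in seconds
findtime = 86400
; 30 days, in seconds
bantime = 2592000
; after three bans within findtime
bantime.rndtime =
maxretry = 3
; all protocols. No inline comment here: written as "0-255; ..." without a
; space before the ";", the comment text became part of the value.
protocol = 0-255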

Modification des jails utilisées, dans le fichier jail.local :

# NOTE(review): loglevel and logtarget are [Definition] options of
# fail2ban.conf (overridden in fail2ban.local); inside jail.local they are
# presumably ignored - confirm which file these two keys actually live in.
# Option: loglevel
# Notes.: Set the log level output.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: INFO
loglevel = INFO
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate — also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR
#
# This is the file the [recidive] jail scans (logpath in recidive.conf);
# the two paths must stay identical or recidive sees nothing.
logtarget = /var/log/fail2ban.log

# --- jail.local defaults (everything not listed here keeps its jail.conf value) ---

# Hosts that are never banned: IP addresses, CIDR masks or DNS names,
# separated by spaces and/or commas. Add the administrator's own address
# (a typo in a password must not lock the admin out).
ignoreip = 127.0.0.1/8 ::1

# Where ban notifications go (fill in: the admin mailbox).
destemail =
# Envelope sender (fill in: the server's root address). Not every action
# honours it - test before relying on it.
sender =
# Ban the host and mail the whois output plus the matching log lines to
# destemail.
action = %(action_mwl)s

# Detection defaults: 5 failures within 1 day => banned for 29 minutes.
maxretry = 5
findtime = 1d
bantime = 29m

# nftables backend
banaction = nftables-multiport
banaction_allports = nftables-allports
chain = input
# Ports blocked by jails that do not define their own "port".
port = smtp,465,submission,imap3,imaps,pop3,pop3s,http,https,socks

# *******************************
# JAIL
# *******************************

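[sshd]

enabled = true
# Add the non-standard SSH port as a second element, e.g. "22,<CUSTOM_PORT>".
# The value used to read "22," - the trailing comma left an empty element in
# the port list handed to nftables-multiport.
port = 22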

[ssh-ddos]

# NOTE(review): no jail of this name ships with fail2ban 0.10 and later; its
# patterns were folded into [sshd] (mode = ddos / aggressive) - confirm
# against the installed version. Disabled, so currently inert.
enabled = false

[webmin-auth]

# Webmin login failures on its default listener.
port = 10000
enabled = true

[proftpd]

# FTP control/data ports plus 2222 (presumably an extra listener - confirm).
port = ftp,ftp-data,ftps,ftps-data,2222
enabled = true

[postfix]

port = smtp,465,submission
enabled = true

[dovecot]

port = pop3,pop3s,imap3,imaps,submission,465,sieve
enabled = true

[postfix-sasl]

# SMTP AUTH failures: stricter than the global default, two attempts suffice.
port = smtp,465,submission,imap3,imaps,pop3,pop3s
maxretry = 2
enabled = true

[recidive]

# NOTE(review): this section also exists in jail.d/recidive.conf. jail.local
# is read after jail.d/*.conf, so the values below win: a permanent ban
# (bantime = -1) instead of 30 days and a 7-day window instead of 1 day.
# A permanent all-ports ban also hits every legitimate user behind a shared
# address (NAT, CGNAT) and is only lifted by hand with fail2ban-client -
# consolidate into one definition and settle on a single bantime.
enabled = true
maxretry = 3 ; 3 tentatives
# Permanent ban
bantime = -1
findtime = 7d ; recherche sur 7 jours

#
# HTTP servers
#
# Each stock Apache jail is followed by a "-wm" clone for Virtualmin, which
# keeps one log per virtual host: the clone reuses the stock filter and
# globs over /var/log/virtualmin/. The stock jails take their logpath from
# jail.conf.

[apache-auth]

# HTTP authentication failures.
enabled = true
port = http,https

# Virtualmin clone of apache-auth.
[apache-auth-wm]

filter = apache-auth
logpath = /var/log/virtualmin/*_error_log
port = http,https
enabled = true

# Hosts whose user agent identifies a spam robot harvesting e-mail addresses
# (the mail outputs are buffered). One hit is enough; banned for two days.
[apache-badbots]

enabled = true
port = http,https
maxretry = 1
bantime = 48h

# Virtualmin clone of apache-badbots.
[apache-badbots-wm]

filter = apache-badbots
logpath = /var/log/virtualmin/*_access_log
port = http,https
maxretry = 1
bantime = 48h
enabled = true

[apache-noscript]

# Requests for scripts that do not exist (see filter.d/apache-noscript.conf).
enabled = true
port = http,https

# Virtualmin clone of apache-noscript.
[apache-noscript-wm]

filter = apache-noscript
logpath = /var/log/virtualmin/*_error_log
port = http,https
enabled = true

[apache-overflows]

# Overly long / malformed requests; two hits suffice.
enabled = true
port = http,https
maxretry = 2

# Virtualmin clone of apache-overflows.
[apache-overflows-wm]

filter = apache-overflows
logpath = /var/log/virtualmin/*_error_log
port = http,https
maxretry = 2
enabled = true

[apache-nohome]

# Requests for ~user home directories.
enabled = true
port = http,https
maxretry = 2

# Virtualmin clone of apache-nohome.
[apache-nohome-wm]

filter = apache-nohome
logpath = /var/log/virtualmin/*_error_log
port = http,https
maxretry = 2
enabled = true

[apache-botsearch]

# Crawlers probing for well-known admin / exploit URLs.
enabled = true
port = http,https
maxretry = 2

# Virtualmin clone of apache-botsearch.
[apache-botsearch-wm]

filter = apache-botsearch
logpath = /var/log/virtualmin/*_error_log
port = http,https
maxretry = 2
enabled = true

[apache-fakegooglebot]

# Clients claiming to be Googlebot. jail.conf pairs this jail with an
# ignorecommand that verifies genuine Googlebot addresses, and a .local
# override cannot un-set it, so the commented-out line was a no-op anyway.
enabled = true
port = http,https
maxretry = 1

# Virtualmin clone of apache-fakegooglebot - left disabled.
# NOTE(review): jail.conf's per-jail ignorecommand is not inherited by a
# jail with a different name, so enabling this as-is would presumably ban
# real Googlebot traffic; add the ignorecommand first.
[apache-fakegooglebot-wm]

filter = apache-fakegooglebot
logpath = /var/log/virtualmin/*_access_log
port = http,https
maxretry = 1
enabled = false

[apache-modsecurity]

# Requests blocked by mod_security; two hits suffice.
enabled = true
port = http,https
maxretry = 2

# Virtualmin clone of apache-modsecurity.
[apache-modsecurity-wm]

filter = apache-modsecurity
logpath = /var/log/virtualmin/*_error_log
port = http,https
maxretry = 2
enabled = true

[apache-shellshock]

# Shellshock probes in request headers; a single hit is enough.
enabled = true
port = http,https
maxretry = 1

# Virtualmin clone of apache-shellshock.
[apache-shellshock-wm]

filter = apache-shellshock
logpath = /var/log/virtualmin/*_error_log
port = http,https
maxretry = 1
enabled = true

# Ban attackers that try to use PHP's URL-fopen() functionality through
# GET/POST variables. Experimental, with more than a year of usage in
# production environments.

[php-url-fopen]

enabled = true
port = http,https
logpath = %(apache_access_log)s

# Virtualmin clone of php-url-fopen.
[php-url-fopen-wm]

filter = php-url-fopen
logpath = /var/log/virtualmin/*_access_log
port = http,https
enabled = true

# WordPress - the three jails below rely on the filters shipped by the
# WP fail2ban plugin (no "filter =" key: fail2ban uses the jail name, so
# filter.d/wordpress-hard.conf etc. must exist). The plugin presumably logs
# via syslog, which is why the log path is auth.log - confirm on the host.
# banaction repeats the global default; kept for explicitness.

[wordpress-hard]
port = http, https
maxretry = 3
banaction = nftables-multiport
logpath = /var/log/auth.log
enabled = true

[wordpress-soft]
port = http, https
maxretry = 3
banaction = nftables-multiport
logpath = /var/log/auth.log
enabled = true

[wordpress-extra]
port = http, https
maxretry = 3
banaction = nftables-multiport
logpath = /var/log/auth.log
enabled = true

À noter : les 3 dernières jails concernent WordPress et utilisent l’extension WP fail2ban.

Signature Sfullak
Sfullak/Smokyr
