Fail2ban

Fail2ban est un programme de prévention d’intrusion réseau écrit un python.

Il est très utilisé sur Linux, et vraiment efficace.

Voici un résumé pour l’installer, afficher les IPs bannies mais aussi débannir une IP.

J’explique également comment le configurer pour protéger un site web Nginx.

 

Install fail2ban

apt install fail2ban

Fail2ban will ban IPs reported in log files. So, you need to configure it to know wich reported IP is to ban.

All configs are located in /etc/fail2ban/
A jail is configured inside the jail.local file that will overwrite jail.conf. It refferes to a filter file inside the filter.d folder.
Here are some usefull example of jails.

[DEFAULT]

If you just want to whitelist your IP, edit jail.local or create a file /etc/fail2ban/jail.d/custom.conf and place that inside :

[DEFAULT]
ignoreip = 127.0.0.1 124.32.5.48
findtime = 3600
bantime = 86400
maxretry = 3

[SSHD]

This jail will ban IP that attempt to connect to your server by SSH and failed several times.
This one comes by default, but you can customize it, like the port !

[sshd]

port    = 2244
logpath = %(sshd_log)s

NGINX

Here is how to protect nginx from many attacks. It will block IPs that do too much connections at a time and one that do too much requests per seconds.

1st, we need to configure nginx to report these IPs inside its logs.

Add this inside /etc/nginx/nginx.conf and change rate=10r/s to your needs.

limit_req_zone $binary_remote_addr zone=one:10m rate=15r/s;
limit_req_status 444;

limit_conn_zone $limit_key zone=addr:10m;
limit_conn_status    503;

Now, change you site conf file, and add these directives:

server {

    [...]

    limit_req   zone=one burst=10 nodelay;

    limit_conn addr 2;
}

bust=10 is to allow 10 requests over the 15 request/s; excessive requests are delayed until their number exceeds the maximum burst size.

2nd, Create corresponding jails and filters

Go inside jail.local and copy/paste this:

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10

[nginx-conn-limit]

enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10

Adapt maxretry to your needs.

Finally, create corresponding filter files inside /etc/fail2ban/filter.d/ :

# nginx-http-auth.conf

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$

ignoreregex = 

# DEV NOTES:
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
# Extensive search of all nginx auth failures not done yet.
# 
# Author: Daniel Black

# nginx-conn-limit.conf

[Definition]

failregex = limiting connections by zone.*client: <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

service fail2ban reload

WordPress

You can also protect your wordpress website from attackers with a fabulous plugin named WP fail2ban

Install and activate it and follow the instructions given in the description’s plugin.

view raw
1.fail2ban.md
hosted with ❤ by GitHub

This is how you can easily show a summury of all banned ip of each jails:

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

Sample result :

Status for the jail: nginx-conn-limit
   `- Banned IP list:
Status for the jail: nginx-req-limit
   `- Banned IP list:
Status for the jail: sshd
   `- Banned IP list:
Status for the jail: wordpress-hard
   `- Banned IP list:
Status for the jail: wordpress-soft
   `- Banned IP list:

For a detailed status of each jails, just remove the last grep before, like this :

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}'

view raw
2.jails-banip.md
hosted with ❤ by GitHub

This is how to unban an IP from a jail:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

view raw
3.unbanip.md
hosted with ❤ by GitHub

Laissez un commentaire

Votre adresse de messagerie ne sera pas publiée.

Search
Generic filters
Exact matches only
Filter by Custom Post Type