Fail2ban

Fail2ban is a network intrusion-prevention program written in Python.

It is widely used on Linux and very effective.

Here is a summary of how to install it, list banned IPs, and unban an IP.

I also explain how to configure it to protect an Nginx website.

 

Install fail2ban

apt install fail2ban

Fail2ban bans IPs that are reported in log files, so you need to configure it to know which reported IPs to ban.

All configuration files are located in /etc/fail2ban/.
A jail is configured in the jail.local file, which overrides jail.conf. It refers to a filter file in the filter.d folder.
Here are some useful examples of jails.

[DEFAULT]

If you just want to whitelist your IP, edit jail.local or create a file /etc/fail2ban/jail.d/custom.conf and put this inside:

[DEFAULT]
ignoreip = 127.0.0.1 124.32.5.48
findtime = 3600
bantime = 86400
maxretry = 3

[SSHD]

This jail bans IPs that try to connect to your server over SSH and fail several times.
It comes by default, but you can customize it, for example the port!

[sshd]

port    = 2244
logpath = %(sshd_log)s

NGINX

Here is how to protect nginx from many attacks. It will block IPs that open too many connections at a time and those that make too many requests per second.

1st, we need to configure nginx to report these IPs inside its logs.

Add this inside the http block of /etc/nginx/nginx.conf and adjust the rate= value to your needs.

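# Request-rate zone, keyed on the client address
limit_req_zone $binary_remote_addr zone=one:10m rate=15r/s;
limit_req_status 444;

# Concurrent-connection zone, keyed on the client address
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn_status    503;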

Now edit your site's configuration file and add these directives:

server {

    [...]

    limit_req   zone=one burst=10 nodelay;

    limit_conn addr 2;
}

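burst=10 allows 10 requests over the 15 requests/s rate. By default, excessive requests are delayed until their number exceeds the maximum burst size; with nodelay, as set here, they are served immediately instead, and anything beyond the burst is rejected with the limit_req_status code.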

2nd, Create corresponding jails and filters

Go inside jail.local and copy/paste this:

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10

[nginx-conn-limit]

enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10

Adapt maxretry to your needs.

Finally, create the corresponding filter files inside /etc/fail2ban/filter.d/ (each file name must match the filter value of its jail):

# nginx-http-auth.conf

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$

ignoreregex = 

# DEV NOTES:
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
# Extensive search of all nginx auth failures not done yet.
# 
# Author: Daniel Black

# nginx-conn-limit.conf

[Definition]

failregex = limiting connections by zone.*client: <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

service fail2ban reload
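
A quick way to check what these filters would ban, as an added example that is not part of the original gist: it runs the page's nginx-conn-limit failregex over constructed nginx error.log lines. The HOST pattern is a simplified stand-in for fail2ban's <HOST> tag, and REQ_LIMIT and CONN_LIMIT_STRICT are assumed regexes (the page does not show a filter file for the nginx-req-limit jail).

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex copied from the page's nginx-conn-limit.conf
CONN_LIMIT = r"limiting connections by zone.*client: <HOST>"
# Assumed failregex for the nginx-req-limit jail (its filter is not shown
# on the page), modelled on nginx's "limiting requests" error message.
REQ_LIMIT = r"limiting requests, excess:.* by zone.*client: <HOST>"
# Assumed stricter variant: nothing free-form between zone and client.
CONN_LIMIT_STRICT = r'limiting connections by zone "[^"]+", client: <HOST>,'

# Constructed nginx error.log lines (documentation-range addresses).
PREFIX = "2024/01/01 10:00:00 [error] 123#123: *45 "
SUFFIX = ', server: example.com, request: "GET / HTTP/1.1", host: "example.com"'
SAMPLE_LOG = [
    PREFIX + 'limiting requests, excess: 10.500 by zone "one", client: 198.51.100.7' + SUFFIX,
    PREFIX + 'limiting connections by zone "addr", client: 203.0.113.9' + SUFFIX,
    # Same event, but the client-supplied referrer repeats the words "client: <ip>".
    PREFIX + 'limiting connections by zone "addr", client: 203.0.113.9' + SUFFIX
    + ', referrer: "http://example.com/?q=client: 192.0.2.1"',
    # Unrelated error that must not trigger either jail.
    PREFIX + 'open() "/var/www/favicon.ico" failed (2: No such file or directory)'
    + ", client: 198.51.100.7" + SUFFIX,
]


def offenders(failregex, lines):
    """Return the host captured from each line that the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name in ("CONN_LIMIT", "REQ_LIMIT", "CONN_LIMIT_STRICT"):
        print(f"{name:18} -> {offenders(globals()[name], SAMPLE_LOG)}")
```

On a live system, `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-conn-limit.conf` performs the same check with fail2ban's real <HOST> expansion. The third sample line shows why a `.*` before `client:` is risky: the captured address comes from the referrer text rather than from nginx's own client field.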

WordPress

You can also protect your WordPress website from attackers with a fabulous plugin named WP fail2ban.

Install and activate it, then follow the instructions given in the plugin's description.


This is how you can easily show a summary of all banned IPs for each jail:

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

Sample result:

Status for the jail: nginx-conn-limit
   `- Banned IP list:
Status for the jail: nginx-req-limit
   `- Banned IP list:
Status for the jail: sshd
   `- Banned IP list:
Status for the jail: wordpress-hard
   `- Banned IP list:
Status for the jail: wordpress-soft
   `- Banned IP list:

For a detailed status of each jail, just remove the last grep from the previous command, like this:

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}'

This is how to unban an IP from a jail:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE
