Saltar al contenido

faill2ban Seguridad Linux

  • por

Trucos, configuraciones y aplicaciones concretas usando Fail2ban

Archivo de configuración /etc/fail2ban/jail.local en Debian

 

  • 
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.13.0/24
bantime  = 900
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled = true
port    = 22
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

[apache]
enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 3

[apache-noscript]
enabled = true
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 3

[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3

[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 3

 

 

Como solucionar el problema de que no funcione el ban tras varios intentos fallidos de autenticación SASL en Debian

 

Existe un problema con la expresión regular que aparece en el fichero /etc/fail2ban/filter.d/sasl.conf que hace match con las líneas que quedan registradas en el fichero /var/log/mail.log tras cada intento fallido. La solución al problema es cambiar dicha expresión regular:

  • < failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+

 

 

Como desbanear una IP

 

Para ver que IP's están baneadas, podemos ejecutar el siguiente comando y fijarnos en la cadena fail2ban-$servicio que nos interese.

  • root@$máquina~# iptables -nvL

   ...
Chain fail2ban-ssh (3 references)
 pkts bytes target     prot opt in     out     source               destination
   16   920 DROP       0    --  *      *       94.23.84.xxx         0.0.0.0/0
   18   924 DROP       0    --  *      *       91.21.81.xxx         0.0.0.0/0
15758 1205K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
   ...

En este caso, si quisieramos desbanear la IP 91.21.81.xxx del servicio ssh, ejecutaríamos el siguiente comando:

  • iptables -D fail2ban-ssh $número_de_línea  (en este caso $numero_de_línea tendría el valor 2)

 

 

Como bloquear los intentos de acceso a "w00tw00t.at.ISC.SANS.DFind"

 

 

Sacado de howflow.com/tricks/block_w00tw00t_scan_hosts_with_fail2ban.

  • En caso de tener una versión de fail2ban anterior a la 8.1 hemos de crear el siguiente archivo en /etc/fail2ban/action.d/iptables-allports.conf:

    # Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
#             made active on all ports from original iptables.conf
#
# $Revision: 658 $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = all

  • Creamos el archivo /etc/fail2ban/filter.d/apache-w00tw00t.conf:

    #<HOST> - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326

[Definition]

# Option:  failregex
# Notes.:  regex to match the w00tw00t scan messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex =

  • Editamos el archivo /etc/fail2ban/jail.local y añadimos una nueva sección de configuración:

    [apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports[name=w00tw00t]
#          mail-whois[name=w00tw00t, dest=$dirección_de_correo]
logpath  = /var/log/apache*/*access.log
maxretry = 1
bantime  = 86400
  • Tan sólo nos queda reiniciar el servicio, y ya estará funcionando:

    root@$máquina:~# /etc/init.d/fail2ban restart

 

 

Etiquetas:

Deja una respuesta