fail2ban Linux Security

Tricks, configurations and concrete applications using Fail2ban

Configuration file /etc/fail2ban/jail.local on Debian

    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 192.168.13.0/24
    bantime  = 900
    maxretry = 5
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost
    
    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    [ssh]
    enabled = true
    port    = 22
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 3
    
    [apache]
    enabled = true
    port    = http
    filter  = apache-auth
    logpath = /var/log/apache*/*access.log
    maxretry = 3
    
    [apache-noscript]
    enabled = true
    port    = http
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 3
    
    [postfix]
    enabled  = true
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 3
    
    [sasl]
    enabled  = true
    port     = smtp
    filter   = sasl
    logpath  = /var/log/mail.log
    maxretry = 3

How to fix the ban not triggering after several failed SASL authentication attempts on Debian

There is a problem with the regular expression in /etc/fail2ban/filter.d/sasl.conf that is meant to match the lines written to /var/log/mail.log after each failed attempt. The fix is to change that regular expression:

  • < failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
    > failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+

How to unban an IP

To see which IPs are banned, run the following command and look at the fail2ban-$service chain you are interested in.

  • root@$máquina~# iptables -nvL
    
       ...
    Chain fail2ban-ssh (3 references)
     pkts bytes target     prot opt in     out     source               destination
       16   920 DROP       0    --  *      *       94.23.84.xxx         0.0.0.0/0
       18   924 DROP       0    --  *      *       91.21.81.xxx         0.0.0.0/0
    15758 1205K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
       ...

In this case, to unban the IP 91.21.81.xxx from the ssh service, we would run the following command:

  • iptables -D fail2ban-ssh $número_de_línea  (in this case $número_de_línea would be 2)
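An added helper, not part of the original post, that computes the rule number from the output of iptables -nvL --line-numbers instead of counting rows by eye; the chain listing and the addresses in it are constructed.

```shell
# Locate the DROP rule for an IP inside a fail2ban chain in the output of
# `iptables -nvL --line-numbers` (read from stdin) and print its rule number.
fail2ban_rule_number() {   # usage: ... | fail2ban_rule_number CHAIN IP
    awk -v chain="$1" -v ip="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $4 == "DROP" && $9 == ip { print $1; exit }
    '
}

# Print the delete command for CHAIN IP, or fail if no such rule exists.
unban_command() {          # usage: ... | unban_command CHAIN IP
    num=$(fail2ban_rule_number "$1" "$2")
    [ -n "$num" ] || { echo "no DROP rule for $2 in chain $1" >&2; return 1; }
    echo "iptables -D $1 $num"
}

# Constructed sample listing (hypothetical addresses), in the shape shown above.
SAMPLE_RULES='Chain fail2ban-ssh (3 references)
num   pkts bytes target     prot opt in     out     source               destination
1       16   920 DROP       0    --  *      *       94.23.84.10          0.0.0.0/0
2       18   924 DROP       0    --  *      *       91.21.81.20          0.0.0.0/0
3    15758 1205K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# On a live system replace the printf with: iptables -nvL --line-numbers
printf '%s\n' "$SAMPLE_RULES" | unban_command fail2ban-ssh 91.21.81.20
```

Deleting by rule specification, iptables -D fail2ban-ssh -s 91.21.81.20 -j DROP, avoids the rule number entirely and is the form the actionunban of the iptables-allports action further down uses; newer fail2ban releases also provide fail2ban-client set ssh unbanip <IP>.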

How to block access attempts to "w00tw00t.at.ISC.SANS.DFind"

Taken from howflow.com/tricks/block_w00tw00t_scan_hosts_with_fail2ban.

  • If your fail2ban version is earlier than 8.1, create the following file at /etc/fail2ban/action.d/iptables-allports.conf:

    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
    #             made active on all ports from original iptables.conf
    #
    # $Revision: 658 $
    #
    
    [Definition]
    
    # Option:  actionstart
    # Notes.:  command executed once at the start of Fail2Ban.
    # Values:  CMD
    #
    actionstart = iptables -N fail2ban-<name>
                  iptables -A fail2ban-<name> -j RETURN
                  iptables -I INPUT -p <protocol> -j fail2ban-<name>
    
    # Option:  actionstop
    # Notes.:  command executed once at the end of Fail2Ban
    # Values:  CMD
    #
    actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
                 iptables -F fail2ban-<name>
                 iptables -X fail2ban-<name>
    
    # Option:  actioncheck
    # Notes.:  command executed once before each actionban command
    # Values:  CMD
    #
    actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    
    # Option:  actionban
    # Notes.:  command executed when banning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    #
    actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    
    # Option:  actionunban
    # Notes.:  command executed when unbanning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    #
    actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
    
    [Init]
    
    # Default name of the chain
    #
    name = default
    
    # Option:  protocol
    # Notes.:  internally used by config reader for interpolations.
    # Values:  [ tcp | udp | icmp | all ] Default: tcp
    #
    protocol = all
  • Create the file /etc/fail2ban/filter.d/apache-w00tw00t.conf:

    #<HOST> - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match the w00tw00t scan messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching.
    # Values:  TEXT
    failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    
    ignoreregex =
  • Edit /etc/fail2ban/jail.local and add a new configuration section:

    [apache-w00tw00t]
    enabled  = true
    filter   = apache-w00tw00t
    action   = iptables-allports[name=w00tw00t]
    #          mail-whois[name=w00tw00t, dest=$dirección_de_correo]
    logpath  = /var/log/apache*/*access.log
    maxretry = 1
    bantime  = 86400
  • All that remains is to restart the service, and it will be up and running:

    root@$máquina:~# /etc/init.d/fail2ban restart
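As an added example (not part of the original post), a Python check of the failregex patterns from the SASL fix and from apache-w00tw00t.conf against constructed log lines. The capture group substituted for <HOST> is an assumption modelled on fail2ban's own; the run shows why the original SASL pattern misses current Postfix lines that carry a reason after "failed:".

```python
import re

# Capture group standing in for fail2ban's <HOST> tag (assumption: modelled on
# the 0.8 series, which also tolerates an IPv6-mapped "::ffff:" prefix).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Original and corrected SASL failregex from sasl.conf, as given above.
SASL_OLD = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$"
SASL_NEW = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+"

# The failregex from apache-w00tw00t.conf, as given above.
W00TW00T = r'^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*'


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(failregex, lines):
    """Return the hosts a failregex would hand to the ban action, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


# Constructed sample log lines (not captured from a real server).
MAIL_LOG = [
    # Current Postfix appends a reason after "failed:", so "failed$" never matches.
    "Mar  3 10:15:22 mx postfix/smtpd[4321]: warning: unknown[203.0.113.45]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar  3 10:15:40 mx postfix/smtpd[4321]: warning: unknown[203.0.113.45]: "
    "SASL PLAIN authentication failed: authentication failure",
    # Older Postfix wrote no reason; only the original regex matches this form.
    "Mar  3 10:16:01 mx postfix/smtpd[4322]: warning: unknown[198.51.100.7]: "
    "SASL CRAM-MD5 authentication failed",
    # Unrelated line that must never count as a failure.
    "Mar  3 10:16:02 mx postfix/smtpd[4322]: disconnect from unknown[198.51.100.7]",
]
ACCESS_LOG = [
    '203.0.113.9 - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326',
    '198.51.100.3 - - [29/Apr/2008:22:55:00 +0200] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("original sasl regex bans:", matched_hosts(SASL_OLD, MAIL_LOG))
    print("corrected sasl regex bans:", matched_hosts(SASL_NEW, MAIL_LOG))
    print("w00tw00t regex bans:", matched_hosts(W00TW00T, ACCESS_LOG))
```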
