Tricks, configurations and concrete uses of Fail2ban
Configuration file /etc/fail2ban/jail.local on Debian
-
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.13.0/24
bantime  = 900
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

[apache]
enabled  = true
port     = http
filter   = apache-auth
logpath  = /var/log/apache*/*access.log
maxretry = 3

[apache-noscript]
enabled  = true
port     = http
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 3

[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3

[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 3
How to fix the ban not being applied after several failed SASL authentication attempts on Debian
There is a problem with the regular expression in /etc/fail2ban/filter.d/sasl.conf that is supposed to match the lines written to /var/log/mail.log after each failed attempt: the pattern is anchored with "$" right after "authentication failed", while the logged line continues with a colon and the failure reason, so it never matches. The fix is to change that regular expression:
-
< failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+
How to unban an IP
To see which IPs are banned, run the following command and look at the fail2ban-$servicio chain for the service of interest.
-
root@$máquina~# iptables -nvL
...
Chain fail2ban-ssh (3 references)
 pkts bytes target     prot opt in     out     source               destination
   16   920 DROP       0    --  *      *       94.23.84.xxx         0.0.0.0/0
   18   924 DROP       0    --  *      *       91.21.81.xxx         0.0.0.0/0
15758 1205K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
...
In this case, to unban the IP 91.21.81.xxx from the ssh service, we would run the following command:
-
iptables -D fail2ban-ssh $número_de_línea
(here $número_de_línea would be 2, the position of that DROP rule inside the chain)
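The rule number that iptables -D expects is simply the 1-based position of the rule inside the chain, not counting the header line. The following added example (not from the original page) parses a constructed copy of the iptables -nvL listing above, using documentation addresses instead of the masked ones, and computes that number for a given chain and source address, so the unban command is built from the listing rather than counted by eye:

```python
"""Find the rule number an IP occupies inside a fail2ban iptables chain.

Added example, not part of the original page and not fail2ban's own code.
It parses the text that `iptables -nvL` prints and returns the 1-based
position of the DROP rule for a given source inside a given chain, which
is the number `iptables -D <chain> <n>` expects. SAMPLE_LISTING is
constructed sample data (RFC 5737 documentation addresses), not a capture.
"""
import re

# Constructed sample of `iptables -nvL` output, same layout as the page's listing.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15758 1205K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain fail2ban-ssh (3 references)
 pkts bytes target     prot opt in     out     source               destination
   16   920 DROP       0    --  *      *       203.0.113.84         0.0.0.0/0
   18   924 DROP       0    --  *      *       203.0.113.81         0.0.0.0/0
15758 1205K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) ")


def parse_chains(listing):
    """Return {chain_name: [rule_columns, ...]} for every chain in the listing."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip():
            continue
        cols = line.split()
        if cols[0] == "pkts":  # column header line, not a rule
            continue
        chains[current].append(cols)
    return chains


def rule_number(listing, chain, ip):
    """1-based number of the first DROP rule in `chain` whose source is `ip`,
    or None if the IP is not banned there.
    Columns: pkts bytes target prot opt in out source destination."""
    rules = parse_chains(listing).get(chain, [])
    for n, cols in enumerate(rules, start=1):
        if cols[2] == "DROP" and cols[7] == ip:
            return n
    return None


def unban_command(listing, chain, ip):
    """The iptables command that removes the ban, or None if there is nothing to remove."""
    n = rule_number(listing, chain, ip)
    if n is None:
        return None
    return f"iptables -D {chain} {n}"


if __name__ == "__main__":
    print(unban_command(SAMPLE_LISTING, "fail2ban-ssh", "203.0.113.81"))
```

Two caveats when doing this by hand. Rule numbers shift whenever fail2ban inserts a new ban at position 1 (its actionban uses "iptables -I fail2ban-<name> 1"), so between listing and deleting the number can go stale; deleting by specification, "iptables -D fail2ban-ssh -s 91.21.81.xxx -j DROP", which is exactly what the actionunban on this page does, has no such race. Deleting the rule also leaves fail2ban's own ban list untouched, so the IP is still "banned" from its point of view until the bantime expires; current fail2ban versions provide "fail2ban-client set <jail> unbanip <ip>", which removes both the rule and the internal entry.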
How to block access attempts to "w00tw00t.at.ISC.SANS.DFind"
Taken from howflow.com/tricks/block_w00tw00t_scan_hosts_with_fail2ban.
-
If the installed fail2ban version is earlier than 8.1, the following file must be created as /etc/fail2ban/action.d/iptables-allports.conf:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
#
# $Revision: 658 $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = all
-
Create the file /etc/fail2ban/filter.d/apache-w00tw00t.conf:
#<HOST> - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326

[Definition]

# Option:  failregex
# Notes.:  regex to match the w00tw00t scan messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
-
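Before enabling a filter it pays to confirm which log lines its failregex actually catches, and which it silently misses. The following added example (not from the original page, not fail2ban's own code) expands the <HOST> tag the way fail2ban does, into a named group called "host", and runs both the SASL pattern from the fix earlier on this page (old and new form) and the apache-w00tw00t failregex above over constructed log lines with documentation addresses. The <HOST> expansion used is an assumption about fail2ban's default; the real tool for this check is fail2ban-regex, mentioned below.

```python
"""Check fail2ban failregex patterns against sample log lines.

Added example, not fail2ban's own code. It expands <HOST> into the named
group fail2ban expects and reports which constructed log lines each
failregex matches and which host it captures. MAIL_LOG and ACCESS_LOG are
constructed samples (RFC 5737 addresses), not real log captures.
"""
import re

# Assumption: fail2ban's default expansion of <HOST> (named group "host",
# optionally prefixed by an IPv4-mapped IPv6 prefix).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex before and after the fix described for /etc/fail2ban/filter.d/sasl.conf
SASL_OLD = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$"
SASL_NEW = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+"

# failregex from /etc/fail2ban/filter.d/apache-w00tw00t.conf
W00TW00T = r'^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*'


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches, in order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed postfix/smtpd lines: one with the trailing failure reason
# (the format the page's fix targets), one that ends right after "failed",
# and one unrelated line that must never match.
MAIL_LOG = [
    "Apr 29 22:54:08 mx postfix/smtpd[4242]: warning: unknown[203.0.113.45]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Apr 29 22:54:09 mx postfix/smtpd[4242]: warning: unknown[203.0.113.46]: "
    "SASL PLAIN authentication failed",
    "Apr 29 22:54:10 mx postfix/smtpd[4242]: connect from client.example.net[198.51.100.7]",
]

# Constructed apache access log lines: one w00tw00t probe and one ordinary request.
ACCESS_LOG = [
    '203.0.113.99 - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326',
    '198.51.100.7 - - [29/Apr/2008:22:55:00 +0200] "GET /index.html HTTP/1.1" 200 1234',
]


if __name__ == "__main__":
    print("sasl old :", matched_hosts(SASL_OLD, MAIL_LOG))
    print("sasl new :", matched_hosts(SASL_NEW, MAIL_LOG))
    print("w00tw00t :", matched_hosts(W00TW00T, ACCESS_LOG))
```

Running it shows the old SASL pattern only catching the line that ends right after "failed" and the new one only catching the line that carries a reason, which is why the fix matters on a Debian mail.log of the second kind; if a server logs both forms, fail2ban accepts several failregex lines in one filter, one pattern per line. Against a real log the same check is done with the tool that ships with fail2ban: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf (or the access log and apache-w00tw00t.conf), which reports how many lines matched and which hosts were extracted.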
Edit the file /etc/fail2ban/jail.local and add a new configuration section:
[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports[name=w00tw00t]
#          mail-whois[name=w00tw00t, dest=$dirección_de_correo]
logpath  = /var/log/apache*/*access.log
maxretry = 1
bantime  = 86400
-
All that is left is to restart the service, and the new jail will be active:
root@$máquina:~# /etc/init.d/fail2ban restart