Mudanças entre as edições de "Fail2ban"
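--- a/Fail2ban
+++ b/Fail2ban
@@ -1,2 +1,161 @@
+Instalando Apache e Fail2Ban
+
+<source lang="bash">
+apt-get install fail2ban apache2
+</source>
+
+ajustes básico
+
+<source lang="bash">
+cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+sed -i '30s/600/3600/g' /etc/fail2ban/jail.local
+sed -i '34s/600/3600/g' /etc/fail2ban/jail.local
+sed -i '35s/3/6/g' /etc/fail2ban/jail.local
+sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local
+</source>
+
+
+
+
+== proteção contra ataque no phpmyadmin ==
+
+Acrescentar em /etc/fail2ban/jail.local
+
+[phpmyadmin]
+enabled = true
+filter = phpmyadmin
+port = http,https
+logpath = /var/log/apache2/access.log
+action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
+maxretry = 2
+bantime = 84600
+
+
+criar um arquivo em /etc/fail2ban/filter.d/phpmyadmin.conf com conteúdo:
+
+[Definition]
+failregex = \[client <HOST>\] File does not exist:.*(?i)phpmyadmin.*
+\[client <HOST>\] File does not exist:.*(?i)manager.*
+\[client <HOST>\] File does not exist:.*(?i)setup.*
+\[client <HOST>\] File does not exist:.*(?i)mysql.*
+\[client <HOST>\] File does not exist:.*(?i)sqlweb.*
+\[client <HOST>\] File does not exist:.*(?i)webdb.*
+\[client <HOST>\] File does not exist:.*(?i)pma.*
+\[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
+^<HOST>.*GET.*(?i)phpmyadmin.*
+^<HOST>.*GET.*(?i)manager.*
+^<HOST>.*GET.*(?i)setup.*
+^<HOST>.*GET.*(?i)mysql.*
+^<HOST>.*GET.*(?i)sqlweb.*
+^<HOST>.*GET.*(?i)webdb.*
+^<HOST>.*GET.*(?i)pma.*
+^<HOST>.*GET.*(?i)vtigercrm.*
+
+ignoreregex =
+
+
+--- Reiniciar o fail2ban
+service fail2ban restart
+
+--- Aplicar regras para ações já realizadas
+fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-myadmin.conf
+
+
+--- desbloqueando IP
+fail2ban-client set apache-myadmin unbanip 192.168.100.9
+
+
+--- lista os filtros
+fail2ban-client status
+
+--- lista o status do filtro
+fail2ban-client status apache-myadmin
+
+
+*********************** proteção contra ataque ao wordpress
+
+acrescentar em /etc/fail2ban/jail.local
+
+[wordpress]
+enabled = true
+filter = wordpress
+port = http,https
+action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
+logpath = /var/log/apache2/access.log
+bantime = 84600
+maxretry = 6
+
+
+e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo
+
+[Definition]
+failregex = ^<HOST> .* "POST .*xmlrpc\.php
+^<HOST> .* "POST .*wp-cron\.php.*
+^<HOST> .* "POST .*wp-login\.php
+ignoreregex =
+
+
+
+*********************** proteção contra ataque sqlinject
+
+
+[sqlinject]
+enabled = true
+filter = sqlinject
+port = http,https
+action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
+logpath = /var/log/apache2/access.log
+bantime = 84600
+maxretry = 6
+
+
+e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo
+
+# Fail2Ban configuration file
+#
+# Author: TrogloGeek (Damien VERON)
+#
+# $Revision: 1 $
+#
+
+[Definition]
+
+sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
+sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
+
+# Option: failregex
+# Notes.: Regex to try to detect SQL injection trials
+# Values: TEXT
+#
+failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
+
+
+
+
+
+
+
+
+
+
+
+
+Referências
+https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter
+https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
+https://github.com/TrogloGeek/fail2ban-apache-sqlinject
+
+
+
+
+
+
 * http://ittipsoftheday.blogspot.com.br/2016/01/how-to-remove-ip-from-iredmail.html
 * http://www.the-art-of-web.com/system/fail2ban-log/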
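Review bot: The operational commands in this hunk name a jail and filter called apache-myadmin (the fail2ban-regex, unbanip and status lines) while the jail added above is [phpmyadmin] with filter phpmyadmin.conf, so fail2ban-regex will not find the filter file and fail2ban-client will report an unknown jail; change them to `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf`, `fail2ban-client set phpmyadmin unbanip 192.168.100.9` and `fail2ban-client status phpmyadmin`. The eight `\[client <HOST>\] File does not exist:` patterns in phpmyadmin.conf are Apache error-log format, but the jail's logpath is access.log, so they can never match in that jail. The `(?i)` flag placed mid-pattern has been a compile error in Python's regex engine since 3.11 (global flags must come first), so a fail2ban running on a current Python is unlikely to load this filter; a scoped group such as `(?i:phpmyadmin)` avoids that. The wordpress filter counts every POST to wp-login.php and wp-cron.php, including successful logins and presumably WordPress's own loopback cron request, so with maxretry = 6 a legitimate user, or the server's own address, can end up banned unless ignoreip covers it.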
Edição das 21h18min de 25 de novembro de 2017
Instalando Apache e Fail2Ban
# Install Fail2Ban and Apache from the distribution packages (Debian-family apt; needs root)
apt-get install fail2ban apache2
ajustes básicos
# Work on a local copy: fail2ban reads jail.local as an override of jail.conf,
# so the packaged file stays untouched.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Line-number edits to the copy: 600 -> 3600 on lines 30 and 34 (presumably the
# bantime/findtime defaults), 3 -> 6 on line 35 (presumably maxretry) and
# action_ -> action_mwl on line 111.  These address lines, not keys, so they
# only do the right thing for the jail.conf revision the author had; check the
# four lines first (e.g. `sed -n '30p;34p;35p;111p' /etc/fail2ban/jail.local`).
sed -i \
    -e '30s/600/3600/g' \
    -e '34s/600/3600/g' \
    -e '35s/3/6/g' \
    -e '111s/action_/action_mwl/g' \
    /etc/fail2ban/jail.local
proteção contra ataque no phpmyadmin
Acrescentar em /etc/fail2ban/jail.local
# Jail for /etc/fail2ban/jail.local: clients matched by filter.d/phpmyadmin.conf
# in the Apache access log are blocked on the http/https ports.
[phpmyadmin]
enabled = true
filter = phpmyadmin
port = http,https
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
# seconds; 84600 is 23.5 h — check whether 86400 (24 h) was intended
bantime = 84600
# two matching log lines within findtime are enough to ban
maxretry = 2
criar um arquivo em /etc/fail2ban/filter.d/phpmyadmin.conf com conteúdo:
# Filter for /etc/fail2ban/filter.d/phpmyadmin.conf.
# The first eight patterns are Apache error-log format ("[client <ip>] File does
# not exist: ...") and the last eight are access-log format; the jail above
# reads access.log only, so only the access-log patterns can match there.
# NOTE(review): "(?i)" placed mid-pattern is deprecated since Python 3.6 and a
# compile error from Python 3.11 on; a scoped "(?i:word)" group, or the flag at
# the very start of the pattern, avoids that.
# NOTE(review): ".*GET.*(?i)setup.*" and friends match the word anywhere on the
# line (path, query string, referer, user agent), so legitimate requests whose
# URL or headers contain "setup", "manager" or "mysql" count as failures — with
# maxretry = 2 that is a real false-positive risk.
[Definition]
failregex = \[client <HOST>\] File does not exist:.*(?i)phpmyadmin.*
            \[client <HOST>\] File does not exist:.*(?i)manager.*
            \[client <HOST>\] File does not exist:.*(?i)setup.*
            \[client <HOST>\] File does not exist:.*(?i)mysql.*
            \[client <HOST>\] File does not exist:.*(?i)sqlweb.*
            \[client <HOST>\] File does not exist:.*(?i)webdb.*
            \[client <HOST>\] File does not exist:.*(?i)pma.*
            \[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
            ^<HOST>.*GET.*(?i)phpmyadmin.*
            ^<HOST>.*GET.*(?i)manager.*
            ^<HOST>.*GET.*(?i)setup.*
            ^<HOST>.*GET.*(?i)mysql.*
            ^<HOST>.*GET.*(?i)sqlweb.*
            ^<HOST>.*GET.*(?i)webdb.*
            ^<HOST>.*GET.*(?i)pma.*
            ^<HOST>.*GET.*(?i)vtigercrm.*
ignoreregex =
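# Restart fail2ban so the new jail and filter are loaded
service fail2ban restart

# Dry-run the filter against the existing log.  fail2ban-regex only reports
# which lines would match; it does not ban anything.  The filter created
# above is phpmyadmin.conf, so that is the file to test (not apache-myadmin.conf,
# which does not exist in this setup).
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf

# Unban an address (example IP) from the phpmyadmin jail defined above
fail2ban-client set phpmyadmin unbanip 192.168.100.9

# List the active jails
fail2ban-client status

# Status of one jail (the jail is named phpmyadmin, not apache-myadmin)
fail2ban-client status phpmyadmin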
- proteção contra ataque ao wordpress
acrescentar em /etc/fail2ban/jail.local
# Jail for /etc/fail2ban/jail.local: clients matched by filter.d/wordpress.conf
# in the Apache access log are blocked on the http/https ports.
[wordpress]
enabled = true
filter = wordpress
port = http,https
logpath = /var/log/apache2/access.log
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
# six matching log lines within findtime are enough to ban
maxretry = 6
# seconds; 84600 is 23.5 h — check whether 86400 (24 h) was intended
bantime = 84600
e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo:
# Filter for /etc/fail2ban/filter.d/wordpress.conf: every POST to xmlrpc.php,
# wp-cron.php or wp-login.php in the access log counts as one failure.
# NOTE(review): the access log does not say whether a login succeeded, so
# successful logins count too; with maxretry = 6 a busy legitimate user can be
# banned.  wp-cron.php is presumably also hit by WordPress's own loopback
# request, so the server's own address may need to be listed in ignoreip.
[Definition]
failregex = ^<HOST> .* "POST .*xmlrpc\.php
            ^<HOST> .* "POST .*wp-cron\.php.*
            ^<HOST> .* "POST .*wp-login\.php
ignoreregex =
- proteção contra ataque sqlinject
# Jail for /etc/fail2ban/jail.local: clients matched by filter.d/sqlinject.conf
# in the Apache access log are blocked on the http/https ports.
[sqlinject]
enabled = true
filter = sqlinject
port = http,https
logpath = /var/log/apache2/access.log
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
# six matching log lines within findtime are enough to ban
maxretry = 6
# seconds; 84600 is 23.5 h — check whether 86400 (24 h) was intended
bantime = 84600
e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo:
# Fail2Ban configuration file
#
# Author: TrogloGeek (Damien VERON)
#
# $Revision: 1 $
#
# Filter for /etc/fail2ban/filter.d/sqlinject.conf.  The two sqlfragments_*
# keys are ordinary configparser values that failregex pulls in through
# %(name)s interpolation; because of that interpolation a literal "%" (the
# URL-encoding of spaces and punctuation in the query string) must be written
# "%%" here, which is why the values below look doubled.

[Definition]

# Generic SQL keyword pairs looked for in the query string.
# NOTE(review): "select.*from" etc. match anywhere in the query string, so
# ordinary parameters that happen to contain both words will count as a
# failure; review fail2ban-regex output against real traffic before enabling.
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
# URL-encoded fragments; the key name suggests they mirror the request shape
# of one particular automated scanner.
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F

# Option: failregex
# Notes.: Regex to try to detect SQL injection trials
# Values: TEXT
# Matches one access-log request line: the quoted request must have an
# uppercase method, a path starting with "/", a query string ("?") containing
# one of the fragments above, and then the "HTTP..." protocol token.
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Referências
- https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter
- https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
- https://github.com/TrogloGeek/fail2ban-apache-sqlinject
- http://ittipsoftheday.blogspot.com.br/2016/01/how-to-remove-ip-from-iredmail.html
- http://www.the-art-of-web.com/system/fail2ban-log/
- https://github.com/fail2ban/fail2ban/issues/132
- https://www.raspberrypi.org/forums/viewtopic.php?t=67934&p=496490
- http://serverfault.com/questions/285256/how-to-unban-an-ip-properly-with-fail2ban
# Manually delete a DROP rule for address IP from the fail2ban-NAME chain
# (NAME = jail name, IP = banned address; both are placeholders).
# NOTE(review): this bypasses fail2ban's own bookkeeping, so the jail may still
# consider the address banned; `fail2ban-client set <jail> unbanip <ip>` (shown
# above) is presumably the cleaner route and this the fallback.
iptables -D fail2ban-NAME -s IP -j DROP