Mudanças entre as edições de "Fail2ban"

 
(8 revisões intermediárias pelo mesmo usuário não estão sendo mostradas)
Linha 1: Linha 1:
 
Instalando Apache e Fail2Ban
 
Instalando Apache e Fail2Ban
 
 
<source lang="bash">
 
<source lang="bash">
 
apt-get install fail2ban apache2
 
apt-get install fail2ban apache2
Linha 6: Linha 5:
  
 
ajustes básico
 
ajustes básico
 
 
<source lang="bash">
 
<source lang="bash">
 
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Linha 14: Linha 12:
 
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local
 
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local
 
</source>
 
</source>
 
 
 
  
 
== proteção contra ataque no phpmyadmin ==
 
== proteção contra ataque no phpmyadmin ==
Linha 55: Linha 50:
  
  
--- Reiniciar o fail2ban
+
Reiniciar o fail2ban
 +
<source lang="bash">
 
service fail2ban restart
 
service fail2ban restart
 +
</source>
  
--- Aplicar regras para ações já realizadas
+
Aplicar regras para ações já realizadas
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-myadmin.conf
+
<source lang="bash">
 +
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf
 +
</source>
  
 +
desbloqueando IP
 +
<source lang="bash">
 +
fail2ban-client set phpmyadmin unbanip 192.168.100.9
 +
</source>
  
--- desbloqueando IP
+
lista os filtros
fail2ban-client set apache-myadmin unbanip 192.168.100.9
+
<source lang="bash">
 
 
 
 
--- lista os filtros
 
 
fail2ban-client status
 
fail2ban-client status
 +
</source>
  
--- lista o status do filtro
+
lista o status do filtro
fail2ban-client status apache-myadmin
+
<source lang="bash">
 
+
fail2ban-client status phpmyadmin
 +
</source>
  
*********************** proteção contra ataque ao wordpress
+
== proteção contra ataque ao wordpress ==
  
 
acrescentar em /etc/fail2ban/jail.local
 
acrescentar em /etc/fail2ban/jail.local
  
[wordpress]
+
[wordpress]
enabled = true
+
enabled = true
filter = wordpress
+
filter = wordpress
port = http,https
+
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
+
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
+
logpath = /var/log/apache2/access.log
bantime = 84600
+
bantime = 84600
maxretry = 6
+
maxretry = 6
  
  
 
e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo
 
e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo
  
[Definition]
+
[Definition]
failregex = ^<HOST> .* "POST .*xmlrpc\.php
+
failregex = ^<HOST> .* "POST .*xmlrpc\.php
            ^<HOST> .* "POST .*wp-cron\.php.*
+
            ^<HOST> .* "POST .*wp-cron\.php.*
            ^<HOST> .* "POST .*wp-login\.php
+
            ^<HOST> .* "POST .*wp-login\.php
ignoreregex =
+
ignoreregex =
  
  
  
*********************** proteção contra ataque sqlinject
+
== proteção contra ataque sqlinject ==
  
  
[sqlinject]
+
[sqlinject]
enabled = true
+
enabled = true
filter = sqlinject
+
filter = sqlinject
port = http,https
+
port = http,https
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
+
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
+
logpath = /var/log/apache2/access.log
bantime = 84600
+
bantime = 84600
maxretry = 6
+
maxretry = 6
  
  
 
e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo
 
e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo
  
# Fail2Ban configuration file
+
# Fail2Ban configuration file
#
+
#
# Author: TrogloGeek (Damien VERON)
+
# Author: TrogloGeek (Damien VERON)
#
+
#
# $Revision: 1 $
+
# $Revision: 1 $
#
+
#
 +
 +
[Definition]
 +
 +
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
 +
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
 +
 +
# Option:  failregex
 +
# Notes.:  Regex to try to detect SQL injection trials
 +
# Values:  TEXT
 +
#
 +
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
 +
 +
# Option:  ignoreregex
 +
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
 +
# Values:  TEXT
 +
#
 +
ignoreregex =
  
[Definition]
+
== x00 ==
  
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
+
[nginx-x00]
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
+
enabled  = true
 +
port    = http,https
 +
filter  = nginx-x00
 +
logpath  = /var/log/nginx/access.log
 +
bantime = 3600
 +
maxretry = 1
  
# Option:  failregex
+
e em /etc/fail2ban/filter.d/nginx-x00.conf
# Notes.:  Regex to try to detect SQL injection trials
 
# Values:  TEXT
 
#
 
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
 
 
 
# Option:  ignoreregex
 
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
 
# Values:  TEXT
 
#
 
ignoreregex =
 
  
 +
[Definition]
 +
 +
failregex = ^<HOST> .* ".*\\x.*" .*$
 +
 +
ignoreregex =
  
 +
* https://serverfault.com/questions/772833/fail2ban-regex-to-block-x00-requests
  
  
 +
== Drupal 7 (CVE-2018-7600 / SA-CORE-2018-002) ==
  
 +
/etc/fail2ban/jail.local
 +
[drupalgeddon2]
 +
enabled = true
 +
filter = drupalgeddon2
 +
port = http,https
 +
action = iptables-multiport[name=drupalgeddon2, port="http,https", protocol=tcp]
 +
#logpath  = /var/log/apache2/*.log
 +
logpath  = /var/log/nginx/*.log
 +
bantime = 84600
 +
maxretry = 1
  
  
 +
em /etc/fail2ban/filter.d/drupalgeddon2.conf
  
 +
[Definition]
 +
failregex = ^<HOST> .* ".*passthru&name.*" .*$
 +
                ^<HOST>.*GET.*(?i)passthru&name.*
 +
ignoreregex =
  
 +
* https://github.com/dreadlocked/Drupalgeddon2
 +
* https://github.com/pimps/CVE-2018-7600
 +
* https://www.drupal.org/forum/support/post-installation/2018-04-21/drupalgeddon-hacks-are-starting-to-show-up
 +
* https://wojnowski.net.pl/main/index/dissecting-mister-spy-bot-website-hack
  
  
Linha 149: Linha 189:
  
 
Referências
 
Referências
https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter
+
* https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
+
* https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
https://github.com/TrogloGeek/fail2ban-apache-sqlinject
+
* https://github.com/TrogloGeek/fail2ban-apache-sqlinject
 
+
* [https://www.abuseipdb.com/fail2ban.html Integrating AbuseIPDB with Fail2Ban - Automatically Report Bad IPs]
 
 
 
 
 
 
 
 
 
 
* http://ittipsoftheday.blogspot.com.br/2016/01/how-to-remove-ip-from-iredmail.html
 
* http://www.the-art-of-web.com/system/fail2ban-log/
 
* https://github.com/fail2ban/fail2ban/issues/132
 
* https://www.raspberrypi.org/forums/viewtopic.php?t=67934&p=496490
 
* http://serverfault.com/questions/285256/how-to-unban-an-ip-properly-with-fail2ban
 
 
 
 
 
<source lang="bash">
 
iptables -D fail2ban-NAME -s IP -j DROP
 
</source>
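Review bot: The second drupalgeddon2 failregex on the new side, `^<HOST>.*GET.*(?i)passthru&name.*`, places the global `(?i)` flag in the middle of the pattern; Python's `re` has deprecated that since 3.6 and rejects it from 3.11, so on a current fail2ban the filter fails to load. Move the flag to the front, `(?i)^<HOST>.*GET.*passthru&name.*`, and confirm with `fail2ban-regex`, since fail2ban may prepend its own prefix to the expression. The phpmyadmin filter elsewhere on the page uses the same `(?i)`-in-the-middle form. Separately, `bantime = 84600` (repeated in the wordpress, sqlinject and drupalgeddon2 jails) is 23 h 30 min; if a full day was intended the value is 86400. The closing `iptables -D fail2ban-NAME -s IP -j DROP` removes the rule behind fail2ban's back, whereas `fail2ban-client set <jail> unbanip <IP>`, shown earlier on the page, keeps the daemon's state in sync.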
 

Edição atual tal como às 19h26min de 12 de setembro de 2018

Instalando Apache e Fail2Ban

# Debian/Ubuntu: install fail2ban together with Apache (most jails below read /var/log/apache2/access.log).
apt-get install fail2ban apache2

ajustes básicos

# fail2ban applies jail.local on top of jail.conf, so customise the copy, not the shipped file.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Line-number based edits of the stock jail.conf (presumably bantime/findtime 600 -> 3600,
# maxretry 3 -> 6 and action_ -> action_mwl). TODO confirm the line numbers against the
# installed jail.conf version before running: a shifted file silently edits the wrong line.
sed -i \
    -e '30s/600/3600/g' \
    -e '34s/600/3600/g' \
    -e '35s/3/6/g' \
    -e '111s/action_/action_mwl/g' \
    /etc/fail2ban/jail.local

proteção contra ataque no phpmyadmin

Acrescentar em /etc/fail2ban/jail.local

# Jail for probes of phpMyAdmin and similar admin panels, read from the Apache access log.
[phpmyadmin]
enabled = true
# Filter definition: /etc/fail2ban/filter.d/phpmyadmin.conf
filter = phpmyadmin
port = http,https
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
# Only the access log is scanned; the filter's "[client <HOST>] File does not exist" patterns
# belong to the Apache error log and cannot fire unless that log is listed here as well.
logpath = /var/log/apache2/access.log
# Two hits within findtime ban the client. The filter matches bare substrings (setup, manager,
# mysql, pma, ...) anywhere in the request line, so watch for false positives on legitimate URLs.
maxretry = 2
# Seconds. 84600 is 23 h 30 min; 86400 would be a full day -- confirm which was intended.
bantime = 84600


criar um arquivo em /etc/fail2ban/filter.d/phpmyadmin.conf com o conteúdo:

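# Fail2Ban filter: requests for phpMyAdmin and similar admin panels (used by jail [phpmyadmin]).
#
# The first pattern matches Apache error-log lines ("[client <HOST>] File does not exist: ..."),
# the second Apache access-log lines. Only the logs named in the jail's logpath are scanned.
#
# (?i) is placed at the start of each pattern: Python's re deprecated global inline flags that
# are not at the beginning of the expression in 3.6 and rejects them from 3.11, which makes a
# filter with a mid-pattern (?i) fail to load. NOTE(review): fail2ban may prepend its own
# prefix to the expression; verify on the installed version with
#   fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf
#
# The keywords are matched as substrings anywhere after the method, i.e. also inside the query
# string, referer and user-agent fields. A legitimate URL containing "setup", "manager" or
# "mysql" counts as a failure -- restrict the match to the request path if the site has such paths.
[Definition]
failregex = (?i)\[client <HOST>\] File does not exist:.*(?:phpmyadmin|manager|setup|mysql|sqlweb|webdb|pma|vtigercrm).*
            (?i)^<HOST>.*GET.*(?:phpmyadmin|manager|setup|mysql|sqlweb|webdb|pma|vtigercrm).*
ignoreregex =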


Reiniciar o fail2ban

service fail2ban restart

Aplicar regras para ações já realizadas

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf

desbloqueando IP

fail2ban-client set phpmyadmin unbanip 192.168.100.9

lista os filtros

fail2ban-client status

lista o status do filtro

fail2ban-client status phpmyadmin

proteção contra ataque ao wordpress

acrescentar em /etc/fail2ban/jail.local

# Jail for brute-force and probing POSTs against WordPress entry points.
[wordpress]
enabled = true
# Filter definition: /etc/fail2ban/filter.d/wordpress.conf
filter = wordpress
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
# Six matching POSTs within findtime ban the client. The filter also counts POSTs to
# wp-cron.php. NOTE(review): WordPress normally triggers wp-cron.php itself through a loopback
# request -- confirm the server's own address is covered by ignoreip or the site can ban itself.
maxretry = 6
# Seconds. 84600 is 23 h 30 min; 86400 would be a full day -- confirm which was intended.
bantime = 84600


e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo

# Fail2Ban filter: POST requests to the WordPress endpoints commonly hammered by brute-force
# tools (xmlrpc.php, wp-login.php) plus wp-cron.php. A single pattern with an alternation
# replaces the three original lines; the set of matched lines is unchanged.
# Every POST to these paths counts, successful logins and legitimate XML-RPC clients included,
# so the jail's maxretry is the only guard against false positives.
[Definition]
failregex = ^<HOST> .* "POST .*(?:xmlrpc\.php|wp-cron\.php|wp-login\.php)
ignoreregex =


proteção contra ataque sqlinject

# Jail for SQL-injection probes in the query string (filter from TrogloGeek/fail2ban-apache-sqlinject).
[sqlinject]
enabled = true
# Filter definition: /etc/fail2ban/filter.d/sqlinject.conf
filter = sqlinject
port = http,https
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
# Six matching requests within findtime ban the client.
maxretry = 6
# Seconds. 84600 is 23 h 30 min; 86400 would be a full day -- confirm which was intended.
bantime = 84600


e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo

# Fail2Ban configuration file
#
# Author: TrogloGeek (Damien VERON)
#
# $Revision: 1 $
#
# Filter for SQL-injection probes inside the query string of an Apache access-log request line.
# Values go through fail2ban's configparser-style interpolation: %(name)s references another
# key of this section, and a literal percent sign must be written as %%.

[Definition]

# Plain SQL keyword pairs (select ... from, update ... set, ...) looked for in the query string.
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
# URL-encoded fragments typical of automated injection tools. %%20 is a literal %20 (space),
# %%28 an opening parenthesis, %%3C/%%3D/%%3E the <, =, > operators, %%27 a single quote,
# %%2F*%%21 the start of a MySQL version comment.
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F

# Option:  failregex
# Notes.:  Regex to try to detect SQL injection trials
#          Anchored on the quoted request field: an uppercase method, a path, a "?" and then one
#          of the fragment alternations somewhere before the "HTTP" version token. Only requests
#          that carry a query string can match; the matched fragments are limited to the two
#          lists above, so it is a tripwire for noisy tools rather than a complete injection filter.
# Values:  TEXT
#
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

x00

# Jail for requests whose request line contains raw bytes, which nginx logs as \xHH escapes.
[nginx-x00]
enabled = true
# Filter definition: /etc/fail2ban/filter.d/nginx-x00.conf
filter = nginx-x00
port = http,https
logpath = /var/log/nginx/access.log
# No action key here, so the default action from [DEFAULT] applies.
# A single matching request bans the client (maxretry = 1) for one hour (bantime in seconds).
maxretry = 1
bantime = 3600

e crie o /etc/fail2ban/filter.d/nginx-x00.conf com o conteúdo

# Fail2Ban filter: access-log lines whose quoted request field contains a literal "\x".
# nginx's default log escaping writes bytes outside the printable ASCII range as \xHH, so this
# catches requests carrying binary/NUL bytes (the "x00" of the jail name). The backslash is
# doubled because the regex needs a literal backslash before the "x". With maxretry = 1 in the
# jail one such request is enough for a ban -- check the filter against real traffic with
# fail2ban-regex before enabling it.
[Definition]

failregex = ^<HOST> .* ".*\\x.*" .*$

ignoreregex =


Drupal 7 (CVE-2018-7600 / SA-CORE-2018-002)

Acrescentar em /etc/fail2ban/jail.local

# Jail for exploitation attempts against Drupal 7 core (CVE-2018-7600 / SA-CORE-2018-002).
# Banning the probing address is a tripwire only; the Drupal core update is what fixes the hole.
[drupalgeddon2]
enabled = true
# Filter definition: /etc/fail2ban/filter.d/drupalgeddon2.conf
filter = drupalgeddon2
port = http,https
action = iptables-multiport[name=drupalgeddon2, port="http,https", protocol=tcp]
# All nginx logs (glob). For Apache use  logpath = /var/log/apache2/*.log  instead.
logpath = /var/log/nginx/*.log
# A single matching request bans the client (maxretry = 1).
maxretry = 1
# Seconds. 84600 is 23 h 30 min; 86400 would be a full day -- confirm which was intended.
bantime = 84600


e crie o /etc/fail2ban/filter.d/drupalgeddon2.conf com o conteúdo

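# Fail2Ban filter: requests carrying the "passthru&name" marker used by the public exploit code
# referenced on this page for CVE-2018-7600. It recognises that one payload shape only, so it is a
# tripwire for noisy scanners, not a fix -- the Drupal core update closes the vulnerability.
#
# (?i) moved to the start of the second pattern: Python's re deprecated global inline flags that
# are not at the beginning of the expression in 3.6 and rejects them from 3.11, which made the
# original filter fail to load. NOTE(review): fail2ban may prepend its own prefix to the
# expression; verify with fail2ban-regex on the installed version.
[Definition]
failregex = ^<HOST> .* ".*passthru&name.*" .*$
            (?i)^<HOST>.*GET.*passthru&name.*
ignoreregex =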



Referências