Criou página com '* http://ittipsoftheday.blogspot.com.br/2016/01/how-to-remove-ip-from-iredmail.html * http://www.the-art-of-web.com/system/fail2ban-log/ * https://github.com/fail2ban/fail2ban...' |
Sem resumo de edição |
Instalando Apache e Fail2Ban | |||
* http:/ | <source lang="bash"> | ||
* https://github.com/ | apt-get install fail2ban apache2 | ||
* https://www. | </source> | ||
* | |||
ajustes básico | |||
<source lang="bash"> | |||
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | |||
sed -i '30s/600/3600/g' /etc/fail2ban/jail.local | |||
sed -i '34s/600/3600/g' /etc/fail2ban/jail.local | |||
sed -i '35s/3/6/g' /etc/fail2ban/jail.local | |||
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local | |||
</source> | |||
== proteção contra ataque no phpmyadmin == | |||
Acrescentar em /etc/fail2ban/jail.local | |||
[phpmyadmin] | |||
enabled = true | |||
filter = phpmyadmin | |||
port = http,https | |||
logpath = /var/log/apache2/access.log | |||
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp] | |||
maxretry = 2 | |||
bantime = 84600 | |||
criar um arquivo em /etc/fail2ban/filter.d/phpmyadmin.conf com conteúdo: | |||
[Definition] | |||
failregex = \[client <HOST>\] File does not exist:.*(?i)phpmyadmin.* | |||
\[client <HOST>\] File does not exist:.*(?i)manager.* | |||
\[client <HOST>\] File does not exist:.*(?i)setup.* | |||
\[client <HOST>\] File does not exist:.*(?i)mysql.* | |||
\[client <HOST>\] File does not exist:.*(?i)sqlweb.* | |||
\[client <HOST>\] File does not exist:.*(?i)webdb.* | |||
\[client <HOST>\] File does not exist:.*(?i)pma.* | |||
\[client <HOST>\] File does not exist:.*(?i)vtigercrm.* | |||
^<HOST>.*GET.*(?i)phpmyadmin.* | |||
^<HOST>.*GET.*(?i)manager.* | |||
^<HOST>.*GET.*(?i)setup.* | |||
^<HOST>.*GET.*(?i)mysql.* | |||
^<HOST>.*GET.*(?i)sqlweb.* | |||
^<HOST>.*GET.*(?i)webdb.* | |||
^<HOST>.*GET.*(?i)pma.* | |||
^<HOST>.*GET.*(?i)vtigercrm.* | |||
ignoreregex = | |||
Reiniciar o fail2ban | |||
<source lang="bash"> | |||
service fail2ban restart | |||
</source> | |||
Aplicar regras para ações já realizadas | |||
<source lang="bash"> | |||
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf | |||
</source> | |||
desbloqueando IP | |||
<source lang="bash"> | |||
fail2ban-client set phpmyadmin unbanip 192.168.100.9 | |||
</source> | |||
lista os filtros | |||
<source lang="bash"> | |||
fail2ban-client status | |||
</source> | |||
lista o status do filtro | |||
<source lang="bash"> | |||
fail2ban-client status phpmyadmin | |||
</source> | |||
== proteção contra ataque ao wordpress == | |||
acrescentar em /etc/fail2ban/jail.local | |||
[wordpress] | |||
enabled = true | |||
filter = wordpress | |||
port = http,https | |||
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp] | |||
logpath = /var/log/apache2/access.log | |||
bantime = 84600 | |||
maxretry = 6 | |||
e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo | |||
[Definition] | |||
failregex = ^<HOST> .* "POST .*xmlrpc\.php | |||
^<HOST> .* "POST .*wp-cron\.php.* | |||
^<HOST> .* "POST .*wp-login\.php | |||
ignoreregex = | |||
== proteção contra ataque sqlinject == | |||
[sqlinject] | |||
enabled = true | |||
filter = sqlinject | |||
port = http,https | |||
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp] | |||
logpath = /var/log/apache2/access.log | |||
bantime = 84600 | |||
maxretry = 6 | |||
e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo | |||
# Fail2Ban configuration file | |||
# | |||
# Author: TrogloGeek (Damien VERON) | |||
# | |||
# $Revision: 1 $ | |||
# | |||
[Definition] | |||
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set) | |||
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F | |||
# Option: failregex | |||
# Notes.: Regex to try to detect SQL injection trials | |||
# Values: TEXT | |||
# | |||
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*" | |||
# Option: ignoreregex | |||
# Notes.: regex to ignore. If this regex matches, the line is ignored. | |||
# Values: TEXT | |||
# | |||
ignoreregex = | |||
== x00 == | |||
[nginx-x00] | |||
enabled = true | |||
port = http,https | |||
filter = nginx-x00 | |||
logpath = /var/log/nginx/access.log | |||
bantime = 3600 | |||
maxretry = 1 | |||
e em /etc/fail2ban/filter.d/nginx-x00.conf | |||
[Definition] | |||
failregex = ^<HOST> .* ".*\\x.*" .*$ | |||
ignoreregex = | |||
* https://serverfault.com/questions/772833/fail2ban-regex-to-block-x00-requests | |||
== Drupal 7 (CVE-2018-7600 / SA-CORE-2018-002) == | |||
/etc/fail2ban/jail.local | |||
[drupalgeddon2] | |||
enabled = true | |||
filter = drupalgeddon2 | |||
port = http,https | |||
action = iptables-multiport[name=drupalgeddon2, port="http,https", protocol=tcp] | |||
#logpath = /var/log/apache2/*.log | |||
logpath = /var/log/nginx/*.log | |||
bantime = 84600 | |||
maxretry = 1 | |||
em /etc/fail2ban/filter.d/drupalgeddon2.conf | |||
[Definition] | |||
failregex = ^<HOST> .* ".*passthru&name.*" .*$ | |||
^<HOST>.*GET.*(?i)passthru&name.* | |||
ignoreregex = | |||
* https://github.com/dreadlocked/Drupalgeddon2 | |||
* https://github.com/pimps/CVE-2018-7600 | |||
* https://www.drupal.org/forum/support/post-installation/2018-04-21/drupalgeddon-hacks-are-starting-to-show-up | |||
* https://wojnowski.net.pl/main/index/dissecting-mister-spy-bot-website-hack | |||
Referências | |||
* https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter | |||
* https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04 | |||
* https://github.com/TrogloGeek/fail2ban-apache-sqlinject | |||
* [https://www.abuseipdb.com/fail2ban.html Integrating AbuseIPDB with Fail2Ban - Automatically Report Bad IPs] | |||
Edição atual tal como às 16h26min de 12 de setembro de 2018
Instalando Apache e Fail2Ban
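# Install fail2ban next to Apache. Refresh the package index first so the
# current packaged fail2ban (its jail.conf layout and bundled filters) is
# what gets installed; -y keeps the step non-interactive.
apt-get update && apt-get install -y fail2ban apache2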
Ajustes básicos (padrões herdados por todas as jails, definidos em jail.local)
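# Global defaults for every jail.
#
# Do not copy jail.conf over jail.local and patch it by line number: the
# original sed calls (lines 30/34/35/111) assume one specific jail.conf
# layout, and on any other fail2ban version they edit the wrong key, or
# nothing at all, without any error. jail.local only needs the overrides;
# everything else is still read from jail.conf.
#
# The values below are the ones those sed substitutions targeted
# (600 -> 3600, 600 -> 3600, 3 -> 6, action_ -> action_mwl).
# Run once on a fresh install: this creates the file, and the per-application
# jails further down are appended to it afterwards.
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
# seconds an address stays banned (jail.conf default: 600)
bantime = 3600
# window, in seconds, in which maxretry failures must occur (jail.conf default: 600)
findtime = 3600
# failures within findtime before a ban (jail.conf default: 3)
maxretry = 6
# action_mwl is defined in jail.conf: ban plus an e-mail with whois output and
# the matching log lines. It only does something useful when destemail/sender
# are set and the host can actually send mail - confirm before relying on it.
action = %(action_mwl)s
EOF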
proteção contra varreduras de phpMyAdmin e outros painéis de administração
Acrescentar em /etc/fail2ban/jail.local
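# Jail for probes of phpMyAdmin / database / admin front-ends
# (filter: filter.d/phpmyadmin.conf).
[phpmyadmin]
enabled = true
filter = phpmyadmin
port = http,https
# The filter has two kinds of pattern: access-log lines (<HOST> ... "GET ...")
# and lines of the form "[client <HOST>] File does not exist:", which is how
# Apache's error log reports a missing file. With only access.log listed the
# error-log patterns can never fire, so both files are watched. One path per
# line, indented, which is how fail2ban reads a multi-valued logpath.
logpath = /var/log/apache2/access.log
          /var/log/apache2/error.log
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
# Two hits within findtime. This is aggressive because the filter matches on
# broad substrings (setup, manager, mysql, pma, ...): if legitimate URLs on
# this site contain those words, raise maxretry or add the trusted ranges to
# ignoreip.
maxretry = 2
# 84600 s is 23.5 h; if a full day was intended, use 86400.
bantime = 84600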
criar um arquivo em /etc/fail2ban/filter.d/phpmyadmin.conf com conteúdo:
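# Fail2Ban filter: probes for phpMyAdmin / database / admin front-ends.
#
# Two log formats are covered, so the jail should watch both files:
#   Apache error log:  [client <HOST>] File does not exist: /var/www/phpmyadmin
#   Apache access log: <HOST> - - [...] "GET /pma/ HTTP/1.1" 404 ...
[Definition]

# Notes on the patterns:
# - (?i) must be the very first token: Python 3.11+ rejects a global flag in
#   the middle of an expression, so the original ".*(?i)pma.*" form no longer
#   compiles. The flag is the only case-insensitive element, so one
#   alternation per log format replaces the eight near-identical lines.
# - Apache 2.4 writes the client as "[client <HOST>:port]"; the optional port
#   keeps the error-log pattern working on 2.2 and 2.4 alike.
# - The access-log pattern is confined to the quoted request string
#   ("GET ... ") so a Referer or User-Agent that happens to contain one of
#   the words is not counted as a hit. The words are still matched as bare
#   substrings, so e.g. any URL containing "setup" or "manager" counts.
failregex = (?i)\[client <HOST>(?::\d+)?\] File does not exist:.*(?:phpmyadmin|manager|setup|mysql|sqlweb|webdb|pma|vtigercrm)
            (?i)^<HOST> .* "GET [^"]*(?:phpmyadmin|manager|setup|mysql|sqlweb|webdb|pma|vtigercrm)

ignoreregex =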
Reiniciar o fail2ban
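# Restart after editing jail.local / filter.d so the new jail is loaded.
# A filter that fails to compile leaves the daemon stopped, so confirm it is
# back and that the jail shows up in the list instead of assuming success.
service fail2ban restart
fail2ban-client ping
fail2ban-client status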
Testar o filtro contra o log já existente (fail2ban-regex apenas mostra as linhas que casariam; não bane nenhum IP)
# Dry run of the filter against the existing access log: prints how many
# lines match (and which, with --print-all-matched). It bans nothing; use it
# to catch regex errors and false positives before the jail goes live.
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf
desbloqueando IP
# Lift the ban on one address in the phpmyadmin jail. 192.168.100.9 is an
# example; take the real one from "fail2ban-client status phpmyadmin".
fail2ban-client set phpmyadmin unbanip 192.168.100.9
lista as jails carregadas
# List the jails currently loaded by the daemon (jails, not filters).
fail2ban-client status
mostra o status de uma jail (contadores de falhas/bans e IPs banidos no momento)
# Detail for one jail: failure/ban counters and the currently banned addresses.
fail2ban-client status phpmyadmin
proteção contra ataque ao wordpress
acrescentar em /etc/fail2ban/jail.local
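# Jail for WordPress login / XML-RPC abuse (filter: filter.d/wordpress.conf).
[wordpress]
enabled = true
filter = wordpress
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
# 84600 s is 23.5 h; if a full day was intended, use 86400.
bantime = 84600
# The filter counts every POST to wp-login.php, xmlrpc.php and wp-cron.php,
# successful or not. By default WordPress kicks off its own cron with an HTTP
# request to wp-cron.php on its public address, so after maxretry such calls
# within findtime the server bans itself. Check the source address of those
# lines in access.log and whitelist it (127.0.0.1 is already ignored by
# fail2ban's defaults):
# ignoreip = 127.0.0.1/8 <this server's public IP>
maxretry = 6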
e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo
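# Fail2Ban filter: POSTs to the WordPress login, XML-RPC and cron endpoints
# in the Apache access log, e.g.
#   <HOST> - - [...] "POST /wp-login.php HTTP/1.1" 200 ...
[Definition]

# The path is confined to the quoted request string ("POST ... ") with [^"]*,
# so a later field (Referer) that mentions wp-login.php is not counted; the
# original ".*" could run across field boundaries.
# Every POST counts, including successful logins and WordPress's own
# wp-cron.php calls - see the ignoreip note on the jail. If only failed
# logins should count, the status code of a failed vs. successful login
# would have to be checked against this site's log lines first.
failregex = ^<HOST> .* "POST [^"]*xmlrpc\.php
            ^<HOST> .* "POST [^"]*wp-cron\.php
            ^<HOST> .* "POST [^"]*wp-login\.php

ignoreregex =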
proteção contra tentativas de SQL injection (assinaturas na query string das requisições)
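# Jail for SQL-injection signatures in the query string
# (filter: filter.d/sqlinject.conf).
[sqlinject]
enabled = true
filter = sqlinject
port = http,https
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
# 84600 s is 23.5 h; if a full day was intended, use 86400.
bantime = 84600
# Keep maxretry above 1: the generic fragments in the filter (select.*from,
# update.*set, ...) are plain substrings and can match an ordinary query
# string such as ?action=update&tab=settings.
maxretry = 6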
e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo
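# Fail2Ban configuration file
#
# Author: TrogloGeek (Damien VERON)
#
# $Revision: 1 $
#
# Filter: SQL-injection signatures in the query string of an Apache access-log
# request line. fail2ban reads this file with %-interpolation enabled, so a
# literal "%" from URL encoding is written "%%" and %(name)s expands the
# fragment lists defined below. As printed on the wiki page the whole file was
# collapsed onto one line, which turns everything after the first "#" into a
# comment; it must be laid out line by line as here.

[Definition]

# Plain SQL keyword pairs. They are case-sensitive and unencoded, so "SeLeCt"
# or a fully URL-encoded payload is not matched, while a harmless query string
# like ?action=update&tab=settings does match "update.*set" - keep the jail's
# maxretry above 1.
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)

# URL-encoded payload fragments, presumably those emitted by the Havij tool
# (the name is the only hint): %%20 is a space, %%28 "(", %%3C/%%3D/%%3E "<", "=", ">".
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F

# Option: failregex
# Notes.: Regex to try to detect SQL injection trials. Anchored inside the
#         quoted request line, after the "?", so only the query string is
#         inspected - not the Referer or User-Agent fields.
# Values: TEXT
#
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =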
Requisições com bytes binários (registradas pelo nginx como \x00, \x16 etc.)
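# Jail for requests carrying raw binary bytes, which nginx writes to the
# access log as "\x.." escapes (filter: filter.d/nginx-x00.conf).
[nginx-x00]
enabled = true
port = http,https
filter = nginx-x00
logpath = /var/log/nginx/access.log
# No action line here: the [DEFAULT] action applies.
# One hour, shorter than the other jails on this page.
bantime = 3600
# A single hit bans: such requests are treated as hostile on sight.
maxretry = 1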
e em /etc/fail2ban/filter.d/nginx-x00.conf
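# Fail2Ban filter: nginx access-log lines containing a "\x.." escape, which
# is how nginx renders a raw non-printable byte (e.g. \x00) it received.
[Definition]

# Backslashes are literal in this value: "\\x" is the regex for the two
# characters "\x". The ".*" inside the quotes is not confined to the request
# string, so a "\x" in the Referer or User-Agent field also counts as a hit.
failregex = ^<HOST> .* ".*\\x.*" .*$

ignoreregex =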
Drupal 7 (CVE-2018-7600 / SA-CORE-2018-002) — mitigação apenas; a correção é aplicar a atualização do Drupal indicada no advisory
/etc/fail2ban/jail.local
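# Jail for CVE-2018-7600 ("Drupalgeddon 2") exploitation attempts
# (filter: filter.d/drupalgeddon2.conf). This only bans the sources it sees;
# the actual fix is the Drupal update from SA-CORE-2018-002.
[drupalgeddon2]
enabled = true
filter = drupalgeddon2
port = http,https
action = iptables-multiport[name=drupalgeddon2, port="http,https", protocol=tcp]
# Use the line for the web server actually in use. The glob also picks up
# error.log; its lines do not start with <HOST>, so they never match and are
# only scanned needlessly.
#logpath = /var/log/apache2/*.log
logpath = /var/log/nginx/*.log
# 84600 s is 23.5 h; if a full day was intended, use 86400.
bantime = 84600
# This is an exploit signature, not a brute-force counter: ban on first sight.
maxretry = 1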
em /etc/fail2ban/filter.d/drupalgeddon2.conf
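# Fail2Ban filter: request lines carrying the "passthru&name" fragment used by
# the public CVE-2018-7600 proof-of-concept exploits linked from the page.
# It is a signature for those PoCs only; payloads built with a different
# callback name are not matched.
[Definition]

# (?i) must be the first token: Python 3.11+ rejects a global flag placed
# mid-pattern, so the original "^<HOST>.*GET.*(?i)passthru&name.*" no longer
# compiles. The two original lines (any method inside the quotes, and a
# case-insensitive GET) are folded into one: any method, fragment inside the
# quoted request string rather than anywhere on the line.
failregex = (?i)^<HOST> .* "[A-Z]+ [^"]*passthru&name

ignoreregex =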
- https://github.com/dreadlocked/Drupalgeddon2
- https://github.com/pimps/CVE-2018-7600
- https://www.drupal.org/forum/support/post-installation/2018-04-21/drupalgeddon-hacks-are-starting-to-show-up
- https://wojnowski.net.pl/main/index/dissecting-mister-spy-bot-website-hack
Referências
- https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter
- https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
- https://github.com/TrogloGeek/fail2ban-apache-sqlinject
- https://www.abuseipdb.com/fail2ban.html — Integrating AbuseIPDB with Fail2Ban - Automatically Report Bad IPs