Fail2ban: difference between revisions

From MochilaWiki
== Installing Apache and Fail2Ban ==
<source lang="bash">
apt-get install fail2ban apache2
</source>
== Basic adjustments ==
<source lang="bash">
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# The sed commands below change [DEFAULT] values by line number. The numbers are
# those of the jail.conf this page was written against (2017) and differ between
# fail2ban versions, so check them before running anything:
#   grep -n -E '^(bantime|findtime|maxretry|action) ' /etc/fail2ban/jail.local
sed -i '30s/600/3600/g' /etc/fail2ban/jail.local            # bantime  = 600 -> 3600: ban for one hour
sed -i '34s/600/3600/g' /etc/fail2ban/jail.local            # findtime = 600 -> 3600: count failures over one hour
sed -i '35s/3/6/g' /etc/fail2ban/jail.local                 # maxretry = 3 -> 6
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local # action = %(action_)s -> %(action_mwl)s: ban and e-mail the whois output and the matching log lines (needs a working MTA and the whois package)
</source>
== Protection against attacks on phpMyAdmin ==
Add to /etc/fail2ban/jail.local
<source lang="ini">
[phpmyadmin]
enabled = true
filter  = phpmyadmin
port = http,https
logpath = /var/log/apache2/access.log
# add a second logpath line for /var/log/apache2/error.log if the
# "File does not exist" patterns of the filter below are meant to fire
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
maxretry = 2
# 24 hours
bantime = 86400
</source>
Create the file /etc/fail2ban/filter.d/phpmyadmin.conf with this content:
<source lang="ini">
[Definition]
# The "File does not exist" patterns match Apache's error.log, not access.log;
# they only fire if the jail also lists /var/log/apache2/error.log as a logpath.
# Apache 2.4 writes the client as [client IP:port], hence the optional port.
# The (?i) flag goes at the start of each expression: Python's re module, which
# fail2ban uses, does not accept it in the middle of a pattern (an error since 3.11).
failregex = (?i)\[client <HOST>(:\d+)?\] File does not exist:.*phpmyadmin.*
            (?i)\[client <HOST>(:\d+)?\] File does not exist:.*manager.*
            (?i)\[client <HOST>(:\d+)?\] File does not exist:.*setup.*
            (?i)\[client <HOST>(:\d+)?\] File does not exist:.*mysql.*
            (?i)\[client <HOST>(:\d+)?\] File does not exist:.*sqlweb.*
            (?i)\[client <HOST>(:\d+)?\] File does not exist:.*webdb.*
            (?i)\[client <HOST>(:\d+)?\] File does not exist:.*pma.*
            (?i)\[client <HOST>(:\d+)?\] File does not exist:.*vtigercrm.*
            (?i)^<HOST>.*GET.*phpmyadmin.*
            (?i)^<HOST>.*GET.*manager.*
            (?i)^<HOST>.*GET.*setup.*
            (?i)^<HOST>.*GET.*mysql.*
            (?i)^<HOST>.*GET.*sqlweb.*
            (?i)^<HOST>.*GET.*webdb.*
            (?i)^<HOST>.*GET.*pma.*
            (?i)^<HOST>.*GET.*vtigercrm.*
ignoreregex =
</source>
These expressions are deliberately broad: "setup", "manager" and "mysql" match anywhere in the line (path, query string, referer, user agent), and the access.log patterns do not look at the response code, so a legitimate phpMyAdmin user is banned after maxretry = 2 requests. Use this jail on servers that do not host phpMyAdmin, or restrict the access.log patterns to 404 responses.
<source lang="bash">
# --- restart fail2ban
service fail2ban restart
# --- test the filter against the log already on disk
# (fail2ban-regex only reports which lines match; it bans nobody)
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf
# --- unban an IP (use the jail name from jail.local, here phpmyadmin)
fail2ban-client set phpmyadmin unbanip 192.168.100.9
# --- list the jails
fail2ban-client status
# --- show the status of one jail
fail2ban-client status phpmyadmin
</source>
== Protection against attacks on WordPress ==
Add to /etc/fail2ban/jail.local
<source lang="ini">
[wordpress]
enabled = true
filter = wordpress
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
# 24 hours
bantime = 86400
maxretry = 6
</source>
and create /etc/fail2ban/filter.d/wordpress.conf with the content
<source lang="ini">
[Definition]
failregex = ^<HOST> .* "POST .*xmlrpc\.php
            ^<HOST> .* "POST .*wp-cron\.php.*
            ^<HOST> .* "POST .*wp-login\.php
ignoreregex =
</source>
These patterns count every POST to those scripts, not only failed ones: an editor who logs in successfully six times within findtime is banned, and so is anything that legitimately talks to xmlrpc.php (Jetpack, the WordPress mobile apps). WordPress also triggers wp-cron.php itself with a loopback POST to the site's own URL; if that request reaches Apache from the server's public address, the jail bans the server. Keep that address in ignoreip in jail.local, or drop the wp-cron line.
== Protection against SQL injection attempts ==
Add to /etc/fail2ban/jail.local
<source lang="ini">
[sqlinject]
enabled = true
filter = sqlinject
port = http,https
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
# 24 hours
bantime = 86400
maxretry = 6
</source>
and create /etc/fail2ban/filter.d/sqlinject.conf with the content
<source lang="ini">
# Fail2Ban configuration file
#
# Author: TrogloGeek (Damien VERON)
#
# $Revision: 1 $
#
[Definition]
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
# Option:  failregex
# Notes.:  Regex to try to detect SQL injection trials
# Values:  TEXT
#
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
</source>
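Two things about this filter are easy to miss: the `%%` sequences are ConfigParser escapes that become a single `%` when fail2ban reads the file, and the fragments are case-sensitive and only look at the query string (the `\?`), so `UNION ALL SELECT`, or an injection in a POST body, header or cookie, is never counted; prefixing the failregex with `(?i)` fixes the first gap. The script below is an added example (not code from this page, from fail2ban or from TrogloGeek's repository) that runs the phpMyAdmin, WordPress and sqlinject filters of this page over constructed access.log lines, emulating what fail2ban does: ConfigParser interpolation, `<HOST>` replaced by a capture group, and a per-address hit count against maxretry. Assumptions: `<HOST>` becomes a plain non-space group instead of fail2ban's full host expression, findtime is ignored, the timestamp is not cut out before matching, the `(?i)` flags of the phpMyAdmin patterns are moved to the front (see that section), and the `wordpress-failed-only` filter is a tightened variant of my own that is not on the page.

```python
"""Offline run of this page's Apache filters over constructed access.log lines.

Added example; not code from the page or from fail2ban. It emulates what
fail2ban does with a filter.d file: ConfigParser interpolation (%% -> %,
%(name)s -> the named option), <HOST> replaced by a capture group, and a
per-address hit count compared with the jail's maxretry. Assumptions: <HOST>
becomes a plain non-space group instead of fail2ban's full host expression,
findtime is ignored, and the timestamp is not cut out before matching.
"""
import configparser
import re
import textwrap
from collections import Counter

HOST_RE = r"(?P<host>\S+)"  # simplified stand-in for fail2ban's <HOST> group

# (?i) is moved to the front of each phpmyadmin pattern: Python's re, which
# fail2ban uses, refuses a global flag in the middle of a pattern since 3.11.
FILTERS = {
    "phpmyadmin": r"""
        [Definition]
        failregex = (?i)^<HOST>.*GET.*phpmyadmin.*
                    (?i)^<HOST>.*GET.*setup.*
                    (?i)^<HOST>.*GET.*mysql.*
                    (?i)^<HOST>.*GET.*pma.*
        ignoreregex =
    """,
    "wordpress": r"""
        [Definition]
        failregex = ^<HOST> .* "POST .*xmlrpc\.php
                    ^<HOST> .* "POST .*wp-login\.php
        ignoreregex =
    """,
    # Tightened variant (an assumption, not from the page): count a wp-login
    # POST only when Apache answered 200; a successful login is answered 302.
    "wordpress-failed-only": r"""
        [Definition]
        failregex = ^<HOST> .* "POST .*wp-login\.php[^"]*" 200 \d+
        ignoreregex =
    """,
    "sqlinject": r"""
        [Definition]
        sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
        sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
        failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
        ignoreregex =
    """,
}

def load_filter(text):
    """Parse a filter.d-style file; return (failregex, ignoreregex) as lists
    of compiled patterns, one per non-empty line of the option value."""
    cp = configparser.ConfigParser()  # BasicInterpolation: %% and %(name)s
    cp.read_string(textwrap.dedent(text))

    def compile_all(option):
        value = cp.get("Definition", option, fallback="")
        return [re.compile(line.strip().replace("<HOST>", HOST_RE))
                for line in value.splitlines() if line.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")

def scan(filter_text, lines, maxretry):
    """Return ({host: hits}, sorted hosts with hits >= maxretry)."""
    failregex, ignoreregex = load_filter(filter_text)
    hits = Counter()
    for line in lines:
        if any(r.search(line) for r in ignoreregex):
            continue
        for r in failregex:
            m = r.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts once, at the first failregex that matches
    return dict(hits), sorted(h for h, n in hits.items() if n >= maxretry)

def access_line(host, request, status, referer="-", ua="Mozilla/5.0"):
    """One Apache combined-format line (constructed sample data)."""
    return (f'{host} - - [25/Nov/2017:18:18:00 +0000] "{request}" {status} 512 '
            f'"{referer}" "{ua}"')

LOG = [
    # scanner probing for phpMyAdmin: what the phpmyadmin jail is meant to catch
    access_line("203.0.113.7", "GET /phpmyadmin/ HTTP/1.1", 404),
    access_line("203.0.113.7", "GET /PMA/index.php HTTP/1.1", 404),
    # ordinary visitor: "setup" in a path and "mysql" in a referer both count
    access_line("198.51.100.5", "GET /docs/setup-guide.html HTTP/1.1", 200),
    access_line("198.51.100.5", "GET /blog/ HTTP/1.1", 200, referer="https://dev.mysql.com/doc/"),
    # password guessing against WordPress: failed logins are answered 200
    *[access_line("203.0.113.9", "POST /wp-login.php HTTP/1.1", 200, ua="python-requests/2.18")
      for _ in range(5)],
    access_line("203.0.113.9", "POST /xmlrpc.php HTTP/1.1", 200, ua="python-requests/2.18"),
    # one successful login by a real editor (302 redirect to wp-admin)
    access_line("198.51.100.8", "POST /wp-login.php HTTP/1.1", 302),
    # SQL injection probes as Apache logs them, '+' or %20 for spaces
    access_line("203.0.113.11", "GET /item.php?id=1+union+all+select+1,2,3 HTTP/1.1", 200, ua="Havij"),
    access_line("203.0.113.11", "GET /item.php?id=1%20and%201%3D1 HTTP/1.1", 200, ua="Havij"),
    # same probe in upper case: the sqlinject fragments are case-sensitive and miss it
    access_line("203.0.113.12", "GET /item.php?id=1+UNION+ALL+SELECT+1,2,3 HTTP/1.1", 200),
]
```

Calling `scan(FILTERS["phpmyadmin"], LOG, 2)` bans the scanner 203.0.113.7, but also the ordinary visitor 198.51.100.5, whose two harmless requests matched "setup" and "mysql". With the page's WordPress filter the editor at 198.51.100.8 is counted for a successful login; with `wordpress-failed-only` only the five failed attempts from 203.0.113.9 are counted. The sqlinject filter counts the two URL-encoded probes from 203.0.113.11 and nothing from 203.0.113.12, whose upper-case `UNION ALL SELECT` slips past the case-sensitive fragments.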
== References ==
* https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter
* https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
* https://github.com/TrogloGeek/fail2ban-apache-sqlinject
* http://ittipsoftheday.blogspot.com.br/2016/01/how-to-remove-ip-from-iredmail.html
* http://www.the-art-of-web.com/system/fail2ban-log/

Revision as of 18:18, 25 November 2017

<source lang="bash">
# --- remove a ban directly from the iptables chain, where NAME is the jail name
# and IP the banned address. fail2ban-client set NAME unbanip IP is preferable,
# since it also updates fail2ban's own state; newer versions name the chain
# f2b-NAME rather than fail2ban-NAME, so list the chains with iptables -L -n first.
iptables -D fail2ban-NAME -s IP -j DROP
</source>