Changes between revisions of "Fail2ban"
From MochilaWiki
Linha 1: | Linha 1: | ||
Instalando Apache e Fail2Ban | Instalando Apache e Fail2Ban | ||
− | |||
<source lang="bash"> | <source lang="bash"> | ||
apt-get install fail2ban apache2 | apt-get install fail2ban apache2 | ||
Linha 6: | Linha 5: | ||
ajustes básico | ajustes básico | ||
− | |||
<source lang="bash"> | <source lang="bash"> | ||
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | ||
Linha 14: | Linha 12: | ||
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local | sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local | ||
</source> | </source> | ||
− | |||
− | |||
− | |||
== proteção contra ataque no phpmyadmin == | == proteção contra ataque no phpmyadmin == | ||
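Review bot: the `sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local` line in this hunk (like the other sed edits in this page that address jail.local by absolute line number) only works if the copied jail.conf has exactly the layout of one fail2ban release; on any other version line 111 is some other line, and because the substitution is unanchored and uses `g`, it silently rewrites every `action_` token on that line (an `action_mwl = ...` definition would become `action_mwlmwl = ...`). Anchor on the content instead, e.g. `sed -i 's/^action = %(action_)s$/action = %(action_mwl)s/' /etc/fail2ban/jail.local`, or keep only the overridden keys in jail.local rather than a full copy of jail.conf, and confirm the result with `fail2ban-client -d`.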
Linha 147: | Linha 142: | ||
* https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04 | * https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04 | ||
* https://github.com/TrogloGeek/fail2ban-apache-sqlinject | * https://github.com/TrogloGeek/fail2ban-apache-sqlinject | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
Revision as of 21:25, 25 November 2017
Installing Apache and Fail2Ban
apt-get install fail2ban apache2
basic adjustments
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i '30s/600/3600/g' /etc/fail2ban/jail.local
sed -i '34s/600/3600/g' /etc/fail2ban/jail.local
sed -i '35s/3/6/g' /etc/fail2ban/jail.local
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local
protection against attacks on phpmyadmin
Add to /etc/fail2ban/jail.local
[phpmyadmin]
enabled = true
filter = phpmyadmin
port = http,https
logpath = /var/log/apache2/access.log
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
maxretry = 2
bantime = 84600
create the file /etc/fail2ban/filter.d/phpmyadmin.conf with the content:
[Definition]
failregex = \[client <HOST>\] File does not exist:.*(?i)phpmyadmin.*
            \[client <HOST>\] File does not exist:.*(?i)manager.*
            \[client <HOST>\] File does not exist:.*(?i)setup.*
            \[client <HOST>\] File does not exist:.*(?i)mysql.*
            \[client <HOST>\] File does not exist:.*(?i)sqlweb.*
            \[client <HOST>\] File does not exist:.*(?i)webdb.*
            \[client <HOST>\] File does not exist:.*(?i)pma.*
            \[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
            ^<HOST>.*GET.*(?i)phpmyadmin.*
            ^<HOST>.*GET.*(?i)manager.*
            ^<HOST>.*GET.*(?i)setup.*
            ^<HOST>.*GET.*(?i)mysql.*
            ^<HOST>.*GET.*(?i)sqlweb.*
            ^<HOST>.*GET.*(?i)webdb.*
            ^<HOST>.*GET.*(?i)pma.*
            ^<HOST>.*GET.*(?i)vtigercrm.*
ignoreregex =
Restart fail2ban
service fail2ban restart
Run the rules against requests already logged
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf
unbanning an IP
fail2ban-client set phpmyadmin unbanip 192.168.100.9
list the active jails
fail2ban-client status
show the status of one jail
fail2ban-client status phpmyadmin
protection against attacks on WordPress
add to /etc/fail2ban/jail.local
[wordpress]
enabled = true
filter = wordpress
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 84600
maxretry = 6
and create /etc/fail2ban/filter.d/wordpress.conf with the content
[Definition]
failregex = ^<HOST> .* "POST .*xmlrpc\.php
            ^<HOST> .* "POST .*wp-cron\.php.*
            ^<HOST> .* "POST .*wp-login\.php
ignoreregex =
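To see what the wordpress jail and filter above actually do to Apache access-log lines, here is an added Python example (not code from the wiki or from the fail2ban project) that expands `<HOST>`, applies the three failregex lines and reproduces the maxretry/findtime/bantime counting on constructed log lines. The `<HOST>` expansion is simplified to IPv4 only, and findtime=3600 is assumed from the sed edits above; maxretry and bantime are the jail's own values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; an assumption, not fail2ban's exact pattern)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The three failregex lines of the wordpress filter described on this page
WORDPRESS_FAILREGEX = [
    r'^<HOST> .* "POST .*xmlrpc\.php',
    r'^<HOST> .* "POST .*wp-cron\.php.*',
    r'^<HOST> .* "POST .*wp-login\.php',
]
def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def parse_timestamp(line):
    # Apache combined log carries the request time in brackets: [25/Nov/2017:21:25:01 +0000]
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def simulate_jail(lines, patterns, maxretry, findtime, bantime):
    """Return {host: time_of_ban} for hosts that reach maxretry matches within findtime seconds."""
    regexes = compile_failregex(patterns)
    failures = defaultdict(list)  # host -> timestamps of matches still inside the findtime window
    bans = {}
    for line in sorted(lines, key=parse_timestamp):
        match = next((m for m in (rx.search(line) for rx in regexes) if m), None)
        if not match:
            continue  # no failregex matched, so the line is not a failure
        host, ts = match.group("host"), parse_timestamp(line)
        if host in bans and ts < bans[host] + timedelta(seconds=bantime):
            continue  # host is still banned; the hit is not counted again
        recent = [t for t in failures[host] if ts - t <= timedelta(seconds=findtime)] + [ts]
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host], failures[host] = ts, []
    return bans

# Constructed access-log lines (not real traffic): a burst of POSTs to wp-login.php within seconds,
# a host that only GETs the login page, and a host spreading six POSTs over 75 minutes
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/Nov/2017:21:25:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    for s in range(1, 8)
] + ['198.51.100.4 - - [25/Nov/2017:21:26:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'] + [
    f'192.0.2.10 - - [25/Nov/2017:{h:02d}:{m:02d}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    for h, m in [(21, 0), (21, 15), (21, 30), (21, 45), (22, 0), (22, 15)]
]
def run_example():
    # maxretry and bantime as in the page's wordpress jail; findtime=3600 as set by the sed edits above
    return simulate_jail(SAMPLE_LOG, WORDPRESS_FAILREGEX, maxretry=6, findtime=3600, bantime=84600)
```

Only the bursting host is banned, on its sixth POST; the slow host never has six hits inside one findtime window, which is exactly the case fail2ban-regex alone (it counts matches, not windows) will not show you.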
protection against SQL injection attacks
[sqlinject]
enabled = true
filter = sqlinject
port = http,https
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 84600
maxretry = 6
and create /etc/fail2ban/filter.d/sqlinject.conf with the content
# Fail2Ban configuration file
#
# Author: TrogloGeek (Damien VERON)
#
# $Revision: 1 $
#

[Definition]

sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F

# Option: failregex
# Notes.: Regex to try to detect SQL injection trials
# Values: TEXT
#
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
References