Fail2ban: mudanças entre as edições

Edição das 18h24min de 25 de novembro de 2017

Instalando Apache e Fail2Ban

apt-get install fail2ban apache2

ajustes básico

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i '30s/600/3600/g' /etc/fail2ban/jail.local
sed -i '34s/600/3600/g' /etc/fail2ban/jail.local
sed -i '35s/3/6/g' /etc/fail2ban/jail.local
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local

proteção contra ataque no phpmyadmin

Acrescentar em /etc/fail2ban/jail.local

[phpmyadmin]
enabled = true
filter   = phpmyadmin
port = http,https
logpath = /var/log/apache2/access.log
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
maxretry = 2
bantime = 84600

criar um arquivo em /etc/fail2ban/filter.d/phpmyadmin.conf com conteúdo:

[Definition]
failregex = \[client <HOST>\] File does not exist:.*(?i)phpmyadmin.*
            \[client <HOST>\] File does not exist:.*(?i)manager.*
            \[client <HOST>\] File does not exist:.*(?i)setup.*
            \[client <HOST>\] File does not exist:.*(?i)mysql.*
            \[client <HOST>\] File does not exist:.*(?i)sqlweb.*
            \[client <HOST>\] File does not exist:.*(?i)webdb.*
            \[client <HOST>\] File does not exist:.*(?i)pma.*
            \[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
            ^<HOST>.*GET.*(?i)phpmyadmin.*
            ^<HOST>.*GET.*(?i)manager.*
            ^<HOST>.*GET.*(?i)setup.*
            ^<HOST>.*GET.*(?i)mysql.*
            ^<HOST>.*GET.*(?i)sqlweb.*
            ^<HOST>.*GET.*(?i)webdb.*
            ^<HOST>.*GET.*(?i)pma.*
            ^<HOST>.*GET.*(?i)vtigercrm.*
           
ignoreregex =

Reiniciar o fail2ban

service fail2ban restart

Aplicar regras para ações já realizadas

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf

desbloqueando IP

fail2ban-client set phpmyadmin unbanip 192.168.100.9

lista os filtros

fail2ban-client status

lista o status do filtro

fail2ban-client status phpmyadmin

proteção contra ataque ao wordpress

acrescentar em /etc/fail2ban/jail.local

[wordpress]
enabled = true
filter = wordpress
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 84600
maxretry = 6

e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo

[Definition]
failregex = ^<HOST> .* "POST .*xmlrpc\.php
            ^<HOST> .* "POST .*wp-cron\.php.*
            ^<HOST> .* "POST .*wp-login\.php
ignoreregex =

proteção contra ataque sqlinject

[sqlinject]
enabled = true
filter = sqlinject
port = http,https
action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 84600
maxretry = 6

e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo

# Fail2Ban configuration file
#
# Author: TrogloGeek (Damien VERON)
#
# $Revision: 1 $
#

[Definition]

sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F

# Option:  failregex
# Notes.:  Regex to try to detect SQL injection trials
# Values:  TEXT
#
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Referências

Fail2ban: mudanças entre as edições

Edição das 18h24min de 25 de novembro de 2017

proteção contra ataque no phpmyadmin

proteção contra ataque ao wordpress

proteção contra ataque sqlinject

Menu de navegação

Ações da página

Ações da página

Ferramentas pessoais

Navegação

Pesquisa

Categoria

Ferramentas