Mudanças entre as edições de "Fail2ban"

Edição das 21h22min de 25 de novembro de 2017

Instalando Apache e Fail2Ban

apt-get install fail2ban apache2

ajustes básico

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i '30s/600/3600/g' /etc/fail2ban/jail.local
sed -i '34s/600/3600/g' /etc/fail2ban/jail.local
sed -i '35s/3/6/g' /etc/fail2ban/jail.local
sed -i '111s/action_/action_mwl/g' /etc/fail2ban/jail.local

proteção contra ataque no phpmyadmin

Acrescentar em /etc/fail2ban/jail.local

[phpmyadmin]
enabled = true
filter   = phpmyadmin
port = http,https
logpath = /var/log/apache2/access.log
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
maxretry = 2
bantime = 84600

criar um arquivo em /etc/fail2ban/filter.d/phpmyadmin.conf com conteúdo:

[Definition]
failregex = \[client <HOST>\] File does not exist:.*(?i)phpmyadmin.*
            \[client <HOST>\] File does not exist:.*(?i)manager.*
            \[client <HOST>\] File does not exist:.*(?i)setup.*
            \[client <HOST>\] File does not exist:.*(?i)mysql.*
            \[client <HOST>\] File does not exist:.*(?i)sqlweb.*
            \[client <HOST>\] File does not exist:.*(?i)webdb.*
            \[client <HOST>\] File does not exist:.*(?i)pma.*
            \[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
            ^<HOST>.*GET.*(?i)phpmyadmin.*
            ^<HOST>.*GET.*(?i)manager.*
            ^<HOST>.*GET.*(?i)setup.*
            ^<HOST>.*GET.*(?i)mysql.*
            ^<HOST>.*GET.*(?i)sqlweb.*
            ^<HOST>.*GET.*(?i)webdb.*
            ^<HOST>.*GET.*(?i)pma.*
            ^<HOST>.*GET.*(?i)vtigercrm.*
           
ignoreregex =

Reiniciar o fail2ban

service fail2ban restart

Aplicar regras para ações já realizadas

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf

desbloqueando IP

fail2ban-client set phpmyadmin unbanip 192.168.100.9

lista os filtros

fail2ban-client status

lista o status do filtro

fail2ban-client status phpmyadmin

proteção contra ataque ao wordpress

acrescentar em /etc/fail2ban/jail.local

[wordpress]
enabled = true
filter = wordpress
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 84600
maxretry = 6

e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo

[Definition]
failregex = ^<HOST> .* "POST .*xmlrpc\.php
            ^<HOST> .* "POST .*wp-cron\.php.*
            ^<HOST> .* "POST .*wp-login\.php
ignoreregex =

proteção contra ataque sqlinject

[sqlinject] enabled = true filter = sqlinject port = http,https action = iptables-multiport[name=sqlinject, port="http,https", protocol=tcp] logpath = /var/log/apache2/access.log bantime = 84600 maxretry = 6

e crie o /etc/fail2ban/filter.d/sqlinject.conf com o conteúdo

Fail2Ban configuration file
Author: TrogloGeek (Damien VERON)
$Revision: 1 $

[Definition]

sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set) sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F

Option: failregex
Notes.: Regex to try to detect SQL injection trials
Values: TEXT

failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"

Option: ignoreregex
Notes.: regex to ignore. If this regex matches, the line is ignored.
Values: TEXT

ignoreregex =

Referências https://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04 https://github.com/TrogloGeek/fail2ban-apache-sqlinject

iptables -D fail2ban-NAME -s IP -j DROP

Mudanças entre as edições de "Fail2ban"

Edição das 21h22min de 25 de novembro de 2017

proteção contra ataque no phpmyadmin

proteção contra ataque ao wordpress

proteção contra ataque sqlinject

Menu de navegação

Ações da página

Ações da página

Ferramentas pessoais

Navegação

Categoria

Ferramentas

Pesquisa

@@ Linha 55: / Linha 55: @@
---- Reiniciar o fail2ban
+Reiniciar o fail2ban
+<source lang="bash">
 service fail2ban restart
+</source>
---- Aplicar regras para ações já realizadas
+Aplicar regras para ações já realizadas
-fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-myadmin.conf
+<source lang="bash">
+fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf
+</source>
+desbloqueando IP
+<source lang="bash">
+fail2ban-client set phpmyadmin unbanip 192.168.100.9
+</source>
---- desbloqueando IP
+lista os filtros
-fail2ban-client set apache-myadmin unbanip 192.168.100.9
+<source lang="bash">
---- lista os filtros
 fail2ban-client status
+</source>
---- lista o status do filtro
+lista o status do filtro
-fail2ban-client status apache-myadmin
+<source lang="bash">
+fail2ban-client status phpmyadmin
+</source>
-*********************** proteção contra ataque ao wordpress
+== proteção contra ataque ao wordpress ==
 acrescentar em /etc/fail2ban/jail.local
-[wordpress]
+ [wordpress]
-enabled = true
+ enabled = true
-filter = wordpress
+ filter = wordpress
-port = http,https
+ port = http,https
-action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
+ action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
-logpath = /var/log/apache2/access.log
+ logpath = /var/log/apache2/access.log
-bantime = 84600
+ bantime = 84600
-maxretry = 6
+ maxretry = 6
 e crie o /etc/fail2ban/filter.d/wordpress.conf com o conteúdo
-[Definition]
+ [Definition]
-failregex = ^<HOST> .* "POST .*xmlrpc\.php
+ failregex = ^<HOST> .* "POST .*xmlrpc\.php
-            ^<HOST> .* "POST .*wp-cron\.php.*
+             ^<HOST> .* "POST .*wp-cron\.php.*
-            ^<HOST> .* "POST .*wp-login\.php
+             ^<HOST> .* "POST .*wp-login\.php
-ignoreregex =
+ ignoreregex =
-*********************** proteção contra ataque sqlinject
+== proteção contra ataque sqlinject ==