Configuration de Fail2ban et règles

Installation de fail2ban

apt-get install fail2ban

Configuration des fichiers conf

nano fail2ban.conf

On définit dans ce fichier le niveau de log désiré.

[Definition]

# fail2ban.conf holds the settings of the fail2ban daemon itself; the jails are
# defined separately in jail.conf / jail.local.
# Option: loglevel
# Notes.: Set the log level output.
#         1 = ERROR
#         2 = WARN
#         3 = INFO
#         4 = DEBUG
# Values: [ NUM ]  Default: 1
#
# Do not raise this to DEBUG (4) when the [recidive] jail is enabled: that jail
# reads fail2ban's own log and its header warns that DEBUG output can make
# fail2ban feed itself in a loop.
# NOTE(review): the numeric scale is the 0.8-era form; newer releases expect a
# level name here (e.g. INFO) -- check the fail2ban.conf shipped with your version.
loglevel = 3

On définit ensuite les différentes autres configurations :

nano jail.conf
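[DEFAULT]
# Values in [DEFAULT] apply to every jail that does not override them; the
# section header is required, a config parser rejects keys outside any section.
# Networks and addresses never to ban (space-separated). The whole
# 192.168.1.0/24 LAN is exempt here, so a compromised host on it can retry
# without limit: keep this list as narrow as the environment allows.
ignoreip = 127.0.0.1/8 192.168.1.0/24
# How long an address stays banned, in seconds (900 = 15 minutes)
bantime = 900
# Window, in seconds, within which failures are counted (600 = 10 minutes)
findtime = 600
# Number of failures inside findtime that triggers a ban
maxretry = 3
# Recipient of the notification e-mails
destemail = admin@mondomaine.tld
# Sender display name used in action notifications
sendername = Fail2ban-host
# Sender address of the notifications
sender = fail2ban@mondomaine.tld
# Default action. action_ only bans; action_mw also mails a whois report and
# action_mwl additionally includes the matching log lines. Full e-mail
# notification, which is what destemail/sender above are set up for, is
# action_mwl (the original selected action_, which sends no mail at all).
action = %(action_mwl)s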

On définit ensuite chacune des prisons que l'on souhaite activer, par exemple pour ssh:

[ssh]

# Example jail: sshd authentication failures taken from auth.log.
enabled  = true
# Port the ban rule blocks; it must be the port sshd actually listens on
# (2221 is a non-standard port here -- keep it in step with sshd_config).
port     = 2221
filter   = sshd
logpath  = /var/log/auth.log
# Overrides the maxretry = 3 set in the defaults above.
maxretry = 6

On active la prison en passant "enabled" à "true" et on définit le port utilisé pour ce service si besoin de le changer.

On enregistre le fichier sous :

/etc/fail2ban/jail.local

Règles à activer pour un serveur web

[ssh]

# sshd brute-force jail. The port is given as a service name, which the ban
# action resolves to the standard port; use the numeric value if sshd listens
# elsewhere, otherwise the ban rule does not cover it.
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
# Overrides the global maxretry.
maxretry = 6
[ssh-ddos]

# Hosts that repeatedly open SSH connections without completing authentication
# (sshd-ddos filter). NOTE(review): the separate sshd-ddos filter ships with
# fail2ban 0.8/0.9; later releases fold it into the sshd filter (mode =
# aggressive) -- confirm against the installed filter.d/.
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#

[apache]

# Failed HTTP authentication (apache-auth filter) read from the Apache error
# logs; the glob matches both /var/log/apache and /var/log/apache2.
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

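# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

# Identical to [apache] above (same filter, logpath and ports): enabling both
# counts every failure twice and runs two ban actions for the same address.
# This jail exists only for compatibility, so it is left disabled here and
# [apache] is the one in use.
enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6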

[apache-noscript]

# Requests for scripts the server does not have (apache-noscript filter),
# same error-log glob and threshold as [apache].
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

# Oversized or malformed requests logged by Apache (apache-overflows filter);
# the threshold is deliberately stricter (2) than for the auth jails (6).
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

[apache-modsecurity]

# Relies on mod_security writing its denials to the Apache error log; verify
# the module is installed and logging there, otherwise this jail never matches.
enabled  = true
filter   = apache-modsecurity
port     = http,https
logpath  = /var/log/apache*/*error.log
maxretry = 2

[apache-nohome]

# Requests for ~user home directories that do not exist (apache-nohome filter).
enabled  = true
filter   = apache-nohome
port     = http,https
logpath  = /var/log/apache*/*error.log
maxretry = 2
[proftpd]

# ProFTPD login failures; the ban covers control and data ports for both plain
# and TLS FTP.
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
#
# Mail servers
#

[postfix]

# Postfix SMTP-level failures. No maxretry here, so the global default applies
# (3 if the defaults shown earlier are kept).
enabled  = true
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

# Courier SMTP failures on the same ports as [postfix]; only one of the two MTA
# jails will ever match, depending on which MTA writes mail.log.
enabled  = true
port     = smtp,ssmtp,submission
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

# Courier authentication failures (courierlogin filter); SMTP, IMAP and POP3
# ports are banned together, as the banner above explains.
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

# Postfix SASL authentication failures (postfix-sasl filter), banned on all
# mail-related ports.
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

[dovecot]

# Dovecot IMAP/POP3 login failures; same multi-port ban as [courierauth].
enabled = true
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log
# To log wrong MySQL access attempts add to /etc/mysql/my.cnf:
# log-error=/var/log/mysql/error.log
# log-warning = 2
[mysqld-auth]

# MySQL failed logins; only works once the my.cnf settings above make the
# attempts land in /var/log/mysql/error.log.
# NOTE(review): an instance reachable only through the local socket gives this
# jail nothing to act on -- confirm 3306 is actually exposed before relying on it.
enabled  = true
filter   = mysqld-auth
port     = 3306
logpath  = /var/log/mysql/error.log
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

# Reads fail2ban's own log: an address banned by any other jail 2 times
# (maxretry) within a day (findtime) is banned on all ports for a week (bantime).
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
# Two actions: the second one sits on an indented continuation line.
# NOTE(review): no dest= is passed to sendmail-whois-lines, so the report goes to
# that action's default recipient rather than to destemail -- confirm.
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
# Values are seconds; the inline "; ..." comments are accepted by fail2ban's
# config parser.
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 2

Règles à activer pour un serveur mail

[ssh]

# sshd brute-force jail for the mail-server profile. 2221 must be the port sshd
# really listens on: the ban rule only covers the ports listed here.
enabled  = true
port     = 2221
filter   = sshd
logpath  = /var/log/auth.log
# Overrides the global maxretry.
maxretry = 6
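[pam-generic]

# Generic PAM authentication failures (pam_unix ... rhost=) found in auth.log,
# whatever service produced them.
enabled  = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# The ban action is iptables-allports, so the port value is not used by the
# rule; a single placeholder is kept. The original listed "port" twice
# (all, then anyport), which a strict config parser rejects and a lenient one
# resolves silently to the last value.
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6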
[ssh-ddos]

# SSH connections opened without completing authentication (sshd-ddos filter);
# the port must match [ssh] above. NOTE(review): newer fail2ban releases fold
# this filter into sshd (mode = aggressive) -- confirm against filter.d/.
enabled  = true
port     = 2221
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#

[apache]

# Failed HTTP authentication (apache-auth filter). 8021 and 44321 are presumably
# additional HTTP listeners of this profile; the ban rule only covers the ports
# listed, so keep this list in step with Apache's Listen directives.
enabled  = true
port     = http,https,8021,44321
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

# Requests for scripts the server does not have (apache-noscript filter),
# same ports and threshold as [apache].
enabled  = true
port     = http,https,8021,44321
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

# Oversized or malformed requests (apache-overflows filter); stricter threshold
# (2) than the auth jails (6).
enabled  = true
port     = http,https,8021,44321
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

[apache-modsecurity]

# Relies on mod_security writing its denials to the Apache error log; verify
# the module is installed and logging there, otherwise this jail never matches.
enabled  = true
filter   = apache-modsecurity
port     = http,https,8021,44321
logpath  = /var/log/apache*/*error.log
maxretry = 2

[apache-nohome]

# Requests for ~user home directories that do not exist (apache-nohome filter).
enabled  = true
filter   = apache-nohome
port     = http,https,8021,44321
logpath  = /var/log/apache*/*error.log
maxretry = 2

[php-url-fopen]

# Requests that pass a URL in a query parameter (php-url-fopen filter), read
# from the per-site access logs matched by the glob under /var/www.
# NOTE(review): only http,https here while the other HTTP jails of this profile
# also list 8021,44321 -- confirm whether that is intended. No maxretry, so the
# global default applies.
enabled = true
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
[roundcube-auth]

# Roundcube webmail login failures; logpath must match the actual install path
# and be readable by fail2ban, or the jail will not start. No maxretry, so the
# global default applies.
enabled  = true
filter   = roundcube-auth
port     = http,https,8021,44321
logpath  = /var/www/roundcube/logs/errors
#
# Mail servers
#

[postfix]

# Postfix SMTP-level failures. Unlike the web-server profile, the ban here also
# covers the IMAP/POP3 ports, in line with the "all relevant ports" rationale
# below. No maxretry, so the global default applies.
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

# Courier SMTP failures; only one of [postfix]/[couriersmtp] will ever match,
# depending on which MTA writes mail.log.
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

# Courier authentication failures (courierlogin filter); SMTP, IMAP and POP3
# ports are banned together, as the banner above explains.
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

# Postfix SASL authentication failures (postfix-sasl filter).
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
# This profile follows that advice; make sure the syslog daemon actually
# writes mail.warn, since a missing logpath keeps the jail from starting.
logpath  = /var/log/mail.warn
[dovecot]

# Dovecot IMAP/POP3 login failures; same multi-port ban as [courierauth].
enabled = true
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

# To log wrong MySQL access attempts add to /etc/mysql/my.cnf:
# log-error=/var/log/mysql/error.log
# log-warning = 2
[mysqld-auth]

# MySQL failed logins; only works once the my.cnf settings above make the
# attempts land in /var/log/mysql/error.log.
# NOTE(review): an instance reachable only through the local socket gives this
# jail nothing to act on -- confirm 3306 is actually exposed before relying on it.
enabled  = true
filter   = mysqld-auth
port     = 3306
logpath  = /var/log/mysql/error.log

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

# Reads fail2ban's own log: an address banned by any other jail 2 times
# (maxretry) within a day (findtime) is banned on all ports for a week (bantime).
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
# Two actions: the second one sits on an indented continuation line.
# NOTE(review): no dest= is passed to sendmail-whois-lines, so the report goes to
# that action's default recipient rather than to destemail -- confirm.
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
# Values are seconds; the inline "; ..." comments are accepted by fail2ban's
# config parser.
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 2

Règles à activer pour un serveur DNS

[ssh]

# sshd brute-force jail for the DNS-server profile. 2212 must be the port sshd
# really listens on: the ban rule only covers the ports listed here.
enabled  = true
port     = 2212
filter   = sshd
logpath  = /var/log/auth.log
# Overrides the global maxretry.
maxretry = 6
[ssh-ddos]

# SSH connections opened without completing authentication (sshd-ddos filter);
# the port must match [ssh] above. NOTE(review): newer fail2ban releases fold
# this filter into sshd (mode = aggressive) -- confirm against filter.d/.
enabled  = true
port     = 2212
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
[postfix]

# Postfix SMTP-level failures on the DNS host (SMTP ports only, unlike the
# mail-server profile). No maxretry, so the global default applies.
enabled  = true
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log
[sasl]

# Postfix SASL authentication failures (postfix-sasl filter), banned on all
# mail-related ports.
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log
[named-refused-tcp]

# BIND queries refused over TCP (named-refused filter). Only the TCP variant is
# enabled, and it should stay that way: UDP source addresses are trivially
# spoofable, so banning on UDP refusals would let a third party get arbitrary
# addresses banned.
# logpath requires named to log its security category to this file; a missing
# file keeps the jail from starting. No maxretry, so the global default applies.
enabled  = true
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log
[recidive]

# Reads fail2ban's own log: an address banned by any other jail 2 times
# (maxretry) within a day (findtime) is banned on all ports for a week (bantime).
# Keep the daemon loglevel below DEBUG, as the other profiles' header for this
# jail warns, or fail2ban can loop on its own output.
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
# Two actions: the second one sits on an indented continuation line.
# NOTE(review): no dest= is passed to sendmail-whois-lines, so the report goes to
# that action's default recipient rather than to destemail -- confirm.
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
# Values are seconds; the inline "; ..." comments are accepted by fail2ban's
# config parser.
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 2