
#1 On 25/01/2012, at 05:47

Fighter777

fail2ban protection rules (personal)

Here are a few fail2ban protection rules that I use on my dedicated server.


Apache w00tw00t
File: /etc/fail2ban/filter.d/apache-w00tw00t.conf

[Definition]

failregex =  ^<HOST> -.*"GET \/.*w00t.*".*
                  \[client <HOST>\] client sent HTTP\/1\.1 request without hostname \(see RFC2616 section 14\.23\)\: .*

ignoreregex =

example:

[Sun Jan 22 13:05:38 2012] [error] [client 69.162.110.73] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Apache DDoS attack
File: /etc/fail2ban/filter.d/apache-ddos.conf

[Definition]

failregex = \[client <HOST>\] client denied by server configuration\: \/htdocs *$
            \[client <HOST>\] request failed\: URI too long \(longer than 8190\) *$
ignoreregex =

example:

[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /usr/share/phpmyadmin/scripts
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs

brute-force attack
File: /etc/fail2ban/filter.d/apache-bruteforce.conf

[Definition]
failregex = [[]client <HOST>[]] File does not exist: /var/www/admin.*
            [[]client <HOST>[]] File does not exist: /usr/share/.*
            [[]client <HOST>[]] request failed: error reading the headers
            [[]client <HOST>[]] File does not exist: /var/www/3rdparty.*
            [[]client <HOST>[]] File does not exist: /var/www/PHPMYADMIN.*
            [[]client <HOST>[]] File does not exist: /var/www/PMA.*
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin.*
            [[]client <HOST>[]] File does not exist: /var/www/round.*
            [[]client <HOST>[]] File does not exist: /var/www/rc.*
            [[]client <HOST>[]] File does not exist: /var/www/mss2.*
            [[]client <HOST>[]] File does not exist: /var/www/mail.*
            [[]client <HOST>[]] File does not exist: /var/www/rms.*
            [[]client <HOST>[]] File does not exist: /var/www/web.*
            [[]client <HOST>[]] File does not exist: /var/www/wm.*
            [[]client <HOST>[]] File does not exist: /var/www/bin.*
            [[]client <HOST>[]] File does not exist: /var/www/cube.*
            [[]client <HOST>[]] File does not exist: /var/www/proxy.*
            [[]client <HOST>[]] File does not exist: /var/www/ip.*
            [[]client <HOST>[]] File does not exist: /var/www/mysql.*
            [[]client <HOST>[]] File does not exist: /var/www/myadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/bbs.*
            [[]client <HOST>[]] File does not exist: /var/www/cpadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/blog.*
            [[]client <HOST>[]] File does not exist: /var/www/forum.*
            [[]client <HOST>[]] File does not exist: /var/www/e107.*
            [[]client <HOST>[]] File does not exist: /var/www/www.*
            [[]client <HOST>[]] File does not exist: /var/www/SSLMySQLAdmin.*
            [[]client <HOST>[]] File does not exist: /var/www/SQL.*
            [[]client <HOST>[]] File does not exist: /var/www/~.*
            [[]client <HOST>[]] File does not exist: /var/www/db.*
            [[]client <HOST>[]] File does not exist: /var/www/sql.*
            [[]client <HOST>[]] File does not exist: /var/www/Myadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/php.*
            [[]client <HOST>[]] File does not exist: /var/www/2phpmyadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/tool.*
            [[]client <HOST>[]] File does not exist: /var/www/path.*
            [[]client <HOST>[]] File does not exist: /var/www/data.*
            [[]client <HOST>[]] File does not exist: /var/www/doesnotexist.*

ignoreregex =

example:

[Sun Jan 22 16:58:28 2012] [error] [client 49.212.46.75] invalid request-URI HTTP/1.1
[Sun Jan 22 16:58:28 2012] [error] [client 49.212.46.75] request failed: error reading the headers
[Sun Jan 22 16:58:29 2012] [error] [client 49.212.46.75] client denied by server configuration: /htdocs

[Tue Jan 24 19:02:14 2012] [error] [client 190.254.75.82] invalid request-URI HTTP/1.1
[Tue Jan 24 19:02:14 2012] [error] [client 190.254.75.82] request failed: error reading the headers
[Tue Jan 24 19:02:14 2012] [error] [client 190.254.75.82] client denied by server configuration: /htdocs


2012-01-22 16:58:29,514 fail2ban.actions: WARNING [apache-bruteforce] Ban 49.212.46.75
2012-01-24 19:02:14,839 fail2ban.actions: WARNING [apache-bruteforce] Ban 190.254.75.82

Apache flood
File: /etc/fail2ban/filter.d/apache-flood.conf

[Definition]

failregex = ^<HOST> -.*"GET http.*".*

ignoreregex =

attack on the IP address (related to the Apache config)
File: /etc/fail2ban/filter.d/apache-other-Vhost.conf

[Definition]

failregex = 88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*muieblackcat
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*w00t
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*mysql
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*dbadmin
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*myadmin
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*MyAdmin
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*admin
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*php
        88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*jmx-console

ignoreregex =

File /etc/fail2ban/jail.conf:

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/*.log
maxretry = 1

[apache-flood]
enabled = true
filter = apache-flood
action = iptables[name=Apache-flood,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 3

[apache-ddos]
enabled = true
filter = apache-ddos
action = iptables[name=Apache-ddos,port=80,protocol=tcp]
logpath = /var/log/apache2/error*.log
maxretry = 3

[apache-bruteforce]
enabled = true
filter = apache-bruteforce
action = iptables[name=Apache-bruteforce,port=80,protocol=tcp]
logpath = /var/log/apache2/error*.log
maxretry = 1

[apache-Vhost]
enabled = true
filter = apache-other-Vhost
action = iptables[name=Apache-other-Vhost,port=80,protocol=tcp]
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 1



fail2ban.log file when everything is working:

2012-01-28 04:41:59,817 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-01-28 04:41:59,820 fail2ban.jail   : INFO   Creating new jail 'apache-w00tw00t'
2012-01-28 04:41:59,820 fail2ban.jail   : INFO   Jail 'apache-w00tw00t' uses poller
2012-01-28 04:41:59,858 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,859 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_aion-XXX.log
2012-01-28 04:41:59,861 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access_aion-XXX.log
2012-01-28 04:41:59,862 fail2ban.filter : INFO   Added logfile = /var/log/apache2/other_vhosts_access.log
2012-01-28 04:41:59,864 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access.log
2012-01-28 04:41:59,865 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,866 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,868 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2012-01-28 04:41:59,869 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,871 fail2ban.filter : INFO   Set maxRetry = 1
2012-01-28 04:41:59,873 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:41:59,874 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:41:59,887 fail2ban.jail   : INFO   Creating new jail 'apache-Vhost'
2012-01-28 04:41:59,887 fail2ban.jail   : INFO   Jail 'apache-Vhost' uses poller
2012-01-28 04:41:59,888 fail2ban.filter : INFO   Added logfile = /var/log/apache2/other_vhosts_access.log
2012-01-28 04:41:59,889 fail2ban.filter : INFO   Set maxRetry = 1
2012-01-28 04:41:59,891 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:41:59,892 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:41:59,923 fail2ban.jail   : INFO   Creating new jail 'apache-flood'
2012-01-28 04:41:59,923 fail2ban.jail   : INFO   Jail 'apache-flood' uses poller
2012-01-28 04:41:59,925 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,926 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access_aion-XXX.log
2012-01-28 04:41:59,928 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access.log
2012-01-28 04:41:59,929 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,930 fail2ban.filter : INFO   Set maxRetry = 3
2012-01-28 04:41:59,932 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:41:59,933 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:41:59,943 fail2ban.jail   : INFO   Creating new jail 'apache-noscript'
2012-01-28 04:41:59,943 fail2ban.jail   : INFO   Jail 'apache-noscript' uses poller
2012-01-28 04:41:59,944 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_aion-XXX.log
2012-01-28 04:41:59,945 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,946 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2012-01-28 04:41:59,948 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,949 fail2ban.filter : INFO   Set maxRetry = 1
2012-01-28 04:41:59,950 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:41:59,951 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:41:59,965 fail2ban.jail   : INFO   Creating new jail 'ssh'
2012-01-28 04:41:59,966 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2012-01-28 04:41:59,967 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-01-28 04:41:59,968 fail2ban.filter : INFO   Set maxRetry = 3
2012-01-28 04:41:59,970 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:41:59,971 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:42:00,076 fail2ban.jail   : INFO   Creating new jail 'apache-bruteforce'
2012-01-28 04:42:00,076 fail2ban.jail   : INFO   Jail 'apache-bruteforce' uses poller
2012-01-28 04:42:00,078 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_aion-XXX.log
2012-01-28 04:42:00,079 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,080 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2012-01-28 04:42:00,081 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,083 fail2ban.filter : INFO   Set maxRetry = 1
2012-01-28 04:42:00,084 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:42:00,085 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:42:00,486 fail2ban.jail   : INFO   Creating new jail 'webmin'
2012-01-28 04:42:00,487 fail2ban.jail   : INFO   Jail 'webmin' uses poller
2012-01-28 04:42:00,488 fail2ban.filter : INFO   Added logfile = /var/log/messages
2012-01-28 04:42:00,489 fail2ban.filter : INFO   Set maxRetry = 2
2012-01-28 04:42:00,491 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:42:00,492 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:42:00,504 fail2ban.jail   : INFO   Creating new jail 'apache-ddos'
2012-01-28 04:42:00,504 fail2ban.jail   : INFO   Jail 'apache-ddos' uses poller
2012-01-28 04:42:00,506 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_aion-XXXX.log
2012-01-28 04:42:00,507 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,508 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2012-01-28 04:42:00,510 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,511 fail2ban.filter : INFO   Set maxRetry = 3
2012-01-28 04:42:00,512 fail2ban.filter : INFO   Set findtime = 300
2012-01-28 04:42:00,514 fail2ban.actions: INFO   Set banTime = -1
2012-01-28 04:42:00,528 fail2ban.jail   : INFO   Jail 'apache-w00tw00t' started
2012-01-28 04:42:00,533 fail2ban.jail   : INFO   Jail 'apache-Vhost' started
2012-01-28 04:42:00,543 fail2ban.jail   : INFO   Jail 'apache-flood' started
2012-01-28 04:42:00,562 fail2ban.jail   : INFO   Jail 'apache-noscript' started
2012-01-28 04:42:00,572 fail2ban.jail   : INFO   Jail 'ssh' started
2012-01-28 04:42:00,588 fail2ban.jail   : INFO   Jail 'apache-bruteforce' started
2012-01-28 04:42:00,605 fail2ban.jail   : INFO   Jail 'webmin' started
2012-01-28 04:42:00,624 fail2ban.jail   : INFO   Jail 'apache-ddos' started

list of bans, as an example

2012-01-22 07:58:58,742 fail2ban.actions: WARNING [apache-ddos] Ban 95.108.150.235
2012-01-22 10:16:46,253 fail2ban.actions: WARNING [apache-ddos] Ban 218.38.29.31
2012-01-22 12:50:40,703 fail2ban.actions: WARNING [apache-ddos] Ban 95.142.171.240
2012-01-22 14:27:56,065 fail2ban.actions: WARNING [apache-ddos] Ban 46.251.237.34
2012-01-22 14:39:10,798 fail2ban.actions: WARNING [apache-ddos] Ban 203.196.171.229
2012-01-22 16:58:29,514 fail2ban.actions: WARNING [apache-bruteforce] Ban 49.212.46.75
2012-01-22 18:48:23,314 fail2ban.actions: WARNING [apache-ddos] Ban 210.48.67.75
2012-01-23 00:49:50,060 fail2ban.actions: WARNING [apache-ddos] Ban 200.188.200.147
2012-01-23 11:41:13,140 fail2ban.actions: WARNING [apache-ddos] Ban 64.27.1.89
2012-01-23 11:48:46,665 fail2ban.actions: WARNING [apache-ddos] Ban 64.5.40.26
2012-01-23 18:02:35,803 fail2ban.actions: WARNING [apache-ddos] Ban 119.188.7.166
2012-01-23 23:44:11,447 fail2ban.actions: WARNING [apache-ddos] Ban 110.4.107.2
2012-01-24 07:08:33,227 fail2ban.actions: WARNING [apache-ddos] Ban 89.187.153.223
2012-01-24 15:00:20,222 fail2ban.actions: WARNING [apache-ddos] Ban 184.72.253.250
2012-01-24 15:00:20,262 fail2ban.actions: WARNING [apache-ddos] 184.72.253.250 already banned
2012-01-24 19:02:14,839 fail2ban.actions: WARNING [apache-bruteforce] Ban 190.254.75.82
2012-01-24 19:23:49,213 fail2ban.actions: WARNING [apache-ddos] Ban 178.19.24.129
2012-01-24 22:58:11,736 fail2ban.actions: WARNING [apache-ddos] Ban 193.71.76.2

The config for DDoS attacks is specific to my Apache server, which does not accept connections on the IP address but only on the domain names and subdomains.

file: /etc/apache2/sites-available/default

<VirtualHost *:80>
    ServerName 88.191.XX.XX
    <Directory />
        Deny from all
    </Directory>
</VirtualHost>

For information, the filters are written in regex syntax; see the wiki page for more info: http://fr.wikipedia.org/wiki/Expression_rationnelle

PS: replace the XXX.XXX with your IP address

EDIT: changes to the jail.conf and apache-w00tw00t.conf files
added the apache-other-Vhost.conf file

Last modified by Fighter777 (On 28/01/2012, at 05:51)


#2 On 28/01/2012, at 05:29

Fighter777

Re: fail2ban protection rules (personal)

rule changes

Because of the Apache configuration, the /var/log/apache2/other_vhosts_access.log file did not have the same format as the other access files.

example:

other_vhosts_access.log:
88.191.XXX.XXX:80 58.64.149.143 - - [27/Jan/2012:21:06:14 +0100] "GET /muieblackcat HTTP/1.1" 403 469 "-" "-"

So I am correcting the rules based on the logs I capture on my server.

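The filters in the first post and the other_vhosts_access.log format noted in the second post can be checked offline before a rule goes live. The following is an added example, not part of the thread and not fail2ban's own code: it reproduces the small part of fail2ban's filter logic that matters for validating a failregex (the `<HOST>` tag is replaced by a capture group, each pattern is compiled as a Python regex and searched against the whole line, as fail2ban 0.8 does; newer releases cut the timestamp out of the line first, so anchored patterns may behave differently there). The `HOST` replacement string is modelled on the 0.8 series and is an assumption; the sample log lines are constructed from the ones quoted in the thread plus two made-up access-log lines in a documentation address range, and the brute-force list is shortened to two representative entries. The placeholder `88.191.XXX.XXX` is kept exactly as posted, so the quoted other_vhosts line matches as-is.

```python
import re
from collections import Counter

# fail2ban 0.8 substitutes <HOST> with a named group matching an IPv4 address
# or a hostname; this replacement string is modelled on the 0.8 series (assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Patterns copied from the thread's filter.d files (brute-force list shortened to
# two entries). Note [[] and []] are one-character classes holding a literal
# bracket, an alternative spelling of \[ and \].
FILTERS = {
    "apache-w00tw00t": [
        r'^<HOST> -.*"GET \/.*w00t.*".*',
        r'\[client <HOST>\] client sent HTTP\/1\.1 request without hostname \(see RFC2616 section 14\.23\)\: .*',
    ],
    "apache-ddos": [
        r'\[client <HOST>\] client denied by server configuration\: \/htdocs *$',
        r'\[client <HOST>\] request failed\: URI too long \(longer than 8190\) *$',
    ],
    "apache-bruteforce": [
        r'[[]client <HOST>[]] File does not exist: /var/www/admin.*',
        r'[[]client <HOST>[]] request failed: error reading the headers',
    ],
    "apache-flood": [r'^<HOST> -.*"GET http.*".*'],
    "apache-other-Vhost": [
        r'88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*muieblackcat',
        r'88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*w00t',
    ],
}

# maxretry values from the thread's jail.conf
MAXRETRY = {"apache-w00tw00t": 1, "apache-flood": 3, "apache-ddos": 3,
            "apache-bruteforce": 1, "apache-other-Vhost": 1}

# Constructed sample log: lines quoted in the thread, plus a made-up proxy-style
# request and a benign request from the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
[Sun Jan 22 13:05:38 2012] [error] [client 69.162.110.73] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /usr/share/phpmyadmin/scripts
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 16:58:28 2012] [error] [client 49.212.46.75] request failed: error reading the headers
88.191.XXX.XXX:80 58.64.149.143 - - [27/Jan/2012:21:06:14 +0100] "GET /muieblackcat HTTP/1.1" 403 469 "-" "-"
203.0.113.7 - - [27/Jan/2012:21:07:01 +0100] "GET http://example.com/ HTTP/1.1" 403 469 "-" "-"
203.0.113.8 - - [27/Jan/2012:21:08:01 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def compile_filter(patterns):
    """Expand <HOST> and compile every failregex line of one filter."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def match_line(compiled, line):
    """Return the host captured by the first matching regex, or None.

    fail2ban stops at the first failregex that matches a line, so later
    patterns never get a chance to capture a different host.
    """
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(log_text, filters=FILTERS):
    """Map each jail name to a Counter of hosts caught, one count per matching line."""
    compiled = {name: compile_filter(p) for name, p in filters.items()}
    hits = {name: Counter() for name in filters}
    for line in log_text.splitlines():
        for name, regexes in compiled.items():
            host = match_line(regexes, line)
            if host:
                hits[name][host] += 1
    return hits


def would_ban(hits, maxretry=MAXRETRY):
    """Hosts whose count reaches the jail's maxretry, assuming all hits fall in one findtime window."""
    return {name: sorted(h for h, n in c.items() if n >= maxretry[name])
            for name, c in hits.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for jail, banned in would_ban(results).items():
        print(f"{jail:20s} hits={dict(results[jail])} would ban={banned}")
```

Running it shows the threshold effect the jail.conf encodes: the three /htdocs denials for 95.142.171.240 reach apache-ddos's maxretry of 3, while the single absolute-URL request only counts once against apache-flood's threshold of 3 and is not banned; the phpmyadmin denial is matched by none of the posted patterns. Dropping a new line from your own error log into SAMPLE_LOG is a quick way to see which jail (if any) would claim it before editing filter.d.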