#1 25/01/2012, 04:47
- Fighter777
fail2ban protection rules (personal)
here are a few fail2ban protection rules that I use on my dedicated server
apache w00tw00t
File: /etc/fail2ban/filter.d/apache-w00tw00t.conf
[Definition]
# the extra lines of a multi-line failregex must be indented (continuation lines)
failregex = ^<HOST> -.*"GET \/.*w00t.*".*
            \[client <HOST>\] client sent HTTP\/1\.1 request without hostname \(see RFC2616 section 14\.23\)\: .*
ignoreregex =
example:
[Sun Jan 22 13:05:38 2012] [error] [client 69.162.110.73] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
apache ddos attack
File: /etc/fail2ban/filter.d/apache-ddos.conf
[Definition]
failregex = \[client <HOST>\] client denied by server configuration\: \/htdocs *$
            \[client <HOST>\] request failed\: URI too long \(longer than 8190\) *$
ignoreregex =
example:
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /usr/share/phpmyadmin/scripts
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs
bruteforce attack
File: /etc/fail2ban/filter.d/apache-bruteforce.conf
[Definition]
failregex = [[]client <HOST>[]] File does not exist: /var/www/admin.*
            [[]client <HOST>[]] File does not exist: /usr/share/.*
            [[]client <HOST>[]] request failed: error reading the headers
            [[]client <HOST>[]] File does not exist: /var/www/3rdparty.*
            [[]client <HOST>[]] File does not exist: /var/www/PHPMYADMIN.*
            [[]client <HOST>[]] File does not exist: /var/www/PMA.*
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin.*
            [[]client <HOST>[]] File does not exist: /var/www/round.*
            [[]client <HOST>[]] File does not exist: /var/www/rc.*
            [[]client <HOST>[]] File does not exist: /var/www/mss2.*
            [[]client <HOST>[]] File does not exist: /var/www/mail.*
            [[]client <HOST>[]] File does not exist: /var/www/rms.*
            [[]client <HOST>[]] File does not exist: /var/www/web.*
            [[]client <HOST>[]] File does not exist: /var/www/wm.*
            [[]client <HOST>[]] File does not exist: /var/www/bin.*
            [[]client <HOST>[]] File does not exist: /var/www/cube.*
            [[]client <HOST>[]] File does not exist: /var/www/proxy.*
            [[]client <HOST>[]] File does not exist: /var/www/ip.*
            [[]client <HOST>[]] File does not exist: /var/www/mysql.*
            [[]client <HOST>[]] File does not exist: /var/www/myadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/bbs.*
            [[]client <HOST>[]] File does not exist: /var/www/cpadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/blog.*
            [[]client <HOST>[]] File does not exist: /var/www/forum.*
            [[]client <HOST>[]] File does not exist: /var/www/e107.*
            [[]client <HOST>[]] File does not exist: /var/www/www.*
            [[]client <HOST>[]] File does not exist: /var/www/SSLMySQLAdmin.*
            [[]client <HOST>[]] File does not exist: /var/www/SQL.*
            [[]client <HOST>[]] File does not exist: /var/www/~.*
            [[]client <HOST>[]] File does not exist: /var/www/db.*
            [[]client <HOST>[]] File does not exist: /var/www/sql.*
            [[]client <HOST>[]] File does not exist: /var/www/Myadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/php.*
            [[]client <HOST>[]] File does not exist: /var/www/2phpmyadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/tool.*
            [[]client <HOST>[]] File does not exist: /var/www/path.*
            [[]client <HOST>[]] File does not exist: /var/www/data.*
            [[]client <HOST>[]] File does not exist: /var/www/doesnotexist.*
ignoreregex =
example:
[Sun Jan 22 16:58:28 2012] [error] [client 49.212.46.75] invalid request-URI HTTP/1.1
[Sun Jan 22 16:58:28 2012] [error] [client 49.212.46.75] request failed: error reading the headers
[Sun Jan 22 16:58:29 2012] [error] [client 49.212.46.75] client denied by server configuration: /htdocs
[Tue Jan 24 19:02:14 2012] [error] [client 190.254.75.82] invalid request-URI HTTP/1.1
[Tue Jan 24 19:02:14 2012] [error] [client 190.254.75.82] request failed: error reading the headers
[Tue Jan 24 19:02:14 2012] [error] [client 190.254.75.82] client denied by server configuration: /htdocs
2012-01-22 16:58:29,514 fail2ban.actions: WARNING [apache-bruteforce] Ban 49.212.46.75
2012-01-24 19:02:14,839 fail2ban.actions: WARNING [apache-bruteforce] Ban 190.254.75.82
Apache flood
File: /etc/fail2ban/filter.d/apache-flood.conf
[Definition]
failregex = ^<HOST> -.*"GET http.*".*
ignoreregex =
attack on the IP address (tied to the apache config)
File: /etc/fail2ban/filter.d/apache-other-Vhost.conf
[Definition]
failregex = 88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*muieblackcat
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*w00t
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*mysql
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*dbadmin
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*myadmin
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*MyAdmin
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*admin
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*php
            88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*jmx-console
ignoreregex =
File /etc/fail2ban/jail.conf:
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/*.log
maxretry = 1
[apache-flood]
enabled = true
filter = apache-flood
action = iptables[name=Apache-flood,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 3
[apache-ddos]
enabled = true
filter = apache-ddos
action = iptables[name=Apache-ddos,port=80,protocol=tcp]
logpath = /var/log/apache2/error*.log
maxretry = 3
[apache-bruteforce]
enabled = true
filter = apache-bruteforce
action = iptables[name=Apache-bruteforce,port=80,protocol=tcp]
logpath = /var/log/apache2/error*.log
maxretry = 1
[apache-Vhost]
enabled = true
filter = apache-other-Vhost
action = iptables[name=Apache-other-Vhost,port=80,protocol=tcp]
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 1
fail2ban.log file when everything is fine:
2012-01-28 04:41:59,817 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-01-28 04:41:59,820 fail2ban.jail : INFO Creating new jail 'apache-w00tw00t'
2012-01-28 04:41:59,820 fail2ban.jail : INFO Jail 'apache-w00tw00t' uses poller
2012-01-28 04:41:59,858 fail2ban.filter : INFO Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,859 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_aion-XXX.log
2012-01-28 04:41:59,861 fail2ban.filter : INFO Added logfile = /var/log/apache2/access_aion-XXX.log
2012-01-28 04:41:59,862 fail2ban.filter : INFO Added logfile = /var/log/apache2/other_vhosts_access.log
2012-01-28 04:41:59,864 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2012-01-28 04:41:59,865 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,866 fail2ban.filter : INFO Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,868 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2012-01-28 04:41:59,869 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,871 fail2ban.filter : INFO Set maxRetry = 1
2012-01-28 04:41:59,873 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:41:59,874 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:41:59,887 fail2ban.jail : INFO Creating new jail 'apache-Vhost'
2012-01-28 04:41:59,887 fail2ban.jail : INFO Jail 'apache-Vhost' uses poller
2012-01-28 04:41:59,888 fail2ban.filter : INFO Added logfile = /var/log/apache2/other_vhosts_access.log
2012-01-28 04:41:59,889 fail2ban.filter : INFO Set maxRetry = 1
2012-01-28 04:41:59,891 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:41:59,892 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:41:59,923 fail2ban.jail : INFO Creating new jail 'apache-flood'
2012-01-28 04:41:59,923 fail2ban.jail : INFO Jail 'apache-flood' uses poller
2012-01-28 04:41:59,925 fail2ban.filter : INFO Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,926 fail2ban.filter : INFO Added logfile = /var/log/apache2/access_aion-XXX.log
2012-01-28 04:41:59,928 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2012-01-28 04:41:59,929 fail2ban.filter : INFO Added logfile = /var/log/apache2/access_XXX.log
2012-01-28 04:41:59,930 fail2ban.filter : INFO Set maxRetry = 3
2012-01-28 04:41:59,932 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:41:59,933 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:41:59,943 fail2ban.jail : INFO Creating new jail 'apache-noscript'
2012-01-28 04:41:59,943 fail2ban.jail : INFO Jail 'apache-noscript' uses poller
2012-01-28 04:41:59,944 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_aion-XXX.log
2012-01-28 04:41:59,945 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,946 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2012-01-28 04:41:59,948 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:41:59,949 fail2ban.filter : INFO Set maxRetry = 1
2012-01-28 04:41:59,950 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:41:59,951 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:41:59,965 fail2ban.jail : INFO Creating new jail 'ssh'
2012-01-28 04:41:59,966 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-01-28 04:41:59,967 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-01-28 04:41:59,968 fail2ban.filter : INFO Set maxRetry = 3
2012-01-28 04:41:59,970 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:41:59,971 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:42:00,076 fail2ban.jail : INFO Creating new jail 'apache-bruteforce'
2012-01-28 04:42:00,076 fail2ban.jail : INFO Jail 'apache-bruteforce' uses poller
2012-01-28 04:42:00,078 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_aion-XXX.log
2012-01-28 04:42:00,079 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,080 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2012-01-28 04:42:00,081 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,083 fail2ban.filter : INFO Set maxRetry = 1
2012-01-28 04:42:00,084 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:42:00,085 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:42:00,486 fail2ban.jail : INFO Creating new jail 'webmin'
2012-01-28 04:42:00,487 fail2ban.jail : INFO Jail 'webmin' uses poller
2012-01-28 04:42:00,488 fail2ban.filter : INFO Added logfile = /var/log/messages
2012-01-28 04:42:00,489 fail2ban.filter : INFO Set maxRetry = 2
2012-01-28 04:42:00,491 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:42:00,492 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:42:00,504 fail2ban.jail : INFO Creating new jail 'apache-ddos'
2012-01-28 04:42:00,504 fail2ban.jail : INFO Jail 'apache-ddos' uses poller
2012-01-28 04:42:00,506 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_aion-XXXX.log
2012-01-28 04:42:00,507 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,508 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2012-01-28 04:42:00,510 fail2ban.filter : INFO Added logfile = /var/log/apache2/error_XXX.log
2012-01-28 04:42:00,511 fail2ban.filter : INFO Set maxRetry = 3
2012-01-28 04:42:00,512 fail2ban.filter : INFO Set findtime = 300
2012-01-28 04:42:00,514 fail2ban.actions: INFO Set banTime = -1
2012-01-28 04:42:00,528 fail2ban.jail : INFO Jail 'apache-w00tw00t' started
2012-01-28 04:42:00,533 fail2ban.jail : INFO Jail 'apache-Vhost' started
2012-01-28 04:42:00,543 fail2ban.jail : INFO Jail 'apache-flood' started
2012-01-28 04:42:00,562 fail2ban.jail : INFO Jail 'apache-noscript' started
2012-01-28 04:42:00,572 fail2ban.jail : INFO Jail 'ssh' started
2012-01-28 04:42:00,588 fail2ban.jail : INFO Jail 'apache-bruteforce' started
2012-01-28 04:42:00,605 fail2ban.jail : INFO Jail 'webmin' started
2012-01-28 04:42:00,624 fail2ban.jail : INFO Jail 'apache-ddos' started
list of bans, as an example
2012-01-22 07:58:58,742 fail2ban.actions: WARNING [apache-ddos] Ban 95.108.150.235
2012-01-22 10:16:46,253 fail2ban.actions: WARNING [apache-ddos] Ban 218.38.29.31
2012-01-22 12:50:40,703 fail2ban.actions: WARNING [apache-ddos] Ban 95.142.171.240
2012-01-22 14:27:56,065 fail2ban.actions: WARNING [apache-ddos] Ban 46.251.237.34
2012-01-22 14:39:10,798 fail2ban.actions: WARNING [apache-ddos] Ban 203.196.171.229
2012-01-22 16:58:29,514 fail2ban.actions: WARNING [apache-bruteforce] Ban 49.212.46.75
2012-01-22 18:48:23,314 fail2ban.actions: WARNING [apache-ddos] Ban 210.48.67.75
2012-01-23 00:49:50,060 fail2ban.actions: WARNING [apache-ddos] Ban 200.188.200.147
2012-01-23 11:41:13,140 fail2ban.actions: WARNING [apache-ddos] Ban 64.27.1.89
2012-01-23 11:48:46,665 fail2ban.actions: WARNING [apache-ddos] Ban 64.5.40.26
2012-01-23 18:02:35,803 fail2ban.actions: WARNING [apache-ddos] Ban 119.188.7.166
2012-01-23 23:44:11,447 fail2ban.actions: WARNING [apache-ddos] Ban 110.4.107.2
2012-01-24 07:08:33,227 fail2ban.actions: WARNING [apache-ddos] Ban 89.187.153.223
2012-01-24 15:00:20,222 fail2ban.actions: WARNING [apache-ddos] Ban 184.72.253.250
2012-01-24 15:00:20,262 fail2ban.actions: WARNING [apache-ddos] 184.72.253.250 already banned
2012-01-24 19:02:14,839 fail2ban.actions: WARNING [apache-bruteforce] Ban 190.254.75.82
2012-01-24 19:23:49,213 fail2ban.actions: WARNING [apache-ddos] Ban 178.19.24.129
2012-01-24 22:58:11,736 fail2ban.actions: WARNING [apache-ddos] Ban 193.71.76.2
the ddos-attack config is specific to my apache server, which does not accept connections on the IP address but only on domain names and subdomains
file: /etc/apache2/sites-available/default
<VirtualHost *:80>
ServerName 88.191.XX.XX
<Directory />
Deny from all
</Directory>
</VirtualHost>
for information, the filters are written in regex language, see the wiki site for more info: http://fr.wikipedia.org/wiki/Expression_rationnelle
PS: replace XXX.XXX with your IP address
EDIT: modified the jail.conf and apache-w00tw00t.conf files
added the apache-other-Vhost.conf file
Last modified by Fighter777 (28/01/2012, 04:51)
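Before enabling filters like the ones above, it pays to check what each failregex actually matches and which address it attributes the hit to. The harness below is an added example, not part of Fighter777's post and not fail2ban's own code: it reads a filter's [Definition] section the way fail2ban's INI format is laid out (indented continuation lines for a multi-line failregex, an optional ignoreregex), substitutes <HOST> with a capture group and runs the patterns over the post's quoted error-log lines plus a few constructed access-log lines. Assumptions: HOST_RE is a simplified IPv4-only stand-in for fail2ban's real <HOST> expansion, the whole line is searched, the bruteforce filter is trimmed to three of its lines, and the 192.0.2.x addresses and the access-log lines are constructed.

```python
"""Offline check of the post's fail2ban filters against sample Apache log lines."""
import configparser
import re
import warnings

# Python's re warns that "[[]" might one day mean a nested set; fail2ban filters
# use "[[]" / "[]]" to match literal brackets, so silence just that warning.
warnings.filterwarnings("ignore", message="Possible nested set")

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption:
# the real one also accepts hostnames and IPv6-mapped addresses).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Filters as written in the post (the bruteforce one trimmed to three lines).
W00TW00T = r"""[Definition]
failregex = ^<HOST> -.*"GET \/.*w00t.*".*
            \[client <HOST>\] client sent HTTP\/1\.1 request without hostname \(see RFC2616 section 14\.23\)\: .*
ignoreregex =
"""
DDOS = r"""[Definition]
failregex = \[client <HOST>\] client denied by server configuration\: \/htdocs *$
            \[client <HOST>\] request failed\: URI too long \(longer than 8190\) *$
ignoreregex =
"""
BRUTEFORCE = r"""[Definition]
failregex = [[]client <HOST>[]] File does not exist: /var/www/admin.*
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin.*
            [[]client <HOST>[]] request failed: error reading the headers
ignoreregex =
"""
FLOOD = r"""[Definition]
failregex = ^<HOST> -.*"GET http.*".*
ignoreregex =
"""

# Lines quoted from the post's error log, plus one constructed ordinary 404
# (a missing favicon) that no filter should count as an attack.
SAMPLE_ERROR_LOG = [
    "[Sun Jan 22 13:05:38 2012] [error] [client 69.162.110.73] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)",
    "[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs",
    "[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /usr/share/phpmyadmin/scripts",
    "[Sun Jan 22 16:58:28 2012] [error] [client 49.212.46.75] request failed: error reading the headers",
    "[Sun Jan 22 17:00:00 2012] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
]
# Constructed access-log lines (combined format): the access-log side of the
# w00tw00t probe, an absolute-URI request of the kind the flood filter targets,
# and a normal page view.
SAMPLE_ACCESS_LOG = [
    '69.162.110.73 - - [22/Jan/2012:13:05:38 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 328 "-" "-"',
    '192.0.2.20 - - [22/Jan/2012:13:06:00 +0100] "GET http://example.com/ HTTP/1.1" 200 1234 "-" "-"',
    '192.0.2.30 - - [22/Jan/2012:13:07:00 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def load_filter(text):
    """Parse a filter's [Definition] into (failregex patterns, ignoreregex patterns).

    As in fail2ban's INI format, the extra lines of a multi-line failregex are
    indented continuation lines, and ignoreregex may be left empty.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    section = cp["Definition"]

    def compile_lines(raw):
        return [re.compile(line.strip().replace("<HOST>", HOST_RE))
                for line in raw.splitlines() if line.strip()]

    return (compile_lines(section.get("failregex", "")),
            compile_lines(section.get("ignoreregex", "")))


def scan(filter_text, lines):
    """One entry per line: the host a failregex attributes it to, or None.

    A line matching ignoreregex is dropped before failregex is tried. The whole
    line is searched, which is why the error-log patterns carry no ^ anchor
    (the timestamp comes first) while the access-log ones start with ^<HOST>.
    """
    failregex, ignoreregex = load_filter(filter_text)
    hosts = []
    for line in lines:
        host = None
        if not any(r.search(line) for r in ignoreregex):
            for r in failregex:
                m = r.search(line)
                if m:
                    host = m.group("host")
                    break
        hosts.append(host)
    return hosts


if __name__ == "__main__":
    for name, flt, log in [("apache-w00tw00t", W00TW00T, SAMPLE_ERROR_LOG),
                           ("apache-ddos", DDOS, SAMPLE_ERROR_LOG),
                           ("apache-bruteforce", BRUTEFORCE, SAMPLE_ERROR_LOG),
                           ("apache-w00tw00t", W00TW00T, SAMPLE_ACCESS_LOG),
                           ("apache-flood", FLOOD, SAMPLE_ACCESS_LOG)]:
        print(name, [h for h in scan(flt, log) if h])
```

Against the live files the same check is what `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-ddos.conf` does. The constructed favicon line is the case worth keeping in such a test set: with maxretry = 1 in the bruteforce jail, a single 404 under one of the listed prefixes bans the client, so broad patterns like `/var/www/www.*` or `/var/www/php.*` deserve a benign test line of their own before they go live.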
#2 28/01/2012, 04:29
- Fighter777
Re: fail2ban protection rules (personal)
rule changes
because of the apache configuration, the /var/log/apache2/other_vhosts_access.log file did not have the same layout as the other access files
example:
other_vhosts_access.log:
88.191.XXX.XXX:80 58.64.149.143 - - [27/Jan/2012:21:06:14 +0100] "GET /muieblackcat HTTP/1.1" 403 469 "-" "-"
so I'm correcting the rules according to the logs I catch on my server
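Two things in this thread are easy to get wrong without a replay: the jail settings (maxretry, findtime = 300 as the fail2ban.log above shows, banTime = -1) decide when a matching host is actually banned, and the second post's point is that other_vhosts_access.log lines carry a "vhost:port " prefix, so a pattern written for the plain access log never matches them. The script below is an added example, not code from the post or from fail2ban, that models both: it counts failures per host inside the findtime window and bans at maxretry, and it shows the post's apache-ddos burst producing the ban logged at 12:50:40, a constructed slow trickle that never reaches maxretry, and the vhost line matching only with the prefixed regex. Assumptions: HOST_RE is an IPv4-only stand-in for fail2ban's <HOST>, the UTC offset is ignored, the 192.0.2.5 lines and PLAIN_REGEX are constructed, and the XXX in the vhost regex and line is the post's own redaction (kept verbatim so they match literally).

```python
"""Replay log lines through a jail's maxretry/findtime rule, fail2ban-style."""
import re
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two timestamp layouts in the post: the Apache error log, and the access /
# other_vhosts_access log (whose lines carry a "vhost:port " prefix).
ERROR_TS = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]")
ACCESS_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def line_time(line):
    """Timestamp of an error-log or access-log line (UTC offset ignored)."""
    m = ERROR_TS.match(line)
    if m:
        return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    m = ACCESS_TS.search(line)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    raise ValueError("no recognised timestamp in: " + line)


def match_host(failregex, line):
    """Host captured by one failregex line, or None if it does not match."""
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None


class Jail:
    """Per-host failure counter: ban once maxretry hits fall inside findtime.

    banTime is not modelled because the post runs with banTime = -1
    (permanent): a banned host is simply never evaluated again.
    """

    def __init__(self, name, failregex, maxretry, findtime=300):
        self.name = name
        self.failregex = list(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.hits = {}    # host -> failure times still inside the window
        self.banned = {}  # host -> time of ban

    def feed(self, line):
        """Process one line; return the host if this line triggers its ban."""
        host = None
        for r in self.failregex:
            host = match_host(r, line)
            if host:
                break
        if host is None or host in self.banned:
            return None
        when = line_time(line)
        # Drop hits older than findtime, then count this one.
        window = [t for t in self.hits.get(host, []) if when - t <= self.findtime]
        window.append(when)
        self.hits[host] = window
        if len(window) >= self.maxretry:
            self.banned[host] = when
            return host
        return None

    def run(self, lines):
        """Replay lines in order; return [(host, ban_time), ...] in ban order."""
        bans = []
        for line in lines:
            host = self.feed(line)
            if host:
                bans.append((host, self.banned[host]))
        return bans


# apache-ddos filter lines from the post; its jail.conf entry sets maxretry = 3.
DDOS_REGEX = [r"\[client <HOST>\] client denied by server configuration\: \/htdocs *$",
              r"\[client <HOST>\] request failed\: URI too long \(longer than 8190\) *$"]
# First four lines of the burst quoted in the post; the third does not match
# (/usr/share/phpmyadmin/scripts is not /htdocs), so the ban lands on the fourth.
DDOS_BURST = [
    "[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs",
    "[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs",
    "[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /usr/share/phpmyadmin/scripts",
    "[Sun Jan 22 12:50:39 2012] [error] [client 95.142.171.240] client denied by server configuration: /htdocs",
]
# Constructed: the same host three times, but the third hit arrives 10 minutes
# later, after the first two have aged out of findtime = 300.
SLOW_HITS = [
    "[Sun Jan 22 12:00:00 2012] [error] [client 192.0.2.5] client denied by server configuration: /htdocs",
    "[Sun Jan 22 12:00:01 2012] [error] [client 192.0.2.5] client denied by server configuration: /htdocs",
    "[Sun Jan 22 12:10:00 2012] [error] [client 192.0.2.5] client denied by server configuration: /htdocs",
]
# other_vhosts_access.log line and filter quoted from the post (XXX is the
# post's own redaction of the server address, so the two match literally).
VHOST_LINE = '88.191.XXX.XXX:80 58.64.149.143 - - [27/Jan/2012:21:06:14 +0100] "GET /muieblackcat HTTP/1.1" 403 469 "-" "-"'
VHOST_REGEX = r'88\.191\.XXX\.XXX\:80 <HOST> -.*"GET .*muieblackcat'
# Constructed: the same rule in plain access-log shape; the vhost prefix defeats it.
PLAIN_REGEX = r'^<HOST> -.*"GET .*muieblackcat'

if __name__ == "__main__":
    print(Jail("apache-ddos", DDOS_REGEX, maxretry=3).run(DDOS_BURST))
    print(Jail("apache-ddos", DDOS_REGEX, maxretry=3).run(SLOW_HITS))
    print(Jail("apache-Vhost", [VHOST_REGEX], maxretry=1).run([VHOST_LINE]))
    print(match_host(PLAIN_REGEX, VHOST_LINE), match_host(VHOST_REGEX, VHOST_LINE))
```

The replay makes the trade-off of each jail visible: maxretry = 1 on apache-Vhost and apache-bruteforce bans on the first matching line, while apache-ddos with maxretry = 3 needs three hits inside five minutes, so a scanner that comes back once an hour is never caught by it.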