iptables and fail2ban

Quick (no name resolution):
iptables -L -n --line-numbers
With name resolution (slow, every address goes through a reverse DNS lookup):
iptables --list --line-numbers
The rule numbers shown by --line-numbers are the ones you pass to iptables -D <chain> <number> to delete a single rule.
Making fail2ban bans persistent
fail2ban only inserts rules into the running kernel tables, so every ban disappears when fail2ban restarts or the host reboots. The approach here keeps a text file with every ban and replays it from actionstart, which fail2ban runs when the jail starts. Two action files have to be modified (continuation lines of a value must be indented; fail2ban runs the commands through a shell). The grep is anchored on "<name>:" so that a jail called apache does not also replay the apache-noscript or apache-postflood entries:
- /etc/fail2ban/action.d/iptables.conf

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
              grep "^<name>:" /etc/fail2ban/ip.blacklist | cut -f2 -d":" | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <name>:<ip> >> /etc/fail2ban/ip.blacklist

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              echo <name>:<ip> >> /etc/fail2ban/ip.blacklist.unbaned

- /etc/fail2ban/action.d/iptables-multiport.conf

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              grep "^<name>:" /etc/fail2ban/ip.blacklist | cut -f2 -d":" | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <name>:<ip> >> /etc/fail2ban/ip.blacklist

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              echo <name>:<ip> >> /etc/fail2ban/ip.blacklist.unbaned

Note that actionunban only records the unban in ip.blacklist.unbaned; the entry stays in ip.blacklist, so the address is banned again at the next actionstart. That is what makes the bans permanent across restarts, but it also means that to really release an address you have to delete its line from ip.blacklist as well. Jails that use a different action (the sshd jails below use iptables-allports) need the same edit in their own action file.
The files ip.blacklist and ip.blacklist.unbaned can be created empty with touch; they grow from there:
touch /etc/fail2ban/ip.blacklist
touch /etc/fail2ban/ip.blacklist.unbaned
Their format is service:<IP address>, one entry per line, for example:
postfix:X.133.82.52
apache-postflood:X.154.251.120
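The replay step of actionstart as a stand-alone script, added here as an example (it is not code from the original page). It reads the same service:IP file described above and emits the same iptables -I commands, with two changes a practitioner wants: the jail name is matched anchored at the start of the line (a plain grep apache would also pull in the apache-noscript and apache-postflood entries), and each IP is inserted only once even if it was banned several times. The function names, the fake_iptables stand-in and the sample blacklist are all constructed for the example; the addresses are RFC 5737 documentation addresses, not real attackers.

```shell
#!/bin/sh
# Added example, not from the original page: replay a jail's bans from the
# service:IP blacklist. IPv4 only, because the file is split on ":".

# blacklist_ips JAIL FILE -> unique IPs recorded for JAIL, in file order.
# "^JAIL:" keeps "apache" from matching "apache-postflood:..." lines.
blacklist_ips() {
    jail=$1
    file=$2
    [ -r "$file" ] || return 0
    grep "^${jail}:" "$file" | cut -d: -f2 | awk '!seen[$0]++'
}

# restore_bans JAIL FILE [IPTABLES] -> insert one DROP rule per IP at the top
# of chain fail2ban-JAIL. The chain must already exist (actionstart creates it).
# The third argument lets the function run without root, as below.
restore_bans() {
    jail=$1
    file=$2
    ipt=${3:-iptables}
    blacklist_ips "$jail" "$file" | while read -r ip; do
        "$ipt" -I "fail2ban-$jail" 1 -s "$ip" -j DROP
    done
}

# Stand-in for iptables used for the dry run: prints the command it would run.
fake_iptables() {
    printf 'iptables %s\n' "$*"
}

# Constructed sample blacklist in the same format as /etc/fail2ban/ip.blacklist.
# The duplicate apache line and the apache-postflood line are there on purpose.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
postfix:192.0.2.10
apache:198.51.100.7
apache-postflood:198.51.100.8
apache:198.51.100.7
sshd:203.0.113.5
EOF

# Dry run for the "apache" jail: only its own entry, listed once.
restore_bans apache "$SAMPLE" fake_iptables
```

To use it for real, drop the third argument (or pass /sbin/iptables) and run it as root after the fail2ban-<name> chain exists; as an actionstart line it would be restore_bans <name> /etc/fail2ban/ip.blacklist.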
Staying with fail2ban, in jail.local I like to change the actions so that every ban also sends an e-mail:
%(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
For example, the ssh sections of my jail.local look like this (the mail action goes on a continuation line, indented under action). Keep in mind that iptables-allports is a third action file, not one of the two modified above, so these bans are not persisted unless you apply the same change there:
[sshd]
enabled = true
filter  = sshd
action  = iptables-allports
          %(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
logpath = /var/log/auth.log

[sshd-ddos]
enabled = true
filter  = sshd-ddos
action  = iptables-allports
          %(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
logpath = /var/log/auth.log

The variable destemail can be defined in the DEFAULT section and can be any e-mail address:
[DEFAULT]
...
destemail = postmaster@dominio
I like to add these sections at the end of jail.local. apache-postflood is left disabled on purpose: its filter matches every POST, so findtime = 10 with maxretry = 10 bans any client that sends ten POSTs in ten seconds, legitimate users included. Enable it only if you know your application never does that:
[apache]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true

[apache-phpmyadmin]
enabled  = true
port     = http,https
filter   = apache-phpmyadmin
logpath  = /var/log/apache2/error.log
maxretry = 3

[apache-postflood]
enabled  = false
port     = http,https
filter   = apache-post
action   = %(action_mw)s
logpath  = /var/log/apache2/access.log
findtime = 10
maxretry = 10

[apache-badbots]
enabled  = true
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
filter   = apache-badbots
logpath  = /var/log/apache2/access.log
bantime  = 172800
maxretry = 1
For these you also need the following three filters in /etc/fail2ban/filter.d/. apache-post and apache-phpmyadmin are referenced by the jails above; apache-null is not wired to any jail in that snippet, so add a jail with filter = apache-null and logpath = /var/log/apache2/access.log if you want to use it. Before enabling any of them, run fail2ban-regex against your own log file to check what the failregex really matches.
apache-post.conf
#
# $Revision: 1 $
#
[Definition]

# Option:  failregex
# Notes.:  Regexp that matches every POST request from <HOST>; it is the
#          jail's findtime/maxretry that turn it into a rate limit. Please
#          verify that it is your intent to block IPs on this basis.
# Values:  TEXT
#
failregex = ^<HOST> -.*"POST.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

apache-phpmyadmin.conf
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#
[Definition]

# docroot must be your real DocumentRoot, otherwise the regex never matches
docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

apache-null.conf
#
# Author: Joël LE CORRE - Sublimigeek -
# Created: 18/10/2012 - Modified: 21/10/2012
#
#############################################################################
# Fail2ban configuration file                                               #
#                                                                           #
# Jail that blacklists the IP addresses of hosts scanning the Apache2       #
# web server with "^null$" requests                                         #
#############################################################################
[Definition]

# Format of the request to block with Fail2ban
# XX.XX.XX.XX - - [19/Oct/2012:08:34:23 +0200] "-" 408 0 "-" "-"

# Regex parsing the server logs
failregex = ^<HOST> - - (.*) "-" 408 0 "-" "-"

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

A caveat on apache-null: a "-" request with status 408 is Apache's request timeout for a connection on which the client never sent a request. Scanners produce these, but so do browsers and proxies that open a spare keep-alive connection and let it idle, so give this jail a high maxretry or a short bantime rather than treating a single hit as hostile.
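A quick offline check that a failregex matches the lines you expect, added here as an example and not part of the original page. The proper tool is fail2ban-regex, which ships with fail2ban; the function below is a stand-in that needs only grep and sed, so it runs anywhere. It rewrites the fail2ban <HOST> tag into an IPv4 pattern and treats the rest of the pattern as a POSIX ERE, which holds for the apache-post and apache-null patterns above (it does not handle Python-only regex syntax or %(...)s interpolation, so apache-phpmyadmin is out of scope). The function name, the log lines and the addresses are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: run a failregex over sample log
# lines with plain grep, the way fail2ban-regex would, and list the hosts hit.

# match_hosts FAILREGEX -> reads log lines on stdin and prints the host of
# every line the pattern matches. Assumes <HOST> sits at the start of the
# pattern, as in both filters above; the second grep pulls the address off
# the start of each matching line.
match_hosts() {
    # Turn the fail2ban <HOST> tag into a dotted-quad ERE. The '\\.' survives
    # sed's replacement as '\.', i.e. a literal dot in the resulting ERE.
    pattern=$(printf '%s\n' "$1" | sed 's/<HOST>/([0-9]{1,3}\\.){3}[0-9]{1,3}/')
    grep -E "$pattern" | grep -oE '^([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# The two failregex values from the filters above, verbatim.
APACHE_NULL='^<HOST> - - (.*) "-" 408 0 "-" "-"'
APACHE_POST='^<HOST> -.*"POST.*'

# Constructed sample access log (combined format, RFC 5737 addresses):
# one idle-connection 408, one POST, one ordinary GET that neither filter
# should count.
LOG='203.0.113.5 - - [19/Oct/2012:08:34:23 +0200] "-" 408 0 "-" "-"
198.51.100.7 - - [19/Oct/2012:08:35:01 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.0"
192.0.2.10 - - [19/Oct/2012:08:35:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Usage: each call prints only the host(s) that filter would count as a failure.
printf '%s\n' "$LOG" | match_hosts "$APACHE_NULL"
printf '%s\n' "$LOG" | match_hosts "$APACHE_POST"
```

Point the same function at a real access.log (cat /var/log/apache2/access.log | match_hosts "$APACHE_POST" | sort | uniq -c) to see which clients a jail would have banned before you switch it on; if the list is full of your own users, adjust findtime and maxretry first.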