iptables y fail2ban

Jose Blanco Red, Revisado, Seguridad, VPS

Rápido:

iptables -L -n --line-numbers

Con resolución de nombres (lento):

iptables --list --line-numbers

Hacer persistentes los baneos de fail2ban

Hay que modificar 2 ficheros de acciones:

/etc/fail2ban/action.d/iptables.conf

actionstart = iptables -N fail2ban-<name>
 iptables -A fail2ban-<name> -j RETURN
 iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
 cat /etc/fail2ban/ip.blacklist|grep <name> | cut -f2 -d":" | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 echo <name>:<ip> >> /etc/fail2ban/ip.blacklist
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 echo <name>:<ip> >> /etc/fail2ban/ip.blacklist.unbaned2

/etc/fail2ban/action.d/iptables-multiport.conf

actionstart = iptables -N fail2ban-<name>
 iptables -A fail2ban-<name> -j RETURN
 iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 cat /etc/fail2ban/ip.blacklist|grep <name> | cut -f2 -d":" | while read IP; do iptables -I fail2ban-<name> 1 -s $I$
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 echo <name>:<ip> >> /etc/fail2ban/ip.blacklist
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 echo <name>:<ip> >> /etc/fail2ban/ip.blacklist.unbaned

Los ficheros ip.blacklist y ip.blacklist.unbaned se pueden crear al principio con touch, ya irán creciendo.

touch etc/fail2ban/ip.blacklist

touch etc/fail2ban/ip.blacklist.unbaned

El formato que tendrán servicio:<dirección IP>, por ejemplo:

postfix:X.133.82.52

apache-postflood:X.154.251.120

Siguiendo con fail2ban, en el fichero jail.local me gusta modificar las acciones para recibir correos electrónicos:

%(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

Por ejemplo en mi jail.local, para la sección ssh tengo esto:

[sshd]
enabled = true
filter = sshd
action = iptables-allports
 %(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
logpath = /var/log/auth.log

[sshd-ddos]
enabled = true
filter = sshd-ddos
action = iptables-allports
 %(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
logpath = /var/log/auth.log

La variable destemail se puede definir en la sección DEFAULT, y puede ser cualquier dirección de correo:

[DEFAULT]
...
destemail = postmaster@dominio

Me gusta añadir estas configuraciones al final del jail.local:

[apache]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true

[apache-phpmyadmin]
enabled = true
port = http,https
filter = apache-phpmyadmin
logpath = /var/log/apache2/error.log
maxretry = 3

[apache-postflood]
enabled = false
port = http,https
filter = apache-post
action = %(action_mw)s
logpath = /var/log/apache2/access.log
findtime = 10
maxretry = 10

[apache-badbots]
enabled = true
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
filter=apache-badbots
logpath = /var/log/apache2/access.log
bantime = 172800
maxretry = 1

Para ello además necesitas estos 3 filtros:

apache-post.conf

#
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# abovementioned bots.
# Values: TEXT
#
failregex = ^<HOST> -.*"POST.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-phpmyadmin.conf

# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#
 
[Definition]
 
docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
 
# Option: failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values: TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
 
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-null.conf

#
# Auteur : Joël LE CORRE - Sublimigeek -
# Créé le : 18/10/2012 - Modifié le : 21/10/2012
#

#############################################################################
# Fichier de configuration Fail2ban #
# Jail permettant de blacklister les adresses IP des machines scannant #
# le serveur Web Apache2 via les requêtes "^null$" #
#############################################################################

[Definition]
# Format de la requête à bloquer avec Fail2ban
# XX.XX.XX.XX - - [19/Oct/2012:08:34:23 +0200] "-" 408 0 "-" "-"

# Regex parsant les logs du serveur
failregex = ^<HOST> - - (.*) "-" 408 0 "-" "-"

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Deja un comentario firewall

iptables y fail2ban

Hacer persistentes los baneos de fail2ban

Deja una respuesta Cancelar la respuesta