Fail2ban v0.11.x with IPv6 support on Debian Stretch

From Le Wiki du Forum-Debian.fr

Here we install fail2ban 0.11.x which, unlike the 0.9.x version in the Debian Stretch repositories, supports banning IPv6 addresses.


 WARNING: This tutorial is intended for experienced users.
As a reminder, stepping outside the official Debian repositories is not recommended. The steps described below are therefore carried out entirely at your own risk.


Removing fail2ban

# apt-cache policy fail2ban

fail2ban:
  Installé : 0.9.6-2
  Candidat : 0.9.6-2
 Table de version :
 *** 0.9.6-2 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status
     0.8.13-1 500
        500 http://deb.debian.org/debian jessie/main amd64 Packages


# apt remove --purge fail2ban


# rm -rf /etc/fail2ban


Installing fail2ban from Git

Prerequisites

# apt install python python-dnspython python-pyinotify gamin


Installation

# cd /usr/local/


# git clone https://github.com/fail2ban/fail2ban.git

Clonage dans 'fail2ban'...
remote: Counting objects: 32232, done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 32232 (delta 22), reused 23 (delta 13), pack-reused 32183
Réception d'objets: 100% (32232/32232), 8.91 MiB | 1.21 MiB/s, fait.
Résolution des deltas: 100% (23680/23680), fait.

# cd fail2ban


# python setup.py install

running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/fail2ban
copying fail2ban/setup.py -> build/lib.linux-x86_64-2.7/fail2ban
...
Creating build/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> /usr/local/bin
creating fail2ban-python binding -> /usr/local/bin
changing mode of /usr/local/bin/fail2ban-client to 755
changing mode of /usr/local/bin/fail2ban-regex to 755
changing mode of /usr/local/bin/fail2ban-server to 755
changing mode of /usr/local/bin/fail2ban-testcases to 755

Please do not forget to update your configuration files.
They are in "/etc/fail2ban/".

You can also install systemd service-unit file from "build/fail2ban.service"
resp. corresponding init script from "files/*-initd".

Verification

# fail2ban-client -h

Usage: fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v0.11.0.dev0 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
    -c <DIR>                configuration directory
    -s <FILE>               socket path
    -p <FILE>               pidfile path
    --loglevel <LEVEL>      logging level
    --logtarget <FILE>|STDOUT|STDERR|SYSLOG
    --syslogsocket auto|<FILE>
    -d                      dump configuration. For debugging
    --dp, --dump-pretty     dump the configuration using more human readable representation
    -t, --test              test configuration (can be also specified with start parameters)
    -i                      interactive mode
    -v                      increase verbosity
    -q                      decrease verbosity
    -x                      force execution of the server (remove socket file)
    -b                      start server in background (default)
    -f                      start server in foreground
    --async                 start server in async mode (for internal usage only, don't read configuration)
    --timeout               timeout to wait for the server (for internal usage only, don't read configuration)
    --str2sec <STRING>      convert time abbreviation format to seconds
    -h, --help              display this help message
    -V, --version           print the version

Command:
                                             BASIC
    start                                    starts the server and the jails
    restart                                  restarts the server
    restart [--unban] [--if-exists] <JAIL>   restarts the jail <JAIL> (alias
                                             for 'reload --restart ... <JAIL>')
    reload [--restart] [--unban] [--all]     reloads the configuration without
                                             restarting of the server, the
                                             option '--restart' activates
                                             completely restarting of affected
                                             jails, thereby can unban IP
                                             addresses (if option '--unban'
                                             specified)
    reload [--restart] [--unban] [--if-exists] <JAIL>
                                             reloads the jail <JAIL>, or
                                             restarts it (if option '--restart'
                                             specified)
    stop                                     stops all jails and terminate the
                                             server
    unban --all                              unbans all IP addresses (in all
                                             jails and database)
    unban <IP> ... <IP>                      unbans <IP> (in all jails and
                                             database)
    status                                   gets the current status of the
                                             server
    ping                                     tests if the server is alive
    echo                                     for internal usage, returns back
                                             and outputs a given string
    help                                     return this output
    version                                  return the server version

                                             LOGGING
    set loglevel <LEVEL>                     sets logging level to <LEVEL>.
                                             Levels: CRITICAL, ERROR, WARNING,
                                             NOTICE, INFO, DEBUG, TRACEDEBUG,
                                             HEAVYDEBUG or corresponding
                                             numeric value (50-5)
    get loglevel                             gets the logging level
    set logtarget <TARGET>                   sets logging target to <TARGET>.
                                             Can be STDOUT, STDERR, SYSLOG or a
                                             file
    get logtarget                            gets logging target
    set syslogsocket auto|<SOCKET>           sets the syslog socket path to
                                             auto or <SOCKET>. Only used if
                                             logtarget is SYSLOG
    get syslogsocket                         gets syslog socket path
    flushlogs                                flushes the logtarget if a file
                                             and reopens it. For log rotation.

                                             DATABASE
    set dbfile <FILE>                        set the location of fail2ban
                                             persistent datastore. Set to
                                             "None" to disable
    get dbfile                               get the location of fail2ban
                                             persistent datastore
    set dbpurgeage <SECONDS>                 sets the max age in <SECONDS> that
                                             history of bans will be kept
    get dbpurgeage                           gets the max age in seconds that
                                             history of bans will be kept

                                             JAIL CONTROL
    add <JAIL> <BACKEND>                     creates <JAIL> using <BACKEND>
    start <JAIL>                             starts the jail <JAIL>
    stop <JAIL>                              stops the jail <JAIL>. The jail is
                                             removed
    status <JAIL> [FLAVOR]                   gets the current status of <JAIL>,
                                             with optional flavor or extended
                                             info

                                             JAIL CONFIGURATION
    set <JAIL> idle on|off                   sets the idle state of <JAIL>
    set <JAIL> ignoreself true|false         allows the ignoring of own IP
                                             addresses
    set <JAIL> addignoreip <IP>              adds <IP> to the ignore list of
                                             <JAIL>
    set <JAIL> delignoreip <IP>              removes <IP> from the ignore list
                                             of <JAIL>
    set <JAIL> addlogpath <FILE> ['tail']    adds <FILE> to the monitoring list
                                             of <JAIL>, optionally starting at
                                             the 'tail' of the file (default
                                             'head').
    set <JAIL> dellogpath <FILE>             removes <FILE> from the monitoring
                                             list of <JAIL>
    set <JAIL> logencoding <ENCODING>        sets the <ENCODING> of the log
                                             files for <JAIL>
    set <JAIL> addjournalmatch <MATCH>       adds <MATCH> to the journal filter
                                             of <JAIL>
    set <JAIL> deljournalmatch <MATCH>       removes <MATCH> from the journal
                                             filter of <JAIL>
    set <JAIL> addfailregex <REGEX>          adds the regular expression
                                             <REGEX> which must match failures
                                             for <JAIL>
    set <JAIL> delfailregex <INDEX>          removes the regular expression at
                                             <INDEX> for failregex
    set <JAIL> ignorecommand <VALUE>         sets ignorecommand of <JAIL>
    set <JAIL> addignoreregex <REGEX>        adds the regular expression
                                             <REGEX> which should match pattern
                                             to exclude for <JAIL>
    set <JAIL> delignoreregex <INDEX>        removes the regular expression at
                                             <INDEX> for ignoreregex
    set <JAIL> findtime <TIME>               sets the number of seconds <TIME>
                                             for which the filter will look
                                             back for <JAIL>
    set <JAIL> bantime <TIME>                sets the number of seconds <TIME>
                                             a host will be banned for <JAIL>
    set <JAIL> datepattern <PATTERN>         sets the <PATTERN> used to match
                                             date/times for <JAIL>
    set <JAIL> usedns <VALUE>                sets the usedns mode for <JAIL>
    set <JAIL> banip <IP>                    manually Ban <IP> for <JAIL>
    set <JAIL> unbanip <IP>                  manually Unban <IP> in <JAIL>
    set <JAIL> maxretry <RETRY>              sets the number of failures
                                             <RETRY> before banning the host
                                             for <JAIL>
    set <JAIL> maxlines <LINES>              sets the number of <LINES> to
                                             buffer for regex search for <JAIL>
    set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>]
                                             adds a new action named <ACT> for
                                             <JAIL>. Optionally for a Python
                                             based action, a <PYTHONFILE> and
                                             <JSONKWARGS> can be specified,
                                             else will be a Command Action
    set <JAIL> delaction <ACT>               removes the action <ACT> from
                                             <JAIL>

                                             COMMAND ACTION CONFIGURATION
    set <JAIL> action <ACT> actionstart <CMD>
                                             sets the start command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionstop <CMD> sets the stop command <CMD> of the
                                             action <ACT> for <JAIL>
    set <JAIL> action <ACT> actioncheck <CMD>
                                             sets the check command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionban <CMD>  sets the ban command <CMD> of the
                                             action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionunban <CMD>
                                             sets the unban command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> timeout <TIMEOUT>
                                             sets <TIMEOUT> as the command
                                             timeout in seconds for the action
                                             <ACT> for <JAIL>

                                             GENERAL ACTION CONFIGURATION
    set <JAIL> action <ACT> <PROPERTY> <VALUE>
                                             sets the <VALUE> of <PROPERTY> for
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> <METHOD>[ <JSONKWARGS>]
                                             calls the <METHOD> with
                                             <JSONKWARGS> for the action <ACT>
                                             for <JAIL>

                                             JAIL INFORMATION
    get <JAIL> logpath                       gets the list of the monitored
                                             files for <JAIL>
    get <JAIL> logencoding                   gets the encoding of the log files
                                             for <JAIL>
    get <JAIL> journalmatch                  gets the journal filter match for
                                             <JAIL>
    get <JAIL> ignoreself                    gets the current value of the
                                             ignoring the own IP addresses
    get <JAIL> ignoreip                      gets the list of ignored IP
                                             addresses for <JAIL>
    get <JAIL> ignorecommand                 gets ignorecommand of <JAIL>
    get <JAIL> failregex                     gets the list of regular
                                             expressions which matches the
                                             failures for <JAIL>
    get <JAIL> ignoreregex                   gets the list of regular
                                             expressions which matches patterns
                                             to ignore for <JAIL>
    get <JAIL> findtime                      gets the time for which the filter
                                             will look back for failures for
                                             <JAIL>
    get <JAIL> bantime                       gets the time a host is banned for
                                             <JAIL>
    get <JAIL> datepattern                   gets the patern used to match
                                             date/times for <JAIL>
    get <JAIL> usedns                        gets the usedns setting for <JAIL>
    get <JAIL> maxretry                      gets the number of failures
                                             allowed for <JAIL>
    get <JAIL> maxlines                      gets the number of lines to buffer
                                             for <JAIL>
    get <JAIL> actions                       gets a list of actions for <JAIL>

                                             COMMAND ACTION INFORMATION
    get <JAIL> action <ACT> actionstart      gets the start command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionstop       gets the stop command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actioncheck      gets the check command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionban        gets the ban command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionunban      gets the unban command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> timeout          gets the command timeout in
                                             seconds for the action <ACT> for
                                             <JAIL>

                                             GENERAL ACTION INFORMATION
    get <JAIL> actionproperties <ACT>        gets a list of properties for the
                                             action <ACT> for <JAIL>
    get <JAIL> actionmethods <ACT>           gets a list of methods for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> <PROPERTY>       gets the value of <PROPERTY> for
                                             the action <ACT> for <JAIL>

Report bugs to https://github.com/fail2ban/fail2ban/issues


# fail2ban-client start

Server ready


# fail2ban-client status

Status
|- Number of jail:	0
`- Jail list:

Starting automatically at boot

# cp files/debian-initd /etc/init.d/fail2ban


# chmod +x /etc/init.d/fail2ban


# systemctl enable fail2ban.service

fail2ban.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable fail2ban

# systemctl daemon-reload


# service fail2ban restart


# service fail2ban status

● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban; generated; vendor preset: enabled)
   Active: active (exited) since Mon 2017-11-27 09:07:24 EAT; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 11586 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

nov. 27 09:07:24 dev.domaine.com systemd[1]: Starting LSB: Start/stop fail2ban...
nov. 27 09:07:24 dev.domaine.com fail2ban[11586]: Starting authentication failure monitor: fail2ban.
nov. 27 09:07:24 dev.domaine.com systemd[1]: Started LSB: Start/stop fail2ban.

Setting up the rules

  NEVER edit jail.conf! Your own settings must go in jail.local


# nano /etc/fail2ban/jail.local


[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 197.158.88.85

[sshd]
enabled  = true
port    = xxxxx

[apache-auth]
enabled  = true

[apache-badbots]
enabled  = true

[dovecot]
enabled  = true

[postfix]
enabled  = true

[postfix-sasl]
enabled  = true

[webmin-auth]

[phpmyadmin-syslog]

[pure-ftpd]
enabled  = true

[pam-generic]
enabled  = true

[recidive]
enabled  = true

WordPress (wp-fail2ban)

The extension's page on WordPress.org

# cp /var/www/domaine.com/web/wp-content/plugins/wp-fail2ban/filters.d/* /etc/fail2ban/filter.d/


# nano /etc/fail2ban/jail.local


[wordpress-hard]
enabled = true
logpath = /var/log/auth.log
maxretry = 1
port = http,https

[wordpress-soft]
enabled = true
logpath = /var/log/auth.log
maxretry = 6
port = http,https

Test

# service fail2ban restart && tail -f /var/log/fail2ban.log

2017-11-27 09:34:11,405 fail2ban.filter         [13205]: INFO      findtime: 600
2017-11-27 09:34:11,406 fail2ban.jail           [13205]: INFO    Jail 'sshd' started
2017-11-27 09:34:11,407 fail2ban.jail           [13205]: INFO    Jail 'apache-auth' started
2017-11-27 09:34:11,408 fail2ban.jail           [13205]: INFO    Jail 'apache-badbots' started
2017-11-27 09:34:11,408 fail2ban.jail           [13205]: INFO    Jail 'pure-ftpd' started
2017-11-27 09:34:11,409 fail2ban.jail           [13205]: INFO    Jail 'postfix' started
2017-11-27 09:34:11,409 fail2ban.jail           [13205]: INFO    Jail 'dovecot' started
2017-11-27 09:34:11,410 fail2ban.jail           [13205]: INFO    Jail 'postfix-sasl' started
2017-11-27 09:34:11,410 fail2ban.jail           [13205]: INFO    Jail 'recidive' started
2017-11-27 09:34:11,413 fail2ban.jail           [13205]: INFO    Jail 'pam-generic' started
2017-11-27 09:35:39,037 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:35:38
2017-11-27 09:35:43,171 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:35:43
2017-11-27 09:36:25,786 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:36:25
2017-11-27 09:36:53,990 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:36:53
2017-11-27 09:37:04,739 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:37:04
2017-11-27 09:37:04,815 fail2ban.actions        [13205]: NOTICE  [pure-ftpd] Ban 10.11.12.13
2017-11-27 09:37:04,818 fail2ban.filter         [13205]: INFO    [recidive] Found 10.11.12.13 - 2017-11-27 09:37:04


# iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-pure-ftpd
-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j f2b-pure-ftpd
-A f2b-pure-ftpd -s 10.11.12.13/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-pure-ftpd -j RETURN
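
The log and the iptables -S output above only show an IPv4 ban. The following Python 3 script is an added example, not part of the original tutorial or of fail2ban: it cross-checks the Ban/Unban lines of fail2ban.log against the f2b-* chains dumped by iptables -S and ip6tables -S, so that an IPv6 ban that never reached the firewall stands out. The sample log and rules are constructed (the IPv6 lines use the 2001:db8::/32 documentation prefix and assume ip6tables prints rules in the same form as the IPv4 output above).

```python
import ipaddress
import re
from collections import defaultdict

# fail2ban.log action line, e.g. "... NOTICE  [pure-ftpd] Ban 10.11.12.13"
BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+\[([^\]]+)\]\s+"
                    r"(?:Restore\s+)?(Ban|Unban)\s+(\S+)")
# iptables -S / ip6tables -S rule, e.g. "-A f2b-pure-ftpd -s 10.11.12.13/32 -j REJECT"
RULE_RE = re.compile(r"^-A f2b-(\S+) -s (\S+) -j (?:REJECT|DROP)")

# Constructed sample data in the formats shown on this page (not real traffic).
SAMPLE_LOG = """\
2017-11-27 09:37:04,815 fail2ban.actions        [13205]: NOTICE  [pure-ftpd] Ban 10.11.12.13
2017-11-27 09:40:10,101 fail2ban.actions        [13205]: NOTICE  [sshd] Ban 2001:db8::bad:1
2017-11-27 09:41:12,202 fail2ban.actions        [13205]: NOTICE  [sshd] Ban 2001:db8::bad:2
2017-11-27 09:51:12,900 fail2ban.actions        [13205]: NOTICE  [sshd] Unban 2001:db8::bad:2
2017-11-27 09:52:30,333 fail2ban.actions        [13205]: NOTICE  [sshd] Ban 2001:db8::bad:3
"""
SAMPLE_RULES = """\
-N f2b-pure-ftpd
-A f2b-pure-ftpd -s 10.11.12.13/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-pure-ftpd -j RETURN
-N f2b-sshd
-A f2b-sshd -s 2001:db8::bad:1/128 -j REJECT --reject-with icmp6-port-unreachable
-A f2b-sshd -j RETURN
"""

def banned_from_log(log_text):
    """Return {jail: set of addresses} banned and not yet unbanned in the log."""
    banned = defaultdict(set)
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        jail, verb, raw = m.groups()
        ip = ipaddress.ip_address(raw)  # normalises the IPv6 spelling
        if verb == "Ban":
            banned[jail].add(ip)
        else:
            banned[jail].discard(ip)
    return banned

def blocked_in_firewall(rules_text):
    """Return {jail: set of addresses} for single-host rules in f2b-* chains."""
    blocked = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            if net.prefixlen == net.max_prefixlen:  # /32 or /128 only
                blocked[m.group(1)].add(net.network_address)
    return blocked

def missing_rules(log_text, rules_text):
    """List (jail, ip) pairs the log reports as banned but no rule blocks."""
    blocked = blocked_in_firewall(rules_text)
    return sorted((jail, str(ip))
                  for jail, ips in banned_from_log(log_text).items()
                  for ip in ips if ip not in blocked[jail])

if __name__ == "__main__":
    for jail, ip in missing_rules(SAMPLE_LOG, SAMPLE_RULES):
        print("banned in log but not in firewall: [%s] %s" % (jail, ip))
```

On a live host, pass the contents of /var/log/fail2ban.log and the concatenated output of iptables -S and ip6tables -S to missing_rules(); bans made before the log was last rotated are not seen.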

Updating

# cd /usr/local/fail2ban


# git pull


# python setup.py install


# /etc/init.d/fail2ban restart


And since your configuration lives in jail.local, you will of course not lose your custom settings.


Lol (talk) 30 December 2017 at 15:29 (UTC)