Fail2ban on CentOS or Amazon Linux AMI

From Wiki Hackstore

Description

  • Installing fail2ban on CentOS


Requirements

CentOS

Install the EPEL repo and then run:

yum install fail2ban

Amazon Linux AMI

Install the native package from the Amazon repo:

yum --disablerepo epel install fail2ban

Configuration

MediaWiki

Install the following extension in the MediaWiki extensions directory:

vi extensions/fail2banlog.php
<?php

$wgExtensionCredits['other'][] = array(
    'name' => 'fail2banlog',
    'author' => 'Laurent Chouraki',
    'url' => 'https://www.mediawiki.org/wiki/Extension:Fail2banlog',
    'description' => 'Writes a text file with IP of failed login as an input for the fail2ban software'
);

// Modified by Andrey N. Petrov <andreynpetrov@gmail.com> for Mediawiki versions from 1.27.0

$wgHooks['AuthManagerLoginAuthenticateAudit'][] = 'logBadLogin';

function logBadLogin( $response, $user, $username ) {
    global $fail2banfile;
    global $fail2banid;
    if ( $response->status == "PASS" ) return true; // Do not log success or password send request, continue to next hook
    $time = date( "Y-m-d H:i:s T" );
    $ip = $_SERVER['REMOTE_ADDR']; // wfGetIP() may yield different results for proxies

    // append a line to the log
    error_log( "$time Authentication error from $ip on $fail2banid\n", 3, $fail2banfile );
    return true; // continue to next hook
}

Enable the extension in LocalSettings.php:

$fail2banfile = "/var/log/MWf2b.log"; // the file fail2ban will read
$fail2banid = $wgSitename; // some info if you use the same file for many wikis
require_once( "$IP/extensions/fail2banlog.php" );


Create the log file and give apache write permission to it:

touch /var/log/MWf2b.log ; chown apache. /var/log/MWf2b.log


jail.conf

Add the following lines to the end of /etc/fail2ban/jail.conf:

[mediawiki]
enabled = true
filter = mediawiki
action = iptables-allports[name=mediawiki]
logpath = /var/log/MWf2b.log
maxretry = 3
bantime = 31536000


filter.d/mediawiki.conf

Create the file /etc/fail2ban/filter.d/mediawiki.conf with the following content:

[Definition]
failregex = Authentication error from <HOST> on .*

jail.d/mediawiki.conf

Create the file /etc/fail2ban/jail.d/mediawiki.conf with the following content. The log file is given with the logpath key, the only key fail2ban reads for it; the timeregex/timepattern keys come from older fail2ban releases and are ignored by 0.9 and later, which recognise the "Y-m-d H:i:s T" timestamp written by the extension with their default date patterns:

[mediawiki]
enabled = true
logpath = /var/log/MWf2b.log
port = http
timeregex = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{3}
timepattern = %%Y-%%m-%%d %%H:%%M:%%S %%Z

WordPress

Install the following plugin in WordPress:

https://br.wordpress.org/plugins/wp-fail2ban/


After installing the fail2ban RPM, configure the jails:

filter.d/wordpress.conf

Create the file /etc/fail2ban/filter.d/wordpress.conf with the following content:

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)

failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$

ignoreregex =

jail.d/wordpress.conf

Create the file /etc/fail2ban/jail.d/wordpress.conf with the following content:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/messages
port = http,https


Zimbra

jail.conf

Add the following lines to /etc/fail2ban/jail.conf. The sendmail[...] lines are indented so that fail2ban reads them as a continuation of the action value, and several recipients in dest are separated by spaces: the value is substituted unquoted into the sendmail action's shell command, so a ";" between addresses would be interpreted by the shell instead of reaching sendmail:

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/24
bantime = 6000000
findtime = 600
maxretry = 3
backend = auto
action = iptables[name=%(__name__)s, port=%(port)s]


[zimbra-account]
enabled = true
filter = zimbra2
action = iptables-allports[name=Zimbra-account]
         sendmail[name=FAIL2Ban, dest=contato@hackstore.com.br coffnix@hackstore.com.br]
logpath = /opt/zimbra/log/mailbox.log
bantime = 6000000
maxretry = 3

[zimbra-audit]
enabled = true
filter = zimbranovo
action = iptables-allports[name=Zimbra-audit]
         sendmail[name=Zimbra-audit, dest=contato@hackstore.com.br coffnix@hackstore.com.br]
logpath = /opt/zimbra/log/audit.log
bantime = 6000000
maxretry = 3


[postfix]
enabled = true
filter = postfix
action = iptables-allports[name=Postfix]
         sendmail[name=Postfix, dest=contato@hackstore.com.br coffnix@hackstore.com.br]
logpath = /var/log/maillog
bantime = 6000000
maxretry = 3

[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=sasl]
         sendmail[name=SASL, dest=contato@hackstore.com.br coffnix@hackstore.com.br]
logpath = /var/log/maillog
bantime = 6000000

[sasl2-iptables]
enabled = true
filter = sasl2
action = iptables-allports[name=sasl2]
         sendmail[name=SASL, dest=contato@hackstore.com.br coffnix@hackstore.com.br]
logpath = /var/log/maillog
bantime = 6000000

filter.d/zimbranovo.conf (Zimbra above 8.6)

Create the file /etc/fail2ban/filter.d/zimbranovo.conf with the following content:

[Definition]

failregex = .*;oip=<HOST>;.* security - cmd=Auth; .* error=authentication failed for .*;$

ignoreregex =


filter.d/zimbra.conf

Create the file /etc/fail2ban/filter.d/zimbra.conf with the following content:

[Definition]

failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$
            \[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

ignoreregex =


filter.d/zimbra2.conf

Create the file /etc/fail2ban/filter.d/zimbra2.conf with the following content:

[Definition]

failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

ignoreregex =


filter.d/zimbra-webmail.conf

Create the file /etc/fail2ban/filter.d/zimbra-webmail.conf with the following content. The pattern must carry <HOST> in the ip= field (a failregex without it is rejected by fail2ban) and the square brackets of the log line must be escaped, otherwise they are read as character classes:

[Definition]

failregex = WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;

ignoreregex =
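As an added check that is not part of this wiki page or of the fail2ban project, the Python example below emulates how fail2ban substitutes <HOST> in a failregex and runs the mediawiki and zimbranovo patterns above, plus the zimbra-webmail pattern corrected to carry <HOST> in the ip= field with escaped brackets, over constructed log lines. The host pattern is the 0.9-era IPv4/hostname form of the substitution, and the sample lines, addresses and the site name Hackstore are assumptions.

```python
import re
from collections import Counter

# fail2ban swaps <HOST> for a named group before compiling; 0.9-era IPv4/hostname form.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# mediawiki and zimbranovo as written on this page; zimbra-webmail corrected
# (<HOST> inside the ip= field, brackets escaped).
FILTERS = {
    "mediawiki": [r"Authentication error from <HOST> on .*"],
    "zimbranovo": [r".*;oip=<HOST>;.* security - cmd=Auth; .* "
                   r"error=authentication failed for .*;$"],
    "zimbra-webmail": [r"WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; "
                       r"account=.*; protocol=.*; error=.*, invalid password;"],
}

# Constructed sample lines: the MediaWiki ones follow the error_log() format of
# extensions/fail2banlog.php, the Zimbra ones mimic mailbox.log entries.
MEDIAWIKI_LOG = [
    "2024-05-01 10:15:22 UTC Authentication error from 203.0.113.7 on Hackstore",
    "2024-05-01 10:15:30 UTC Authentication error from 203.0.113.7 on Hackstore",
    "2024-05-01 10:15:41 UTC Authentication error from 198.51.100.9 on Hackstore",
    "2024-05-01 10:15:55 UTC Authentication error from 203.0.113.7 on Hackstore",
]
ZIMBRA_LOG = [
    "2024-05-01 10:16:03,412 INFO [qtp-1] [name=bob;oip=198.51.100.9;ua=zclient/8.8;] security"
    " - cmd=Auth; account=bob; protocol=soap; error=authentication failed for bob, invalid password;",
    "2024-05-01 10:17:45,001 WARN [qtp-2] [name=admin;ip=192.0.2.44;ua=ZimbraWebClient;] security"
    " - cmd=Auth; account=admin; protocol=soap; error=authentication failed for admin, invalid password;",
    # successful login carries no error= field, so no pattern may match it
    "2024-05-01 10:18:00,000 INFO [qtp-3] [name=bob;oip=198.51.100.9;] security - cmd=Auth;"
    " account=bob; protocol=soap;",
]

def matched_hosts(name, lines):
    """Host captured from each line that any failregex of filter `name` hits."""
    regexes = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FILTERS[name]]
    hits = []
    for line in lines:
        for rx in regexes:  # fail2ban uses search(), not match()
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break  # at most one failure is counted per line
    return hits

def ban_candidates(hosts, maxretry):
    """Hosts whose failure count reaches maxretry (findtime window ignored)."""
    return sorted(h for h, n in Counter(hosts).items() if n >= maxretry)
```

On a live host, fail2ban-regex /var/log/MWf2b.log /etc/fail2ban/filter.d/mediawiki.conf performs the same check against the real log and the real filter file.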


filter.d/postfix.conf

Create the file /etc/fail2ban/filter.d/postfix.conf with the following content:

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

ignoreregex = 

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

filter.d/sasl.conf

Create the file /etc/fail2ban/filter.d/sasl.conf with the following content:

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]


failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

ignoreregex =


filter.d/sasl2.conf

Create the file /etc/fail2ban/filter.d/sasl2.conf with the following content:

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$


ignoreregex=


Usage

Start the fail2ban service:

/etc/init.d/fail2ban start


Enable it at boot:

chkconfig fail2ban on


Check /var/log/messages.

To remove an IP from the banned list:

fail2ban-client set wordpress unbanip 177.162.150.158


To list the jails:

fail2ban-client status

To see the IPs banned in a specific jail:

fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 5
   |- Total banned:     5
   `- Banned IP list:   131.255.141.230 131.255.141.231 212.237.26.191 80.211.183.242 95.181.178.182