More security with fail2ban

From the Laub-Home.de Wiki

Fail2Ban

This small program can be configured to detect an attacker who tries to log in without knowing the password. By default, fail2ban then blocks access for the attacking system for 10 minutes by means of a firewall rule (iptables).

Installation

Debian/Ubuntu Linux

aptitude install fail2ban

Configuration

All user-specific changes are made in the following file; its settings override those in jail.conf:
/etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 3600
maxretry = 3

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = mymail@mydomain.de

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
#action = %(action_)s
action = %(action_mw)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local


[ssh]

enabled = false
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

Configuration for SSH

Add the following to the file:
/etc/fail2ban/jail.local

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

[ssh-ddos]

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

Configuration for Pure-FTPd

Add the following to the file:
/etc/fail2ban/jail.local

#
# FTP servers
#

[pure-ftpd]

enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/messages
maxretry = 3

/etc/fail2ban/filter.d/pure-ftpd.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd
#
# $Revision: 3$
#

[Definition]

# Error message specified in multiple languages
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)

#
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Configuration for Apache HTTPd

/etc/fail2ban/jail.local

#
# HTTP servers
#

[apache]

enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = true
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = true
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 5

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*access.log
maxretry = 3

[apache-404block]
enabled = true
port = http,https
filter = apache-404block
logpath = /var/log/apache*/*access.log
maxretry = 5

/etc/fail2ban/filter.d/apache-auth.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 569 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch
            [[]client <HOST>[]] (Digest: )?user .* (authentication failure|not found|password mismatch)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/etc/fail2ban/filter.d/apache-nohome.conf

# Fail2Ban configuration file
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 716 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match failures to find a home directory on a server, which
#          became popular last days. Most often attacker just uses IP instead of
#          domain name -- so expect to see them in generic error.log if you have
#          per-domain log files.
# Values:  TEXT
#
#failregex = [[]client <HOST>[]] File does not exist: .*/~.*
failregex = [[]client <HOST>[]] File does not exist:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/etc/fail2ban/filter.d/apache-404block.conf

[Definition]
failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$
ignoreregex =

Caution: if the following error message appears on startup:

fail2ban.filter : ERROR  No 'host' group in '- - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$'

then <HOST> is missing at the beginning of the failregex parameter. It must look like the version shown above (apache-404block.conf)!

Configuration for Dovecot POP3 & IMAP

Caution: for Dovecot 1.1 and older, logging must be switched to syslog in dovecot.conf. To do this, simply leave log_path = empty (enter nothing after it).
/etc/fail2ban/jail.local

[dovecot-pop3imap]

enabled = true
filter = dovecot-pop3imap
port = imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log
maxretry = 5

/etc/fail2ban/filter.d/dovecot-pop3imap.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Postfix SASL configuration

/etc/fail2ban/filter.d/sasl.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Default
#failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
# Debian Lenny
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/etc/fail2ban/jail.local

[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log

Testing a regex

fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
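As an added example (not code from this wiki page or from fail2ban itself), the following Python snippet does offline what fail2ban-regex does against a log file: it expands the <HOST> tag to the alias quoted in the filter comments above, runs three of the page's failregex patterns over constructed sample log lines, and reports the captured host. It also reproduces the "No 'host' group" check behind the apache-404block startup error described above.

```python
import re

# Added example, not from the wiki page or fail2ban: apply failregex patterns the way
# fail2ban does, expanding <HOST> to its documented alias and reading the "host" group.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex lines copied from the filters shown on this page
FILTERS = {
    "apache-auth": r"[[]client <HOST>[]] (Digest: )?user .* (authentication failure|not found|password mismatch)",
    "apache-404block": r'<HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$',
    "sasl": r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}

# Constructed sample log lines (not real captures) in the format each filter expects.
SAMPLE_LINES = {
    "apache-auth": [
        '[Sun Mar 01 10:00:01 2009] [error] [client 10.10.10.1] user bob: authentication failure for "/secret": Password Mismatch',
        "[Sun Mar 01 10:00:02 2009] [error] [client ::ffff:10.10.10.3] user alice not found: /secret",
        "[Sun Mar 01 10:00:03 2009] [error] [client 10.10.10.4] File does not exist: /var/www/favicon.ico",
    ],
    "apache-404block": [
        '192.0.2.7 - - [01/Mar/2009:10:00:04 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 318 "-" "Mozilla"',
        '192.0.2.8 - - [01/Mar/2009:10:00:05 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"',
    ],
    "sasl": [
        "Mar  1 10:00:06 mx postfix/smtpd[1234]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed",
    ],
}

def expand_host(pattern):
    """Replace the <HOST> tag with the alias fail2ban documents for it."""
    return pattern.replace("<HOST>", HOST_ALIAS)

def has_host_group(pattern):
    """False when <HOST> is missing: the cause of the "No 'host' group" startup error above."""
    return "host" in re.compile(expand_host(pattern)).groupindex

def match_hosts(pattern, lines):
    """Return the address captured from every line the failregex matches (one maxretry hit each)."""
    if not has_host_group(pattern):
        raise ValueError("No 'host' group in %r" % pattern)
    regex = re.compile(expand_host(pattern))
    return [m.group("host") for m in map(regex.search, lines) if m]

if __name__ == "__main__":
    for name, pattern in FILTERS.items():
        print(name, match_hosts(pattern, SAMPLE_LINES[name]))
```

Note that the alias strips an IPv4-mapped ::ffff: prefix, so the second apache-auth line is counted against 10.10.10.3 rather than a separate ::ffff:10.10.10.3 entry.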

Unbanning an IP

If you have locked yourself out of the server yet again, you can simply delete the iptables rule (chain name and rule position) with the following command:

iptables --delete RULENAME POSITION

A short example:

iptables --list
....
Chain fail2ban-apache-nohome (1 references)
target     prot opt source               destination
DROP       all  --  10.10.10.1     anywhere
RETURN     all  --  anywhere             anywhere
....

To unban the IP 10.10.10.1, the command would look like this:

iptables --delete fail2ban-apache-nohome 1
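Deleting position 1 is only right when the address to unban happens to be the first DROP rule in the chain. As an added example (not part of the original page), this Python helper reads an "iptables -L CHAIN -n --line-numbers" listing (a constructed sample here; chain name and addresses are made up) and builds the delete command for a given address:

```python
# Added example, not from the wiki page: find the fail2ban DROP rule for one address in
# a numbered iptables listing and build the matching "iptables --delete CHAIN N" command.

# Constructed listing (not a real capture) with two banned addresses in the chain.
SAMPLE_LISTING = """\
Chain fail2ban-apache-nohome (1 references)
num  target     prot opt source               destination
1    DROP       all  --  10.10.10.1           0.0.0.0/0
2    DROP       all  --  192.0.2.77           0.0.0.0/0
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

def drop_rule_number(listing, ip):
    """Return the rule number of the DROP rule whose source is ip, or None if ip is not banned."""
    for line in listing.splitlines():
        fields = line.split()
        # columns with --line-numbers: num target prot opt source destination
        if len(fields) >= 5 and fields[0].isdigit() and fields[1] == "DROP" and fields[4] == ip:
            return int(fields[0])
    return None

def unban_command(chain, ip, listing):
    """Build the delete command for ip in chain; refuse to guess when ip is not banned there."""
    num = drop_rule_number(listing, ip)
    if num is None:
        raise LookupError("no DROP rule for %s in chain %s" % (ip, chain))
    return "iptables --delete %s %d" % (chain, num)

if __name__ == "__main__":
    # Live use (as root): pass the real listing instead, e.g. the output of
    # subprocess.check_output(["iptables", "-L", "fail2ban-apache-nohome", "-n", "--line-numbers"], text=True)
    print(unban_command("fail2ban-apache-nohome", "192.0.2.77", SAMPLE_LISTING))
```

Removing the rule by hand leaves fail2ban's own ban list untouched; newer fail2ban versions provide "fail2ban-client set JAIL unbanip IP", which drops the rule and updates that list in one step.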

Sources