Fail2Ban is a script that parses the system logs and runs actions based on what it has been told to look for in those logs.
For example: too many failed SSH login attempts ⇒ the IP address is banned for a certain time.
On Debian, nothing could be simpler, as usual:
aptitude install fail2ban
The main config file is here: /etc/fail2ban/fail2ban.conf
Another file configures which rules (jails) are enabled: /etc/fail2ban/jail.conf
All filters live in /etc/fail2ban/filter.d/
All actions live in /etc/fail2ban/action.d/
More rules can be found over there ⇒ http://j2c.org/informatique/linux/fail2ban.php
Checking a filter
fail2ban-regex lets you run a filter against a real log file and see what it would match:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-404.conf | less
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-404.conf
Use log file   : /var/log/apache2/error.log

Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] File does not exist: .*
|
`- Number of matches:
   [1] 652 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    50.17.179.154 (Sun Sep 30 19:23:01 2012)
    200.58.71.91 (Mon Oct 01 05:29:33 2012)
    200.58.71.91 (Mon Oct 01 05:29:34 2012)
    200.58.71.91 (Mon Oct 01 05:29:34 2012)
    200.58.71.91 (Mon Oct 01 05:29:35 2012)
    200.58.71.91 (Mon Oct 01 05:29:35 2012)
    200.58.71.91 (Mon Oct 01 05:29:36 2012)
    200.58.71.91 (Mon Oct 01 05:29:37 2012)
    200.58.71.91 (Mon Oct 01 05:29:38 2012)
    <==--- truncated ---==>
    192.31.21.179 (Tue Oct 02 02:51:40 2012)
    192.31.21.179 (Tue Oct 02 05:01:36 2012)
    192.31.21.179 (Tue Oct 02 07:24:32 2012)

Date template hits:
1326 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 652

However, look at the above section 'Running tests' which could contain important information.