Fail2Ban is a script that parses the system logs and executes actions depending on what it has been told to look for in those logs.
For example: too many failed SSH login attempts ⇒ the IP address is banned for a certain amount of time.
On Debian, nothing could be simpler, as usual:
aptitude install fail2ban
The main configuration file is: /etc/fail2ban/fail2ban.conf
A separate file controls which rules (jails) are enabled: /etc/fail2ban/jail.conf
All the filters live in /etc/fail2ban/filter.d/
All the actions live in /etc/fail2ban/action.d/
Other rules can be found over here ⇒ http://j2c.org/informatique/linux/fail2ban.php
And more rules over there ⇒ http://forums.ovh.com/showpost.php?p=269688&postcount=14
To test a filter against a log file:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-404.conf | less
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-404.conf
Use log file   : /var/log/apache2/error.log

Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] File does not exist: .*
|
`- Number of matches:
   [1] 652 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    50.17.179.154 (Sun Sep 30 19:23:01 2012)
    200.58.71.91 (Mon Oct 01 05:29:33 2012)
    200.58.71.91 (Mon Oct 01 05:29:34 2012)
    200.58.71.91 (Mon Oct 01 05:29:34 2012)
    200.58.71.91 (Mon Oct 01 05:29:35 2012)
    200.58.71.91 (Mon Oct 01 05:29:35 2012)
    200.58.71.91 (Mon Oct 01 05:29:36 2012)
    200.58.71.91 (Mon Oct 01 05:29:37 2012)
    200.58.71.91 (Mon Oct 01 05:29:38 2012)
    <==--- truncated ---==>
    192.31.21.179 (Tue Oct 02 02:51:40 2012)
    192.31.21.179 (Tue Oct 02 05:01:36 2012)
    192.31.21.179 (Tue Oct 02 07:24:32 2012)

Date template hits:
1326 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 652

However, look at the above section 'Running tests' which could contain important
information.
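To make concrete what fail2ban-regex is counting above, and how a jail turns those matches into a ban, here is an added Python example (not part of the original page and not Fail2Ban's own code). It applies the apache-404 style failregex to a few constructed Apache error_log lines, then replays Fail2Ban's sliding-window rule: a host is banned once it has at least maxretry matches inside any findtime-second window. The values maxretry=3 and findtime=600 are assumptions for the example, not necessarily those in your jail.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache 2.2 error_log line shape, as in the fail2ban-regex run above.
# In a real filter, <HOST> is expanded by Fail2Ban to a host-matching group;
# here it is written out as a named IPv4 group (assumption: IPv4 only).
FAILREGEX = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})\] File does not exist: .*"
)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
[Sun Sep 30 19:23:01 2012] [error] [client 50.17.179.154] File does not exist: /var/www/favicon.ico
[Mon Oct 01 05:29:33 2012] [error] [client 200.58.71.91] File does not exist: /var/www/phpmyadmin
[Mon Oct 01 05:29:34 2012] [error] [client 200.58.71.91] File does not exist: /var/www/pma
[Mon Oct 01 05:29:34 2012] [error] [client 200.58.71.91] File does not exist: /var/www/myadmin
[Mon Oct 01 05:29:35 2012] [error] [client 200.58.71.91] File does not exist: /var/www/admin
[Mon Oct 01 05:29:36 2012] [error] [client 200.58.71.91] File does not exist: /var/www/mysql
[Mon Oct 01 05:29:36 2012] [error] [client 200.58.71.91] File does not exist: /var/www/sql
[Tue Oct 02 02:51:40 2012] [error] [client 192.31.21.179] File does not exist: /var/www/robots.txt
[Tue Oct 02 02:51:41 2012] [notice] caught SIGTERM, shutting down
"""


def parse_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches.
    The number of tuples is what fail2ban-regex reports as 'match(es)'."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Return, in order of first offence, the hosts a jail with these
    maxretry/findtime settings would ban (assumed values, see lead-in)."""
    banned = []
    window = defaultdict(deque)  # per-host timestamps inside the findtime window
    for ts, host in sorted(parse_failures(log_text)):
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire old failures
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```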
To list the active jails:
# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           ssh
To see the contents of a jail:
# fail2ban-client status ssh
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     7
`- action
   |- Currently banned: 1
   |  `- IP list:       91.121.40.63
   `- Total banned:     1
Or directly with iptables:
# iptables-save
# Generated by iptables-save v1.4.14 on Tue Jun 24 16:08:30 2014
*filter
:INPUT ACCEPT [668:59799]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [562:87424]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 91.121.40.63/32 -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue Jun 24 16:08:30 2014
To unban an address:
iptables -D fail2ban-ssh -s 91.121.40.63/32 -j DROP