Fail2ban : mise en place de règles automatisées iptables pour contrer les attaques par bruteforce
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.
aptitude install fail2ban
You may want to add your own rules. Here are examples.
I want to block bruteforce on my Wordpress installation. Unfortunately Wordpress do not return 403 errors when an authentication fails. So we have to
Add this in your jail.conf to check access and error log files:
Here is the filder for access. It's a regex to catch the IP address in the log file:
# WordPress brute force auth filter # # Block IPs trying to auth wp wordpress # [Definition] failregex = ^<HOST> -.*"POST.*(wp-login|xmlrpc)\.php ignoreregex =
And for access:
# WordPress brute force auth filter # # Block IPs trying to auth wp wordpress # [Definition] failregex = ^.*client: <HOST>,.*"POST.*(wp-login|xmlrpc)\.php ignoreregex =
3.2 Validate filers and configuration
You can validate the configuration of your filters like this:
fail2ban-regex <logfile> <fail2ban rule to test>
4.1 Unban someone
This solution is to ask to iptables to unban an IP. But Fail2ban won't be aware of that and will still thinking that the attacker is blocked if you do not use the solution one, until the maximum blocking retention time will be reached.
Get the current chains list:
> iptables -L | grep ^Chain Chain INPUT (policy ACCEPT) Chain FORWARD (policy ACCEPT) Chain OUTPUT (policy ACCEPT) Chain fail2ban-nginx-naxsi (2 references) Chain fail2ban-ssh (1 references)
If you do not know on which chain, your IP has been blocked, remove the grep command.
Then ask to iptables to see the current blocks IPs on a specific chain:
Now I want to remove the second line:
iptables -D fail2ban-nginx-naxsi 2
To finish, inform fail2ban to unban someone:
fail2ban-client get nginx-naxsi actionunban 18.104.22.168
Modify nginx-naxsi by the name of the fail2ban jail name.