Fail2ban: setting up automated iptables rules to counter brute-force attacks
1 Introduction
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Fail2ban is generally used to update firewall rules so that the offending IP addresses are rejected for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box Fail2ban ships filters for various services (apache, courier, ssh, etc.).
Fail2ban reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents: an attacker with many source addresses, or one who stays under maxretry, is not slowed down much. If you really want to protect a service, configure it to use only two-factor or public-key authentication.
2 Installation
aptitude install fail2ban
3 Configuration
You may want to add your own rules. Here are examples.
3.1 Wordpress
I want to block brute-force attempts on my WordPress installation. Unfortunately WordPress does not return a 403 error when an authentication fails. So we have to
3.1.1 Jail
Add this to your jail.conf so that both the access and the error log files are checked:
3.1.2 Filters
Here is the filter for the access log. Its failregex is a regular expression that captures the client IP address from each matching log line:
And for the error log:
3.2 Validate filters and configuration
Before enabling a jail, check that your failregex matches the lines you expect (and nothing else) by running it over a real log file:
fail2ban-regex <logfile> <failregex or filter file to test>
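The jail and filter snippets of this section were lost in extraction, so the following is an added example and not the page's own configuration: it re-implements, in a few lines of Python, what fail2ban-regex and a jail do with a WordPress access-log filter, so that the whole chain (failregex, <HOST> capture, maxretry within findtime) can be tried offline. The jail section, the filter file, and the log lines are all constructed for this example; the `<HOST>` expansion is the one used by fail2ban 0.8/0.9 (newer releases use a richer pattern); and the filter relies on a default WordPress install answering a failed login with HTTP 200 while a successful one redirects with 302, which is why the status code rather than a 403 is what the regex keys on.

```python
"""Added example (not part of the original page): a minimal replay of a
fail2ban jail and filter over constructed WordPress access-log lines.

Assumptions: filter/jail contents below, the fail2ban 0.8/0.9 <HOST>
expansion, and WordPress answering failed logins with 200 and successful
ones with 302.  No real fail2ban or log file is touched.
"""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed /etc/fail2ban/filter.d/wordpress.conf.  A failed WordPress login
# is re-rendered with HTTP 200 (a success redirects with 302), so the status
# code, not a 403, is what separates failures from successes.
FILTER_CONF = """
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php[^"]*" 200
ignoreregex =
"""

# Assumed jail.conf section: 5 failures within 600 s bans for one hour.
JAIL_CONF = """
[wordpress]
enabled  = true
port     = http,https
filter   = wordpress
logpath  = /var/log/apache2/*access.log
maxretry = 5
findtime = 600
bantime  = 3600
"""

# Constructed sample log (Apache combined format, documentation addresses).
# 203.0.113.7 fails five times in 34 s; 192.0.2.9 fails every 15 minutes,
# which never reaches maxretry inside one findtime window.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2013:13:30:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:13:45:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:36 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:40 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2013:13:55:41 +0200] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:45 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2013:13:55:52 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:10 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:00:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Expansion fail2ban 0.8/0.9 substitutes for the <HOST> tag: an optional
# IPv4-mapped IPv6 prefix, then the host token captured as group "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
LOG_TIME = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(filter_text):
    """Read the failregex lines of a filter.d file and expand <HOST>."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    raw = cp["Definition"]["failregex"]
    return [re.compile(line.strip().replace("<HOST>", HOST_TAG))
            for line in raw.splitlines() if line.strip()]


def match_line(patterns, line):
    """Return (host, timestamp) when a line matches a failregex, else None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            stamp = LOG_TIME.search(line).group(1)
            return m.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return None


def find_bans(jail_text, filter_text, lines):
    """Replay log lines through the jail; return the hosts it would ban."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    jail = cp["wordpress"]
    maxretry = jail.getint("maxretry")
    findtime = timedelta(seconds=jail.getint("findtime"))
    patterns = compile_failregex(filter_text)

    recent = defaultdict(deque)   # host -> failure timestamps inside findtime
    banned = []
    for line in lines:
        hit = match_line(patterns, line)
        if hit is None:
            continue
        host, when = hit
        window = recent[host]
        window.append(when)
        while window and when - window[0] > findtime:   # forget old failures
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", find_bans(JAIL_CONF, FILTER_CONF, SAMPLE_LOG.splitlines()))
```

Against a live server the equivalent check is `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf`, which prints how many lines matched and which hosts were extracted; if the GET or the 302 line above were counted, the regex would also ban legitimate users who simply open the login page.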
4 Usage
4.1 Unban someone
This solution asks iptables directly to unban an IP. Fail2ban is not aware of that on its own and keeps considering the attacker banned until the bantime expires, so the last step below, telling fail2ban about it, must not be skipped.
Get the current chains list:
> iptables -L | grep ^Chain
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain fail2ban-nginx-naxsi (2 references)
Chain fail2ban-ssh (1 references)
If you do not know in which chain your IP has been blocked, drop the grep command to see the full listing.
Then ask iptables to list the IPs currently blocked in that specific chain:
Now I want to remove the second rule of the chain:
iptables -D fail2ban-nginx-naxsi 2
To finish, tell fail2ban to unban the IP so that it drops its ban ticket (the `get <jail> actionunban` command only prints the jail's unban command, it does not run it):
fail2ban-client set nginx-naxsi unbanip 222.2.5.210
Replace nginx-naxsi with the name of your fail2ban jail. Note that `set <jail> unbanip` runs the jail's own unban action, which removes the iptables rule itself; if you already deleted the rule by hand, fail2ban's `iptables -D` simply fails and logs an error, but the IP is unbanned either way.
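Deleting a rule by its position, as in the procedure above, is fragile: positions shift as soon as a rule above is removed, and fail2ban inserts every new ban at position 1 of its chain, so a ban that lands between your `iptables -L` and your `iptables -D` makes you delete the wrong rule. The following added example (not from the page) reads a listing in the format of `iptables -L <chain> -n --line-numbers` (`-n` avoids reverse DNS lookups, `--line-numbers` shows the positions), locates the rule by its source address, and builds the two commands to run, deleting by rule specification instead of by number. The listing is a constructed sample; the chain and jail names are the ones used on this page, the other addresses are documentation ranges.

```python
"""Added example, not taken from the page: find the rule fail2ban inserted
for one IP by its source address rather than by counting lines, then build
the commands that remove it and tell fail2ban about it.

SAMPLE_LISTING is a constructed sample in the format printed by
`iptables -L <chain> -n --line-numbers`.
"""

SAMPLE_LISTING = """\
Chain fail2ban-nginx-naxsi (2 references)
num  target     prot opt source               destination
1    DROP       all  --  203.0.113.7          0.0.0.0/0
2    DROP       all  --  222.2.5.210          0.0.0.0/0
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_chain(listing):
    """Return (chain, rules) where rules is a list of (num, target, source)."""
    lines = [line for line in listing.splitlines() if line.strip()]
    chain = lines[0].split()[1]            # "Chain fail2ban-nginx-naxsi (...)"
    rules = []
    for line in lines[2:]:                 # skip the "Chain" and header lines
        num, target, _prot, _opt, source, _dst = line.split()[:6]
        rules.append((int(num), target, source))
    return chain, rules


def find_ban_rules(listing, ip):
    """Rule numbers and targets whose source is exactly this IP.

    The trailing RETURN rule fail2ban appends to its chain is never a ban,
    so it is excluded even though its source (0.0.0.0/0) matches anything.
    """
    chain, rules = parse_chain(listing)
    hits = [(num, target) for num, target, source in rules
            if source == ip and target != "RETURN"]
    return chain, hits


def unban_commands(listing, jail, ip):
    """Commands to run, in order, to unban `ip` from `jail`.

    The iptables rule is deleted by its specification (-s/-j) rather than by
    number: the specification stays valid however the chain is reordered.
    """
    chain, hits = find_ban_rules(listing, ip)
    if not hits:
        raise LookupError(f"{ip} is not banned in chain {chain}")
    cmds = [f"iptables -D {chain} -s {ip} -j {target}" for _num, target in hits]
    # fail2ban 0.8.8 and later: drop the ban ticket so the jail stops
    # reporting the IP as banned and does not re-apply the rule.
    cmds.append(f"fail2ban-client set {jail} unbanip {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in unban_commands(SAMPLE_LISTING, "nginx-naxsi", "222.2.5.210"):
        print(cmd)
```

In practice the second command alone is enough, since fail2ban's unban action issues the `iptables -D` itself; the first one is only useful when the fail2ban service is down or its state is out of sync with the firewall.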