Fail2ban: setting up automated iptables rules to counter brute-force attacks

From Deimos.fr / Bloc Notes Informatique

1 Introduction

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.

2 Installation

Command aptitude
aptitude install fail2ban

3 Configuration

You may want to add your own rules. Here are examples.

3.1 Wordpress

I want to block brute force on my Wordpress installation. Unfortunately Wordpress does not return 403 errors when an authentication fails. So we have to

3.1.1 Jail

Add this in your jail.conf to check access and error log files:

Configuration File /etc/fail2ban/jail.conf
[wp-auth-errors]
 
enabled = true
port = http,https
filter = wp-auth-error
logpath = /var/log/nginx/*error*.log
bantime = 3600
maxretry = 6
 
[wp-auth-access]
 
enabled = true
port = http,https
filter = wp-auth-access
logpath = /var/log/nginx/*access*.log
bantime = 3600
maxretry = 6

3.1.2 Filters

Here is the filter for the access log. It is a regex that captures the IP address from each log line:

Configuration File /etc/fail2ban/filter.d/wp-auth-access.conf
# WordPress brute force auth filter
#
# Block IPs trying to auth wp wordpress
#
[Definition]
failregex = ^<HOST> -.*"POST.*(wp-login|xmlrpc)\.php
ignoreregex =

And for the error log (this is the wp-auth-error filter referenced by the jail above):

Configuration File /etc/fail2ban/filter.d/wp-auth-error.conf
# WordPress brute force auth filter
#
# Block IPs trying to auth wp wordpress
#
[Definition]
failregex = ^.*client: <HOST>,.*"POST.*(wp-login|xmlrpc)\.php
ignoreregex =

3.2 Validate filters and configuration

You can validate the configuration of your filters like this:

Command fail2ban-regex
fail2ban-regex <logfile> <fail2ban rule to test>
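As an added example (not part of the original page or of fail2ban itself), the script below replays the two WordPress failregexes from section 3.1.2 over constructed nginx access and error log lines and applies the jail's maxretry of 6, which is what fail2ban-regex lets you check offline. The <HOST> expansion and the sample log lines are assumptions of this example.

```python
import re

# fail2ban expands the <HOST> tag into a named capture group before compiling the
# failregex; this is a simplified form of that group (an assumption of this example).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

FILTERS = {
    # failregex from wp-auth-access.conf (nginx access log)
    "wp-auth-access": r'^<HOST> -.*"POST.*(wp-login|xmlrpc)\.php',
    # failregex from wp-auth-error.conf (nginx error log)
    "wp-auth-error": r'^.*client: <HOST>,.*"POST.*(wp-login|xmlrpc)\.php',
}

# Constructed sample log lines (not real traffic). All of them are assumed to fall
# inside one findtime window, so the raw count is what maxretry is compared against.
ACCESS_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"'
    for s in range(6)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2051 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.88"',
]
ERROR_LOG = [
    '2023/10/10 13:55:36 [error] 1234#0: *1 FastCGI sent in stderr: "PHP message: login failed" '
    'while reading response header from upstream, client: 203.0.113.5, server: example.com, '
    'request: "POST /wp-login.php HTTP/1.1", host: "example.com"',
    '2023/10/10 13:55:40 [error] 1234#0: *2 open() "/var/www/favicon.ico" failed (2: No such file), '
    'client: 198.51.100.7, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"',
]

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def match_hosts(failregex, lines):
    """Count matching lines per host, the way fail2ban tallies failures per IP."""
    rx = compile_failregex(failregex)
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts

def hosts_to_ban(failregex, lines, maxretry=6):
    """Hosts whose failure count reaches the jail's maxretry (6 in the page's jail.conf)."""
    return sorted(h for h, n in match_hosts(failregex, lines).items() if n >= maxretry)
```

Note that the access-log filter counts every POST to wp-login.php or xmlrpc.php, successful logins included, so a legitimate user or an XML-RPC client can reach maxretry just as an attacker does; the error-log filter only fires on lines nginx logged as errors, and ignoreip in jail.conf can exempt known addresses.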

4 Usage

4.1 Unban someone

This solution asks iptables directly to unban an IP. Fail2ban won't be aware of that and will still consider the attacker blocked until the ban time expires, unless you also inform it (last step below).

Get the current chains list:

Command iptables
> iptables -L | grep ^Chain
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain fail2ban-nginx-naxsi (2 references)
Chain fail2ban-ssh (1 references)

If you do not know on which chain your IP has been blocked, remove the grep command.

Then ask iptables to list the currently blocked IPs on a specific chain:

Command iptables
> iptables -L fail2ban-nginx-naxsi -v -n --line-numbers
Chain fail2ban-nginx-naxsi (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      315 75198 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2       16  1704 DROP       all  --  *      *       222.2.5.210          0.0.0.0/0

Now I want to remove the second line:

Command iptables
iptables -D fail2ban-nginx-naxsi 2

To finish, inform fail2ban to unban someone:

Command fail2ban-client
fail2ban-client set nginx-naxsi unbanip 222.2.5.210

Replace nginx-naxsi with the name of your fail2ban jail.

5 Resources

Documentation Fail2ban