Fail2ban v0.11.x avec support IPv6 sur Debian Stretch

De Le Wiki de debian-fr.xyz
Aller à : navigation, rechercher

Nous allons ici installer fail2ban 0.11.x qui contrairement à la version 0.9.x des dépôts Stretch de Debian prend en charge le bannissement IPv6...


 ATTENTION : Ce tuto s'adresse à des personnes expérimentées.
Pour rappel il n'est pas conseillé de sortir des dépôts officiels Debian. Les manipulations décrites ci-dessous sont donc sous votre seule et unique responsabilité.


Surpression fail2ban

# apt-cache policy fail2ban

fail2ban:
  Installé : 0.9.6-2
  Candidat : 0.9.6-2
 Table de version :
 *** 0.9.6-2 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status
     0.8.13-1 500
        500 http://deb.debian.org/debian jessie/main amd64 Packages


# apt remove --purge fail2ban


# rm -rf /etc/fail2ban


Installation fail2ban from GIT

Prérequis

# apt install python python-dnspython python-pyinotify gamin


Installation

# cd /usr/local/


# git clone https://github.com/fail2ban/fail2ban.git

Clonage dans 'fail2ban'...
remote: Counting objects: 32232, done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 32232 (delta 22), reused 23 (delta 13), pack-reused 32183
Réception d'objets: 100% (32232/32232), 8.91 MiB | 1.21 MiB/s, fait.
Résolution des deltas: 100% (23680/23680), fait.

# cd fail2ban


# python setup.py install

running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/fail2ban
copying fail2ban/setup.py -> build/lib.linux-x86_64-2.7/fail2ban
...
Creating build/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> /usr/local/bin
creating fail2ban-python binding -> /usr/local/bin
changing mode of /usr/local/bin/fail2ban-client to 755
changing mode of /usr/local/bin/fail2ban-regex to 755
changing mode of /usr/local/bin/fail2ban-server to 755
changing mode of /usr/local/bin/fail2ban-testcases to 755

Please do not forget to update your configuration files.
They are in "/etc/fail2ban/".

You can also install systemd service-unit file from "build/fail2ban.service"
resp. corresponding init script from "files/*-initd".

Vérification

# fail2ban-client -h

Usage: fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v0.11.0.dev0 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
    -c <DIR>                configuration directory
    -s <FILE>               socket path
    -p <FILE>               pidfile path
    --loglevel <LEVEL>      logging level
    --logtarget <FILE>|STDOUT|STDERR|SYSLOG
    --syslogsocket auto|<FILE>
    -d                      dump configuration. For debugging
    --dp, --dump-pretty     dump the configuration using more human readable representation
    -t, --test              test configuration (can be also specified with start parameters)
    -i                      interactive mode
    -v                      increase verbosity
    -q                      decrease verbosity
    -x                      force execution of the server (remove socket file)
    -b                      start server in background (default)
    -f                      start server in foreground
    --async                 start server in async mode (for internal usage only, don't read configuration)
    --timeout               timeout to wait for the server (for internal usage only, don't read configuration)
    --str2sec <STRING>      convert time abbreviation format to seconds
    -h, --help              display this help message
    -V, --version           print the version

Command:
                                             BASIC
    start                                    starts the server and the jails
    restart                                  restarts the server
    restart [--unban] [--if-exists] <JAIL>   restarts the jail <JAIL> (alias
                                             for 'reload --restart ... <JAIL>')
    reload [--restart] [--unban] [--all]     reloads the configuration without
                                             restarting of the server, the
                                             option '--restart' activates
                                             completely restarting of affected
                                             jails, thereby can unban IP
                                             addresses (if option '--unban'
                                             specified)
    reload [--restart] [--unban] [--if-exists] <JAIL>
                                             reloads the jail <JAIL>, or
                                             restarts it (if option '--restart'
                                             specified)
    stop                                     stops all jails and terminate the
                                             server
    unban --all                              unbans all IP addresses (in all
                                             jails and database)
    unban <IP> ... <IP>                      unbans <IP> (in all jails and
                                             database)
    status                                   gets the current status of the
                                             server
    ping                                     tests if the server is alive
    echo                                     for internal usage, returns back
                                             and outputs a given string
    help                                     return this output
    version                                  return the server version

                                             LOGGING
    set loglevel <LEVEL>                     sets logging level to <LEVEL>.
                                             Levels: CRITICAL, ERROR, WARNING,
                                             NOTICE, INFO, DEBUG, TRACEDEBUG,
                                             HEAVYDEBUG or corresponding
                                             numeric value (50-5)
    get loglevel                             gets the logging level
    set logtarget <TARGET>                   sets logging target to <TARGET>.
                                             Can be STDOUT, STDERR, SYSLOG or a
                                             file
    get logtarget                            gets logging target
    set syslogsocket auto|<SOCKET>           sets the syslog socket path to
                                             auto or <SOCKET>. Only used if
                                             logtarget is SYSLOG
    get syslogsocket                         gets syslog socket path
    flushlogs                                flushes the logtarget if a file
                                             and reopens it. For log rotation.

                                             DATABASE
    set dbfile <FILE>                        set the location of fail2ban
                                             persistent datastore. Set to
                                             "None" to disable
    get dbfile                               get the location of fail2ban
                                             persistent datastore
    set dbpurgeage <SECONDS>                 sets the max age in <SECONDS> that
                                             history of bans will be kept
    get dbpurgeage                           gets the max age in seconds that
                                             history of bans will be kept

                                             JAIL CONTROL
    add <JAIL> <BACKEND>                     creates <JAIL> using <BACKEND>
    start <JAIL>                             starts the jail <JAIL>
    stop <JAIL>                              stops the jail <JAIL>. The jail is
                                             removed
    status <JAIL> [FLAVOR]                   gets the current status of <JAIL>,
                                             with optional flavor or extended
                                             info

                                             JAIL CONFIGURATION
    set <JAIL> idle on|off                   sets the idle state of <JAIL>
    set <JAIL> ignoreself true|false         allows the ignoring of own IP
                                             addresses
    set <JAIL> addignoreip <IP>              adds <IP> to the ignore list of
                                             <JAIL>
    set <JAIL> delignoreip <IP>              removes <IP> from the ignore list
                                             of <JAIL>
    set <JAIL> addlogpath <FILE> ['tail']    adds <FILE> to the monitoring list
                                             of <JAIL>, optionally starting at
                                             the 'tail' of the file (default
                                             'head').
    set <JAIL> dellogpath <FILE>             removes <FILE> from the monitoring
                                             list of <JAIL>
    set <JAIL> logencoding <ENCODING>        sets the <ENCODING> of the log
                                             files for <JAIL>
    set <JAIL> addjournalmatch <MATCH>       adds <MATCH> to the journal filter
                                             of <JAIL>
    set <JAIL> deljournalmatch <MATCH>       removes <MATCH> from the journal
                                             filter of <JAIL>
    set <JAIL> addfailregex <REGEX>          adds the regular expression
                                             <REGEX> which must match failures
                                             for <JAIL>
    set <JAIL> delfailregex <INDEX>          removes the regular expression at
                                             <INDEX> for failregex
    set <JAIL> ignorecommand <VALUE>         sets ignorecommand of <JAIL>
    set <JAIL> addignoreregex <REGEX>        adds the regular expression
                                             <REGEX> which should match pattern
                                             to exclude for <JAIL>
    set <JAIL> delignoreregex <INDEX>        removes the regular expression at
                                             <INDEX> for ignoreregex
    set <JAIL> findtime <TIME>               sets the number of seconds <TIME>
                                             for which the filter will look
                                             back for <JAIL>
    set <JAIL> bantime <TIME>                sets the number of seconds <TIME>
                                             a host will be banned for <JAIL>
    set <JAIL> datepattern <PATTERN>         sets the <PATTERN> used to match
                                             date/times for <JAIL>
    set <JAIL> usedns <VALUE>                sets the usedns mode for <JAIL>
    set <JAIL> banip <IP>                    manually Ban <IP> for <JAIL>
    set <JAIL> unbanip <IP>                  manually Unban <IP> in <JAIL>
    set <JAIL> maxretry <RETRY>              sets the number of failures
                                             <RETRY> before banning the host
                                             for <JAIL>
    set <JAIL> maxlines <LINES>              sets the number of <LINES> to
                                             buffer for regex search for <JAIL>
    set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>]
                                             adds a new action named <ACT> for
                                             <JAIL>. Optionally for a Python
                                             based action, a <PYTHONFILE> and
                                             <JSONKWARGS> can be specified,
                                             else will be a Command Action
    set <JAIL> delaction <ACT>               removes the action <ACT> from
                                             <JAIL>

                                             COMMAND ACTION CONFIGURATION
    set <JAIL> action <ACT> actionstart <CMD>
                                             sets the start command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionstop <CMD> sets the stop command <CMD> of the
                                             action <ACT> for <JAIL>
    set <JAIL> action <ACT> actioncheck <CMD>
                                             sets the check command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionban <CMD>  sets the ban command <CMD> of the
                                             action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionunban <CMD>
                                             sets the unban command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> timeout <TIMEOUT>
                                             sets <TIMEOUT> as the command
                                             timeout in seconds for the action
                                             <ACT> for <JAIL>

                                             GENERAL ACTION CONFIGURATION
    set <JAIL> action <ACT> <PROPERTY> <VALUE>
                                             sets the <VALUE> of <PROPERTY> for
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> <METHOD>[ <JSONKWARGS>]
                                             calls the <METHOD> with
                                             <JSONKWARGS> for the action <ACT>
                                             for <JAIL>

                                             JAIL INFORMATION
    get <JAIL> logpath                       gets the list of the monitored
                                             files for <JAIL>
    get <JAIL> logencoding                   gets the encoding of the log files
                                             for <JAIL>
    get <JAIL> journalmatch                  gets the journal filter match for
                                             <JAIL>
    get <JAIL> ignoreself                    gets the current value of the
                                             ignoring the own IP addresses
    get <JAIL> ignoreip                      gets the list of ignored IP
                                             addresses for <JAIL>
    get <JAIL> ignorecommand                 gets ignorecommand of <JAIL>
    get <JAIL> failregex                     gets the list of regular
                                             expressions which matches the
                                             failures for <JAIL>
    get <JAIL> ignoreregex                   gets the list of regular
                                             expressions which matches patterns
                                             to ignore for <JAIL>
    get <JAIL> findtime                      gets the time for which the filter
                                             will look back for failures for
                                             <JAIL>
    get <JAIL> bantime                       gets the time a host is banned for
                                             <JAIL>
    get <JAIL> datepattern                   gets the patern used to match
                                             date/times for <JAIL>
    get <JAIL> usedns                        gets the usedns setting for <JAIL>
    get <JAIL> maxretry                      gets the number of failures
                                             allowed for <JAIL>
    get <JAIL> maxlines                      gets the number of lines to buffer
                                             for <JAIL>
    get <JAIL> actions                       gets a list of actions for <JAIL>

                                             COMMAND ACTION INFORMATION
    get <JAIL> action <ACT> actionstart      gets the start command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionstop       gets the stop command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actioncheck      gets the check command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionban        gets the ban command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionunban      gets the unban command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> timeout          gets the command timeout in
                                             seconds for the action <ACT> for
                                             <JAIL>

                                             GENERAL ACTION INFORMATION
    get <JAIL> actionproperties <ACT>        gets a list of properties for the
                                             action <ACT> for <JAIL>
    get <JAIL> actionmethods <ACT>           gets a list of methods for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> <PROPERTY>       gets the value of <PROPERTY> for
                                             the action <ACT> for <JAIL>

Report bugs to https://github.com/fail2ban/fail2ban/issues


# fail2ban-client start

Server ready


# fail2ban-client status

Status
|- Number of jail:	0
`- Jail list:

Automatisation lancement

# cp files/debian-initd /etc/init.d/fail2ban


# chmod +x /etc/init.d/fail2ban


# systemctl enable fail2ban.service

fail2ban.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable fail2ban

# systemctl daemon-reload


# service fail2ban restart


# service fail2ban status

● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban; generated; vendor preset: enabled)
   Active: active (exited) since Mon 2017-11-27 09:07:24 EAT; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 11586 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

nov. 27 09:07:24 dev.domaine.com systemd[1]: Starting LSB: Start/stop fail2ban...
nov. 27 09:07:24 dev.domaine.com fail2ban[11586]: Starting authentication failure monitor: fail2ban.
nov. 27 09:07:24 dev.domaine.com systemd[1]: Started LSB: Start/stop fail2ban.

Mise en place règles

  Important.png Ne JAMAIS modifier jail.conf! Vos configurations personnelles doivent être placées dans jail.local


# nano /etc/fail2ban/jail.local


[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 197.158.88.85

[sshd]
enabled  = true
port    = xxxxx

[apache-auth]
enabled  = true

[apache-badbots]
enabled  = true

[dovecot]
enabled  = true

[postfix]
enabled  = true

[postfix-sasl]
enabled  = true

[webmin-auth]

[phpmyadmin-syslog]

[pure-ftpd]
enabled  = true

[pam-generic]
enabled  = true

[recidive]
enabled  = true

Wordpress (wp-fail2ban)

Page WordPress.org de l’extension
# cp /var/www/domaine.com/web/wp-content/plugins/wp-fail2ban/filters.d/* /etc/fail2ban/filter.d/
# nano /etc/fail2ban/jail.local
[wordpress-hard]
enabled = true
logpath = /var/log/auth.log
maxretry = 1
port = http,https

[wordpress-soft]
enabled = true
logpath = /var/log/auth.log
maxretry = 6
port = http,https

Test

# service fail2ban restart && tail -f /var/log/fail2ban.log

2017-11-27 09:34:11,405 fail2ban.filter         [13205]: INFO      findtime: 600
2017-11-27 09:34:11,406 fail2ban.jail           [13205]: INFO    Jail 'sshd' started
2017-11-27 09:34:11,407 fail2ban.jail           [13205]: INFO    Jail 'apache-auth' started
2017-11-27 09:34:11,408 fail2ban.jail           [13205]: INFO    Jail 'apache-badbots' started
2017-11-27 09:34:11,408 fail2ban.jail           [13205]: INFO    Jail 'pure-ftpd' started
2017-11-27 09:34:11,409 fail2ban.jail           [13205]: INFO    Jail 'postfix' started
2017-11-27 09:34:11,409 fail2ban.jail           [13205]: INFO    Jail 'dovecot' started
2017-11-27 09:34:11,410 fail2ban.jail           [13205]: INFO    Jail 'postfix-sasl' started
2017-11-27 09:34:11,410 fail2ban.jail           [13205]: INFO    Jail 'recidive' started
2017-11-27 09:34:11,413 fail2ban.jail           [13205]: INFO    Jail 'pam-generic' started
2017-11-27 09:35:39,037 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:35:38
2017-11-27 09:35:43,171 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:35:43
2017-11-27 09:36:25,786 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:36:25
2017-11-27 09:36:53,990 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:36:53
2017-11-27 09:37:04,739 fail2ban.filter         [13205]: INFO    [pure-ftpd] Found 10.11.12.13 - 2017-11-27 09:37:04
2017-11-27 09:37:04,815 fail2ban.actions        [13205]: NOTICE  [pure-ftpd] Ban 10.11.12.13
2017-11-27 09:37:04,818 fail2ban.filter         [13205]: INFO    [recidive] Found 10.11.12.13 - 2017-11-27 09:37:04


# iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-pure-ftpd
-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j f2b-pure-ftpd
-A f2b-pure-ftpd -s 10.11.12.13/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-pure-ftpd -j RETURN

Mise à jour

# cd /usr/local/fail2ban


# git pull


# python setup.py install


# /etc/init.d/fail2ban restart


Et comme bien sur votre conf se trouve dans jail.local vous ne perdrez pas vos petits réglages...


Lol (discussion) 30 décembre 2017 à 15:29 (UTC)