Te dire busca en google hay muchas formas de proteger apache, te agrego dos links la mejor forma de hacerlo es probando con tus logs y configurarlo a tus necesidades, es lo que mas recomiendo:
*apache-tcpwrapper:*
Bloquea con el fichero /etc/hosts.deny los hosts que se intentan conectar a dominios protegidos con contraseña (estos fallos de autenticación aparecen en el error_log)
*apache-badbots*
Bloquea por iptables los hosts que se conectan haciendo uso de un “User Agent” sospechoso, y nos envia un mail para avisarnos.
Pondre dos links: http://apliweb.com/blog/fail2ban-evitando-ataques-en-nuestro-servidor-web
http://garciavictor.blogspot.com/2012/11/fail2ban-en-debian-squeezy-wheezy.h...
2013/10/3 Rodrigo Pichiñual Norin rodrigo.pichinual@gmail.com
Gracias Willmer
me podrias explicar parte de este trozo de codigo.
[apache-badbots]
enabled = true filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=tu email] logpath = /home/*/logs/access.log bantime = 172800 maxretry = 1
entiendo que esta habilitado (enabled) el filtro que utiliza dentro de la carpete filter.d es apache-badbots
peor el resto no lo tengo muy claro..
gracias
2013/10/3 Wilmer Arambula tecnologiaterabyte@gmail.com
Yo tenia un problema similar con mi vps, al revisar los logs full
ataques,
pero con pocas cosas los detuve, te explico a ver que te sirve:
1.- SSH: Cambie el puerto por Defecto.
2.- Definir Buenas Reglas Iptables y Shorewall (Administrar una Lista
Negra
de Ips de Ataques).
3.- Fail2ban: (Luego de Investigar mucho logre esta configuración):
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = tu ip.
# "bantime" is the number of seconds that a host is banned. bantime = 36000
# A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600
# "maxretry" is the number of failures before a host get banned. maxretry = 3
# "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. backend = auto
# "usedns" specifies if jails should trust hostnames in logs, # warn when reverse DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a reverse DNS lookup will be performed. # warn: if a hostname is encountered, a reverse DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = warn
# This jail corresponds to the standard configuration in Fail2ban 0.6. # The mail-whois action send a notification e-mail with a whois request # in the body.
[ssh-iptables]
enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=tu email] logpath = /var/log/secure
[proftpd-iptables]
enabled = true filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=tu email] logpath = /var/log/proftpd/access.log maxretry = 5
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = true filter = sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=tu email] logpath = /var/log/maillog maxretry = 3
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex"
is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = true filter = sshd action = hostsdeny sendmail-whois[name=SSH, dest=tu email] ignoreregex = for myuser from logpath = /var/log/secure
# This jail demonstrates the use of wildcards in "logpath". # Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = true filter = apache-auth action = hostsdeny logpath = /home/*/logs/*error.log /home/*/logs/error.log maxretry = 6
# The hosts.deny path can be defined with the "file" argument if it is # not in /etc.
[postfix-tcpwrapper]
enabled = true filter = postfix action = iptables-multiport[name=postfix, port="110,995,143,993,25", protocol=tcp] sendmail-buffered[name=BadBots, lines=5, dest=tu email] logpath = /var/log/maillog maxretry = 3
# Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered.
[dovecot]
enabled = true filter = dovecot action = iptables-multiport[name=Dovecot, port="110,995,143,993,25", protocol=tcp] sendmail-whois[name=Fail2Dovecot, lines=5, dest=tu email] logpath = /var/log/dovecot.log maxretry = 3
[apache-badbots]
enabled = true filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=tu email] logpath = /home/*/logs/access.log bantime = 172800 maxretry = 1
# Use shorewall instead of iptables.
[apache-shorewall]
enabled = true filter = apache-noscript action = shorewall sendmail[name=Postfix, dest=tu email] logpath = /home/*/logs/error.log
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" # option is overridden in this jail. Moreover, the action "mail-whois" defines # the variable "name" which contains a comma using "". The characters '' are # valid too.
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled = true filter = named-refused action = iptables-multiport[name=Named, port="domain,953",
protocol=tcp]
sendmail-whois[name=Named, dest=tu email]logpath = /var/log/messages ignoreip = tu ip
# Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines [recidive]
enabled = true filter = recidive logpath = /var/log/fail2ban.log action = iptables-allports[name=recidive] sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] bantime = 604800 ; 1 week findtime = 86400 ; 1 day maxretry = 5
Estas son algunas opciones que puedes configurar en tu fail2ban, si
buscas
en google con tus logs que ya tienes puedes probar cada una de ellas, te recomiendo que crees tu propio archivo jail.local en vez de jail.conf,
asi
cada vez que actualices tendrás tus reglas guardadas sin problemas, todo
es
cuestión de paciencia y sobre todo de analizar tus logs para detectar los ataques que recibes, claro habrán otros que no veras como escaneos, pero tampoco hay que ponerse tan paranoico.
El 2 de octubre de 2013 12:44, Rodrigo Pichiñual Norin < rodrigo.pichinual@gmail.com> escribió:
Hola a todos.
Tengo instalado fail2ban en centos 6.3
Logre entender como proteger SSH en caso de ataques de fuerza bruta.
banntime=600
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] mail-whois[name=SSH, dest=mimail@dominio.cl, sender=fail2ban@fail2ban@latitud33.cl dominio.cl] logpath = /var/log/secure maxretry = 5
Esto bloquea a una ip el accesso mediante SSH después de 5 intentos fallidos (bloque la ip durante 600 seg).
lo probé y funciona.
pero ahora quiero proteger mi servidor web (apache httpd).
pero no se como hacerlo.
en ssh el maxretry es 5(intentos antes de bloquear) en un servidor web
esto
debería ser mucho mas mayor (nro de transacciones de un web server
siempre
es mas alto)
Orientación..gracias _______________________________________________ CentOS-es mailing list CentOS-es@centos.org http://lists.centos.org/mailman/listinfo/centos-es
-- *Wilmer Arambula. * *Asoc. Cooperativa Tecnologia Terabyte 124, RL.* ** ** _______________________________________________ CentOS-es mailing list CentOS-es@centos.org http://lists.centos.org/mailman/listinfo/centos-es
CentOS-es mailing list CentOS-es@centos.org http://lists.centos.org/mailman/listinfo/centos-es