[CentOS-es] Protecting http with fail2ban
Rodrigo Pichiñual Norin
rodrigo.pichinual en gmail.com
Thu Oct 3 13:51:11 UTC 2013
Thanks Wilmer
could you explain part of this piece of code to me?
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=tu email]
logpath = /home/*/logs/access.log
bantime = 172800
maxretry = 1
I understand that it is enabled (enabled)
the filter it uses inside the filter.d folder is apache-badbots
but the rest I'm not very clear on..
thanks
2013/10/3 Wilmer Arambula <tecnologiaterabyte en gmail.com>
> I had a similar problem with my vps; when I checked the logs they were full of attacks,
> but I stopped them with a few things. I'll explain and see what works for you:
>
> 1.- SSH: I changed the default port.
>
> 2.- Define good Iptables and Shorewall rules (maintain a blacklist
> of attacking IPs).
>
> 3.- Fail2ban: (after a lot of research I arrived at this configuration):
>
> [DEFAULT]
>
> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
> # ban a host which matches an address in this list. Several addresses can be
> # defined using space separator.
> ignoreip = tu ip.
>
> # "bantime" is the number of seconds that a host is banned.
> bantime = 36000
>
> # A host is banned if it has generated "maxretry" during the last "findtime"
> # seconds.
> findtime = 600
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 3
>
> # "backend" specifies the backend used to get files modification.
> # Available options are "pyinotify", "gamin", "polling" and "auto".
> # This option can be overridden in each jail as well.
> #
> # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
> # If pyinotify is not installed, Fail2ban will use auto.
> # gamin: requires Gamin (a file alteration monitor) to be installed.
> # If Gamin is not installed, Fail2ban will use auto.
> # polling: uses a polling algorithm which does not require external libraries.
> # auto: will try to use the following backends, in order:
> # pyinotify, gamin, polling.
> backend = auto
>
> # "usedns" specifies if jails should trust hostnames in logs,
> # warn when reverse DNS lookups are performed, or ignore all hostnames in logs
> #
> # yes: if a hostname is encountered, a reverse DNS lookup will be performed.
> # warn: if a hostname is encountered, a reverse DNS lookup will be performed,
> # but it will be logged as a warning.
> # no: if a hostname is encountered, will not be used for banning,
> # but it will be logged as info.
> usedns = warn
>
>
> # This jail corresponds to the standard configuration in Fail2ban 0.6.
> # The mail-whois action send a notification e-mail with a whois request
> # in the body.
>
> [ssh-iptables]
>
> enabled = true
> filter = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
> sendmail-whois[name=SSH, dest=root, sender=tu email]
> logpath = /var/log/secure
>
> [proftpd-iptables]
>
> enabled = true
> filter = proftpd
> action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
> sendmail-whois[name=ProFTPD, dest=tu email]
> logpath = /var/log/proftpd/access.log
> maxretry = 5
>
> # This jail forces the backend to "polling".
>
> [sasl-iptables]
>
> enabled = true
> filter = sasl
> backend = polling
> action = iptables[name=sasl, port=smtp, protocol=tcp]
> sendmail-whois[name=sasl, dest=tu email]
> logpath = /var/log/maillog
> maxretry = 3
>
> # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
> # used to avoid banning the user "myuser".
>
>
> [ssh-tcpwrapper]
>
> enabled = true
> filter = sshd
> action = hostsdeny
> sendmail-whois[name=SSH, dest=tu email]
> ignoreregex = for myuser from
> logpath = /var/log/secure
>
> # This jail demonstrates the use of wildcards in "logpath".
> # Moreover, it is possible to give other files on a new line.
>
> [apache-tcpwrapper]
>
> enabled = true
> filter = apache-auth
> action = hostsdeny
> logpath = /home/*/logs/*error.log
> /home/*/logs/error.log
> maxretry = 6
>
> # The hosts.deny path can be defined with the "file" argument if it is
> # not in /etc.
>
> [postfix-tcpwrapper]
>
> enabled = true
> filter = postfix
> action = iptables-multiport[name=postfix, port="110,995,143,993,25", protocol=tcp]
> sendmail-buffered[name=BadBots, lines=5, dest=tu email]
> logpath = /var/log/maillog
> maxretry = 3
>
> # Ban hosts which agent identifies spammer robots crawling the web
> # for email addresses. The mail outputs are buffered.
>
> [dovecot]
>
> enabled = true
> filter = dovecot
> action = iptables-multiport[name=Dovecot, port="110,995,143,993,25", protocol=tcp]
> sendmail-whois[name=Fail2Dovecot, lines=5, dest=tu email]
> logpath = /var/log/dovecot.log
> maxretry = 3
>
> [apache-badbots]
>
> enabled = true
> filter = apache-badbots
> action = iptables-multiport[name=BadBots, port="http,https"]
> sendmail-buffered[name=BadBots, lines=5, dest=tu email]
> logpath = /home/*/logs/access.log
> bantime = 172800
> maxretry = 1
>
> # Use shorewall instead of iptables.
>
> [apache-shorewall]
>
> enabled = true
> filter = apache-noscript
> action = shorewall
> sendmail[name=Postfix, dest=tu email]
> logpath = /home/*/logs/error.log
>
> # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
> # option is overridden in this jail. Moreover, the action "mail-whois" defines
> # the variable "name" which contains a comma using "". The characters '' are
> # valid too.
>
> # This jail blocks TCP traffic for DNS requests.
>
> [named-refused-tcp]
>
> enabled = true
> filter = named-refused
> action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
> sendmail-whois[name=Named, dest=tu email]
> logpath = /var/log/messages
> ignoreip = tu ip
>
> # Jail for more extended banning of persistent abusers
> # !!! WARNING !!!
> # Make sure that your loglevel specified in fail2ban.conf/.local
> # is not at DEBUG level -- which might then cause fail2ban to fall into
> # an infinite loop constantly feeding itself with non-informative lines
> [recidive]
>
> enabled = true
> filter = recidive
> logpath = /var/log/fail2ban.log
> action = iptables-allports[name=recidive]
> sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
> bantime = 604800 ; 1 week
> findtime = 86400 ; 1 day
> maxretry = 5
>
>
> These are some options you can configure in your fail2ban; if you search
> google with the logs you already have, you can try each one of them. I
> recommend that you create your own jail.local file instead of jail.conf, so
> every time you update, your rules stay saved without problems. It is all
> a matter of patience and above all of analysing your logs to detect the
> attacks you receive; of course there will be others you won't see, like scans, but
> there's no need to get so paranoid either.
>
>
>
> On 2 October 2013 at 12:44, Rodrigo Pichiñual Norin <
> rodrigo.pichinual en gmail.com> wrote:
>
> > Hello everyone.
> >
> >
> > I have fail2ban installed on centos 6.3
> >
> > I managed to understand how to protect SSH against brute-force attacks.
> >
> >
> > bantime = 600
> >
> > [ssh-iptables]
> > enabled = true
> > filter = sshd
> > action = iptables[name=SSH, port=ssh, protocol=tcp]
> > mail-whois[name=SSH, dest=mimail en dominio.cl,
> > sender=fail2ban@<fail2ban en latitud33.cl>
> > dominio.cl]
> > logpath = /var/log/secure
> > maxretry = 5
> >
> > This blocks an ip from access via SSH after 5 failed attempts
> > (it blocks the ip for 600 sec).
> >
> > I tested it and it works.
> >
> > but now I want to protect my web server (apache httpd).
> >
> > but I don't know how to do it.
> >
> > in ssh maxretry is 5 (attempts before blocking); on a web server this
> > should be much higher (the number of transactions on a web server is
> > always higher)
> >
> >
> > Guidance..thanks
> > _______________________________________________
> > CentOS-es mailing list
> > CentOS-es en centos.org
> > http://lists.centos.org/mailman/listinfo/centos-es
> >
>
>
>
> --
> Wilmer Arambula.
> Asoc. Cooperativa Tecnologia Terabyte 124, RL.
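A worked model of the banning rule Wilmer's jails rely on, added here as an example and not taken from the thread or from fail2ban's own code: it applies an apache-badbots-style User-Agent regex to constructed access.log lines and bans a host once it accumulates maxretry matches within findtime seconds, which is why maxretry = 1 in the [apache-badbots] jail bans on the first hit while the [DEFAULT] values of maxretry = 3 and findtime = 600 need three hits inside ten minutes. The two bot names and the log lines are assumptions for the demo, not the real filter's list.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache access.log lines (not from the thread). One client is a
# normal browser; the other presents User-Agents of address-harvesting bots.
ACCESS_LOG = """\
203.0.113.5 - - [03/Oct/2013:13:40:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Oct/2013:13:40:05 +0000] "GET / HTTP/1.1" 200 512 "-" "EmailSiphon"
203.0.113.5 - - [03/Oct/2013:13:41:10 +0000] "GET /a HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Oct/2013:13:55:00 +0000] "GET /b HTTP/1.1" 200 0 "-" "EmailCollector"
"""

# Stand-in for the apache-badbots failregex: two assumed bot User-Agents.
# Like a fail2ban filter, the regex must capture the offending host.
BADBOTS_UA = ("EmailSiphon", "EmailCollector")
FAILREGEX = re.compile(
    r'^(?P<host>\S+) .* \[(?P<ts>[^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "(?:%s)"$'
    % "|".join(map(re.escape, BADBOTS_UA)))

def parse_failures(log_text):
    """Yield (host, timestamp) for each log line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("host"), ts

def hosts_to_ban(log_text, maxretry, findtime):
    """fail2ban's rule: ban a host when it reaches maxretry failures whose
    timestamps all fall within the last findtime seconds.
    Returns {host: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> failure timestamps still inside the window
    banned = {}
    for host, ts in parse_failures(log_text):
        if host in banned:
            continue  # already banned; bantime would keep it out
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    print("maxretry=1:", hosts_to_ban(ACCESS_LOG, 1, 600))
    print("maxretry=2, findtime=600:", hosts_to_ban(ACCESS_LOG, 2, 600))
```

With maxretry = 2 the bot's two hits are 895 seconds apart, so findtime = 600 never bans it but findtime = 1200 does; that gap is what findtime controls.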
More information about the CentOS-es mailing list