Fail2ban – Sécurité informatique


Bannir des IP avec Fail2ban

Fail2ban lit des fichiers de log comme /var/log/pwdfail ou /var/log/apache/error_log et bannit les adresses IP qui ont accumulé un trop grand nombre d’échecs lors de l’authentification. Il met à jour les règles du pare-feu pour rejeter cette adresse IP. Ces règles peuvent être définies par l’utilisateur. Fail2ban peut lire plusieurs fichiers de log comme ceux de sshd ou du serveur Apache.

Fail2ban est un logiciel libre ; vous pouvez le distribuer et/ou le modifier sous les termes de la licence GNU General Public License telle que publiée par la Free Software Foundation, soit dans la version 2 de cette licence, soit (selon votre choix) dans les termes d’une version ultérieure.

Modification du fichier de configuration (l’en-tête du fichier lui-même recommande de placer ses modifications dans /etc/fail2ban/jail.local afin qu’elles ne soient pas écrasées lors des mises à jour) dans

 
vim /etc/fail2ban/jail.conf

 



# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.

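[DEFAULT]

# "ignoreip" lists sources that are never banned: an IP address, a CIDR
# mask or a DNS host (several entries separated by spaces). Keep loopback
# here and add the address you administer this host from, so that your own
# failed logins cannot lock you out.
ignoreip = 127.0.0.1

# "bantime" is how long a ban lasts, in seconds (6000 s = 100 minutes).
bantime = 6000

# "maxretry" is the number of failures tolerated before a host is banned.
# Individual jails below override it where a different threshold makes sense.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files. The address below is a placeholder:
# replace it with a mailbox that is actually read, otherwise the action_mw /
# action_mwl shortcuts report bans to nobody.
destemail = myemail@hotmail.com

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc). It is used to define the
# action_* variables. Can be overridden globally or per
# section within jail.local.
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter.
#
# The %(name)s references are expanded by fail2ban's ConfigParser: __name__
# is the name of the jail section, the others are looked up in the jail and
# then in this section. Because of that expansion, a literal "%" anywhere in
# this file must be written as "%%".
#
# Each quoted parameter (port="...", protocol="...") is opened and closed on
# the same line so that the value handed to the action is exactly what the
# jail defines.

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc)
# in jail.local, globally (section [DEFAULT]) or per specific section.
action = %(action_)s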

#
# JAILS
#

# The following jails correspond to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Enable any jail defined here by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

# OpenSSH daemon: failed logins are matched in auth.log by the "sshd" filter.
# Active out of the box; maxretry restates the DEFAULT value (3).
enabled = true
filter = sshd
port = ssh
logpath = /var/log/auth.log
maxretry = 3

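# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# The port is irrelevant with an all-ports action; it is kept only so that
# the action shortcuts that interpolate %(port)s still expand. Exactly one
# "port" key is defined here: a duplicate key is parser-dependent (strict
# parsers reject the section, others silently keep one of the two values).
port = anyport
banaction = iptables-allports
logpath = /var/log/auth.log
maxretry = 6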

[xinetd-fail]

# Services spawned by xinetd, logged to daemon.log. Uses the logging variant
# of the multiport action and a low threshold of 2 retries. Disabled.
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2


[ssh-ddos]

# Companion to [ssh]: same port and log file, but matched by the separate
# "sshd-ddos" filter and with a higher threshold of 6. Enabled by default.
enabled = true
filter = sshd-ddos
port = ssh
logpath = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

# Apache HTTP authentication failures. The logpath is a wildcard pattern
# covering the error log of every /var/log/apache* directory; the ports are
# given as service names. Enabled by default.
enabled = true
filter = apache-auth
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

# Identical filter, ports and log to [apache]; kept disabled so that the
# same failures are not counted twice.
enabled = false
filter = apache-auth
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

# Requests for scripts that do not exist on this server (apache-noscript
# filter), read from the same error logs as [apache]. Disabled.
enabled = false
filter = apache-noscript
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

# Oversized / malformed requests (apache-overflows filter). Threshold is
# deliberately low (2), such requests are rarely accidental. Disabled.
enabled = false
filter = apache-overflows
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled = false
filter = vsftpd
port = ftp,ftp-data,ftps,ftps-data
# vsftpd's own log file. To rely on PAM's failed-login records instead,
# override this in jail.local with
# logpath = /var/log/auth.log
# vsftpd's failregex should match both of those formats.
logpath = /var/log/vsftpd.log
maxretry = 6


[proftpd]

# ProFTPD, read from its own log under /var/log/proftpd/. Disabled.
enabled = false
filter = proftpd
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

# wu-ftpd, which logs its failures through auth.log. Disabled.
enabled = false
filter = wuftpd
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

# Postfix SMTP; no maxretry here, so the DEFAULT value applies. Disabled.
enabled = false
filter = postfix
port = smtp,ssmtp
logpath = /var/log/mail.log


[couriersmtp]

# Courier SMTP; same ports and log as [postfix], DEFAULT maxretry. Disabled.
enabled = false
filter = couriersmtp
port = smtp,ssmtp
logpath = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

# Courier authentication daemon: a failed login bans the source on every
# mail port (SMTP, IMAP and POP3, plain and TLS). Disabled.
enabled = false
filter = courierlogin
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log


[sasl]

# SASL authentication failures in mail.log; bans the same set of mail ports
# as [courierauth]. Disabled.
enabled = false
filter = sasl
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# }
#
# in your named.conf to provide proper logging

# Word of Caution:
# This filter can turn into a denial of service against your own DNS
# server: the source address of a UDP packet cannot be verified, so a
# forged query can get an arbitrary third-party address (or your own
# resolvers) banned. Leave this jail disabled unless that risk is accepted.
[named-refused-udp]

# UDP variant; overrides the DEFAULT protocol (tcp). No maxretry here, so
# the DEFAULT threshold applies.
enabled = false
filter = named-refused
protocol = udp
port = domain,953
logpath = /var/log/named/security.log

[named-refused-tcp]

# TCP variant of the named jail: same filter, ports and log as
# [named-refused-udp], but the source address is not spoofable. Disabled.
enabled = false
filter = named-refused
protocol = tcp
port = domain,953
logpath = /var/log/named/security.log



 

link :
http://www.fail2ban.org/
http://doc.ubuntu-fr.org/fail2ban
