fail2ban funciona bem em tentativas SSH ruins, mas falha em tentativas ruins de Apache2

2

Estou usando o Debian Linux. uname --all mostra:

Linux xxx.xx 2.6.32-5-686 #1 SMP Tue May 13 16:33:32 UTC 2014 i686 GNU/Linux

Estou executando sshd em uma porta que não é 22. Atualizei /etc/fail2ban/jail.local para apontar para a nova sshd port. Funciona bem. Eu posso tentar fazer o login para essa porta com um cliente ssh, digite a senha errada várias vezes, então ele bloqueia esse endereço IP via iptables.

No entanto, eu também estou executando um servidor web apache, que é atingido o tempo todo com tentativas como essa (de /var/log/apache2/error.log ):

[Sun Nov 02 08:03:13 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/muieblackcat
[Sun Nov 02 08:03:14 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpMyAdmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpmyadmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/pma
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/myadmin
[Sun Nov 02 08:03:17 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/MyAdmin

Eu estava tentando configurar o fail2ban para ler o error.log e proibir os endereços IP ofensivos via iptables, mas não consigo fazê-lo funcionar.

Como eu disse, funciona muito bem para o ssh, mas não para o apache. Aqui está minha prisão.local:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 67.159.128.0/19
# bantime = 21600 == 6 hours
bantime  = 21600

#findtime, in seconds.  300 = 5 minutes, 10800 = 3 hours
findtime = 10800
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
           %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=

%(logpath)s]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in     

jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

# we are banning port xxxxx instead of ssh because I use port xxxxx instead
[ssh]

enabled = true
port    = xxxxx
filter  = sshd
logpath  = /var/log/auth.log
findtime = 300
maxretry = 4

#
# HTTP servers
#

[apache]

enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 3

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = true
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache2/*error.log
findtime = 300
maxretry  = 3

[apache-noscript]

enabled = true
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 4

[apache-overflows]

enabled = true
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 2

[apache-misc]

enabled = true
port = http,https
filter = apache-misc
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 2

Aqui está o meu arquivo / etc / fail2ban / apache-misc:

[Definition]

failregex = <HOST>.*"[A-Z]* /(cms|user|muieblackcat|db|cpcommerce|wp-login|joomla|    awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|    mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*"
        <HOST>.*\" (502|500|417|416|415|414|413|412|404|405|403|401|400)

ignoreregex = .*\"GET \/(press|mailto|domestic|word).*

Alguém pode oferecer sugestões?

    
por Jim Earl 03.11.2014 / 01:42

1 resposta

0

Eu recomendaria começar com um pequeno subconjunto de condições de regex usando a sintaxe recomendada da seguinte forma ...

failregex = [[]client (?P<host>\S*)[]] File does not exist: .*/(muieblackcat|phpmyadmin)

Você sempre pode criar e pode facilmente testar sua regex. Não se esqueça de recarregar o fail2ban depois de fazer as alterações.

    
por 03.11.2014 / 04:24