Aumente a segurança do seu servidor com o Fail2ban

por Henrique Fagundes · 21/04/2012

Prezados Colegas,

Primeiramente saudações pinguianas a todos!

Nesse artigo, vou tentar explicar da maneira mais simples possível como implementar essa ótima solução de segurança chamada Fail2ban.

O que ele faz? O Fail2ban simplesmente bloqueia um determina IP que tentar logar no seu servidor através de protocolos (que você vai configurar) por um determinado número de tentativas (que você vai configurar) sem sucesso. Para saber mais, clique aqui.

Bom… Chega de bla, bla, bla e vamos colocar a mão na massa!

Instale o programa com o comando abaixo:

apt-get install fail2ban

Depois de instalado, vamos editar o principal arquivo de configuração:

vim /etc/fail2ban/jail.conf

No meu caso, o arquivo ficou assim:

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8, 158.64.239.238
ignorecommand =

bantime  = -1
findtime  = 3600
maxretry = 3

backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = [email protected]
sender = [email protected]
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = iptables-multiport
banaction_allports = iptables-allports

action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action = %(action_)s

[sshd]
port    = 22
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[sshd-ddos]
port    = 22
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[dropbear]
port     = 22
logpath  = %(dropbear_log)s
backend  = %(dropbear_backend)s

[selinux-ssh]
port     = 22
logpath  = %(auditd_log)s

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
         #sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/apache2/phpmyadmin.log
maxretry = 3

[apache-auth]
enabled  = true
port     = http,https
filter   = apache-auth
action = iptables-multiport[name=apache-auth, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, [email protected]]
logpath  = /var/log/apache2/*/*_error.log
maxretry = 3
 
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
action = iptables-multiport[name=apache-noscript, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, [email protected]]
logpath  = /var/log/apache2/*/*_error.log
maxretry = 3

[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
action = iptables-multiport[name=apache-overflows, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, [email protected]]
logpath  = /var/log/apache2/*/*_error.log
maxretry = 3
 
[apache-badbots]
enabled  = true
port     = http,https
filter   = apache-badbots
action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, [email protected]]
logpath  = /var/log/apache2/*/*_error.log
maxretry = 3

[wordpress-hard]
enabled = true
port = http,https
action = iptables-multiport[name=wordpress-hard, port="http,https", protocol=tcp]
         #sendmail-whois[name=WORDPRESS, [email protected]]
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 3

[wordpress-soft]
enabled = true
port = http,https
action = iptables-multiport[name=wordpress-soft, port="http,https", protocol=tcp]
         #sendmail-whois[name=WORDPRESS, [email protected]]
filter = wordpress-soft
logpath = /var/log/auth.log
maxretry = 3

[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

[nginx-http-auth]
port    = http,https
logpath = %(nginx_error_log)s

[nginx-limit-req]
port    = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2

[php-url-fopen]
port    = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s

[suhosin]
port    = http,https
logpath = %(suhosin_log)s

[lighttpd-auth]
port    = http,https
logpath = %(lighttpd_error_log)s

[roundcube-auth]
port     = http,https
logpath  = %(roundcube_errors_log)s

[openwebmail]
port     = http,https
logpath  = /var/log/openwebmail.log

[horde]
port     = http,https
logpath  = /var/log/horde/horde.log

[groupoffice]
port     = http,https
logpath  = /home/groupoffice/log/info.log

[sogo-auth]
port     = http,https
logpath  = /var/log/sogo/sogo.log

[tine20]
logpath  = /var/log/tine20/tine20.log
port     = http,https

[drupal-auth]
port     = http,https
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s

[guacamole]
port     = http,https
logpath  = /var/log/tomcat*/catalina.out

[monit]
port = 2812
logpath  = /var/log/monit

[webmin-auth]
port    = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[froxlor-auth]
port    = http,https
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s

[squid]
port     =  80,443,3128,8080
logpath = /var/log/squid/access.log

[3proxy]
port    = 3128
logpath = /var/log/3proxy.log

[proftpd]
enabled = true
port     = ftp,ftp-data,ftps,ftps-data
action = iptables-multiport[name=proftpd, port="ftp,ftp-data,ftps,ftps-data", protocol=tcp]
         #sendmail-whois[name=FTP, [email protected]]
filter = proftpd
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s
maxretry = 3

[pure-ftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(pureftpd_log)s
backend  = %(pureftpd_backend)s

[gssftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s

[wuftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(wuftpd_log)s
backend  = %(wuftpd_backend)s

[vsftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(vsftpd_log)s

[assp]
port     = smtp,465,submission
logpath  = /var/log/mail.log

[courier-smtp]
port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s

[postfix]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

[postfix-rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1

[sendmail-auth]
port    = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[sendmail-reject]
port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s

[qmail-rbl]
filter  = qmail
port    = smtp,465,submission
logpath = /service/qmail/log/main/current

[dovecot]
port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[sieve]
port   = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[solid-pop3d]
port    = pop3,pop3s
logpath = %(solidpop3d_log)s

[exim]
port   = smtp,465,submission
logpath = %(exim_main_log)s

[exim-spam]
port   = smtp,465,submission
logpath = %(exim_main_log)s

[kerio]
port    = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log

[courier-auth]
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s

[postfix-sasl]
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

[perdition]
port   = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[squirrelmail]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log

[cyrus-imap]
port   = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[uwimap-auth]
port   = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[named-refused]
port     = domain,953
logpath  = /var/log/named/security.log

[nsd]
port     = 53
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log

[asterisk]
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 10

[freeswitch]
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/freeswitch.log
maxretry = 10

[mysqld-auth]
port     = 3306
logpath  = %(mysql_log)s
backend  = %(mysql_backend)s

[mongodb-auth]
port     = 27017
logpath  = /var/log/mongodb/mongodb.log

[recidive]
logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s

[pam-generic]
banaction = %(banaction_allports)s
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s

[xinetd-fail]
banaction = iptables-multiport-log
logpath   = %(syslog_daemon)s
backend   = %(syslog_backend)s
maxretry  = 2

[stunnel]
logpath = /var/log/stunnel4/stunnel.log

[ejabberd-auth]
port    = 5222
logpath = /var/log/ejabberd/ejabberd.log

[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[nagios]
logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
backend  = %(syslog_backend)s
maxretry = 1

[oracleims]
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath  = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
port         = ftp,ftp-data,ftps,ftps-data
knocking_url = /knocking/
filter       = apache-pass[knocking_url="%(knocking_url)s"]
logpath      = %(apache_access_log)s
blocktype    = RETURN
returntype   = DROP
maxretry     = 1
findtime     = 1

[murmur]
port     = 64738
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath  = /var/log/mumble-server/mumble-server.log

[screensharingd]
logpath  = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
logpath  = /var/log/haproxy.log

[slapd]
port    = ldap,ldaps
filter  = slapd
logpath = /var/log/slapd.log

No inicio do arquivo de configuração configura-se praticamente tudo, vejamos:

ignoreip -> Os IPS que não serão banidos em hipótese alguma
bantime -> O tem que os IPS banidos ficaram bloqueados
maxretry -> Quantas vezes um ip pode tentar logar antes de ser banido.

Bom… Deixei a minha colaboração nesse artigo, porém, digo que isso não é tudo.
O fail2ban possui inúmeras configurações que podem ser implementadas nesse artigo, mas aí, vai da criatividade de cada um.

Conforme a dica do colega Brivaldo Junior, este outro artigo demonstra mais algumas configurações do Fail2ban

Espero ter colaborado.

Esse artigo foi útil? Colabore com o nosso site para podermos continuar dando mais dicas como essa!

Formas de doação:

Boleto / Cartão de crédito: https//bit.ly/AprendendoLinux
Pix: [email protected]
PicPay: @henrique_fagundes
PayPal: [email protected]
Bitcoin: bc1qtnn5z058htzy799dslwrpjcdpm0vuta3vrj28l

Favorecido: Luiz Henrique Marques Fagundes

Tags: fail2ban firewall segurança

Aumente a segurança do seu servidor com o Fail2ban

Você pode gostar...

Deixe um comentário

Assuntos

Links

Aumente a segurança do seu servidor com o Fail2ban

Você pode gostar...

OwnCloud – Tenha sua própria nuvem – Alternativa ao Dropbox

Gmail + Postfix = Relay SMTP Autenticado

Instalando o OCS Inventory sem complicações!

Deixe um comentário

Assuntos

Links