Frank Daten

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Zuletzt angesehen:
fail2ban

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen RevisionVorhergehende Überarbeitung
Nächste Überarbeitung		Vorhergehende Überarbeitung
fail2ban [31.01.2024] – [Beste Vorgehensweise] hochrathfail2ban [31.01.2024] (aktuell) – [Quellen] hochrath
Zeile 211: Zeile 211:
  
 <code> <code>
-# Fail2Ban filter for URLs with a URL as a script parameters 
-# which can be an indication of a fopen url php injection 
-# 
-# Example of web requests in Apache access log: 
-# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/p> 
- 
 [Definition] [Definition]
  
-#failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$ 
-# 30.01.2024 
-#failregex = ^<HOST> -.*"404.*$ 
-#failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/404 .*$ 
 failregex = ^<HOST> -.*"(GET|POST).*404*.*$ failregex = ^<HOST> -.*"(GET|POST).*404*.*$
- 
-#beispiel: 
-# 192.168.178.36 - - [31/Jan/2024:15:30:33 +0100] "GET /test2adf.php HTTP/1.1" 404 496 "-" "Mozilla/5.0 > 
- 
  
 ignoreregex = ignoreregex =
- 
-# DEV Notes: 
-# 
-# Version 2 
-# fixes the failregex so REFERERS that contain =http:// don't get blocked 
-# (mentioned by "fasuto" (no real email provided... blog comment) in this entry: 
-# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489 
-# 
-# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> 
  
 datepattern = ^[^\[]*\[({DATE}) datepattern = ^[^\[]*\[({DATE})
Zeile 249: Zeile 226:
 </code> </code>
  
 +\\
 +\\
 +Nun kann man über die Log-Files sehr schön den Verlauf bei einem fehlerhaften Zugriff beobachten:\\
 +**service fail2ban status**
 +<code>
 +root@raspberrypi3:/home/pi# service fail2ban status
 +● fail2ban.service - Fail2Ban Service
 +     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
 +     Active: active (running) since Wed 2024-01-31 15:32:26 CET; 1h 1min ago
 +       Docs: man:fail2ban(1)
 +    Process: 23835 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 +   Main PID: 23836 (fail2ban-server)
 +      Tasks: 7 (limit: 1595)
 +        CPU: 5.115s
 +     CGroup: /system.slice/fail2ban.service
 +             └─23836 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
  
 +Jan 31 15:32:26 raspberrypi3 systemd[1]: Starting Fail2Ban Service...
 +Jan 31 15:32:26 raspberrypi3 systemd[1]: Started Fail2Ban Service.
 +Jan 31 15:32:27 raspberrypi3 fail2ban-server[23836]: Server ready
 +</code>
  
 +\\
 +**iptables -L**
 +<code>
 +root@raspberrypi3:/home/pi# iptables -L
 +Chain INPUT (policy ACCEPT)
 +target     prot opt source               destination
 +f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https
  
 +Chain FORWARD (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain OUTPUT (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain f2b-apache404 (1 references)
 +target     prot opt source               destination
 +RETURN     all  --  anywhere             anywhere
 </code> </code>
 +
 +\\
 +**fail2ban-client status apache404**
 +<code>
 +root@raspberrypi3:/home/pi# fail2ban-client status apache404
 +Status for the jail: apache404
 +|- Filter
 +|  |- Currently failed: 1
 +|  |- Total failed:     3
 +|  `- File list:        /var/log/apache2/access.log
 +`- Actions
 +   |- Currently banned: 0
 +   |- Total banned:     1
 +   `- Banned IP list:
 +
 +</code>
 +
 +\\
 +\\
 +nun die Webseite nach fehlenden Seiten abfragen:
 +\\
 +**tail -f /var/log/fail2ban.log**
 +<code>
 +2024-01-31 16:36:58,105 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:36:58
 +2024-01-31 16:38:13,892 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:38:13
 +2024-01-31 16:38:14,032 fail2ban.actions        [23836]: NOTICE  [apache404] Ban 192.168.178.36**Fetter Text**
 +
 +</code>
 +
 +\\
 +**fail2ban-client status apache404**
 +<code>
 +root@raspberrypi3:/home/pi# fail2ban-client status apache404
 +Status for the jail: apache404
 +|- Filter
 +|  |- Currently failed: 0
 +|  |- Total failed:     5
 +|  `- File list:        /var/log/apache2/access.log
 +`- Actions
 +   |- Currently banned: 1
 +   |- Total banned:     2
 +   `- Banned IP list:   192.168.178.36
 +
 +</code>
 +
 +\\
 +**iptables -L**
 +<code>
 +root@raspberrypi3:/home/pi# iptables -L
 +Chain INPUT (policy ACCEPT)
 +target     prot opt source               destination
 +f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https
 +
 +Chain FORWARD (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain OUTPUT (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain f2b-apache404 (1 references)
 +target     prot opt source               destination
 +REJECT     all  --  DESKTOP-PQ44AIL.fritz.box  anywhere             reject-with icmp-port-unreachable
 +RETURN     all  --  anywhere             anywhere
 +
 +</code>
 +
 +
 +
  
  
    
  
 +\\
 +\\
 ==== Quellen ==== ==== Quellen ====
  
 https://wiki.ubuntuusers.de/fail2ban/\\ https://wiki.ubuntuusers.de/fail2ban/\\
 https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04\\ https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04\\
fail2ban.1706712048.txt.gz · Zuletzt geändert: 31.01.2024 von hochrath