Fail2ban: настройка ручных фильтров на примере NGINX

Автор: | 05/02/2015
 

Linux SecureЗадача — добавить свои собственные правила для Fail2ban, по которым будет выполняться поиск в логах.

Например — очень много ботов сканируют URL-ы на предмет поиска панели управления phpMyAdmin, что бы потом побрутфорсить её.

Добавляем файл /etc/fail2ban/filter.d/nginx-proxy.local:

[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

Файл /etc/fail2ban/filter.d/nginx-noscript.local:

[Definition]
failregex = ^<HOST> -.*GET.*(.asp|.exe|.pl|.cgi|scgi)
ignoreregex =

И файл /etc/fail2ban/filter.d/nginx-auth.local:

[Definition]

failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>

ignoreregex =

Файл /etc/fail2ban/filter.d/nginx-login.local:

[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1.." 200
ignoreregex =

Файл /etc/fail2ban/filter.d/nginx-manual.local:

[Definition]

failregex = .*client: <HOST>.*GET.*phpMyAdmin/scripts/
            .*client: <HOST>.*GET.*pma/scripts/
            .*client: <HOST>.*GET.*MyAdmin/scripts/
            .*client: <HOST>.*GET.*myadmin/scripts/
            .*client: <HOST>.*GET.*wp-content/uploads/_cache.php
            .*client: <HOST>.*GET.*wp-content/uploads/_wp_cache.php

ignoreregex =

Напомню — есть чудесный сервис по составлению и проверке регулярных выражений.

Редактируем /etc/fail2ban/jail.local:

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-badbots]
enabled  = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 86400 # 1 day
maxretry = 1

[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 6
bantime  = 86400 # 1 day

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
maxretry = 0
bantime  = 86400 # 1 day
[nginx-manual]
enabled = true
filter = nginx-manual
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx/*error.log
bantime = 86400
maxretry = 2

Проверяем:

# fail2ban-regex /var/log/nginx/rtfm.co.ua-error.log /etc/fail2ban/filter.d/nginx-manual.local
...
Failregex: 8 total
|-  #) [# of hits] regular expression
|   1) [1] .*client: <HOST>.*GET.*phpMyAdmin/scripts/
|   2) [1] .*client: <HOST>.*GET.*pma/scripts/
|   3) [2] .*client: <HOST>.*GET.*MyAdmin/scripts/
|   4) [2] .*client: <HOST>.*GET.*myadmin/scripts/
|   5) [1] .*client: <HOST>.*GET.*wp-content/uploads/_cache.php
|   6) [1] .*client: <HOST>.*GET.*wp-content/uploads/_wp_cache.php
`-
...
Lines: 19 lines, 0 ignored, 7 matched, 12 missed

Перезапускаем Fail2ban:

# service fail2ban restart
Stopping fail2ban:                                         [  OK  ]
Starting fail2ban:                                         [  OK  ]

Проверяем:

# fail2ban-client status
Status
|- Number of jail:      7
`- Jail list:           exim-spam, pam-generic, ssh-iptables, dovecot-auth, nginx-manual, dovecot, exim
# fail2ban-client status nginx-manual
Status for the jail: nginx-manual
|- filter
|  |- File list:        /var/log/nginx/webmail.domain.org.ua-error.log /var/log/nginx/testing.domain.org.ua-error.log /var/log/nginx/postfixadmin.domain.org.ua-error.log /var/log/nginx/domain.org.ua-error.log /var/log/nginx/domain.kiev.ua-error.log /var/log/nginx/domain.kiev.ua-error.log /var/log/nginx/domain.org.ua-error.log /var/log/nginx/forum.domain.kiev.ua-error.log /var/log/nginx/error.log /var/log/nginx/testing.domain.kiev.ua-error.log /var/log/nginx/domain.co.ua-error.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

UPD Писалась эта статья несколько месяцев тому, лежала в черновиках. За это время — хостов ~50 отправилось в бан, в основном — при попытках найти phpMyAdmin.