The task is to add our own rules to Fail2ban, which it will use when searching the logs.
For example, a great many bots scan URLs looking for the phpMyAdmin control panel, so that they can brute-force it afterwards.
Add the file /etc/fail2ban/filter.d/nginx-proxy.local:

[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

The file /etc/fail2ban/filter.d/nginx-noscript.local (the dots in the extensions are escaped so that they match a literal "." rather than any character):

[Definition]
failregex = ^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|scgi)
ignoreregex =

And the file /etc/fail2ban/filter.d/nginx-auth.local:

[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =

The file /etc/fail2ban/filter.d/nginx-login.local:

[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1.." 200
ignoreregex =

The file /etc/fail2ban/filter.d/nginx-manual.local:

[Definition]
failregex = .*client: <HOST>.*GET.*phpMyAdmin/scripts/
            .*client: <HOST>.*GET.*pma/scripts/
            .*client: <HOST>.*GET.*MyAdmin/scripts/
            .*client: <HOST>.*GET.*myadmin/scripts/
            .*client: <HOST>.*GET.*wp-content/uploads/_cache.php
            .*client: <HOST>.*GET.*wp-content/uploads/_wp_cache.php
ignoreregex =

A reminder: there is a wonderful service for composing and testing regular expressions.
Edit /etc/fail2ban/jail.local:

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 86400 # 1 day
maxretry = 1

[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 6
bantime = 86400 # 1 day

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
maxretry = 0
bantime = 86400 # 1 day

[nginx-manual]
enabled = true
filter = nginx-manual
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx/*error.log
bantime = 86400
maxretry = 2

Check the filter against a real log with fail2ban-regex:

# fail2ban-regex /var/log/nginx/rtfm.co.ua-error.log /etc/fail2ban/filter.d/nginx-manual.local
...
Failregex: 8 total
|-  #) [# of hits] regular expression
|   1) [1] .*client: <HOST>.*GET.*phpMyAdmin/scripts/
|   2) [1] .*client: <HOST>.*GET.*pma/scripts/
|   3) [2] .*client: <HOST>.*GET.*MyAdmin/scripts/
|   4) [2] .*client: <HOST>.*GET.*myadmin/scripts/
|   5) [1] .*client: <HOST>.*GET.*wp-content/uploads/_cache.php
|   6) [1] .*client: <HOST>.*GET.*wp-content/uploads/_wp_cache.php
`-
...
Lines: 19 lines, 0 ignored, 7 matched, 12 missed

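As an added example (not part of the original post), the same kind of check done offline in Python: it parses the filter.d syntax used above, expands <HOST> with an approximation of fail2ban's own named group (an assumption of this example), runs three of the nginx-manual patterns over constructed nginx error-log lines, and reports which client would reach a jail's maxretry.

```python
import re
from collections import Counter
# fail2ban expands <HOST> into a named group; this approximates its classic expansion (assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def parse_failregex(text):
    # Collect the failregex option from a filter.d body; indented lines continue it.
    patterns, option = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "[")):
            continue
        if raw[0].isspace() and option:
            value = raw.strip()
        else:
            option, _, value = (s.strip() for s in raw.partition("="))
        if option == "failregex" and value:
            patterns.append(re.compile(value.replace("<HOST>", HOST_RE)))
    return patterns

def scan(regexes, lines):
    # Mimic fail2ban-regex: hits per pattern and failures per client host,
    # stopping at the first failregex that matches a line (as fail2ban does).
    hits, per_host = Counter(), Counter()
    for line in lines:
        for i, rx in enumerate(regexes):
            m = rx.search(line)
            if m:
                hits[i] += 1
                per_host[m.group("host")] += 1
                break
    return hits, per_host

def would_ban(per_host, maxretry):
    # Hosts reaching the jail's maxretry (all sample lines assumed within one findtime).
    return sorted(h for h, n in per_host.items() if n >= maxretry)

# Three of the post's nginx-manual patterns, in the same filter.d syntax.
NGINX_MANUAL = """[Definition]
failregex = .*client: <HOST>.*GET.*phpMyAdmin/scripts/
            .*client: <HOST>.*GET.*pma/scripts/
            .*client: <HOST>.*GET.*wp-content/uploads/_cache.php
ignoreregex =
"""
# Constructed nginx error-log lines (documentation addresses, not real clients).
SAMPLE_LOG = [
    '2014/05/12 10:00:01 [error] 123#0: *1 open() "/var/www/phpMyAdmin/scripts/setup.php" failed (2: No such file or directory), client: 192.0.2.10, server: example.com, request: "GET /phpMyAdmin/scripts/setup.php HTTP/1.1"',
    '2014/05/12 10:00:02 [error] 123#0: *2 open() "/var/www/pma/scripts/setup.php" failed (2: No such file or directory), client: 192.0.2.10, server: example.com, request: "GET /pma/scripts/setup.php HTTP/1.1"',
    '2014/05/12 10:00:03 [error] 123#0: *3 open() "/var/www/wp-content/uploads/_cache.php" failed (2: No such file or directory), client: 198.51.100.7, server: example.com, request: "GET /wp-content/uploads/_cache.php HTTP/1.1"',
    '2014/05/12 10:00:04 [error] 123#0: *4 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: example.com, request: "GET /favicon.ico HTTP/1.1"',
]
```

With the nginx-manual jail's maxretry = 2, `would_ban(scan(parse_failregex(NGINX_MANUAL), SAMPLE_LOG)[1], 2)` returns only 192.0.2.10; the favicon line matches nothing.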
Restart Fail2ban:

# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]

Check the result:

# fail2ban-client status
Status
|- Number of jail: 7
`- Jail list: exim-spam, pam-generic, ssh-iptables, dovecot-auth, nginx-manual, dovecot, exim

# fail2ban-client status nginx-manual
Status for the jail: nginx-manual
|- filter
|  |- File list: /var/log/nginx/webmail.domain.org.ua-error.log /var/log/nginx/testing.domain.org.ua-error.log /var/log/nginx/postfixadmin.domain.org.ua-error.log /var/log/nginx/domain.org.ua-error.log /var/log/nginx/domain.kiev.ua-error.log /var/log/nginx/domain.kiev.ua-error.log /var/log/nginx/domain.org.ua-error.log /var/log/nginx/forum.domain.kiev.ua-error.log /var/log/nginx/error.log /var/log/nginx/testing.domain.kiev.ua-error.log /var/log/nginx/domain.co.ua-error.log
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0

UPD: This post was written several months ago and sat in drafts. Since then, ~50 hosts have gone into the ban, mostly for attempts to find phpMyAdmin.