Fail2ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show potentially malicious behaviour: too many password failures, searching for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject requests from those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an e-mail) could also be configured. Fail2Ban ships with a set of filters for various services (Apache, Dovecot, SSH, Postfix, etc.).
Fail2ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. To improve security, open access to a service only from trusted networks, using the firewall or the Services page.
Configuration
Access the Fail2ban application and click on the Settings button. The configuration is split into two pages:
- Settings: general configuration options
- Jails: manage available jails
A jail is enabled and starts protecting a service when you install a new module: the relevant jail (if one exists) is activated automatically after the package installation. All jails can be disabled individually in the Jails settings.
Available settings are:
- IP Whitelist: IPs listed in the text area will never be banned by Fail2ban (one IP per line).
- Recidive ban: extends the ban of persistent abusers. The recidive ban can have two different behaviours:
  - Static ban time: bans recidivist hosts for 2 weeks, such as bots carrying out brute force attacks. The rule applies when an IP has already been banned several times.
  - Incremental ban time: increases the ban time at each failed attempt found in the log. When enabled, with a short ban time configured, a legitimate user is banned for a short time while an attacker is banned for a very long period.
- Allow bans on the LAN: by default, failed attempts from your Local Network are ignored, unless this option is enabled. Trusted networks are considered part of the LAN.
- Logging Level: increase or decrease the log level.
- Number of attempts: number of matches (i.e. the value of the counter) which triggers the ban action on the IP.
- Time span: the counter is reset to zero if no match is found within "findtime" seconds.
- Ban time: duration for which the IP is banned.
Mail notifications
Mail notifications are disabled by default. To enable them, click on the Email notifications button, then add one or more mail addresses using the Add an email button and filling in the Notify to field. Existing mail addresses can be removed by clicking on the - button.
To also receive a notification when a jail is enabled or disabled, check the Notify jail start/stop events option.
Unban IP
IPs are banned when they are found several times in the log within a specific find time. They are stored in a database so that they are banned again each time the server is restarted. The list of current bans is available in the Unban page. To unban an IP, just click on the corresponding Unban button.
Command line tools
fail2ban-client
fail2ban-client gives the state of Fail2ban and of all available jails:
    fail2ban-client status
To inspect a specific jail:
    fail2ban-client status sshd
To check which log files are monitored by a jail:
    fail2ban-client get nginx-http-auth logpath
fail2ban-listban
fail2ban-listban counts the IPs currently banned and the total ever banned in all active jails; at the end it shows the IPs which are still banned by Shorewall.
    fail2ban-listban
fail2ban-regex
fail2ban-regex is a tool used to test a regex against your logs; it is part of the Fail2ban software. Only one filter is allowed per jail, but it is possible to specify several actions, on separate lines.
The documentation is available at the fail2ban project.
    fail2ban-regex /var/log/YOUR_LOG /etc/fail2ban/filter.d/YOUR_JAIL.conf --print-all-matched
It is also possible to test a custom regex directly:
    fail2ban-regex /var/log/secure '^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$'
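The "Number of attempts", "Time span" and "Ban time" settings described under Configuration, and the custom sshd regex tested above, worked through together as an added example (not part of the NethServer documentation or of the fail2ban code): a small Python simulation applies that failregex to a constructed /var/log/secure excerpt and decides the bans the way the counter rules describe. The %(__prefix_line)s and <HOST> expansions are simplified stand-ins, the whitelist is modelled as an ignore set, and doubling the incremental ban time at each repeat is an assumption about fail2ban's default growth.

```python
import re
# Constructed excerpt in /var/log/secure format (not from the page); all lines are
# in the same month, so day and time are enough for ordering.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[2101]: error: PAM: Authentication failure for root from 203.0.113.7
Mar  3 10:00:05 srv sshd[2101]: error: PAM: Authentication failure for root from 203.0.113.7
Mar  3 10:00:09 srv sshd[2101]: error: PAM: Authentication failure for admin from 203.0.113.7
Mar  3 10:00:10 srv sshd[2110]: Authentication failure for alice from 198.51.100.20
Mar  3 10:20:00 srv sshd[2130]: Authentication failure for alice from 198.51.100.20
Mar  3 10:20:30 srv sshd[2131]: Authentication failure for alice from 198.51.100.20
Mar  3 10:30:00 srv sshd[2140]: error: PAM: Authentication failure for root from 192.168.1.5
Mar  3 10:30:01 srv sshd[2140]: error: PAM: Authentication failure for root from 192.168.1.5
Mar  3 10:30:02 srv sshd[2140]: error: PAM: Authentication failure for root from 192.168.1.5
Mar  3 11:00:00 srv sshd[2201]: error: PAM: Authentication failure for root from 203.0.113.7
Mar  3 11:00:02 srv sshd[2201]: error: PAM: Authentication failure for root from 203.0.113.7
Mar  3 11:00:04 srv sshd[2201]: error: PAM: Authentication failure for root from 203.0.113.7
"""

# Simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> (assumptions).
PREFIX_LINE = r"(?P<ts>\w{3} +\d+ \d+:\d+:\d+) \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile("^" + PREFIX_LINE
    + r"(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from " + HOST + r"( via \S+)?\s*$")

def to_seconds(ts):
    """'Mon DD HH:MM:SS' -> seconds since the start of the month (year/month ignored)."""
    day, clock = ts.split()[1:]
    h, m, s = (int(x) for x in clock.split(":"))
    return int(day) * 86400 + h * 3600 + m * 60 + s

def simulate(log, maxretry=3, findtime=600, bantime=600, incremental=False, ignoreip=()):
    """Return {ip: [ban duration, ...]} as fail2ban's counter and ban rules would decide."""
    window = {}   # ip -> timestamps of recent matches, pruned to the last findtime seconds
    bans = {}     # ip -> durations of the bans issued so far
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m or m.group("host") in ignoreip:
            continue                      # no match, or whitelisted IP: never counted
        ip, now = m.group("host"), to_seconds(m.group("ts"))
        recent = [t for t in window.get(ip, []) if now - t <= findtime] + [now]
        if len(recent) < maxretry:
            window[ip] = recent
            continue
        # Number of attempts reached inside findtime: ban. With incremental ban time
        # the duration doubles at each repeat (assumed default growth factor).
        prior = len(bans.get(ip, []))
        bans.setdefault(ip, []).append(bantime * 2 ** prior if incremental else bantime)
        window[ip] = []                   # the counter restarts after a ban
    return bans
```

Note that 198.51.100.20 is never banned with the defaults: its first failure falls out of the 600-second window before the third one arrives, exactly the "Time span" reset described above.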
fail2ban-unban
fail2ban-unban is used to unban an IP when the ban must be removed manually.
    fail2ban-unban <IP>
The built-in fail2ban-client command can also be used:
    fail2ban-client set <JAIL> unbanip <IP>
Whois
If you want to receive information about the origin of the banned IP via e-mail, you can use the whois database by installing the whois rpm.