Filtros creados para fail2ban

Posted on | By kbs | No comments
¿En qué podemos ayudarte?
< Regresar
Estás aquí:
Imprimir
Created Onfebrero 7, 2020
Last Updated Onmayo 11, 2021
bykbs

Este es el archivo de configuracion de fail2ban

nano /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 2

[postfix-sasl]
enabled  = true
maxretry = 3
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
filter = postfix-sasl
logpath = /var/log/mail.log
bantime = 84600

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log
bantime = 84600
findtime = 60
maxretry = 3
backend  = polling
journalmatch =
banaction = iptables-multiport
action = %(action_)s

[named-refused-udp]
enabled  = true
port     = domain,953
filter   = named-refused
logpath  = /var/log/bind9.log
maxretry = 3
protocol = udp
ignoreip = 187.190.242.205/32

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port="http,https"]
logpath  = /var/lib/roundcube/logs/userlogins

[postfix-flood-attack]
enabled  = true
bantime  = 87840
filter   = postfix-flood-attack
action   = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath  = /var/log/mail.log
maxretry = 2

[postfix]
enabled = true
maxretry = 2
bantime = 87840
filter = postfix
logpath = /var/log/mail.log

[postfix-rbl]
enabled = true
maxretry = 2
bantime = 87840
filter = postfix-rbl
logpath = /var/log/mail.log

[postscreen]
port = smtp,465,submission
enabled = true
maxretry = 1
logpath = /var/log/mail.log
filter = postscreen
bantime = 87840

[dnsblog]
port = smtp,465,submission
enabled = true
maxretry = 1
logpath = /var/log/mail.log
filter = dnsblog
bantime = 87840

filtros que van en /etc/fail2ban/filter.d

nano pureftpd.conf
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

nano dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

nano postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
ignoreregex =

nano phpmyadmin.conf
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

nano named-refused.conf
# Fail2Ban filter file for named (bind9).
#

# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# By default, logging is off with bind9 installation.
#
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };

[Definition]

# Daemon name
_daemon=named

# Shortcuts for easier comprehension of the failregex

__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

#       hostname       daemon_id         spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
            ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
            ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$

ignoreregex =

# DEV Notes:
# Trying to generalize the
#          structure which is general to capture general patterns in log
#          lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko

nano roundcube.conf
[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =

nano postfix-flood-attack.conf
[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

nano postfix.conf
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier

nano postfix-rbl.conf
# Fail2Ban filter for Postfix's RBL based Blocked hosts
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

ignoreregex =

# Author: Lee Clemens

nano postscreen.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/postscreen
failregex = ^%(__prefix_line)sPREGREET \d+ after \d+\.\d+ from \[<HOST>\]:\d+: EHLO User\\r\\n
ignoreregex =

nano dnsblog.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/dnsblog
failregex = ^%(__prefix_line)saddr <HOST> listed .*
ignoreregex =
Etiquetas:
Table of Contents
Category: LINUX

Deja un comentario