Archive

Articles taggués ‘fail2ban’

Postfix + fail2ban = win

02/07/2020 Aucun commentaire
source: http://blog.dp.cx/25/postfix-fail2ban-win

Recently, I had to lease a new server. My old one was ok, but it was 5 years old, and showing it’s age. The most recent bout of problems was due to postfix, and a specific domain that I host mail for.

I had previously set up Policyd in an attempt to stop the influx of spam before it ever hit the server, but it wasn’t doing anything at this point. So approximately 800 messages per minute were getting directly to Postfix, and then running queries against MySQL (I use virtual maps for users, aliases, domains, etc). 99% of these messages were to non-existant users, so Postfix would bounce them. But the little 2.0GHz Celeron couldn’t handle it. The load shot up to 8 for around 3 weeks, and stayed there. I wish the fail2ban idea had come to me sooner… Lire la suite…

Protéger votre serveur ssh contre les attaques brute-force

30/06/2020 Aucun commentaire

ssh est excellent pour accéder à distance à ses fichiers, ou même utiliser son ordinateur à distance.

Mais que faire contre les attaques de type brute-force ?
(Essai de toutes les combinaisons de lettre pour trouver le mot de passe).

C’est simple:

sudo aptitude install fail2ban

Et voilà !

Si quelqu’un fait 6 essais ratés de connexion sur le serveur ssh, son adresse IP sera bannie pendant 10 minutes.
C’est suffisant pour rendre inutile ce genre d’attaque.

Pour voir les actions du programme, faites:

sudo cat /var/log/fail2ban.log

Aller plus loin

En fait, fail2ban peut être configuré pour faire plein d’autres choses.
Dans le principe, il surveille les fichiers log de votre choix, et déclenche alors des actions.

Dans le cas de ssh, il surveille /var/log/auth.log et lance des commandes iptables pour bannir les adresses IP.

Regardez le fichier /etc/fail2ban/jail.conf
Il contient déjà les lignes pour bloquer les attaques sur les serveurs ftp (vsftpd, wuftpd, proftpd…), postfix, apache…
Vous pouvez les activer en remplaçant enabled = false par enabled = true.

Monitorer fail2ban

25/06/2020 Comments off

Source: arscenic.org

Nous avons installé fail2ban sur chacun de nos serveurs en utilisant ce tutoriel

Le script de monitoring que nous allons utiliser se trouve ici : http://blog.sinnwidrig.org/?p=50. C’est un script générique permettant de créer un graphique distinct par action de fail2ban.

On décide de placer les plugins supplémentaires pour munin dans le répertoire  /opt/share/munin/plugins
#Créer le répertoire des plugins dans le cas ou il n'existe pas déjà
sudo mkdir -p /opt/share/munin/plugins
cd /opt/share/munin/plugins
# Récupérer le script
sudo wget http://blog.sinnwidrig.org/files/fail2ban_-0.1
# Rendre exécutable le script
sudo chmod +x fail2ban_-0.1

Lire la suite…

Fail2ban – Block unwanted attacks

18/06/2020 Comments off

source: Paul’s blog

Up until now i have been manually blocking ip’s that attack my server but by the time i see them the attacks have normally finished but after the last big attack on my email server (some 35,000 attempts) i decided to find a way to automate the blocking. After a bit of research i decided to setup Fail2ban and here’s how i did it.

As i use a 3rd party repostories – EPEL (how to add repositories) i can just use yum to install it

yum install fail2ban

once installed i just needed to change the configuration to my liking, the config files can be found at “/etc/fail2ban”

first i edit “/etc/fail2ban/fail2ban.conf” and ensure the “logtarget” is set correctly

logtarget = /var/log/fail2ban.log

The default behaviour of fail2ban is configured in the file “/etc/fail2ban/jail.conf”. There’s a [DEFAULT] section that applies to all other sections unless the default options are overridden in the other sections. Lire la suite…

Howto: Geolocation for Fail2ban

12/06/2020 Comments off

source: fail2ban.org

 

Using geolocation to locate your attackers.

I use fail2ban on my servers to protect them from would-be attackers, if you don’t your either insanely nieve to the fact that somebody wants in your system, or your just wanting to see if you can get hacked. Most of the attackers I would assume are just after another “bot” in their “net”, or maybe a place to host files.

Durzo hosts a script that allows you to log the attacks on you into a mysql database with geocoding, I thought this would be cool to use as I could see from where I was being attacked. I then got this working and another script to display the table in a web page so I could view the data easily.

I then found some scripts from Google to pull data from MySQL in a geolocation table and generate an XML file used to import into Google Maps. With some tweaking and customizing, I now have a map with the geolocation data as markers on the map. Not all the markers are right on a building, but they are close enough for me to see the areas from which attacks are coming.

Now on to the good stuff… Lire la suite…