tuning fail2ban

2021-08-28 13:34:37 +02:00 · 2021-08-28 13:34:37 +02:00 · 63255d321a
parent 60adba79a1
commit 63255d321a
9 changed files with 89 additions and 6 deletions
--- a/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
+++ b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
@ -0,0 +1,12 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+miab-errors=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address <HOST>:.+
+miab-normal=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address <HOST>$
+ignoreregex =
+
+failregex = <miab-<mode>>
+
+mode = normal
--- a/conf/fail2ban/filter.d/miab-postfix-scanner.conf
+++ b/conf/fail2ban/filter.d/miab-postfix-scanner.conf
@ -0,0 +1,7 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+failregex=postfix/submission/smtpd.*warning: non-SMTP command from.*\[<HOST>\].*HTTP.*$
+ignoreregex =
--- a/conf/fail2ban/filter.d/nginx-badrequests.conf
+++ b/conf/fail2ban/filter.d/nginx-badrequests.conf
@ -0,0 +1,8 @@
+# Ban requests for non-existing or not-allowed resources
+# Ban requests for 40x results
+
+[Definition]
+# first regex for error.log, second for access.log
+failregex = ^.* \[error\] .*2: No such file or directory.*client: <HOST>.*$
+	    ^<HOST> - .*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404) .*$
+ignoreregex = ^.*(robots.txt|favicon.ico).*$
--- a/conf/fail2ban/filter.d/nginx-missingresource.conf
+++ b/conf/fail2ban/filter.d/nginx-missingresource.conf
@ -0,0 +1,6 @@
+# Ban requests for non-existing or not-allowed resources
+
+[Definition]
+failregex = ^.* \[error\] .*2: No such file or directory.*client: <HOST>.*$ 
+ignoreregex = ^.*(robots.txt|favicon.ico).*$
+
--- a/conf/fail2ban/filter.d/webexploits.conf
+++ b/conf/fail2ban/filter.d/webexploits.conf
@ -97,7 +97,8 @@ failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
            ^<HOST> -.*(GET|POST|HEAD).*(/examples/file-manager\.html)
            ^<HOST> -.*(GET|POST|HEAD).*(/getcfg\.php)
            ^<HOST> -.*(GET|POST|HEAD).*(/get_password\.php)
-            ^<HOST> -.*(GET|POST|HEAD).*(/\.git/info/)
+            ^<HOST> -.*(GET|POST|HEAD).*(/\.git/info)
+            ^<HOST> -.*(GET|POST|HEAD).*(/\.git/HEAD)
            ^<HOST> -.*(GET|POST|HEAD).*(/Hello\.World)
            ^<HOST> -.*(GET|POST|HEAD).*(/hndUnblock\.cgi)
            ^<HOST> -.*(GET|POST|HEAD).*(/images/login9/login_33\.jpg)
@ -231,7 +232,7 @@ failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
            ^<HOST> -.*(GET|POST|HEAD).*(\x22sanitize)
            ^<HOST> -.*(GET|POST|HEAD).*(\x22SimplePie)
            ^<HOST> -.*(GET|POST|HEAD).*(\x5C0disconnectHandlers)
-            ^<HOST> -.*(GET).*(\.\./wp-config.php)
+            ^<HOST> -.*(GET|POST|HEAD).*(\.\./wp-config.php)


 ignoreregex =
--- a/conf/fail2ban/jail.d/badrequests.conf
+++ b/conf/fail2ban/jail.d/badrequests.conf
@ -0,0 +1,14 @@
+# Block clients that generate too many non existing resources
+# Do not deploy of you host many websites on your box
+# any bad html link will trigger a false positive.
+# This jail is meant to catch scanners that try many
+# sites.
+[badrequests]
+enabled  = true
+port     = http,https
+filter   = nginx-badrequests
+logpath = /var/log/nginx/error.log
+          /var/log/nginx/access.log
+maxretry = 8
+findtime = 15m
+bantime = 15m
--- a/conf/fail2ban/jail.d/postfix-extra.conf
+++ b/conf/fail2ban/jail.d/postfix-extra.conf
@ -0,0 +1,31 @@
+# typically non smtp commands. Block fast for access to postfix
+[miab-postfix-scanner]
+enabled  = true
+port     = smtp,465,587
+filter   = miab-postfix-scanner
+logpath = /var/log/mail.log
+maxretry = 2
+findtime = 1d
+bantime = 1h
+
+# ip lookup of hostname does not match. Go easy on block
+[miab-pf-rdnsfail]
+enabled  = true
+port     = smtp,465,587
+mode     = normal
+filter   = miab-postfix-rdnsfail
+logpath  = /var/log/mail.log
+maxretry = 8
+findtime = 12h
+bantime  = 30m
+
+# ip lookup of hostname does not match with failure. More strict block
+[miab-pf-rdnsfail-e]
+enabled  = true
+port     = smtp,465,587
+mode     = errors
+filter   = miab-postfix-rdnsfail[mode=errors]
+logpath  = /var/log/mail.log
+maxretry = 4
+findtime = 1d
+bantime  = 1h
--- a/conf/fail2ban/jail.d/webexploits.conf
+++ b/conf/fail2ban/jail.d/webexploits.conf
@ -1,8 +1,12 @@
+# Block clients based on a list of specific requests
+# The list contains applications that are not installed
+# only scanners and bad parties will try too often
+# so blocking can be fast and long
 [webexploits]
 enabled  = true
 port     = http,https
 filter   = webexploits
 logpath = /var/log/nginx/access.log
 maxretry = 2
-findtime = 240m
-bantime = 60m
+findtime = 4h
+bantime = 4h
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@ -5,7 +5,7 @@
 # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
 # ping services over the public interface so we should whitelist that address of
 # ours too. The string is substituted during installation.
-ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6 ADMIN_HOME_IP ADMIN_HOME_IPV6
+ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6/64
 bantime = 15m
 findtime = 120m
 maxretry = 4
@ -69,7 +69,7 @@ findtime = 15m
 enabled  = true
 maxretry = 10
 bantime  = 2w
-findtime = 3d
+findtime = 6d
 action   = iptables-allports[name=recidive]
 # In the recidive section of jail.conf the action contains:
 #