Increase your server's security with Fail2ban
Dear colleagues,
First of all, penguin greetings to everyone!
In this article, I will try to explain as simply as possible how to implement this excellent security solution called Fail2ban.
What does it do? Fail2ban simply blocks a given IP that tries to log in to your server through protocols (which you configure) after a given number of failed attempts (which you configure). To learn more, click here.
Well... Enough blah, blah, blah, let's get our hands dirty!
Install the program with the command below:
apt-get install fail2ban
After installing, let's edit the main configuration file:
vim /etc/fail2ban/jail.conf
In my case, the file looked like this:
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8, 158.64.239.238
ignorecommand =
bantime = -1
findtime = 3600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = henrique@aprendendolinux.com
sender = fail2ban@echelon.aprendendolinux.com
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action = %(action_)s

[sshd]
port = 22
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[sshd-ddos]
port = 22
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[dropbear]
port = 22
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s

[selinux-ssh]
port = 22
logpath = %(auditd_log)s

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
         #sendmail-whois[name=PHPMYADMIN, dest=henrique@aprendendolinux.com]
logpath = /var/log/apache2/phpmyadmin.log
maxretry = 3

[apache-auth]
enabled = true
port = http,https
filter = apache-auth
action = iptables-multiport[name=apache-auth, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, dest=henrique@aprendendolinux.com]
logpath = /var/log/apache2/*/*_error.log
maxretry = 3

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
action = iptables-multiport[name=apache-noscript, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, dest=henrique@aprendendolinux.com]
logpath = /var/log/apache2/*/*_error.log
maxretry = 3

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
action = iptables-multiport[name=apache-overflows, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, dest=henrique@aprendendolinux.com]
logpath = /var/log/apache2/*/*_error.log
maxretry = 3

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
         #sendmail-whois[name=APACHE, dest=henrique@aprendendolinux.com]
logpath = /var/log/apache2/*/*_error.log
maxretry = 3

[wordpress-hard]
enabled = true
port = http,https
action = iptables-multiport[name=wordpress-hard, port="http,https", protocol=tcp]
         #sendmail-whois[name=WORDPRESS, dest=henrique@aprendendolinux.com]
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 3

[wordpress-soft]
enabled = true
port = http,https
action = iptables-multiport[name=wordpress-soft, port="http,https", protocol=tcp]
         #sendmail-whois[name=WORDPRESS, dest=henrique@aprendendolinux.com]
filter = wordpress-soft
logpath = /var/log/auth.log
maxretry = 3

[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s

[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2

[php-url-fopen]
port = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s

[suhosin]
port = http,https
logpath = %(suhosin_log)s

[lighttpd-auth]
port = http,https
logpath = %(lighttpd_error_log)s

[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s

[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log

[horde]
port = http,https
logpath = /var/log/horde/horde.log

[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log

[sogo-auth]
port = http,https
logpath = /var/log/sogo/sogo.log

[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https

[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out

[monit]
port = 2812
logpath = /var/log/monit

[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log

[3proxy]
port = 3128
logpath = /var/log/3proxy.log

[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
action = iptables-multiport[name=proftpd, port="ftp,ftp-data,ftps,ftps-data", protocol=tcp]
         #sendmail-whois[name=FTP, dest=henrique@aprendendolinux.com]
filter = proftpd
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
maxretry = 3

[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s

[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s

[vsftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s

[assp]
port = smtp,465,submission
logpath = /var/log/mail.log

[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[sendmail-reject]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current

[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s

[exim]
port = smtp,465,submission
logpath = %(exim_main_log)s

[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s

[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log

[courier-auth]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix-sasl]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[perdition]
port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[squirrelmail]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log

[cyrus-imap]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[uwimap-auth]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[named-refused]
port = domain,953
logpath = /var/log/named/security.log

[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log

[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10

[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10

[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s

[mongodb-auth]
port = 27017
logpath = /var/log/mongodb/mongodb.log

[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s

[pam-generic]
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2

[stunnel]
logpath = /var/log/stunnel4/stunnel.log

[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log

[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1

[oracleims]
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
port = ftp,ftp-data,ftps,ftps-data
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
maxretry = 1
findtime = 1

[murmur]
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log

[screensharingd]
logpath = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
logpath = /var/log/haproxy.log

[slapd]
port = ldap,ldaps
filter = slapd
logpath = /var/log/slapd.log
At the beginning of the configuration file, practically everything is configured; let's take a look:
ignoreip -> The IPs that will never be banned under any circumstances
bantime -> How long banned IPs stay blocked
maxretry -> How many times an IP can try to log in before being banned.
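To see how these settings (together with findtime) decide a ban, here is an added Python example that is not part of the original article and not Fail2ban's own code: it replays constructed sshd-style log lines against the [DEFAULT] values from the jail.conf above, using a simplified failregex of its own and a sliding findtime window that approximates Fail2ban's counting, and shows which hosts get banned, why the ignoreip hosts never do, and that bantime = -1 means a permanent ban.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Values copied from the [DEFAULT] section of the jail.conf above.
IGNOREIP = ["127.0.0.1/8", "158.64.239.238"]
FINDTIME = 3600   # seconds; failures older than this no longer count together
MAXRETRY = 3
BANTIME = -1      # a negative bantime means the ban never expires
# Constructed sample log (simplified sshd "Failed password" lines), not real data.
SAMPLE_LOG = """\
2024-05-01 10:00:01 sshd[100]: Failed password for root from 203.0.113.5 port 5000 ssh2
2024-05-01 10:05:00 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5001 ssh2
2024-05-01 10:20:00 sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2
2024-05-01 10:00:10 sshd[103]: Failed password for root from 198.51.100.7 port 6000 ssh2
2024-05-01 12:00:10 sshd[104]: Failed password for root from 198.51.100.7 port 6001 ssh2
2024-05-01 12:30:10 sshd[105]: Failed password for root from 198.51.100.7 port 6002 ssh2
2024-05-01 10:00:20 sshd[106]: Failed password for root from 127.0.0.1 port 7000 ssh2
2024-05-01 10:00:21 sshd[107]: Failed password for root from 127.0.0.1 port 7001 ssh2
2024-05-01 10:00:22 sshd[108]: Failed password for root from 127.0.0.1 port 7002 ssh2
"""
# Simplified failregex (this script's own): timestamp first, offending host after "from".
FAIL_RE = re.compile(r"^(\S+ \S+) .*Failed password for .* from (\S+) port \d+")

def is_ignored(ip, ignoreip=IGNOREIP):
    # True when ip falls inside any ignoreip entry (single address or CIDR).
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def bans_for(log_text, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return {ip: ban timestamp} for hosts with maxretry failures inside one findtime window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").timestamp()
            failures[m.group(2)].append(ts)
    bans = {}
    for ip, times in failures.items():
        if is_ignored(ip, ignoreip):
            continue                      # ignoreip hosts are never banned
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                bans[ip] = times[i + maxretry - 1]   # banned at the maxretry-th failure
                break
    return bans

def ban_expires(banned_at, bantime=BANTIME):
    return None if bantime < 0 else banned_at + bantime   # None: permanent ban
```

With the article's values only 203.0.113.5 is banned: 198.51.100.7 also fails three times, but spread over more than 3600 seconds, and 127.0.0.1 is covered by ignoreip.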
Well... That is my contribution in this article, but I must say this is not everything.
Fail2ban has countless settings that could be covered in this article, but that is up to each person's creativity.
Following a tip from colleague Brivaldo Junior, this other article demonstrates a few more Fail2ban settings.
I hope this was helpful.
Was this article useful? Support our site so we can keep giving tips like this one!
Ways to donate:
- Boleto / Credit card: https://pag.ae/7WRSPXdKp
- Pix: bradesco@henrique.com.br
- PicPay: @henrique_fagundes
- PagSeguro: magnatahp@gmail.com
- PayPal: magnatahp@gmail.com
- Bitcoin: 1Fzwag6pyAWKvUFcPc2Jh9GaSRFkcRQY2K
Beneficiary: Luiz Henrique Marques Fagundes