This article follows on from the article on securing your VPS, in which we installed the fail2ban service and hardened SSH. We now turn to protecting Apache.

To keep out the pests that probe for `w00tw00t` (the signature of the DFind vulnerability scanner, which requests `/w00tw00t.at.ISC.SANS.DFind:)`) or for phpMyAdmin, add the following two filters to the `/etc/fail2ban/filter.d/` directory. Save them as `apache-pma.conf` and `apache-w00tw00t.conf`: a jail with no explicit `filter =` line loads the filter file that carries the jail's own name.
`/etc/fail2ban/filter.d/apache-pma.conf`:

```ini
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#

[Definition]

# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
#          <HOST> is the tag fail2ban replaces with its IP/hostname pattern;
#          the captured group is the address that gets banned.
#          The optional (:\d{1,5}) group and the "AH00128: " prefix accept the
#          Apache 2.4 error log form
#              [client 192.0.2.1:54321] AH00128: File does not exist: ...
#          as well as the Apache 2.2 form
#              [client 192.0.2.1] File does not exist: ...
#          "[[]" and "[]]" are character classes matching a literal [ and ].
# Values:  TEXT
#
failregex = [[]client <HOST>(:\d{1,5})?[]] (AH00128: )?File does not exist: .*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
`/etc/fail2ban/filter.d/apache-w00tw00t.conf`:

```ini
[Definition]

# Option:  failregex
# Notes.:  regex to match the w00tw00t scan messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
#          The access log starts with the client address, hence the ^ anchor.
# Values:  TEXT
#
failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
Now, to enable the Apache rules shipped with fail2ban together with our two custom ones, add the following lines to `/etc/fail2ban/jail.local` (create the file if it does not exist; `jail.conf` itself is replaced on package upgrades, so local changes belong in `jail.local`).

```ini
[DEFAULT]
# Never ban localhost or your own addresses (replace X.X.X.X with yours),
# otherwise one mistyped URL can lock you out for the whole bantime.
ignoreip = 127.0.0.1/8 X.X.X.X ...

[apache-auth]
enabled = true
maxretry = 2
journalmatch =
backend = polling

[apache-badbots]
enabled = true
maxretry = 1
journalmatch =
backend = polling

[apache-noscript]
enabled = true
maxretry = 1
journalmatch =
backend = polling

[apache-overflows]
enabled = true
maxretry = 1
journalmatch =
backend = polling

[apache-nohome]
enabled = true
maxretry = 1
journalmatch =
backend = polling

[apache-botsearch]
enabled = true
maxretry = 1
journalmatch =
backend = polling

[apache-modsecurity]
enabled = true
maxretry = 2
journalmatch =
backend = polling

[apache-shellshock]
enabled = true
maxretry = 1
journalmatch =
backend = polling

# Custom filter: phpMyAdmin probes show up as 404s in the error log.
[apache-pma]
enabled = true
maxretry = 1
journalmatch =
backend = polling
logpath = %(apache_error_log)s
bantime = 172800
findtime = 172800

# Custom filter: the DFind probe is a request line, so it is in the access log.
[apache-w00tw00t]
enabled = true
maxretry = 1
journalmatch =
backend = polling
logpath = %(apache_access_log)s
bantime = 172800
findtime = 172800
```
The jails that read log files must carry both `backend = polling` and an empty `journalmatch =`, because on this system the default backend resolves to systemd. (fail2ban's own `jail.conf` ships `backend = auto`, which tries pyinotify, gamin and then polling, all of them file readers; it is a `backend = systemd` line in `[DEFAULT]`, or a distribution override, that switches every jail to the journal.) A jail on the systemd backend ignores `logpath` and only sees journal entries selected by `journalmatch`, so Apache's own log files are never read and the jail silently catches nothing. `fail2ban-client -d` prints the resolved configuration, including the backend each jail is added with, which is the quickest way to confirm the override took effect. The relevant note in `jail.conf` reads:

```
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch.  See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
```

Two caveats on the two custom jails. First, with `maxretry = 1` a single matching line bans the host, so `findtime` never comes into play; only `bantime` (48 hours here) matters. Second, the `apache-pma` alternation is unanchored and includes very short words such as `db` and `admin`, so any 404 whose path merely contains one of them (a mistyped `/feedback`, `/dbg`, `/administration`) bans the visitor for two days on the first hit. Either keep your own addresses in `ignoreip`, raise `maxretry`, or tighten the alternation before relying on this filter on a site with real users.
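Before enabling the jails it is worth seeing exactly which lines the two custom failregexes catch. The real tool for that is `fail2ban-regex` (for example `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-pma.conf`), which needs a running fail2ban install and real logs. The example below is added to this article and is not fail2ban's code or the original author's: it re-implements the part of `fail2ban-regex` that substitutes the `<HOST>` tag and applies a failregex, and runs the two filters over constructed log lines. It assumes fail2ban 0.9's `<HOST>` expansion (newer releases use a richer pattern but still expose the `host` group) and skips timestamp stripping, which does not change the outcome for these two patterns. It deliberately compares the `apache-pma` regex as originally written for Apache 2.2 with the Apache 2.4-aware variant, and shows the `db` false positive discussed above.

```python
import re
from collections import Counter

# Example code added to this article, not part of fail2ban or the original page.
# Assumption: fail2ban 0.9's expansion of the <HOST> tag. What matters is that
# the expansion defines a group named "host", which is the address that gets banned.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# apache-pma failregex in its original Apache 2.2 form ("[client ip] File does not exist: ...").
PMA_FAILREGEX_22 = (
    r"[[]client <HOST>[]] File does not exist: .*"
    r"(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|"
    r"mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2)"
)
# The same filter accepting the Apache 2.4 error log, where the client field
# carries a port and the message is prefixed with its AH id:
# "[client ip:port] AH00128: File does not exist: ...".
PMA_FAILREGEX_24 = (
    r"[[]client <HOST>(:\d{1,5})?[]] (AH00128: )?File does not exist: .*"
    r"(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|"
    r"mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2)"
)
# apache-w00tw00t failregex (access log, anchored on the client address).
W00T_FAILREGEX = r'^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*'


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile, as fail2ban does for each failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(failregex, lines):
    """Hosts captured by failregex, one per matching line, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def hosts_to_ban(failregex, lines, maxretry):
    """Hosts fail2ban would ban if all the lines fall inside one findtime window."""
    hits = Counter(matched_hosts(failregex, lines))
    return {host for host, n in hits.items() if n >= maxretry}


# Constructed sample log lines using documentation addresses, not real traffic.
ERROR_LOG_22 = [
    "[Sun Jan 05 10:12:01 2020] [error] [client 203.0.113.5] File does not exist: /var/www/phpmyadmin",
    # Benign 404 whose path happens to contain "db": the filter catches it too.
    "[Sun Jan 05 10:12:02 2020] [error] [client 198.51.100.7] File does not exist: /var/www/feedback",
    "[Sun Jan 05 10:12:03 2020] [error] [client 198.51.100.8] File does not exist: /var/www/favicon.ico",
]
ERROR_LOG_24 = [
    "[Sun Jan 05 10:12:04.123456 2020] [core:info] [pid 1234] [client 203.0.113.5:44122] "
    "AH00128: File does not exist: /var/www/html/phpmyadmin",
]
ACCESS_LOG = [
    '203.0.113.9 - - [05/Jan/2020:10:13:00 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"',
    '198.51.100.9 - - [05/Jan/2020:10:13:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    both = ERROR_LOG_22 + ERROR_LOG_24
    print("pma (2.2 regex) on 2.2 log:", matched_hosts(PMA_FAILREGEX_22, ERROR_LOG_22))
    print("pma (2.2 regex) on 2.4 log:", matched_hosts(PMA_FAILREGEX_22, ERROR_LOG_24))
    print("pma (2.4 regex) on both:   ", matched_hosts(PMA_FAILREGEX_24, both))
    print("w00tw00t on access log:    ", matched_hosts(W00T_FAILREGEX, ACCESS_LOG))
    print("banned with maxretry=1:    ", hosts_to_ban(PMA_FAILREGEX_24, both, 1))
    print("banned with maxretry=2:    ", hosts_to_ban(PMA_FAILREGEX_24, both, 2))
```

Run as is, the 2.2-style regex misses the Apache 2.4 line entirely (the port after the address breaks the `[]]` match), the 2.4-aware variant catches the probe in both formats, and the harmless `/feedback` 404 is banned alongside the real scanner at `maxretry = 1`; at `maxretry = 2` only the host that probed twice is left. Once the filters are installed, repeat the check with `fail2ban-regex` against the real log files before setting `enabled = true`.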