Protéger apache avec fail2ban

Cet article fait suite à l’article sur la sécuristion de son VPS, où l’on avait installé le service fail2ban et sécurisé le service SSH. On s’attaque maintenant à la protection d’Apache.

Pour éloigner les relous qui essaie d’accéder à w00tw00t ou à phpMyAdmin, Il faut ajouter les deux filtres suivant dans le répertoire /etc/fail2ban/filter.d/.

  • Fichier /etc/fail2ban/filter.d/apache-pma.conf
    # Fail2Ban configuration file
    # Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
    #
    [Definition]
    # Option: failregex
    # Notes.: Regexp to match often probed and not available phpmyadmin paths.
    # Values: TEXT
    #
    failregex = [[]client []] File does not exist: .*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2)
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =
    
  • Fichier /etc/fail2ban/filter.d/apache-w00tw00t.conf
    [Definition]
    # Option:  failregex
    # Notes.:  regex to match the w00tw00t scan messages in the logfile. The
    #          host must be matched by a group named "host". The tag "" can
    #          be used for standard IP/hostname matching.
    # Values:  TEXT
    failregex = ^ -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    ignoreregex =
    

Maintenant pour activer les règles concernant apache (incluses dans fail2ban) et nos 2 règles personnelles, on ajoute au fichier jail.local, les lignes suivantes.

Fichier /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 X.X.X.X
...
[apache-auth]
enabled      = true
maxretry     = 2
journalmatch =
backend      = polling

[apache-badbots]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling

[apache-noscript]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling

[apache-overflows]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling

[apache-nohome]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling

[apache-botsearch]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling

[apache-modsecurity]
enabled      = true
maxretry     = 2
journalmatch =
backend      = polling

[apache-shellshock]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling

[apache-pma]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling
logpath      = %(apache_error_log)s
bantime      = 172800
findtime     = 172800

[apache-w00tw00t]
enabled      = true
maxretry     = 1
journalmatch =
backend      = polling
logpath      = %(apache_access_log)s
bantime      = 172800
findtime     = 172800

Les règles qui nécessitent d’avoir accès à des fichiers de log, devront impérativement avoir les définitions backend = polling et journalmatch = car le backend par défaut est réglé sur auto (c’est à dire systemd). D’ailleurs le fichier jail.conf contient les lignes suivantes

# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200

C.Q.F.D…

Leave a Comment

Your email address will not be published. Required fields are marked *