Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- docpublic:systemes:fail2ban_firewalld [2022/06/26 18:31]
adminjp [erreur , echecs]
+++ docpublic:systemes:fail2ban_firewalld [2022/06/27 16:40] (current)
adminjp [references]
@@ Line 3: / Line 3: @@
 l'objectif initial est de bannir les acces en bruteforce au login frauduleux sur wordpress
-helas, l'installation des packages fail2ban et fail2-firewalld ne fonctionne pas par defaut
+helas, l'installation des packages fail2ban et fail2-firewalld ne fonctionne pas par defaut, il faut proceder a des adaptations
@@ Line 15: / Line 15: @@
+==== configuration ====
+il a fallu adapter les regles par defaut , notament sur les actions firewalld
+<code>
+[root@wmu fail2ban]# cat /etc/fail2ban/jail.d/00-firewalld.conf
+# This file is part of the fail2ban-firewalld package to configure the use of
+# the firewalld actions as the default actions.  You can remove this package
+# (along with the empty fail2ban meta-package) if you do not use firewalld
+[DEFAULT]
+banaction = firewallcmd-rich-rules[actiontype=<multiport>]
+banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
+</code>
+ceci est a associer a /etc/fail2ban/action.d/firewallcmd-rich-rules.conf qui lui reste inchangé
+==== jail wordpress ====
+toutes les lignes en commentaires representent les divers essais / echec des valeurs proposées par defaut sur plusieurs sites ...
+<code>
+[root@wmu ~]# cat /etc/fail2ban/jail.d/wordpress.conf
+# https://www.dogsbody.com/blog/how-to-set-up-fail2ban-for-a-wordpress-site/
+[wordpress]
+enabled = true
+#banaction = iptables-multiport
+#banaction = firewallcmd-new
+#banaction = firewallcmd-ipset
+#banaction = firewallcmd-rich-rules
+port = http,https
+filter = wordpress
+#action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
+#action =  %(action_mwl)s
+logpath = /var/log/httpd/ssl_access_log
+maxretry = 3
+findtime = 120
+bantime = 120
+</code>
+filtre associé
+<code>
+[root@wmu ~]# cat /etc/fail2ban/filter.d/wordpress.conf
+[Definition]
+failregex = ^<HOST> .* "POST .*wp-login.php
+            ^<HOST> .* "POST .*xmlrpc.php
+ignoreregex =
+</code>
+==== séparateur de ports  ====
+il faut aussi corriger une erreur d'interpretation des multiports avec le séparateur "-" au lieu de ":" , cf references [2]
+) dans jail.local
+<code>
+[root@wmu fail2ban]# vim /etc/fail2ban/jail.local
+# Ports to be banned
+# Usually should be overridden in a particular jail
+##port = 0:65535
+#https://bugzilla.redhat.com/show_bug.cgi?id=1823746 JP
+port = 0-65535
+</code>
+) mais aussi dans firewallcmd-common.conf
+<code>
+[root@wmu fail2ban]# vim /etc/fail2ban/action.d/firewallcmd-common.conf
+# JP comment : to  -
+#port = 1:65535
+port = 1-65535
+</code>
+==== resultat operationel ====
+quand cela marche, on doit voir dans les log fail2ban le "match" de notre regle suivit par un Ban si le maxtry est atteint :
+<code>
+[root@wmu fail2ban]# tail -f /var/log/fail2ban.log
+-06-26 20:30:46,881 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 139.59.109.241
+-06-26 20:31:12,698 fail2ban.filter         [503794]: INFO    [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:12
+-06-26 20:31:13,300 fail2ban.filter         [503794]: INFO    [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:13
+-06-26 20:31:13,451 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 34.68.4.41
+-06-26 20:31:31,007 fail2ban.actions        [503794]: NOTICE  [wordpress] Unban 188.164.193.182
+-06-26 20:31:33,333 fail2ban.filter         [503794]: INFO    [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:32
+-06-26 20:31:33,338 fail2ban.actions        [503794]: NOTICE  [wordpress] Unban 206.81.3.84
+-06-26 20:31:34,138 fail2ban.filter         [503794]: INFO    [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:33
+-06-26 20:31:34,294 fail2ban.actions        [503794]: NOTICE  [wordpress] Ban 159.89.132.193
+</code>
+et cela se traduit par une regle correspondante dans le firewall
+<code>
+[root@wmut2 fail2ban]# firewall-cmd --list-rich-rules
+rule family="ipv4" source address="188.164.193.182" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
+rule family="ipv4" source address="174.138.27.203" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
+rule family="ipv4" source address="85.25.211.247" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
+rule family="ipv4" source address="157.159.0.0/17" service name="ssh" log prefix="ssh157/17" accept
+rule family="ipv4" source address="139.59.109.241" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
+rule family="ipv4" source address="34.68.4.41" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
+rule family="ipv4" source address="206.81.3.84" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
+rule family="ipv4" source address="157.159.10.0/24" service name="snmp" log prefix="snmp10" accept
+</code>
+visible egalement dans les regles natives netfilter/nftable
+<code>
+chaichain filter_IN_public_deny {
+		ip saddr 143.244.147.196 tcp dport 443 ct state { new, untracked } reject
+		ip saddr 148.72.244.104 tcp dport 443 ct state { new, untracked } reject
+		ip saddr 123.25.115.29 tcp dport 443 ct state { new, untracked } reject
+</code>
+car c'est bien nft qui tourne au final, cf :
+<code>
+[root@wmu fail2ban]# grep -i 'FirewallBackend' /etc/firewalld/firewalld.conf
+# FirewallBackend
+FirewallBackend=nftables
+</code>
+etat du jail wordpress
+<code>
+[root@wmu ~]# fail2ban-client status wordpress
+Status for the jail: wordpress
+|- Filter
+|  |- Currently failed:	3
+|  |- Total failed:	1244
+|  `- File list:	/var/log/httpd/ssl_access_log
+`- Actions
+   |- Currently banned:	7
+   |- Total banned:	410
+   `- Banned IP list:	37.15.142.43 137.184.237.153 69.36.169.138 147.182.230.210 62.171.169.89 207.46.234.202 188.68.47.175
+</code>
 ===== erreur , echecs ====
@@ Line 64: / Line 204: @@
   - https://github.com/fail2ban/fail2ban/issues/3047
   - https://serverfault.com/questions/1057765/is-fail2ban-working-without-firewalld
+  - https://stackoverflow.com/questions/70523740/fail2ban-with-epel-package-fail2ban-firewalld-on-linux-redhat-8-ip-is-in-jail-b
+  - https://bugzilla.redhat.com/show_bug.cgi?id=1823746
+  - https://serverfault.com/questions/852755/fail2ban-doesnt-add-ips-to-ipset-firewalld
+  - https://github.com/fail2ban/fail2ban/issues/1474
+  - https://github.com/fail2ban/fail2ban/pull/2620
+  - https://serverfault.com/questions/620091/fail2ban-is-not-adding-iptables-rules
   - https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall
+  - https://blog.rimuhosting.com/2016/11/02/using-fail2ban-on-wordpress-wp-login-php-and-xmlrpc-php/
+  - https://www.dogsbody.com/blog/how-to-set-up-fail2ban-for-a-wordpress-site/
+  - https://wpbeaches.com/block-wp-login-php-and-xmlrpc-php-via-fail2ban-on-runcloud/
+  - https://osric.com/chris/accidental-developer/2019/07/block-wordpress-scanners-fail2ban/
+  - https://osric.com/chris/accidental-developer/2017/09/using-blocklist-de-with-fail2ban/

docpublic/systemes/fail2ban_firewalld.1656268311.txt.gz · Last modified: 2022/06/26 18:31 by adminjp

Show page Old revisions

[unknown link type]Back to top