Differences

docpublic:systemes:fail2ban_firewalld [2022/06/26 18:36]
adminjp [resultat operationel]
docpublic:systemes:fail2ban_firewalld [2022/06/27 16:40] (current)
adminjp [references]
Line 3: Line 3:
 l'objectif initial est de bannir les acces en bruteforce au login frauduleux sur wordpress l'objectif initial est de bannir les acces en bruteforce au login frauduleux sur wordpress
  
-helas, l'installation des packages fail2ban et fail2-firewalld ne fonctionne pas par defaut +helas, l'installation des packages fail2ban et fail2-firewalld ne fonctionne pas par defaut, il faut proceder a des adaptations
  
  
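Review bot: the package name on the changed line 3 still reads "fail2-firewalld", in both the old and the new text; the header of the configuration file quoted further down identifies itself as part of the fail2ban-firewalld package, so the line should name that package (fail2ban-firewalld) so readers do not look for a package that does not exist.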
Line 14: Line 14:
 </code> </code>
  
 +
 +==== configuration ====
 +
 +il a fallu adapter les regles par defaut , notament sur les actions firewalld
 +
 +<code>
 +[root@wmu fail2ban]# cat /etc/fail2ban/jail.d/00-firewalld.conf
 +# This file is part of the fail2ban-firewalld package to configure the use of
 +# the firewalld actions as the default actions.  You can remove this package
 +# (along with the empty fail2ban meta-package) if you do not use firewalld
 +[DEFAULT]
 +banaction = firewallcmd-rich-rules[actiontype=<multiport>]
 +banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
 +</code>
 +
 +ceci est a associer a /etc/fail2ban/action.d/firewallcmd-rich-rules.conf qui lui reste inchangé 
 +
 +
 +
 +==== jail wordpress ====
 +
 +toutes les lignes en commentaires representent les divers essais / echec des valeurs proposées par defaut sur plusieurs sites ...
 +
 +<code>
 +[root@wmu ~]# cat /etc/fail2ban/jail.d/wordpress.conf 
 +# https://www.dogsbody.com/blog/how-to-set-up-fail2ban-for-a-wordpress-site/
 +[wordpress]
 +enabled = true
 +#banaction = iptables-multiport
 +#banaction = firewallcmd-new
 +#banaction = firewallcmd-ipset
 +#banaction = firewallcmd-rich-rules
 +port = http,https
 +filter = wordpress
 +#action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
 +#action =  %(action_mwl)s
 +logpath = /var/log/httpd/ssl_access_log
 +maxretry = 3
 +findtime = 120
 +bantime = 120
 +</code>
 +
 +filtre associé 
 +
 +<code>
 +[root@wmu ~]# cat /etc/fail2ban/filter.d/wordpress.conf 
 +[Definition]
 +failregex = ^<HOST> .* "POST .*wp-login.php
 +            ^<HOST> .* "POST .*xmlrpc.php
 +ignoreregex =
 +</code>
 +==== séparateur de ports  ====
 +
 +il faut aussi corriger une erreur d'interpretation des multiports avec le séparateur "-" au lieu de ":" , cf references [2] 
 +
 +1) dans jail.local
 +
 +<code>
 +[root@wmu fail2ban]# vim /etc/fail2ban/jail.local 
 +
 +# Ports to be banned
 +# Usually should be overridden in a particular jail
 +##port = 0:65535
 +#https://bugzilla.redhat.com/show_bug.cgi?id=1823746 JP
 +port = 0-65535
 +</code>
 +
 +2) mais aussi dans firewallcmd-common.conf
 +
 +<code>
 +[root@wmu fail2ban]# vim /etc/fail2ban/action.d/firewallcmd-common.conf
 +
 +# JP comment : to  - 
 +#port = 1:65535
 +port = 1-65535
 +</code>
 ==== resultat operationel ==== ==== resultat operationel ====
  
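Review bot: the filter in filter.d/wordpress.conf (failregex = ^<HOST> .* "POST .*wp-login.php, and the xmlrpc.php line below it) matches every POST to those scripts in the access log, successful logins included, because an access log does not say whether authentication succeeded; combined with maxretry = 3 and findtime = 120 this bans a legitimate user who mistypes a password twice and then logs in, and any plugin or mobile app that legitimately POSTs to xmlrpc.php will be banned too, so this should be stated as an accepted trade-off, or the regex should be aimed at a log that records failures. Also, the jail lists port = http,https but logpath only names /var/log/httpd/ssl_access_log, so plain-HTTP attempts written to access_log are never counted; logpath accepts several paths, one per line. Finally, the port = 1-65535 edit in action.d/firewallcmd-common.conf will be lost on the next package update; fail2ban reads a firewallcmd-common.local next to it, so the override belongs there.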
Line 55: Line 131:
 </code> </code>
  
 +
 +car c'est bien nft qui tourne au final, cf : 
 +
 +<code>
 +[root@wmu fail2ban]# grep -i 'FirewallBackend' /etc/firewalld/firewalld.conf
 +# FirewallBackend
 +FirewallBackend=nftables
 +</code>
 +
 +
 +etat du jail wordpress
 +
 +<code>
 +[root@wmu ~]# fail2ban-client status wordpress
 +Status for the jail: wordpress
 +|- Filter
 +|  |- Currently failed: 3
 +|  |- Total failed: 1244
 +|  `- File list: /var/log/httpd/ssl_access_log
 +`- Actions
 +   |- Currently banned: 7
 +   |- Total banned: 410
 +   `- Banned IP list: 37.15.142.43 137.184.237.153 69.36.169.138 147.182.230.210 62.171.169.89 207.46.234.202 188.68.47.175
 +</code>
 ===== erreur , echecs ==== ===== erreur , echecs ====
  
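Review bot: the fail2ban-client status output shows Total banned: 410 against Currently banned: 7, which is what the bantime = 120 set in the jail produces: bans expire after two minutes and the same scanners come straight back, so the jail is mostly generating churn; a longer bantime, or bantime.increment = true in the jail, would keep repeat offenders out. It would also help to say how the bans were verified, since with FirewallBackend=nftables shown in firewalld.conf the rich-rule bans do not appear in iptables -L; firewall-cmd --list-rich-rules (or nft list ruleset) shows them.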
Line 104: Line 204:
   - https://github.com/fail2ban/fail2ban/issues/3047   - https://github.com/fail2ban/fail2ban/issues/3047
   - https://serverfault.com/questions/1057765/is-fail2ban-working-without-firewalld   - https://serverfault.com/questions/1057765/is-fail2ban-working-without-firewalld
 +  - https://stackoverflow.com/questions/70523740/fail2ban-with-epel-package-fail2ban-firewalld-on-linux-redhat-8-ip-is-in-jail-b
 +  - https://bugzilla.redhat.com/show_bug.cgi?id=1823746
 +  - https://serverfault.com/questions/852755/fail2ban-doesnt-add-ips-to-ipset-firewalld
 +  - https://github.com/fail2ban/fail2ban/issues/1474
 +  - https://github.com/fail2ban/fail2ban/pull/2620
 +  - https://serverfault.com/questions/620091/fail2ban-is-not-adding-iptables-rules
   - https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall   - https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall
 +  - https://blog.rimuhosting.com/2016/11/02/using-fail2ban-on-wordpress-wp-login-php-and-xmlrpc-php/
 +  - https://www.dogsbody.com/blog/how-to-set-up-fail2ban-for-a-wordpress-site/
 +  - https://wpbeaches.com/block-wp-login-php-and-xmlrpc-php-via-fail2ban-on-runcloud/
 +  - https://osric.com/chris/accidental-developer/2019/07/block-wordpress-scanners-fail2ban/
 +  - https://osric.com/chris/accidental-developer/2017/09/using-blocklist-de-with-fail2ban/
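Review bot: inserting entries into the ordered reference list renumbers every item after the insertion point, so the "cf references [2]" in the port separator section added above may no longer point at the intended entry; citing the bugzilla URL directly there, or giving the list explicit fixed numbers, avoids the drift.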
docpublic/systemes/fail2ban_firewalld.1656268605.txt.gz · Last modified: 2022/06/26 18:36 by adminjp