Toujours et encore du fail2ban !
Pour bloquer des tentatives d’authentification et donc de l’énumération d’utilisateur type brute force sur des authentifications Apache / httpd, il existe déjà le fichier de filtre suivant :
[20:18 user@server ~] > vim /etc/fail2ban/filter.d/apache-auth.conf
Fail2Ban apache-auth filter
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
ignoreregex =
Il suffit ensuite d’activer le filtre fans la configuration globale de fail2ban :
[20:53 user@serveur ~] > vim /etc/fail2ban/jail.conf
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/*/*error_log
action = iptables-multiport[name=Apache-auth, port="http,https", protocol=tcp]
sendmail-whois[name=Apache-auth, dest=user@beufa.net, sender=sender@beufa.net]
maxretry = 6
Ceci permet de bloquer l’IP source sur le port 80 et 443 dans la chaîne iptables dédiée (ici : fail2ban-Apache-auth), ainsi que d’envoyer un mail contenant un whois de l’IP source au bout de 6 authentifications échouées :
[20:56 user@serveur ~] > iptables -L fail2ban-Apache-auth Chain fail2ban-Apache-auth (1 references) target prot opt source destination RETURN all -- anywhere anywhere
Malheureusement avec fail2ban, toujours pas de compatibilité IPv6 native (cela est possible, mais via un patch fourni sur le wiki de fail2ban).
Comments closed
