Skip to content →

Bloquer le brute force sur une authentification Apache

Toujours et encore du fail2ban !

Pour bloquer des tentatives d’authentification et donc de l’énumération d’utilisateur type brute force sur des authentifications Apache / httpd, il existe déjà le fichier de filtre suivant :

[20:18 user@server ~] > vim /etc/fail2ban/filter.d/apache-auth.conf
 
Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]


failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$

ignoreregex =

Il suffit ensuite d’activer le filtre fans la configuration globale de fail2ban :

[20:53 user@serveur ~] > vim /etc/fail2ban/jail.conf

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/httpd/*/*error_log
action = iptables-multiport[name=Apache-auth, port="http,https", protocol=tcp]
         sendmail-whois[name=Apache-auth, dest=user@beufa.net, sender=sender@beufa.net]
maxretry = 6

Ceci permet de bloquer l’IP source sur le port 80 et 443 dans la chaîne iptables dédiée (ici : fail2ban-Apache-auth), ainsi que d’envoyer un mail contenant un whois de l’IP source au bout de 6 authentifications échouées :

[20:56 user@serveur ~] > iptables -L fail2ban-Apache-auth
Chain fail2ban-Apache-auth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Malheureusement avec fail2ban, toujours pas de compatibilité IPv6 native (cela est possible, mais via un patch fourni sur le wiki de fail2ban).

 

Published in Linux Sécurité

fr_FRFR