{"id":2494,"date":"2014-09-01T20:09:37","date_gmt":"2014-09-01T19:09:37","guid":{"rendered":"https:\/\/beufa.net\/?p=2494"},"modified":"2014-09-01T20:09:37","modified_gmt":"2014-09-01T19:09:37","slug":"bloquer-le-brute-force-sur-une-authentification-apache","status":"publish","type":"post","link":"https:\/\/beufa.net\/fr\/blog\/bloquer-le-brute-force-sur-une-authentification-apache\/","title":{"rendered":"Blocking brute force on Apache authentication"},
"content":{"rendered":"<p>Fail2ban, yet again!<\/p>\n<p>To block authentication attempts, and therefore brute-force style user enumeration, against Apache \/ httpd authentication, the following filter file already exists:<\/p>\n<pre class=\"brush:shell\">[20:18 user@server ~] &gt; vim \/etc\/fail2ban\/filter.d\/apache-auth.conf\r\n \r\n# Fail2Ban apache-auth filter\r\n#\r\n\r\n[INCLUDES]\r\n\r\n# Read common prefixes. If any customizations available -- read them from\r\n# apache-common.local\r\nbefore = apache-common.conf\r\n\r\n[Definition]\r\n\r\n\r\nfailregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\\S*(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for \"\\S*\": Password Mismatch(, referer: \\S+)?$\r\n            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\\S*(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \\S*(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH\\d+: )?Authorization of user \\S+ to access \\S* failed, reason: .*$\r\n            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \\S*(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \\S*(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for \"\\S*\":(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \\S+(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \\S*(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \\S*(, referer: \\S+)?\\s*$\r\n            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \\S+)?\\s*$\r\n\r\nignoreregex =\r\n<\/pre>\n<p>Then simply enable the filter in fail2ban&#8217;s global configuration:<\/p>\n<pre class=\"brush:shell\">[20:53 user@serveur ~] &gt; vim \/etc\/fail2ban\/jail.conf\r\n\r\n[apache]\r\nenabled  = true\r\nport     = http,https\r\nfilter   = apache-auth\r\nlogpath  = \/var\/log\/httpd\/*\/*error_log\r\naction = iptables-multiport[name=Apache-auth, port=\"http,https\", protocol=tcp]\r\n         sendmail-whois[name=Apache-auth, dest=user@beufa.net, sender=sender@beufa.net]\r\nmaxretry = 6\r\n<\/pre>\n<p>This blocks the source IP on ports 80 and 443 in the dedicated iptables chain (here: fail2ban-Apache-auth) and sends an email containing a whois of the source IP after 6 failed authentications:<\/p>\n<pre class=\"brush:shell\">[20:56 user@serveur ~] &gt; iptables -L fail2ban-Apache-auth\r\nChain fail2ban-Apache-auth (1 references)\r\ntarget     prot opt source               destination\r\nRETURN     all  --  anywhere             anywhere\r\n<\/pre>\n<p>Unfortunately, fail2ban still has no native IPv6 support (it is possible, but via a <a title=\"Fail2ban IPv6 Experimental\" href=\"http:\/\/www.fail2ban.org\/wiki\/index.php\/Fail2ban:Community_Portal#IPv6_Experimental_support\" target=\"_blank\">patch provided on the fail2ban wiki<\/a>).<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Fail2ban, yet again! To block authentication attempts, and therefore brute-force style user enumeration, against Apache \/ httpd authentication,&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/beufa.net\/fr\/blog\/bloquer-le-brute-force-sur-une-authentification-apache\/\">Continue reading<span class=\"screen-reader-text\">Blocking brute force on Apache authentication<\/span><\/a><\/div>","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,25],"tags":[33,47,54,79],"class_list":["post-2494","post","type-post","status-publish","format-standard","hentry","category-linux","category-securite-2","tag-apache","tag-fail2ban","tag-iptables","tag-securite","entry"],
"_links":{"self":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts\/2494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/comments?post=2494"}],"version-history":[{"count":1,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts\/2494\/revisions"}],"predecessor-version":[{"id":2495,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts\/2494\/revisions\/2495"}],"wp:attachment":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/media?parent=2494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/categories?post=2494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/tags?post=2494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}