How to Secure NGINX with Fail2ban Custom Filters

Fail2Ban is a valuable security measure to deploy on your application server. It ships with a set of features, default filters, and actions that can immediately help ban bad web bots, stop them from draining your system's resources, and halt attacks, which is the most important part of protecting any website.

However, most system administrators and website owners sometimes want a little more than what Fail2ban offers out of the box. In this tutorial, you will learn how to create and use custom filters on your Nginx server, which can be fine-tuned to your own needs and extended later.

Make sure you test any new Fail2ban filter and use it with care. Note that the parameters will need to be adjusted to your needs.

Adding new Fail2Ban jails

This tutorial assumes you have Fail2ban installed and are familiar with configuring jails and their parameters. Below are some additional jails that you will need to adjust to your liking if you use further ban actions such as Cloudflare or reporting to AbuseIPDB.org, etc.

Add whichever of the following jails you want to use to your /etc/fail2ban/jail.local file. Note that fail2ban only treats "; " as an inline comment marker, so the comments after the time values use ";" rather than "#":

sudo nano /etc/fail2ban/jail.local

[nginx-403]
enabled = true
port = http,https
filter = nginx-403
action = iptables-allports
logpath = %(nginx_access_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 4

[nginx-noagent]
enabled = true
port = http,https
filter = nginx-noagent
action = iptables-allports
logpath = %(nginx_access_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 3

[nginx-noauth]
enabled = true
filter = nginx-noauth
action = iptables-allports
logpath = %(nginx_error_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 5

[nginx-nologin]
enabled = true
filter = nginx-nologin
action = iptables-allports
logpath = %(nginx_access_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 5

[nginx-noscript]
enabled = true
action = iptables-allports
filter = nginx-noscript
logpath = %(nginx_access_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 3

[nginx-noproxy]
enabled = true
action = iptables-allports
filter = nginx-noproxy
logpath = %(nginx_access_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 0

[nginx-nowordpress]
enabled = true
action = iptables-allports
filter = nginx-nowordpress
logpath = %(nginx_access_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 3

[portscan-block]
enabled = true
action = iptables-allports
filter = portscan-block
logpath = %(ufw_log)s
bantime = 1440m ; 1 day
findtime = 1440m ; 1 day
maxretry = 5

Creating new Fail2Ban filters

Next, you need to create a new filter file for each of these filters, ending the filename in .conf.

Note that creating each file is something you need to do yourself.

Create the file /etc/fail2ban/filter.d/nginx-403.conf:

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403
ignoreregex =

Create the file /etc/fail2ban/filter.d/nginx-noagent.conf:

[Definition]
failregex = ^<HOST> -.*"-" "-"$
            ^<HOST> -.*"-" "curl.*"$
ignoreregex =

Create the file /etc/fail2ban/filter.d/nginx-noauth.conf:

[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =

Create the file /etc/fail2ban/filter.d/nginx-nologin.conf:

[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

Create the file /etc/fail2ban/filter.d/nginx-noscript.conf:

[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =

Create the file /etc/fail2ban/filter.d/nginx-noproxy.conf:

[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

Create the file /etc/fail2ban/filter.d/nginx-nowordpress.conf (the case-insensitive groups are written as scoped (?i:...) groups, since newer Python versions reject a global (?i) flag placed mid-pattern):

[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /+(?i:wp(-|/)|xmlrpc\.php|\?author=1)
            ^<HOST> .* "(GET|POST|HEAD|PROPFIND) /+(?i:a2billing|admin|apache|axis|blog|cfide|cgi|cms|config|etc|\.git|hnap|inc|jenkins|jmx-|joomla|lib|linuxsucks|msd|muieblackcat|mysql|myadmin|n0w|owa-autodiscover|pbxip|pma|recordings|sap|sdk|script|service|shell|sqlite|vmskdl44rededd|vtigercrm|w00tw00t|webdav|websql|wordpress|xampp|xxbb)
            ^<HOST> .* "(GET|POST|HEAD) /[^"]+\.(asp|cgi|exe|jsp|mvc|pl)( |\?)
            ^<HOST> .*(?i:/bash|burger-imperia|changelog|hundejo|hvd-store|jorgee|masscan|pizza-imperia|pizza-tycoon|servlet|testproxy|uploadify)
ignoreregex =
journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx

Create the file /etc/fail2ban/filter.d/portscan-block.conf (replace static.ip.address.here with your own address):

[Definition]
failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
# ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks
# still ban non-local (WAN) calls to any associated ports
ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w\w:).* DST=(static.ip.address.here|224\.0\.0\.).* PROTO=(2|UDP)(\s+|.* DPT=(1900|3702|5353|5355) LEN=\d*\s+)$
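Before enabling a jail, check its filter against a log with the fail2ban-regex tool that ships with fail2ban (for example: fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-noscript.conf). The Python example below is added here and is not fail2ban's or the page's code: it re-implements the core of that check for the nginx-noscript and nginx-noagent filters, assuming an IPv4-only <HOST> tag, constructed access log lines, and no findtime window.

```python
import re

# Minimal re-implementation of the core of fail2ban-regex: expand the
# <HOST> tag in a filter's failregex, match each log line, and count hits
# per source address. Assumptions: IPv4-only <HOST> (fail2ban's real tag
# also matches IPv6 and hostnames), findtime ignored, constructed log lines.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# failregex lists of two of the filters defined on this page.
FILTERS = {
    "nginx-noscript": [r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)"],
    "nginx-noagent": [r'^<HOST> -.*"-" "-"$', r'^<HOST> -.*"-" "curl.*"$'],
}

# Constructed nginx combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /admin.asp HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /shell.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0"
192.0.2.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def compile_filter(failregex):
    """Expand <HOST> and compile each failregex line, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in failregex]

def run_filter(name, log_text):
    """Return {ip: hits} for log lines matching any failregex of the filter."""
    patterns = compile_filter(FILTERS[name])
    hits = {}
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                ip = m.group("host")
                hits[ip] = hits.get(ip, 0) + 1
                break  # a line counts once, whichever pattern matched it
    return hits

def would_ban(hits, maxretry):
    """Addresses whose hit count reaches the jail's maxretry."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    # maxretry = 3 for both jails, as configured on this page
    for name in FILTERS:
        h = run_filter(name, SAMPLE_LOG)
        print(f"{name}: hits={h} ban={would_ban(h, 3)}")
```

The noscript filter reaches maxretry for 203.0.113.5 after its third scripted-path request, while the two noagent hits from 198.51.100.7 stay below the ban threshold; the ordinary browser request from 192.0.2.9 matches neither filter.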

Testing the new Fail2ban jails/filters

To finish, make sure you restart fail2ban on your operating system using its service commands.

For most Linux distributions, the following command should work if you are running systemd.

sudo systemctl restart fail2ban

On distributions or other systems without systemd, restart your system or the fail2ban service in the way that system provides.

Once fail2ban has restarted, run the following fail2ban-client status command to view the jail.

sudo fail2ban-client status nginx-noscript

Example output:

Status for the jail: nginx-noscript
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 95
   |- Total banned:     107
   `- Banned IP list:

As the output above shows, you have 95 currently banned IP addresses, and a total of 107 bans including both active and expired historical bans.

Comments and conclusion

In this tutorial you learned how to configure a few additional jails in your fail2ban configuration for your Nginx server. Overall, you can achieve some excellent server-side security; the filters can be adjusted and tweaked, and what was shown here only scratches the surface of what can be done to suit specific situations and needs.

The downside of relying solely on fail2ban is running clusters of servers: for now, that is not robust unless you use Cloudflare and block offenders at the reverse proxy, for example. For single-server operators, however, you can practically lock your server down like Fort Knox.


Hi there! Would you mind if I share your blog with my myspace group? There are a lot of people that I think would really appreciate your content. Please let me know. Thanks

Hello,
I already have Fail2Ban running with 13 jails.
I added the nginx-nowordpress jail to my jail.local and also created the nginx-nowordpress filter.
After service fail2ban restart, however, I suddenly have only 12 jails, although there should actually be 14.

2 jails that are not in jail.local but in xy.local and xyz.local are also gone...

Hi,

I checked your no-wordpress jail again. Removed "journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx" from the filter. => After that, one of my already existing jails no longer works. Disabled your no-wordpress jail => all my jails work again.

Tried your included portscan-block jail and filter. => Fail2ban does not start anymore. Had to disable your jail again.

Thanks Joshua, I will prepare that in the coming days

I have sent you a mail with the files:) Many Thanks!

Wow, that was a quick reply, thanks.
I am on Ubuntu 20.4 LTS with Fail2Ban V 1.57 (the latest you get with apt update).
No, I have 11 of 13 jails in jail.local. Only 2 jails are in separate jail files for whatever reason...

Thanks for checking

Michael

Sorry, fail2ban-client -V shows me 0.11.1

Yes, with Nginx, I will try changing the syntax of the filter as proposed in your first quote...

But for now I have to go to bed :)

Thanks for the quick help so far :)
