SMEServer Fail2Ban

From Realm Business Systems Ltd
db configuration setprop sshd AutoBlock disabled
signal-event remoteaccess-update
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf
cp /etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
vim /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/30Service10ssh

and do this to expand the templates:

expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
signal-event fail2ban-conf
cat /etc/fail2ban/jail.conf
ls /etc/fail2ban/filter.d/

ls -al /etc/e-smith/templates/etc/fail2ban/jail.conf/

List banned IPs

fail2ban-client status imap

Unban an IP

fail2ban-client set imap unbanip 54.32.1.20

Check regex

fail2ban-regex /var/log/qpsmtpd/current /etc/fail2ban/filter.d/qpsmtpd.conf


# config show fail2ban 
  fail2ban=service
  Mail=enabled
  status=enabled

Available options are below:

IgnoreIP - a comma-separated list of IPs or CIDR networks which will never be blocked by fail2ban. Example: 12.15.22.4,17.20.0.0/16. All your local networks and the networks allowed to access the server-manager are already whitelisted automatically.

FilterLocalNetworks - can be enabled or disabled (default is disabled). If set to enabled, local networks won't be whitelisted, and fail2ban can also ban hosts from the internal networks. Note that networks allowed to access the server-manager are not affected (they will never be blocked).

BanTime - duration (in seconds) of a ban. Defaults to 1800.

FindTime - the window fail2ban checks, in seconds. Default is 900, so fail2ban only counts the failed login attempts of the last 15 minutes.

MaxRetry - number of failed attempts within the last FindTime seconds needed to trigger a ban. Default is 3.

Mail - can be enabled or disabled (default is enabled). If enabled, a mail notification is sent for each ban.

MailRecipient - if Mail is enabled, the email address which should receive the ban notifications. Default is root (so the admin account receives them).

After changing one of these settings, you need to apply it:

signal-event fail2ban-conf

for example:

config setprop fail2ban IgnoreIP 12.15.22.4,17.20.0.0/16
signal-event fail2ban-conf


xmlrpc

cat /var/log/httpd/access_log |grep xmlrpc

server.local p3nlwpweb335.prod.phx3.secureserver.net - - [23/Aug/2018:12:36:34 +0100] "POST /xmlrpc.php HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
server.local 62.210.152.119 - - [22/Aug/2018:07:25:13 +0100] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
https://forums.contribs.org/index.php?topic=52709.0
In the main folder of WordPress there is an xmlrpc.php file which is often used for brute-force attacks.

To mitigate this, add the following to .htaccess; denied requests are then logged in error_log:

<Files "xmlrpc.php">
        Order Deny,Allow
        Deny from all
        Allow from localhost
        Allow from 127.0.0.1
</Files>


i.e. the complete file:

/home/e-smith/files/ibays/wordpress/html# cat .htaccess

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<Files "xmlrpc.php">
        Order Deny,Allow
        Deny from all
        Allow from localhost
        Allow from 127.0.0.1
</Files>

# END WordPress


cat /var/log/httpd/error_log |grep xmlrpc

[Thu Aug 23 14:33:50 2018] [error] [client 107.180.120.55] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php
[Thu Aug 23 16:56:38 2018] [error] [client 89.240.14.206] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php

Add this line to the failregex in apache-scan.conf:

\[client <HOST>\] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php$

vim /etc/fail2ban/filter.d/apache-scan.conf
[Definition]
re_pma = (admin|administrator|database|db|sql|typo3|xampp\/)?(pma|PMA|phpmyadmin|phpMyAdmin(\-?[\d\.\-]+((rc|pl|beta)\d+)?)?|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2|php\-my\-admin|sqlmanager|websql|sqlweb|MyAdmin|phpadmin|sql|pma2005|databaseadmin|phpmanager)(\/main\.php|setup\.php|read_dump\.php|read_dump\.phpmain\.php)?
re_admin = administrator(\/index\.php)?|manager(\/(status|html))?|webadmin|ecrire|admin((\.php)|(\/(config|login)\.php))?|mailadmin|setup\.php|admin\/modules\/backup\/page\.backup\.php
re_proxy = freenode-proxy-checker\.txt|proxychecker|proxyheader\.php
re_various = vtigercrm|typo3|scripts|wp\-admin|wp\-login\.php|wordpress|horde(\d+(\/+README)?)?|w00tw00t\.*|\/?plmplmplm\/plm\.php

failregex = \[client <HOST>\] File does not exist: .*\/(%(re_pma)s|%(re_admin)s|%(re_proxy)s|%(re_various)s)$
            \[client <HOST>\] client denied by server configuration: .*\/(%(re_admin)s|%(re_proxy)s)$
            \[client <HOST>\] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php$
            \[client <HOST>\] client sent HTTP/1.1 request without hostname \(see RFC2616 section 14.23\):

ignoreregex =

signal-event fail2ban-conf

Test:

localpc:/home/e-smith/files/ibays/wordpress/html# fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-scan.conf

Running tests
=============

Use   failregex filter file : apache-scan, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/error_log
Use         encoding : UTF-8


Results
=======

Failregex: 14950 total
|-  #) [# of hits] regular expression
|   3) [14930] \[client <HOST>\] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php$
|   4) [20] \[client <HOST>\] client sent HTTP/1.1 request without hostname \(see RFC2616 section 14.23\):
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [14975] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 14975 lines, 0 ignored, 14950 matched, 25 missed
[processed in 5.20 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 25 lines

openvpn jail

http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN

vim /etc/fail2ban/filter.d/openvpn.conf

# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex = 
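The FindTime/MaxRetry options, the xmlrpc.php failregex in apache-scan.conf and the OpenVPN filter above all rely on the same mechanism: cut the date off each log line, try the failregex list with <HOST> turned into a capture group, and ban a host once it has MaxRetry hits inside a FindTime window. The Python script below is an added example written for this page, not fail2ban's own code: it re-implements that matching for the filter lines shown above and runs it over constructed log lines (documentation-range addresses), so the hit counts and ban decisions can be checked without touching the live server. Assumptions: the <HOST> group is a simplified stand-in for fail2ban's real pattern, the date prefix is the "Thu Aug 23 14:33:50 2018" style shown in the page's example messages (a tai64n-stamped log such as /var/log/openvpn-bridge/current would need a different prefix pattern), and the first apache-scan failregex is shortened to the page's re_proxy variable to keep the %(name)s interpolation short.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for the group fail2ban substitutes for <HOST> (assumption: the real
# pattern also handles IPv6 and hostnames; this one covers the lines below).
HOST_RE = r"(?P<host>[\w.\-]+)"
# Date prefix of both the httpd error_log and the OpenVPN lines on this page,
# e.g. "Thu Aug 23 14:33:50 2018", optionally wrapped in square brackets.
DATE_RE = re.compile(r"^\[?(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]?")

def compile_failregex(patterns, variables=None):
    """Expand %(name)s references (ConfigParser interpolation, as in
    apache-scan.conf) and turn <HOST> into a named capture group."""
    compiled = []
    for pat in patterns:
        for name, value in (variables or {}).items():
            pat = pat.replace("%%(%s)s" % name, value)
        compiled.append(re.compile(pat.replace("<HOST>", HOST_RE)))
    return compiled

def match_line(line, regexes):
    """Return (timestamp, host, regex_index) for a matching line, else None.
    As in fail2ban the date is cut off before the failregex is tried, which is
    why the OpenVPN patterns can start with '^ ' (the space after the date)."""
    m = DATE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("date"), "%a %b %d %H:%M:%S %Y")
    rest = line[m.end():]
    for idx, rx in enumerate(regexes):
        hit = rx.search(rest)
        if hit:
            return when, hit.group("host"), idx
    return None

def regex_hit_counts(lines, regexes):
    """Hits per failregex, like the '[# of hits]' column of fail2ban-regex."""
    counts = [0] * len(regexes)
    for line in lines:
        res = match_line(line, regexes)
        if res:
            counts[res[2]] += 1
    return counts

def find_bans(lines, regexes, maxretry=3, findtime=900):
    """MaxRetry/FindTime rule: ban a host once it has maxretry matches inside a
    sliding window of findtime seconds (the page's defaults are 3 and 900)."""
    recent = defaultdict(list)
    banned = []
    window = timedelta(seconds=findtime)
    for line in lines:
        res = match_line(line, regexes)
        if res is None:
            continue
        when, host, _ = res
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# apache-scan.conf lines from the page; failregex #1 is shortened to re_proxy.
APACHE_VARS = {"re_proxy": r"freenode-proxy-checker\.txt|proxychecker|proxyheader\.php"}
APACHE_FAILREGEX = [
    r"\[client <HOST>\] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php$",
    r"\[client <HOST>\] client sent HTTP/1.1 request without hostname \(see RFC2616 section 14.23\):",
    r"\[client <HOST>\] File does not exist: .*\/(%(re_proxy)s)$",
]
OPENVPN_FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"^ <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]

# Constructed sample log lines (documentation-range addresses), modelled on the
# error_log and OpenVPN messages shown on the page.
XMLRPC = "client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php"
APACHE_LOG = [
    "[Thu Aug 23 14:33:50 2018] [error] [client 203.0.113.5] " + XMLRPC,
    "[Thu Aug 23 14:34:02 2018] [error] [client 203.0.113.5] " + XMLRPC,
    "[Thu Aug 23 14:34:15 2018] [error] [client 203.0.113.5] " + XMLRPC,
    "[Thu Aug 23 14:40:00 2018] [error] [client 198.51.100.7] " + XMLRPC,
    "[Thu Aug 23 14:50:00 2018] [error] [client 198.51.100.7] File does not exist: /home/e-smith/files/ibays/wordpress/html/proxyheader.php",
    "[Thu Aug 23 15:10:00 2018] [error] [client 198.51.100.7] " + XMLRPC,
]
OPENVPN_LOG = [
    "Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]192.0.2.10:51223",
    "Fri Sep 23 11:55:40 2016 192.0.2.10:51223 TLS Error: TLS handshake failed",
    "Fri Sep 23 11:56:01 2016 192.0.2.10:51224 VERIFY ERROR: depth=0, error=certificate has expired",
    "Fri Sep 23 11:56:30 2016 192.0.2.10:51224 Connection reset, restarting [0]",
    "Fri Sep 23 12:00:00 2016 198.51.100.20:1194 Peer Connection Initiated with [AF_INET]198.51.100.20:1194",
]

if __name__ == "__main__":
    apache = compile_failregex(APACHE_FAILREGEX, APACHE_VARS)
    openvpn = compile_failregex(OPENVPN_FAILREGEX)
    print("apache-scan hits:", regex_hit_counts(APACHE_LOG, apache), "bans:", find_bans(APACHE_LOG, apache))
    print("openvpn hits:", regex_hit_counts(OPENVPN_LOG, openvpn), "bans:", find_bans(OPENVPN_LOG, openvpn))
```

Run it directly to print the per-regex hit counts and the resulting bans. With the page's defaults only 203.0.113.5 is banned: 198.51.100.7 also produces three hits, but they are spread over 30 minutes, so they never fall inside one 900-second FindTime window; raising findtime to 3600 brings it into the ban list, which is exactly the effect the FindTime option describes.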


mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/

vim /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/30Service55OpenVPN


[openvpn]
enabled  = true
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /var/log/openvpn-bridge/current
maxretry = 3
action   = smeserver-iptables[port=1194,protocol=udp,bantime=1800]
{
$OUT .= "           smeserver-sendmail[name=\"OpenVPN\",dest=$maildest]\n"
    if ($mail eq 'enabled');
}


signal-event fail2ban-conf
cat /etc/fail2ban/jail.conf
fail2ban-client status
fail2ban-client status openvpn
tail -f /var/log/openvpn-bridge/current |tai64nlocal