SMEServer Fail2Ban
db configuration setprop sshd AutoBlock disabled
signal-event remoteaccess-update
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf
cp /etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
vim /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/30Service10ssh
and do this to expand the templates:
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
signal-event fail2ban-conf
cat /etc/fail2ban/jail.conf
ls /etc/fail2ban/filter.d/
ls -al /etc/e-smith/templates/etc/fail2ban/jail.conf/
List Banned IP
fail2ban-client status imap
Unban an IP
fail2ban-client set imap unbanip 54.32.1.20
Check regex
fail2ban-regex /var/log/qpsmtpd/current /etc/fail2ban/filter.d/qpsmtpd.conf
# config show fail2ban
fail2ban=service
    Mail=enabled
    status=enabled
Available options are below:
IgnoreIP - a comma separated list of IP or CIDR networks which will never be blocked by fail2ban. Example: 12.15.22.4,17.20.0.0/16. All your local networks and networks allowed to access the server-manager are already automatically whitelisted.
FilterLocalNetworks - can be enabled or disabled (default is disabled). If set to enabled, local networks won't be whitelisted, and fail2ban can also ban hosts from the internal networks. Note that networks allowed to access the server-manager are not affected (they will never be blocked).
BanTime - Duration (in seconds) of a ban. Default is 1800.
FindTime - The window fail2ban will check, in seconds. Default is 900. So, this means fail2ban will only check for the number of failed login attempts in the last 15 minutes.
MaxRetry - Number of failed attempts in the last FindTime seconds to trigger a ban. Default is 3.
Mail - can be enabled or disabled (default is enabled). If enabled, each ban will be notified by mail.
MailRecipient - if Mail is enabled, the email address which should receive ban notifications. Default is root (the admin account will receive it).
After changing one of these settings, you need to apply it:
signal-event fail2ban-conf
for example:
config setprop fail2ban IgnoreIP 12.15.22.4,17.20.0.0/16
signal-event fail2ban-conf
xmlrpc
cat /var/log/httpd/access_log |grep xmlrpc
server.local p3nlwpweb335.prod.phx3.secureserver.net - - [23/Aug/2018:12:36:34 +0100] "POST /xmlrpc.php HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
server.local 62.210.152.119 - - [22/Aug/2018:07:25:13 +0100] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
See https://forums.contribs.org/index.php?topic=52709.0: in the main folder of WordPress there is an xmlrpc.php file which is often used for brute force attacks.
To mitigate, add the following to .htaccess (this causes the denied requests to be logged in error_log):
<Files "xmlrpc.php">
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
</Files>
i.e.:
/home/e-smith/files/ibays/wordpress/html# cat .htaccess
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
<Files "xmlrpc.php">
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
</Files>
# END WordPress
cat /var/log/httpd/error_log |grep xmlrpc
[Thu Aug 23 14:33:50 2018] [error] [client 107.180.120.55] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php
[Thu Aug 23 16:56:38 2018] [error] [client 89.240.14.206] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php
Add this failregex line to apache-scan.conf:
failregex = \[client <HOST>\] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php$
vim /etc/fail2ban/filter.d/apache-scan.conf
[Definition]

re_pma = (admin|administrator|database|db|sql|typo3|xampp\/)?(pma|PMA|phpmyadmin|phpMyAdmin(\-?[\d\.\-]+((rc|pl|beta)\d+)?)? |myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2|php\-my\-admin|sqlmanager|websql|sqlweb|MyAdmin|phpadmin|sql|pma2005|databaseadmin|phpmanager) (\/main\.php|setup\.php|read_dump\.php|read_dump\.phpmain\.php)?

re_admin = administrator(\/index\.php)?|manager(\/(status|html))?|webadmin|ecrire|admin((\.php)|(\/(config|login)\.php))?|mailadmin|setup\.php|admin\/modules\/backup\/page\.backup\.php

re_proxy = freenode-proxy-checker\.txt|proxychecker|proxyheader\.php

re_various = vtigercrm|typo3|scripts|wp\-admin|wp\-login\.php|wordpress|horde(\d+(\/+README)?)?|w00tw00t\.*|\/?plmplmplm\/plm\.php

failregex = \[client <HOST>\] File does not exist: .*\/(%(re_pma)s|%(re_admin)s|%(re_proxy)s|%(re_various)s)$
            \[client <HOST>\] client denied by server configuration: .*\/(%(re_admin)s|%(re_proxy)s)$
            \[client <HOST>\] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php$
            \[client <HOST>\] client sent HTTP/1.1 request without hostname \(see RFC2616 section 14.23\):

ignoreregex =
signal-event fail2ban-conf
Test:
localpc:/home/e-smith/files/ibays/wordpress/html# fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-scan.conf

Running tests
=============

Use   failregex filter file : apache-scan, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/error_log
Use         encoding : UTF-8

Results
=======

Failregex: 14950 total
|-  #) [# of hits] regular expression
|   3) [14930] \[client <HOST>\] client denied by server configuration: /home/e-smith/files/ibays/wordpress/html/xmlrpc.php$
|   4) [20] \[client <HOST>\] client sent HTTP/1.1 request without hostname \(see RFC2616 section 14.23\):
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [14975] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 14975 lines, 0 ignored, 14950 matched, 25 missed
[processed in 5.20 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 25 lines
openvpn jail
http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN
vim /etc/fail2ban/filter.d/openvpn.conf
# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
vim /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/30Service55OpenVPN
[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/openvpn-bridge/current
maxretry = 3
action = smeserver-iptables[port=1194,protocol=udp,bantime=1800]
{
    $OUT .= "         smeserver-sendmail[name=\"OpenVPN\",dest=$maildest]\n" if ($mail eq 'enabled');
}
signal-event fail2ban-conf
cat /etc/fail2ban/jail.conf
fail2ban-client status
fail2ban-client status openvpn
tail -f /var/log/openvpn-bridge/current |tai64nlocal
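As an added example (not part of this page and not fail2ban's own code), the Python below mimics what fail2ban does with the xmlrpc and OpenVPN failregex lines above together with the FindTime/MaxRetry/BanTime defaults described earlier: it cuts the date out of each log line, tries each failregex on the remainder, and bans a host only once it has MaxRetry hits inside the sliding FindTime window. The <HOST> substitution, the single date format and the sample log lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# fail2ban swaps <HOST> for a host-capturing group before compiling a failregex;
# this is a simplified form of that substitution (assumption, not fail2ban's code).
HOST = r"(?P<host>[\w\-.^_]*\w)"
# Both log formats on this page carry a "%a %b %d %H:%M:%S %Y" timestamp.
DATE = re.compile(r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}")
XMLRPC = "/home/e-smith/files/ibays/wordpress/html/xmlrpc.php"
XMLRPC_FILTER = [r"\[client <HOST>\] client denied by server configuration: " + XMLRPC + "$"]
OPENVPN_FILTER = [r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
                  r"^ <HOST>:\d+ TLS Error: TLS handshake failed$"]

def compile_filter(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def find_failure(line, regexes):
    """Like fail2ban: cut the date out, try each failregex on the rest; (time, host) or None."""
    m = DATE.search(line)
    if not m:
        return None
    when = datetime.strptime(m.group(0), "%a %b %d %H:%M:%S %Y")
    rest = line[:m.start()] + line[m.end():]  # OpenVPN lines keep a leading space, hence "^ "
    for rx in regexes:
        hit = rx.search(rest)
        if hit:
            return when, hit.group("host")
    return None

def ban_decisions(lines, regexes, findtime=900, maxretry=3, bantime=1800):
    """Jail rule with the page's defaults: ban after maxretry hits in a findtime window."""
    recent, bans = {}, {}
    for line in lines:
        found = find_failure(line, regexes)
        if found is None:
            continue
        when, host = found
        # keep only this host's hits that are still inside the FindTime window
        hits = recent[host] = [t for t in recent.get(host, []) if (when - t).total_seconds() <= findtime]
        hits.append(when)
        if len(hits) >= maxretry and host not in bans:
            bans[host] = when + timedelta(seconds=bantime)  # ban expires after BanTime
    return bans

# Constructed sample lines in the formats shown on this page (not real traffic).
DENIED = "[error] [client {}] client denied by server configuration: " + XMLRPC
APACHE_LOG = ["[Thu Aug 23 %s 2018] " % t + DENIED.format(ip) for t, ip in
              [("14:33:50", "203.0.113.9"), ("14:40:10", "203.0.113.9"),
               ("14:41:02", "198.51.100.7"), ("14:47:55", "203.0.113.9")]]  # 3 hits in 845 s: ban
OPENVPN_LOG = ["Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:51223",
               "Fri Sep 23 11:56:01 2016 198.51.100.7:51224 TLS Error: TLS handshake failed",
               "Fri Sep 23 12:11:00 2016 198.51.100.7:51230 TLS Error: TLS handshake failed"]  # 1st hit is 924 s old: no ban
```

Running ban_decisions over APACHE_LOG bans 203.0.113.9 until 15:17:55, while the OpenVPN host never reaches three hits inside 900 seconds and stays unbanned.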