1. Configuring the fail2ban configuration file

Show the active (non-comment, non-empty) settings of the daemon configuration:

```sh
# grep -E -v '(#|^$)' /etc/fail2ban/fail2ban.conf
```

```ini
[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400
```
2. Configuring Fail2ban filters for log monitoring

Protection against brute-forcing the admin login

```sh
# nano /etc/fail2ban/filter.d/wordpress-wp-login.conf
```

```ini
[Definition]
# <HOST> marks the client address that fail2ban extracts from the matched line and bans;
# a failregex without it is rejected by fail2ban.
failregex = ^<HOST> .*POST /wp-login.php
ignoreregex =
```
Protection against brute-force attacks through XMLRPC: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

```sh
# nano /etc/fail2ban/filter.d/wordpress-wp-xmlrpc.conf
```

```ini
[Definition]
failregex = ^<HOST> .*POST /xmlrpc.php
ignoreregex =
```
Protection against probing whether WordPress account registration is open

```sh
# nano /etc/fail2ban/filter.d/wordpress-wp-register.conf
```

```ini
[Definition]
failregex = ^<HOST> .* "GET /wp-login.php\?action=register HTTP/.*" .*$
ignoreregex =
```
3. Configuring Fail2ban to monitor the logs

```sh
# nano /etc/fail2ban/jail.conf
```

```ini
[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 159.224.XXX.YYY
ignorecommand =
bantime = 86400
findtime = 7200
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = myname@mydomain.com
sender = root@mydomain.com
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
action = %(action_)s

#### This block is the part that actually protects WordPress
[wordpress-wp-login]
port = http,https
logpath = /var/log/nginx/*.log
enabled = true
filter = wordpress-wp-login
action = %(action_mwl)s
bantime = 86400
findtime = 7200
maxretry = 3

[wordpress-wp-xmlrpc]
port = http,https
logpath = /var/log/nginx/*.log
enabled = true
filter = wordpress-wp-xmlrpc
action = %(action_mwl)s
bantime = 86400
findtime = 7200
maxretry = 3

[wordpress-wp-register]
port = http,https
logpath = /var/log/nginx/*.log
enabled = true
filter = wordpress-wp-register
action = %(action_mwl)s
bantime = 86400
findtime = 7200
maxretry = 3
```
Restart fail2ban:

```sh
# /etc/init.d/fail2ban restart
```
4. Checking that the filter works

```sh
# fail2ban-regex /var/log/nginx/mydomain.com.log /etc/fail2ban/filter.d/wordpress-wp-login.conf
```

If you need to see the lines that […]
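The fail2ban-regex check above only tells you whether one filter matches lines in a real log. The added example below (it is not from the original post or from the fail2ban project) replays the three failregex lines over a constructed nginx access log and applies the jail's findtime/maxretry window, so you can see which addresses would be banned and why an old burst of hits outside the window is not enough. The `<HOST>` expansion mirrors what fail2ban substitutes; the log lines use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag into a named group that captures the client address.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The three failregex lines from the filters above, in fail2ban syntax.
FAILREGEX = {
    "wordpress-wp-login": r"^<HOST> .*POST /wp-login.php",
    "wordpress-wp-xmlrpc": r"^<HOST> .*POST /xmlrpc.php",
    "wordpress-wp-register": r'^<HOST> .* "GET /wp-login.php\?action=register HTTP/.*" .*$',
}
COMPILED = {jail: re.compile(rx.replace("<HOST>", HOST_RE)) for jail, rx in FAILREGEX.items()}

# nginx "combined" format puts the request time in the first bracketed field.
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def ban_candidates(lines, findtime=7200, maxretry=3):
    """Return {jail: {ip, ...}} for addresses with maxretry matches inside a findtime window."""
    hits = defaultdict(lambda: defaultdict(list))  # jail -> ip -> timestamps of matches
    banned = defaultdict(set)
    for line in lines:
        m_time = TIME_RE.search(line)
        if not m_time:
            continue  # not an access-log line
        ts = datetime.strptime(m_time.group(1), "%d/%b/%Y:%H:%M:%S")
        for jail, rx in COMPILED.items():
            m = rx.match(line)
            if not m:
                continue
            ip = m.group("host")
            # Drop matches older than findtime, then count this one (same idea as fail2ban).
            recent = [t for t in hits[jail][ip] if ts - t <= timedelta(seconds=findtime)]
            recent.append(ts)
            hits[jail][ip] = recent
            if len(recent) >= maxretry:
                banned[jail].add(ip)
    return {jail: set(ips) for jail, ips in banned.items()}


# Constructed nginx access-log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:05:00 +0200] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:05:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:00:00 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [10/Mar/2016:08:00:30 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [10/Mar/2016:11:00:00 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
""".splitlines()
```

Calling `ban_candidates(SAMPLE_LOG)` bans only 203.0.113.7 for wordpress-wp-login: the single legitimate login from 198.51.100.9 stays under maxretry, and the two xmlrpc hits from 192.0.2.44 at 08:00 have aged out of the 7200-second window by the time the third arrives at 11:00.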