Настройка Fail2ban для защиты WordPress

Февраль 21st, 2016

Evgeniy Kamenev

1.Настройка конфигурационного файла fail2ban

# grep -E -v '(#|^$)' /etc/fail2ban/fail2ban.conf

1	# grep -E -v '(#\|^$)' /etc/fail2ban/fail2ban.conf

[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400

[Definition]

loglevel = INFO

logtarget = /var/log/fail2ban.log

syslogsocket = auto

socket = /var/run/fail2ban/fail2ban.sock

pidfile = /var/run/fail2ban/fail2ban.pid

dbfile = /var/lib/fail2ban/fail2ban.sqlite3

dbpurgeage = 86400

2.Настройка Fail2ban-фильтров для мониторинга логов

Защита против brutoforce админки

# nano /etc/fail2ban/filter.d/wordpress-wp-login.conf

1	# nano /etc/fail2ban/filter.d/wordpress-wp-login.conf

[Definition]
failregex = .*POST /wp-login.php
ignoreregex =

[Definition]

failregex = .*POST /wp-login.php

ignoreregex =

Защита против атаки brutoforce XMLRPC
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

# nano /etc/fail2ban/filter.d/wordpress-wp-xmlrpc.conf

1	# nano /etc/fail2ban/filter.d/wordpress-wp-xmlrpc.conf

[Definition]
failregex = .*POST /xmlrpc.php
ignoreregex =

[Definition]

failregex = .*POST /xmlrpc.php

ignoreregex =

Защита против проверки возможности создания WordPress-аккаунта

# nano /etc/fail2ban/filter.d/wordpress-wp-register.conf

1	# nano /etc/fail2ban/filter.d/wordpress-wp-register.conf

[Definition]
failregex = ^ .* "GET /wp-login.php\?action=register HTTP/.*" .*$
ignoreregex =

[Definition]

failregex = ^ .* "GET /wp-login.php\?action=register HTTP/.*" .*$

ignoreregex =

3. Настройка Fail2ban для мониторинга логов

# nano /etc/fail2ban/jail.conf

1	# nano /etc/fail2ban/jail.conf

[INCLUDES]
before = paths-fedora.conf
[DEFAULT]
ignoreip = 127.0.0.1/8 159.224.XXX.YYY
ignorecommand =
bantime = 86400
findtime = 7200
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = myname@mydomain.com
sender = root@mydomain.com
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
action = %(action_)s

####Этот блок касается непосредственно защиты Wordpress

[wordpress-wp-login]
port = http,https
logpath = /var/log/nginx/*.log
maxretry = 3
enabled = true
filter = wordpress-wp-login
action = %(action_mwl)s
bantime = 86400
findtime = 7200
maxretry = 3

[wordpress-wp-xmlrpc]
port = http,https
logpath = /var/log/nginx/*.log
maxretry = 3
enabled = true
filter = wordpress-wp-xmlrpc
action = %(action_mwl)s
bantime = 86400
findtime = 7200
maxretry = 3

[wordpress-wp-register]
port = http,https
logpath = /var/log/nginx/*.log
maxretry = 3
enabled = true
filter = wordpress-wp-register
action = %(action_mwl)s
bantime = 86400
findtime = 7200
maxretry = 3

[INCLUDES]

before = paths-fedora.conf

[DEFAULT]

ignoreip = 127.0.0.1/8 159.224.XXX.YYY

ignorecommand =

bantime = 86400

findtime = 7200

maxretry = 5

backend = auto

usedns = warn

logencoding = auto

enabled = false

filter = %(__name__)s

destemail = myname@mydomain.com

sender = root@mydomain.com

mta = sendmail

protocol = tcp

chain = INPUT

port = 0:65535

banaction = iptables-multiport

action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]

action = %(action_)s

####Этот блок касается непосредственно защиты Wordpress

[wordpress-wp-login]

port = http,https

logpath = /var/log/nginx/*.log

maxretry = 3

enabled = true

filter = wordpress-wp-login

action = %(action_mwl)s

bantime = 86400

findtime = 7200

maxretry = 3

[wordpress-wp-xmlrpc]

port = http,https

logpath = /var/log/nginx/*.log

maxretry = 3

enabled = true

filter = wordpress-wp-xmlrpc

action = %(action_mwl)s

bantime = 86400

findtime = 7200

maxretry = 3

[wordpress-wp-register]

port = http,https

logpath = /var/log/nginx/*.log

maxretry = 3

enabled = true

filter = wordpress-wp-register

action = %(action_mwl)s

bantime = 86400

findtime = 7200

maxretry = 3

Перезапускаем fail2ban

# /etc/init.d/fail2ban restart

1	# /etc/init.d/fail2ban restart

4.Проверка работы фильтра

# fail2ban-regex /var/log/nginx/mydomain.com.log /etc/fail2ban/filter.d/wordpress-wp-login.conf

1	# fail2ban-regex /var/log/nginx/mydomain.com.log /etc/fail2ban/filter.d/wordpress-wp-login.conf

Если необходимо посмотреть строки,которые попадают под фильтр,то используем параметр

--print-all-matched

1	--print-all-matched

# fail2ban-regex --print-all-matched /var/log/nginx/mydomain.com.log /etc/fail2ban/filter.d/wordpress-wp-login.conf

1	# fail2ban-regex --print-all-matched /var/log/nginx/mydomain.com.log /etc/fail2ban/filter.d/wordpress-wp-login.conf

С тестового сервера (52.52.52.52) произведем обращеник к wp-login.php

# curl --silent --request POST 'http://mydomain.com/wp-login.php'

1	# curl --silent --request POST 'http://mydomain.com/wp-login.php'

В логах fail2ban-сервера

# grep '52.52.52.52' /var/log/fail2ban.log

1	# grep '52.52.52.52' /var/log/fail2ban.log

2016-02-21 22:43:45,222 fail2ban.filter [12363]: INFO [wordpress-wp-login] Found 52.52.52.52
2016-02-21 22:43:50,930 fail2ban.filter [12363]: INFO [wordpress-wp-login] Found 52.52.52.52
2016-02-21 22:43:55,430 fail2ban.filter [12363]: INFO [wordpress-wp-login] Found 52.52.52.52
2016-02-21 22:43:56,014 fail2ban.actions [12363]: NOTICE [wordpress-wp-login] Ban 52.52.52.52

2016-02-21 22:43:45,222 fail2ban.filter [12363]: INFO [wordpress-wp-login] Found 52.52.52.52

2016-02-21 22:43:50,930 fail2ban.filter [12363]: INFO [wordpress-wp-login] Found 52.52.52.52

2016-02-21 22:43:55,430 fail2ban.filter [12363]: INFO [wordpress-wp-login] Found 52.52.52.52

2016-02-21 22:43:56,014 fail2ban.actions [12363]: NOTICE [wordpress-wp-login] Ban 52.52.52.52

5.Просмотр существующих Jail

# fail2ban-client status

1	# fail2ban-client status

Status
|- Number of jail: 3
`- Jail list: wordpress-wp-login, wordpress-wp-register, wordpress-wp-xmlrpc

Status

|- Number of jail: 3

`- Jail list: wordpress-wp-login, wordpress-wp-register, wordpress-wp-xmlrpc

6.Детальный просмотр конкретного Jail, например wordpress-wp-login

# fail2ban-client status wordpress-wp-login

1	# fail2ban-client status wordpress-wp-login

Status for the jail: wordpress-wp-login
|- Filter
| |- Currently failed: 3
| |- Total failed: 6
| `- File list: /var/log/nginx/error.log /var/log/nginx/access.log /var/log/nginx/mydomain.com.log /var/log/nginx/default.log /var/log/nginx/qatutorial.org.ua.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 52.52.52.52

Status for the jail: wordpress-wp-login

|- Filter

| |- Currently failed: 3

| |- Total failed: 6

| `- File list: /var/log/nginx/error.log /var/log/nginx/access.log /var/log/nginx/mydomain.com.log /var/log/nginx/default.log /var/log/nginx/qatutorial.org.ua.log

`- Actions

|- Currently banned: 1

|- Total banned: 1

`- Banned IP list: 52.52.52.52

Проверка наличия блокировки в Iptables

# iptables –S | less

1	# iptables –S \| less

.......
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-wp-register
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-wp-xmlrpc
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-wp-login
.......
-A f2b-wordpress-wp-login -s 52.52.52.52/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress-wp-login -j RETURN
-A f2b-wordpress-wp-register -j RETURN
-A f2b-wordpress-wp-xmlrpc -j RETURN
......

.......

-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-wp-register

-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-wp-xmlrpc

-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-wp-login

.......

-A f2b-wordpress-wp-login -s 52.52.52.52/32 -j REJECT --reject-with icmp-port-unreachable

-A f2b-wordpress-wp-login -j RETURN

-A f2b-wordpress-wp-register -j RETURN

-A f2b-wordpress-wp-xmlrpc -j RETURN

......

7.Разблокировка требуемого IP-адреса в указанном Jail

# fail2ban-client set wordpress-wp-login unbanip <IP-address>

1	# fail2ban-client set wordpress-wp-login unbanip <IP-address>

# fail2ban-client set wordpress-wp-login unbanip 52.52.52.52

1	# fail2ban-client set wordpress-wp-login unbanip 52.52.52.52

Проверка отсутствия адреса в iptables

# iptables -S | grep 52.52.52.52

1	# iptables -S \| grep 52.52.52.52

8. Блокировка требуемого IP-адреса в указанном Jail

# fail2ban-client set wordpress-wp-login banip <IP-address>

1	# fail2ban-client set wordpress-wp-login banip <IP-address>

9.Настройка ротации файла /var/log/fail2ban.log

# nano /etc/logrotate.d/fail2ban

1	# nano /etc/logrotate.d/fail2ban

/var/log/fail2ban.log {
rotate 7
daily
dateext
missingok
notifempty
compress
postrotate
/usr/bin/fail2ban-client flushlogs 1&gt;/dev/null || true
endscript
}

/var/log/fail2ban.log {

rotate 7

daily

dateext

missingok

notifempty

compress

postrotate

/usr/bin/fail2ban-client flushlogs 1>/dev/null || true

endscript

}

Опубликовано в рубрике Centos, Debian/Ubuntu, Security, Security, Security

Метки: brutoforce, fail2ban, security, wordpress

Комментирование и размещение ссылок запрещено.

Комментарии закрыты.

Настройка Fail2ban для защиты WordPress

Страницы

Свежие записи

Архивы

Рубрики

Админ-панель