Salut,
Juste un pense-bête à mon attention, mais qui pourrait vous être utile.
Comment protéger son interface d’administration Ispconfig3 des attaques de type Kevin (si vous en avez, car il est tellement simple de se protéger de ce genre d’attaque en changeant simplement le port 8080 pour un autre…).
L’astuce vient du forum allemand de Howtoforge:
- Créez un script chargé de récupérer les « Failed » dans les logs de Ispconfig, de les rendre compréhensibles par fail2ban et de les placer dans syslog:
# cat /usr/local/bin/ispcnf_auth_to_syslog.sh
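#!/bin/bash
#
# Script for transfer ispconfig/auth.log FAILED LOGIN events to syslog
#
# ----------------------------------------------------------------------
# Copyright (c) 2013 Daniel Plominski <Daniel (at) Plominski (dot) de>
# This script is licensed under BSD style.
# ----------------------------------------------------------------------
#
# Name: ispcnf_auth_to_syslog.sh
#
# Date: Fri Mar 22 22:59:09 CET 2013
#
# Purpose: ISPConfig records failed panel logins in its own auth.log,
# which fail2ban does not watch.  This script extracts the "Failed"
# lines, rewrites them into syslog-style lines (abbreviated month,
# host name, "ispconfig-auth:" tag) and appends them to /var/log/syslog
# so a fail2ban jail can match them.  Intended to run from cron.
#
# Globals:  none read; writes /var/log/syslog, rewrites ISPConfig's auth.log
# Returns:  0 on success (including "nothing to forward"),
#           non-zero when grep/sed/awk or a file operation fails
#
# Known limitations:
#  - Lines appended to auth.log between the grep and the "sed -i" below
#    are deleted without being forwarded.  Small window for a once-a-minute
#    job, but never run two copies concurrently.
#  - Appending to /var/log/syslog directly bypasses the syslog daemon;
#    keep this path in sync with the fail2ban jail's "logpath".

set -uo pipefail   # deliberately no -e: grep's "no match" status is handled below

readonly AUTH_LOG=/var/log/ispconfig/auth.log
readonly SYSLOG=/var/log/syslog

# Private temp files (the original used fixed auth.log_mod1/_mod2 names
# that were left behind, empty, after every run).
tmpdir=$(mktemp -d) || exit 1
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT
readonly raw="${tmpdir}/failed"
readonly out="${tmpdir}/syslog"

# 1. Extract the failed logins.  grep exits 1 when nothing matched, which
#    is the normal "nothing to do" case; 2 and above are real errors.
rv=0
/bin/grep -F -- 'Failed' "$AUTH_LOG" > "$raw" || rv=$?
(( rv == 1 )) && exit 0
(( rv == 0 )) || exit "$rv"

# 2. Drop them from auth.log so the next run does not forward them again.
/bin/sed -i '/Failed/d' "$AUTH_LOG" || exit 1

# 3. Reorder the fields into syslog layout.  Field numbers are those of the
#    original script; ISPConfig's line is assumed to look like
#      Failed login for user 'NAME' from IP at YYYY-MM-DD HH:MM:SS
#    which becomes "YYYY-MM-DD HH:MM:SS Failed login for 'NAME' from IP".
#    Then, in one sed pass:
#      - tag the line with the host name and "ispconfig-auth: FAILED";
#      - strip the leading year (anchored, so it still works on a line
#        written last year, unlike matching the current year globally);
#      - turn "MM-" at the start of the line into the RFC 3164 month
#        abbreviation (Jun/Jul/Sep, not June/July/Sept, or fail2ban's
#        date parser will not recognise the timestamp); anchoring keeps
#        the substitution away from user names and addresses;
#      - remove the quotes around the user name.
HOST=$(hostname -s)
/usr/bin/awk '{print $9,$10,$1,$2,$3,$5,$6,$7}' < "$raw" \
  | /bin/sed \
      -e "s/Failed/${HOST} ispconfig-auth: FAILED/g" \
      -e 's/^[0-9]\{4\}-//' \
      -e 's/^01-/Jan /' -e 's/^02-/Feb /' -e 's/^03-/Mar /' \
      -e 's/^04-/Apr /' -e 's/^05-/May /' -e 's/^06-/Jun /' \
      -e 's/^07-/Jul /' -e 's/^08-/Aug /' -e 's/^09-/Sep /' \
      -e 's/^10-/Oct /' -e 's/^11-/Nov /' -e 's/^12-/Dec /' \
      -e "s/'//g" \
      > "$out" || exit 1

# 4. Forward only the rewritten lines to syslog.
/bin/grep -F -- 'FAILED' "$out" >> "$SYSLOG" || exit 1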
- Rendez ce script exécutable, protégez-le et placez le dans crontab pour une exécution régulière:
# chmod +x /usr/local/bin/ispcnf_auth_to_syslog.sh
# chmod 550 /usr/local/bin/ispcnf_auth_to_syslog.sh
# crontab -e
# Script for transfer ispconfig/auth.log FAILED LOGIN events to syslog
* * * * * /usr/local/bin/ispcnf_auth_to_syslog.sh
# nano /etc/fail2ban/filter.d/ispconfig-auth.conf
#
# Author: www.sbshosting.biz
#
# $Revision:
#
[INCLUDES]
# Read common prefixes. If any customizations available — read them from
# common.local
before = common.conf
[Definition]
failregex = ^%(__prefix_line)sispconfig-auth: FAILED login for .* from <HOST>$
ignoreregex =
# nano /etc/fail2ban/jail.local
[ispconfig-auth]
enabled = true
filter = ispconfig-auth
action = iptables-multiport[name=ispconfig-auth, port="80,443,8080,xxx,xxx", protocol=tcp]
logpath = /var/log/syslog
bantime = 3600
maxretry = 10
- Redémarrez Fail2ban et vérifiez que la règle est bien en place
# /etc/init.d/fail2ban restart
# iptables -S | grep fail2ban-ispconfig-auth
-N fail2ban-ispconfig-auth
-A INPUT -p tcp -m multiport --dports 80,443,8080,xxx,xxx -j fail2ban-ispconfig-auth
-A fail2ban-ispconfig-auth -j RETURN
root@mail:/var/log# grep ispconfig-auth /var/log/syslog
Apr 09 13:03:55 mail ispconfig-auth: FAILED login for kevin from xxx.xxx.xxx.xxx
Apr 09 13:04:46 mail ispconfig-auth: FAILED login for kevin from xxx.xxx.xxx.xxx
Apr 09 13:04:46 mail ispconfig-auth: FAILED login for kevin from xxx.xxx.xxx.xxx
Apr 09 13:05:21 mail ispconfig-auth: FAILED login for kevin from xxx.xxx.xxx.xxx
Apr 09 13:06:15 mail ispconfig-auth: FAILED login for kevin from xxx.xxx.xxx.xxx
root@mail:/var/log# grep ispconfig-auth /var/log/fail2ban.log
2015-04-09 13:07:43,318 fail2ban.jail [12012]: INFO Creating new jail 'ispconfig-auth'
2015-04-09 13:07:43,318 fail2ban.jail [12012]: INFO Jail 'ispconfig-auth' uses pyinotify
2015-04-09 13:07:43,364 fail2ban.jail [12012]: INFO Jail 'ispconfig-auth' started
2015-04-09 13:08:16,816 fail2ban.actions[12012]: WARNING [ispconfig-auth] Ban xxx.xxx.xxx.xxx
root@mail:~# iptables -S | grep ispconfig-auth
-N fail2ban-ispconfig-auth
-A INPUT -p tcp -m multiport --dports 80,443,8080,xxx,xxx -j fail2ban-ispconfig-auth
-A fail2ban-ispconfig-auth -s xxx.xxx.xxx.xxx/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ispconfig-auth -j RETURN
- S’il faut dé-bannir l’IP (de préférence avec « fail2ban-client set ispconfig-auth unbanip xxx.xxx.xxx.xxx », qui garde l’état interne de fail2ban cohérent avec iptables ; la suppression manuelle de la règle ci-dessous laisse fail2ban croire que l’IP est toujours bannie):
root@mail:/var/log# iptables -D fail2ban-ispconfig-auth -s xxx.xxx.xxx.xxx -j REJECT
root@mail:/var/log# iptables -S | grep ispconfig-auth
-N fail2ban-ispconfig-auth
-A INPUT -p tcp -m multiport --dports 80,443,8080,xxx,xxx -j fail2ban-ispconfig-auth
-A fail2ban-ispconfig-auth -j RETURN