Updated on Monday, 25 June 2018
The following settings are applied at the level of the nginx web server; the goals are:
- Block anyone trying to execute scripts (.pl, .cgi, .exe, etc.).
- Block anyone trying to use the server as a proxy.
- Block anyone who fails nginx basic authentication.
- Block anyone who fails to log in to our application.
- Block bad bots.
In the jail.local file, add:
```ini
[nginx-auth]
enabled  = true
filter   = nginx-auth
action   = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath  = /var/log/nginx*/*error*.log
# 10 minutes
bantime  = 600
maxretry = 6

[nginx-login]
enabled  = true
filter   = nginx-login
action   = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath  = /var/log/nginx*/*access*.log
# 10 minutes
bantime  = 600
maxretry = 6

[nginx-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
logpath  = /var/log/nginx*/*access*.log
# 1 day
bantime  = 86400
maxretry = 1

[nginx-noscript]
enabled  = true
action   = iptables-multiport[name=NoScript, port="http,https"]
filter   = nginx-noscript
logpath  = /var/log/nginx*/*access*.log
maxretry = 6
# 1 day
bantime  = 86400

[nginx-proxy]
enabled  = true
action   = iptables-multiport[name=NoProxy, port="http,https"]
filter   = nginx-proxy
logpath  = /var/log/nginx*/*access*.log
maxretry = 0
# 1 day
bantime  = 86400
```
and the filters in /etc/fail2ban/filter.d/ (each in a separate file, named as shown on its first line; the file name must match the `filter =` value of the corresponding jail):
```ini
# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
#
# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
```

```ini
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
```

```ini
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that fail to authenticate using basic authentication
#
# Each alternative of a multi-line failregex goes on its own (indented) line.
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =
```

```ini
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using web application's log in page
#
# Scan access log for HTTP 200 + POST /sessions => failed log in
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =
```
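Before enabling the jails, it is worth checking that each failregex matches the lines it is meant to and nothing else. The following is an added example, not part of the original post: it applies the same four failregex patterns to constructed nginx access-log and error-log lines in Python, using a simplified stand-in for fail2ban's `<HOST>` pattern (an assumption; fail2ban's real pattern also handles IPv6-mapped forms), and counts matches per host the way a jail's `maxretry` does. `fail2ban-regex` performs the same check against real log files.

```python
import re

# Simplified stand-in for fail2ban's <HOST> pattern (assumption for this
# offline check): an IP address or hostname, stopping before ',' or space.
HOST = r"(?P<host>[\w\-.]*\w)"

# The failregex values of the four filters above; nginx-auth lists its
# three patterns separately, as fail2ban reads a multi-line failregex.
FILTERS = {
    "nginx-proxy": [r"^<HOST> -.*GET http.*"],
    "nginx-noscript": [r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)"],
    "nginx-auth": [
        r"no user/password was provided for basic authentication.*client: <HOST>",
        r"user .* was not found in.*client: <HOST>",
        r"user .* password mismatch.*client: <HOST>",
    ],
    "nginx-login": [r'^<HOST> -.*POST /sessions HTTP/1\.." 200'],
}

def matches(name, line):
    """Return the host captured by the first failregex that matches, or None."""
    for pattern in FILTERS[name]:
        m = re.search(pattern.replace("<HOST>", HOST), line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(name, lines, maxretry):
    """Count matches per host; hosts reaching maxretry are the ones fail2ban
    would ban (findtime is ignored in this offline check)."""
    counts = {}
    for line in lines:
        host = matches(name, line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, c in counts.items() if c >= maxretry)

# Constructed sample lines in nginx's combined access-log and error-log formats.
ACCESS_LOG = [
    '203.0.113.7 - - [25/Jun/2018:10:00:01 +0000] "GET http://example.org/ HTTP/1.1" 400 173 "-" "curl/7.58"',
    '203.0.113.9 - - [25/Jun/2018:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Jun/2018:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Jun/2018:10:00:04 +0000] "POST /sessions HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
ERROR_LOG = [
    '2018/06/25 10:00:05 [error] 1234#0: *5 user "admin": password mismatch, client: 203.0.113.7, server: example.org, request: "GET /admin HTTP/1.1"',
    '2018/06/25 10:00:06 [error] 1234#0: *6 no user/password was provided for basic authentication, client: 203.0.113.7, server: example.org, request: "GET /admin HTTP/1.1"',
]
```

Two caveats the check makes visible: nginx-noscript bans any client that requests a `.php` (or similar) URL, so it only belongs on a server that serves no such scripts, and nginx-login assumes the application answers a failed login with HTTP 200 and a successful one with a redirect.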
If we want to receive an e-mail on every ban, it is enough to add these two lines to the jail.local file:
```ini
destemail = direccion@correo
mta = sendmail
```