This installation guide refers to Ubuntu 16.04 or later.
sudo apt-get install netdiscover nmap arpon ntopng
Fail2ban (reference: Guide Debian, syntaxtechnology).
sudo su
apt-get install fail2ban
iptables -L
nano /etc/fail2ban/jail.conf
Now just enable the entries you want fail2ban to monitor, by setting true in place of false!
If fail2ban gets stuck, you can proceed as follows:
rm -r /var/run/fail2ban
/etc/init.d/fail2ban start
To add protection for Webmin, insert the following lines:
nano /etc/fail2ban/jail.d/webmin-iptables.conf
[webmin-iptables]
enabled = true
filter = webmin-auth
action = iptables-multiport[name=webmin,port="10000"]
logpath = /var/log/auth.log
nano /etc/fail2ban/filter.d/webmin-auth.conf
# fail2ban configuration file
#
# Author: Tom Hendrikx
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Count all bans in the logfile
failregex = fail2ban.actions: WARNING \[(.*)\] Ban <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
# Ignore our own bans, to keep our counts exact. This means it doesn't count any bans this jail issues.
# In your config, name your jail 'fail2ban', or change this line! This means in the jail added to jail.conf, the jail must be like this:
# [fail2ban], else this won't work.
ignoreregex = fail2ban.actions: WARNING \[fail2ban\] Ban <HOST>
Alternatively:
# Fail2Ban filter for webmin
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = webmin
failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
ignoreregex =
# DEV Notes:
#
# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
# webmin[29544]: Invalid login as root from 86.0.6.217
#
# Rule Author: Delvit Guillaume
To start the newly added service, type:
# fail2ban-client add webmin-auth
# fail2ban-client start webmin-auth
To restart the service:
service fail2ban restart
A test you can run to verify that it actually works is:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/webmin-auth.conf
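An offline counterpart to the fail2ban-regex check, added here as an example (not code from the original guide or from fail2ban): it applies the two failregex lines of the alternative Webmin filter to constructed log lines and lists the hosts a jail would ban. The HOST and PREFIX patterns are simplified stand-ins for fail2ban's own expansions, and maxretry=3 is an assumed threshold.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions): fail2ban's real <HOST> and
# __prefix_line expansions are broader than these two patterns.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"\S+\s+\d+\s+[\d:]+\s+\S+\s+webmin(?:\[\d+\])?:\s+"

# The two failregex lines of the alternative webmin filter above.
FAILREGEX = [
    r"^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$",
    r"^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$",
]

def compile_filter(rules):
    """Expand the fail2ban placeholders and compile each rule."""
    return [re.compile(r.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for r in rules]

def failures_per_host(lines, rules=FAILREGEX):
    """Count matching lines per source address, as a jail would."""
    compiled = compile_filter(rules)
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, even if several rules match
    return hits

def hosts_to_ban(lines, maxretry=3):
    """Hosts whose failure count reaches maxretry (assumed value; findtime ignored)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)

# Constructed sample lines in the format quoted in the filter's DEV notes.
SAMPLE_LOG = [
    "Mar  3 10:15:01 srv webmin[15673]: Non-existent login as toto from 86.0.6.217",
    "Mar  3 10:15:04 srv webmin[29544]: Invalid login as root from 86.0.6.217",
    "Mar  3 10:15:09 srv webmin[29544]: Invalid login as admin from 86.0.6.217",
    "Mar  3 10:16:00 srv webmin[29600]: Invalid login as root from 192.0.2.10",
    "Mar  3 10:16:30 srv webmin[29601]: Successful login as root from 192.0.2.10",
    "Mar  3 10:17:00 srv sshd[411]: Invalid user x from 198.51.100.7",
]

if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```

Successful logins and lines from other daemons are not counted, so only the address with three failed Webmin logins reaches the threshold.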