- Ingresamos como ugit->root
ssh -l ugit poseidon.siua.ac.cr
apt-get install fail2ban -y
- Nota: la cabecera de jail.conf indica que no debe copiarse entero; basta un jail.local que contenga solo las claves que se cambian (ignoreip, bantime, maxretry, destemail, action y la jaula [proxmox]) para que los valores por defecto de futuras actualizaciones del paquete no queden enmascarados. Si se prefiere el método de copia completa:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
[proxmox]
# Ports the ban action closes for an offending source: the Proxmox web UI (8006) plus http/https.
port = https,http,8006
# Uses /etc/fail2ban/filter.d/proxmox.conf (created later in this runbook).
filter = proxmox
# pvedaemon "authentication failure" lines are expected in this syslog file.
# NOTE(review): confirm the file exists and is being written on this host; on a
# Proxmox node that logs only to journald (no rsyslog) it will be empty or absent
# and the jail must use backend = systemd instead.
logpath = /var/log/daemon.log
# Failed logins allowed within findtime (jail.conf default) before banning.
maxretry = 3
# Seconds. 172800 s = 48 hours (the earlier "1 hour" comment did not match this value).
bantime = 172800
- Buscamos la linea y remplazamos
ignoreip = 127.0.0.1/8
X
ignoreip = 127.0.0.1/8 10.20.190.0/24 10.20.200.0/24 181.193.87.0/28 201.237.206.56
- Nota: la línea original repetía `ignoreip =`, de modo que fail2ban recibía el texto "ignoreip" como primera dirección y la lista de exclusión no se aplicaba correctamente. Se conserva 127.0.0.1/8 (valor por defecto, toda la red loopback). Tenga en cuenta que ninguna dirección de estas redes será bloqueada nunca: las /24 internas deben limitarse a las redes de administración, ya que un equipo comprometido dentro de ellas podría hacer fuerza bruta sin ser baneado.
bantime = 600
X
bantime = 172800
maxretry = 5
X
maxretry = 3
destemail = root@localhost
X
destemail = interuniversitariadealajuela@gmail.com
sendername = POSEIDON_Fail2Ban
action = %(action_)s
X
action = %(action_mw)s
- Nota: action_mw (definida en jail.conf) banea la IP y envía a destemail un correo con un informe whois del origen; action_mwl añade además las líneas de log que provocaron el baneo. Como destemail es un buzón externo, esa información sale de la red de la institución.
- Ahora abrimos el archivo de jail para habilitar servicios
nano /etc/fail2ban/jail.d/defaults-debian.conf
- Agregamos los jail que queremos activar para este caso SSH / APACHE / POSTFIX / PROXMOX
# Jails enabled on this host. This file only flips "enabled"; every jail below
# must already be defined in jail.conf/jail.local with a filter and a logpath.
# NOTE(review): fail2ban logs an error for a jail whose logpath does not exist
# and, depending on the version, may refuse to start at all. apache, nginx,
# lighttpd, php and postfix jails are enabled here - confirm those services are
# actually installed on this Proxmox node, otherwise remove the jail.
#***********************************
#*********** SSH ******************
#***********************************
[sshd]
enabled = true
# NOTE(review): newer fail2ban releases fold sshd-ddos into [sshd] via
# "mode = aggressive". If the installed jail.conf has no [sshd-ddos] section,
# this jail has no filter and startup fails - check with: fail2ban-client -t
[sshd-ddos]
enabled = true
#***********************************
#********** APACHE ****************
#***********************************
# All apache-* jails read the Apache error/access logs configured in jail.conf.
[apache-auth]
enabled = true
[apache-badbots]
enabled = true
[apache-noscript]
enabled = true
[apache-overflows]
enabled = true
[apache-nohome]
enabled = true
[apache-botsearch]
enabled = true
[apache-fakegooglebot]
enabled = true
# Requires mod_security to be producing log lines; otherwise it never matches.
[apache-modsecurity]
enabled = true
[apache-shellshock]
enabled = true
#***********************************
#********** NGINX ****************
#***********************************
[nginx-http-auth]
enabled = true
[nginx-botsearch]
enabled = true
#***********************************
#********** PHP ****************
#***********************************
[php-url-fopen]
enabled = true
# lighttpd-auth is a lighttpd jail, not a PHP one; keep only if lighttpd runs here.
[lighttpd-auth]
enabled = true
#***********************************
#********** POSTFIX ***************
#***********************************
[postfix]
enabled = true
[postfix-rbl]
enabled = true
#***********************************
#********** PROXMOX ***************
#***********************************
# Custom jail defined in jail.local earlier in this runbook.
[proxmox]
enabled = true
- Ahora creamos el filtro para proxmox
nano /etc/fail2ban/filter.d/proxmox.conf
[Definition]
# Matches pvedaemon syslog lines of the shape
#   pvedaemon[PID]: authentication failure; rhost=ADDRESS user=USER msg=...
# <HOST> is fail2ban's placeholder for the source address that gets banned.
# NOTE(review): test against a real line with fail2ban-regex before relying on it;
# if this host logs IPv4-mapped addresses (rhost=::ffff:a.b.c.d) confirm that
# fail2ban-regex reports the expected IP.
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
# Empty: no matched lines are excluded.
ignoreregex =
- Ahora puede intentar ingresar en proxmox mas de 3 veces. `fail2ban-regex` solo prueba el filtro contra el log (indica cuántas líneas coinciden y qué IP extrae); no muestra bloqueos:
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
- Para comprobar que la IP quedó bloqueada consulte el estado de la jaula:
fail2ban-client status proxmox
- Si quiere conocer cuales jaulas están activadas
fail2ban-client status
- Si quiere ver el estado de una jaula especifica
fail2ban-client status sshd
- Si quiere saber que el servicio esta activo
systemctl status fail2ban
- Ahora creamos una nuevo aliases
nano /etc/aliases
fail2ban: root
newaliases
/etc/init.d/postfix reload
- Personalizamos el asunto de los correos. Nota: los archivos de action.d/ pertenecen al paquete y se sobrescriben al actualizarlo, con lo que el asunto volvería a [Fail2Ban]; en lugar de editarlos, cree junto a cada uno un archivo `.local` (p. ej. `sendmail-common.local`) que redefina solo la clave del asunto, ya que fail2ban carga el `.local` después del `.conf`.
cd /etc/fail2ban/action.d/
nano sendmail-whois-ipjailmatches.conf
nano sendmail-whois-ipmatches.conf
nano sendmail-whois-lines.conf
nano sendmail-whois-matches.conf
nano sendmail-whois.conf
nano sendmail.conf
nano sendmail-buffered.conf
nano sendmail-common.conf
nano sendmail-geoip-lines.conf
nano mail.conf
nano mail-whois.conf
nano mail-whois-lines.conf
nano mail-buffered.conf
[Fail2Ban]
X
[fail2ban_POSEIDON]
- Antes de reiniciar conviene validar la configuración (fail2ban-client -t existe a partir de fail2ban 0.10; en versiones anteriores omítalo y revise `systemctl status fail2ban` y /var/log/fail2ban.log tras el reinicio):
fail2ban-client -t
service fail2ban restart
fail2ban-client status