Fourth episode, continued
Let's continue this series of server installation and configuration notes with the installation and configuration of the software firewall.
iptables for netfilter:
- Create the file: /etc/init.d/makotoiptables
#!/bin/bash
########################
# MaKoTo - 14/12/2009
# Firewall rules
# Server hosting:
# - SSH
# - HTTP
# - HTTPS
# - IMAP
########################
# Start
# Flush the existing INPUT rules so the script can be re-run without duplicating them
iptables -F INPUT
# Allow incoming packets belonging to connections that are already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow local (loopback) traffic
iptables -I INPUT 2 -i lo -j ACCEPT
# Allow pings
iptables -A INPUT -p icmp -j ACCEPT
#------------------------------
# Allow incoming flows
#------------------------------
# SSH server moved to port 1025
iptables -A INPUT -p tcp -i eth0 --dport 1025 -j ACCEPT
# Web server on 80
iptables -A INPUT -p tcp -i eth0 --dport http -j ACCEPT
# Secure web server on 443
iptables -A INPUT -p tcp -i eth0 --dport https -j ACCEPT
# Incoming mail (IMAP) server on 143
iptables -A INPUT -p tcp -i eth0 --dport imap2 -j ACCEPT
# Added, otherwise receiving mail does not work even with 143 open (inbound delivery arrives over SMTP on 25)
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
#---------------------------------------
# Block the remaining incoming flows
#---------------------------------------
iptables -P INPUT DROP
# End
- Apply the rules at boot:
Make this script executable:
# chmod +x /etc/init.d/makotoiptables
Edit /etc/rc.local and add the following line (just before exit 0):
# /etc/init.d/makotoiptables
# iptables -L (or # iptables -L -v -n)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:666
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
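As an added example (not part of the original post), the Python snippet below parses iptables -L -n output and checks the INPUT chain against the intended allow list: the policy must be DROP and only the expected TCP ports may be open. The listing it parses is constructed to mirror the one above (numeric ports because of -n), with a stray port 3306 added so that the audit has something to report.

```python
import re

# Constructed "iptables -L -n" output mirroring the listing above (numeric
# ports because of -n), with a stray port 3306 added; not a real capture.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1025
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

def parse_chains(text):
    """Map built-in chain name -> (policy, list of rule fields)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif current and line and not line.startswith("target"):
            chains[current][1].append(line.split())
    return chains

def audit_input(text, expected_ports):
    """Findings where INPUT deviates from the intended allow list:
    a policy other than DROP, or TCP ports opened/missing versus expected."""
    policy, rules = parse_chains(text)["INPUT"]
    findings = []
    if policy != "DROP":
        findings.append("INPUT policy is %s, expected DROP" % policy)
    open_ports = {int(f[4:]) for r in rules for f in r if f.startswith("dpt:")}
    for p in sorted(open_ports - set(expected_ports)):
        findings.append("unexpected open TCP port %d" % p)
    for p in sorted(set(expected_ports) - open_ports):
        findings.append("expected TCP port %d is not allowed" % p)
    return findings
```

Note that plain iptables -L hides the input interface, so the "-i lo" rule is indistinguishable from a blanket ACCEPT in this output; use iptables -L -v -n (or iptables -S) to confirm it is bound to lo.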
fail2ban:
# apt-get install fail2ban
Start fail2ban:
# /etc/init.d/fail2ban start
- Check the configuration file: /etc/fail2ban/fail2ban.conf
[Definition]
loglevel = 1
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
- Configure the jail rules in the file: /etc/fail2ban/jail.conf
[DEFAULT]
# IPs never to ban
ignoreip = 127.0.0.1 192.168.0.0/24
# ban time in seconds
bantime = 3600
# maximum number of attempts before banning
maxretry = 3
backend = polling
# the mailbox that receives fail2ban alerts
destemail = root@localhost
# the default action when banning
banaction = iptables-multiport
# the command used to send mail (here sendmail or postfix)
mta = sendmail
# the protocol to monitor
protocol = tcp
#
# JAILS
#
[ssh]
# enabled or not (false)
enabled = true
# the port the service listens on
port = 1025
# the .conf file found in filter.d
filter = sshd
# the log file to analyse
logpath = /var/log/auth.log
maxretry = 3
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = true
# sshd listens on 1025 (see [ssh]); "ssh" here would only block port 22
port = 1025
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 1
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 1
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 1
[apache-noscript]
# if true, itheora videos break!
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 1
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 1
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
# DNS Servers
[named-refused-udp]
enabled = false
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
# MY RULES
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 1
[apache-scan]
enabled = true
filter = apache-scan
action = iptables[name=Apache-scan,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 1
[dos]
enabled = true
port = 80,49152
filter = dos
logpath = /var/log/kern.log
maxretry = 1
[apache-admin]
enabled = true
port = http,https
filter = apache-admin
logpath = /var/log/apache2/*error.log
maxretry = 1
[apache-headers]
enabled = true
port = http,https
filter = apache-headers
logpath = /var/log/apache2/*error.log
maxretry = 1
[apache-invalid]
enabled = true
port = http,https
filter = apache-invalid
logpath = /var/log/apache2/*error.log
maxretry = 1
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
# Debian writes mail logs to mail.log (maillog is the Red Hat name), as in the mail jails above
logpath = /var/log/mail.log
maxretry = 20
findtime = 1200
bantime = 1200
jail.conf is the file that defines the services to monitor. It relies on filters defined beforehand in /etc/fail2ban/filter.d
apache-w00tw00t.conf:
[Definition]
failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
ignoreregex =
apache-scan.conf:
[Definition]
failregex = ^<HOST> -.*"GET \/nonexistenshit.*".*
            ^<HOST> -.*"GET .*xmlrpc\.php.*".*
            ^<HOST> -.*"GET .*html2text\.php.*".*
ignoreregex =
dos.conf:
[Definition]
# fail2ban needs a <HOST> tag to know which peer to ban; the kernel logs "Peer A.B.C.D:port/port shrinks window ..."
failregex = TCP: Treason uncloaked! Peer <HOST>:\d+/\d+
ignoreregex =
apache-admin.conf:
[Definition]
failregex = [[]client <HOST>[]] File does not exist: .*(admin|PMA|mysql)
ignoreregex =
apache-headers.conf:
[Definition]
failregex = [[]client <HOST>[]] request failed: error reading the headers
ignoreregex =
apache-invalid.conf:
[Definition]
failregex = [[]client <HOST>[]] Invalid URI in request .*
ignoreregex =
dovecot-pop3imap.conf:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
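As an added example (not part of the original post and not fail2ban's own code), the Python snippet below replays the apache-w00tw00t, apache-scan and apache-admin failregex lines above over constructed log lines, much as fail2ban-regex would, and then applies the jail's maxretry/findtime logic to decide which hosts get banned. The <HOST> expansion is the one fail2ban 0.8 uses; timestamps are supplied next to each line instead of being parsed out of it.

```python
import re
from collections import defaultdict

# The group fail2ban 0.8 substitutes for the <HOST> tag in a failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# failregex lines taken from the filter files above, keyed by filter name.
FILTERS = {
    "apache-w00tw00t": [r'^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*'],
    "apache-scan": [r'^<HOST> -.*"GET \/nonexistenshit.*".*',
                    r'^<HOST> -.*"GET .*xmlrpc\.php.*".*'],
    "apache-admin": [r"[[]client <HOST>[]] File does not exist: .*(admin|PMA|mysql)"],
}

def compile_filter(name):
    """Expand <HOST> and compile each failregex of a filter."""
    return [re.compile(rx.replace("<HOST>", HOST)) for rx in FILTERS[name]]

def match_host(patterns, line):
    """Return the host captured by the first matching failregex, else None."""
    for rx in patterns:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def bans(name, entries, maxretry, findtime):
    """Replay (epoch_seconds, log_line) entries through a jail: a host is banned
    once it has maxretry matches inside a sliding findtime window."""
    patterns = compile_filter(name)
    hits, banned = defaultdict(list), []
    for ts, line in entries:
        host = match_host(patterns, line)
        if host is None or host in banned:
            continue
        hits[host] = [t for t in hits[host] if ts - t <= findtime] + [ts]
        if len(hits[host]) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample log lines (not from a real server).
ACCESS_LOG = [
    (1000, '10.0.0.5 - - [14/Dec/2009:10:00:00 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0'),
    (1001, '10.0.0.6 - - [14/Dec/2009:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512'),
    (1002, '10.0.0.7 - - [14/Dec/2009:10:00:02 +0100] "GET /xmlrpc.php HTTP/1.1" 404 0'),
]
ERROR_LOG = [
    (2000, '[Mon Dec 14 10:00:00 2009] [error] [client 10.0.0.8] File does not exist: /var/www/PMA'),
    (2005, '[Mon Dec 14 10:00:05 2009] [error] [client 10.0.0.8] File does not exist: /var/www/admin'),
    (2700, '[Mon Dec 14 10:11:40 2009] [error] [client 10.0.0.9] File does not exist: /var/www/mysql'),
    (3400, '[Mon Dec 14 10:23:20 2009] [error] [client 10.0.0.9] File does not exist: /var/www/admin'),
]
```

With maxretry = 2 and findtime = 600, 10.0.0.9's two hits are 700 seconds apart, so it is never banned; widening findtime to 1200 bans it as well, which is the trade-off the dovecot jail above tunes with findtime = 1200.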
To be continued…