Internet server @ home -5-
By makoto doushite on Saturday, 18 September 2010, 11:54 - Internet self-hosting - Permalink
Continued from the fourth episode
Let's continue this series of notes on installing and configuring the server, this time with the installation and configuration of the software firewall.
iptables for netfilter:
- Create the file: /etc/init.d/makotoiptables
#!/bin/bash
########################
# MaKoTo - 14/12/2009
# Firewall rules
# Server hosting:
# - SSH
# - HTTP
# - HTTPS
# - IMAP
########################
# Start

# Flush the existing INPUT rules first, so re-running the script does not
# append a second copy of every rule (added here; the original did not flush)
iptables -F INPUT

# Allow inbound packets belonging to connections that are already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local (loopback) traffic
iptables -I INPUT 2 -i lo -j ACCEPT

# Allow pings
iptables -A INPUT -p icmp -j ACCEPT

#------------------------------
# Allow inbound flows
#------------------------------
# SSH server moved to port 1025
iptables -A INPUT -p tcp -i eth0 --dport 1025 -j ACCEPT
# Web server on 80
iptables -A INPUT -p tcp -i eth0 --dport http -j ACCEPT
# Secure web server on 443
iptables -A INPUT -p tcp -i eth0 --dport https -j ACCEPT
# Incoming mail (IMAP) server on 143
iptables -A INPUT -p tcp -i eth0 --dport imap2 -j ACCEPT
# Added, otherwise mail reception does not work even with 143 open
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT

#---------------------------------------
# Block the remaining inbound flows
#---------------------------------------
iptables -P INPUT DROP
# End
- Apply the rules at boot:
Make this script executable:
#chmod +x /etc/init.d/makotoiptables
Edit /etc/rc.local to add the following line (just before exit 0):
#/etc/init.d/makotoiptables
- Check:
# iptables -L (or # iptables -L -v -n)
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:666
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
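Looking at the listing is fine for five rules, but it is easy to miss a port that differs from what the script was supposed to open. The following is an added example, not part of the original post, that parses the text printed by iptables -L, collects the TCP ports with an ACCEPT rule in INPUT, and compares them with the ports the firewall script above intends to open. It is run here over the listing shown above, embedded as a constructed string, and reports the mismatch visible in it: the script opens 1025 for SSH, while the listing shows dpt:666. SERVICE_PORTS (names as printed from /etc/services) and INTENDED_TCP_PORTS (taken from the script) are assumptions of this example.

```python
import re

# The `iptables -L` listing from the verification step above, embedded as a
# constructed string so the check runs offline.
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:666
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Service names as iptables prints them without -n (from /etc/services),
# mapped to numeric ports. Assumed mapping for this example.
SERVICE_PORTS = {"ssh": 22, "www": 80, "http": 80, "https": 443,
                 "imap2": 143, "smtp": 25}

# TCP ports the script /etc/init.d/makotoiptables is meant to accept
# (SSH on 1025, HTTP, HTTPS, IMAP, SMTP).
INTENDED_TCP_PORTS = {1025, 80, 443, 143, 25}


def parse_chains(output):
    """Return {chain: {"policy": str, "rules": [rule dicts]}} from `iptables -L` text."""
    chains = {}
    current = None
    for line in output.splitlines():
        header = re.match(r"^Chain (\S+) \(policy (\S+)\)", line)
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue  # blank line, column header, or text before the first chain
        fields = line.split()
        rule = {"target": fields[0], "prot": fields[1], "extra": " ".join(fields[5:])}
        chains[current]["rules"].append(rule)
    return chains


def accepted_tcp_ports(chains):
    """Numeric destination ports that have an ACCEPT rule in the INPUT chain."""
    ports = set()
    for rule in chains["INPUT"]["rules"]:
        if rule["target"] != "ACCEPT" or rule["prot"] != "tcp":
            continue
        dpt = re.search(r"dpt:(\S+)", rule["extra"])
        if not dpt:
            continue
        name = dpt.group(1)
        ports.add(int(name) if name.isdigit() else SERVICE_PORTS[name])
    return ports


def audit(output, intended=INTENDED_TCP_PORTS):
    """Compare the live ruleset with intent.

    Returns (policy_is_drop, intended ports not open, open ports not intended)."""
    chains = parse_chains(output)
    policy_ok = chains["INPUT"]["policy"] == "DROP"
    open_ports = accepted_tcp_ports(chains)
    return policy_ok, sorted(intended - open_ports), sorted(open_ports - intended)


if __name__ == "__main__":
    policy_ok, missing, unexpected = audit(SAMPLE_OUTPUT)
    print("INPUT policy is DROP:", policy_ok)       # True
    print("intended ports not open:", missing)      # [1025]
    print("open ports not intended:", unexpected)   # [666]
```

On the server, feeding the output of iptables -L -n (numeric ports, so no service-name lookup is needed) into audit() gives the same three answers for the running ruleset; the point of the check is that the default policy and the exact port list are verified by comparison with a written intent, not by eye.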
fail2ban:
#apt-get install fail2ban
Start fail2ban:
#/etc/init.d/fail2ban start
- Check the configuration file: /etc/fail2ban/fail2ban.conf
[Definition]
loglevel = 1
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
- Configure the jail rules in the file: /etc/fail2ban/jail.conf
[DEFAULT]
# IPs never to ban
ignoreip = 127.0.0.1 192.168.0.0/24
# ban time in seconds
bantime = 3600
# max number of attempts before banning
maxretry = 3
backend = polling
# the address that receives fail2ban alerts
destemail = root@localhost
# the default action when banning
banaction = iptables-multiport
# the command used to send mail (here sendmail or postfix)
mta = sendmail
# the protocol to monitor
protocol = tcp

#
# JAILS
#

[ssh]
# enabled or not (false)
enabled = true
# the port the service listens on
port = 1025
# the .conf file in filter.d
filter = sshd
# the log file to analyse
logpath = /var/log/auth.log
maxretry = 3

[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 1

#
# HTTP servers
#

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 1

[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 1

[apache-noscript]
# if true, itheora videos break!
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 1

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 1

#
# FTP servers
#

[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 6

[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6

#
# Mail servers
#

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log

[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log

# DNS Servers
[named-refused-udp]
enabled = false
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/named/security.log

[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log

# MY RULES
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 1

[apache-scan]
enabled = true
filter = apache-scan
action = iptables[name=Apache-scan,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 1

[dos]
enabled = true
port = 80,49152
filter = dos
logpath = /var/log/kern.log
maxretry = 1

[apache-admin]
enabled = true
port = http,https
filter = apache-admin
logpath = /var/log/apache2/*error.log
maxretry = 1

[apache-headers]
enabled = true
port = http,https
filter = apache-headers
logpath = /var/log/apache2/*error.log
maxretry = 1

[apache-invalid]
enabled = true
port = http,https
filter = apache-invalid
logpath = /var/log/apache2/*error.log
maxretry = 1

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
jail.conf is the file that defines the services to monitor. It relies on filters defined beforehand in /etc/fail2ban/filter.d; each filter below is a file in that directory whose failregex must capture the offending address as <HOST>.
apache-w00tw00t.conf:
[Definition]
failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
ignoreregex =

apache-scan.conf:
[Definition]
failregex = ^<HOST> -.*"GET \/nonexistenshit.*".*
            ^<HOST> -.*"GET .*xmlrpc\.php.*".*
            ^<HOST> -.*"GET .*html2text\.php.*".*
ignoreregex =
dos.conf:
[Definition]
# <HOST> is added here: fail2ban refuses a failregex with no host capture,
# and the kernel message carries the peer address right after "Peer "
failregex = TCP: Treason uncloaked! Peer <HOST>:.*
ignoreregex =
apache-admin.conf:
[Definition]
failregex = [[]client <HOST>[]] File does not exist: .*(admin|PMA|mysql)
ignoreregex =
apache-headers.conf:
[Definition]
failregex = [[]client <HOST>[]] request failed: error reading the headers
ignoreregex =
apache-invalid.conf:
[Definition]
failregex = [[]client <HOST>[]] Invalid URI in request .*
ignoreregex =
dovecot-pop3imap.conf:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
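A filter that matches nothing bans nobody, and one that matches too much bans legitimate users, so the regexes above are worth exercising before the jails are enabled. The following is an added example, neither from the original post nor from fail2ban itself: it compiles the apache-scan, apache-admin and dovecot-pop3imap failregex lines with Python's re module (the engine fail2ban uses), runs them over constructed sample log lines, and then applies the maxretry/findtime counting rule from jail.conf to show why the [dovecot-pop3imap] jail (maxretry = 20, findtime = 1200) bans a burst of failures but not the same number of failures spread over a longer period. HOST_RE is a simplified stand-in for fail2ban's own <HOST> expansion, and all log lines and addresses are constructed for the example.

```python
import re

# fail2ban replaces the <HOST> placeholder with a sub-pattern matching an
# address or hostname, exposed as the named group "host". This pattern is a
# simplified stand-in for that expansion (an assumption, not fail2ban's own).
HOST_RE = r"(?P<host>[0-9A-Za-z.:-]+)"

# failregex lines copied from the filter files above (the dovecot filter
# carries its own (?P<host>...) group instead of <HOST>).
FILTERS = {
    "apache-scan": [
        r'^<HOST> -.*"GET \/nonexistenshit.*".*',
        r'^<HOST> -.*"GET .*xmlrpc\.php.*".*',
        r'^<HOST> -.*"GET .*html2text\.php.*".*',
    ],
    "apache-admin": [
        r"[[]client <HOST>[]] File does not exist: .*(admin|PMA|mysql)",
    ],
    "dovecot-pop3imap": [
        r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login"
        r" \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    ],
}
COMPILED = {name: [re.compile(p.replace("<HOST>", HOST_RE)) for p in pats]
            for name, pats in FILTERS.items()}

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
ACCESS_SCAN = '203.0.113.5 - - [18/Sep/2010:11:54:01 +0200] "GET /xmlrpc.php HTTP/1.1" 404 213 "-" "-"'
ACCESS_OK = '198.51.100.7 - - [18/Sep/2010:11:54:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "-"'
ERROR_ADMIN = "[Sat Sep 18 11:54:03 2010] [error] [client 203.0.113.5] File does not exist: /var/www/admin"
DOVECOT_FAIL = ("Sep 18 11:55:01 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
                "user=<bob>, method=PLAIN, rip={ip}, lip=192.0.2.1")


def match_host(filter_name, line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in COMPILED[filter_name]:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def simulate_jail(filter_name, entries, maxretry, findtime):
    """Apply fail2ban's counting rule to (seconds, line) entries, oldest first:
    a host is banned once it has maxretry matches within a findtime-second window.
    Returns {host: second at which the ban fires}."""
    history, banned = {}, {}
    for ts, line in entries:
        host = match_host(filter_name, line)
        if host is None or host in banned:
            continue
        # keep only the matches still inside the findtime window
        recent = [t for t in history.get(host, []) if ts - t <= findtime]
        recent.append(ts)
        history[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts
    return banned


def dovecot_scenario():
    """20 failures in 10 minutes from one host versus 20 spread over 32 minutes
    from another, judged with the [dovecot-pop3imap] settings from jail.conf
    (maxretry = 20, findtime = 1200)."""
    fast = [(30 * i, DOVECOT_FAIL.format(ip="203.0.113.5")) for i in range(20)]
    slow = [(100 * i, DOVECOT_FAIL.format(ip="198.51.100.7")) for i in range(20)]
    return simulate_jail("dovecot-pop3imap", sorted(fast + slow), maxretry=20, findtime=1200)


if __name__ == "__main__":
    print(match_host("apache-scan", ACCESS_SCAN))   # 203.0.113.5
    print(match_host("apache-scan", ACCESS_OK))     # None
    # [apache-admin] uses maxretry = 1: a single hit is enough to ban
    print(simulate_jail("apache-admin", [(0, ERROR_ADMIN)], maxretry=1, findtime=600))
    print(dovecot_scenario())                        # only 203.0.113.5 is banned
```

On the server itself, fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-admin.conf performs the equivalent match check against the real log. The slow host in dovecot_scenario() never has more than 13 failures inside any 1200-second window, which is the behaviour findtime is meant to produce: the threshold counts recent failures, not failures since the log began.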