Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen gezeigt.

--- lpi2:fail2ban [2014/02/27 01:02]
ingo_wichmann
+++ lpi2:fail2ban [2026/01/10 22:35] (aktuell)
ingo_wichmann
@@ Zeile 1: / Zeile 1: @@
 Pakete:
-  * Debian (7): ''fail2ban''
+  * Debian (ab 12): ''fail2ban python3-pyinotify python3-systemd''
+Per default überwacht fail2ban bei debian ssh:
+  egrep -A7 '\[sshd?\]' /etc/fail2ban/jail.conf
+  less /etc/fail2ban/filter.d/sshd.conf
+<file txt /etc/fail2ban/jail.conf>
+…
+[DEFAULT]
+…
+banaction = iptables-multiport
+…
+</file>
+  less /etc/fail2ban/action.d/iptables-multiport.conf
+fail2ban Zusammenfassung der Konfiguration anzeigen:
+  fail2ban-client status
+  fail2ban-client status sshd
+====== Apache Basic Auth ======
+Pakete: apache2 fail2ban (Debian 9)
+  mkdir -p /srv/www/fail2ban
+  htpasswd -c /srv/www/htpasswd_fail2ban heinz
+<file txt /etc/apache2/conf-available/fail2ban-apache-auth-test.conf>
+<directory /srv/www/fail2ban>
+  AllowOverride AuthConfig
+  AuthType        Basic
+  AuthName        "Bitte Username und Passwort"
+  AuthBasicProvider file
+  AuthUserFile    /srv/www/htpasswd_fail2ban
+  Require         valid-user
+</directory>
+</file>
+<file html /srv/www/fail2ban/index.html>
+<html>
+  <head>
+    <title>Hello fail2ban!</title>
+  </head>
+  <body>
+    Hello fail2ban
+  </body>
+</html>
+</file>
+Zugriff lokal testen:
+  wget --user heinz --password xxx -nv -O - http://127.0.0.1/fail2ban-test/index.html
+<file txt /etc/fail2ban/jail.local>
+[apache-auth]
+enabled = true
+</file>
+  fail2ban-client reload
+  fail2ban-client status
+  fail2ban-client status apache-auth
+Von einem anderen Rechner aus:
+  ab -n 10 -A heinz:nono http://192.168.212.11/fail2ban-test/index.html
+  less /var/log/fail2ban.log
+====== Apache Log mit HTTP Status 400 (Bad Request) ======
+Beispiel für Zeile aus ''access.log'' mit Status 400:
+<file txt /var/log/apache/access.log>
+server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"
+</file>
+===== Filter =====
+<file txt /etc/fail2ban/filter.d/apache-badrequest.local>
+[Definition]
+failregex = ^\S+ <ADDR> - - \[[^\]]*\] "[^"]+" 400
+</file> (( ''<ADDR>'' siehe
+^Tag^Description^Example regex in filter file^
+|<HOST>|Matches IPv4/IPv6 address or hostname|''^Failed login from <HOST>$''|
+|<IP4>|Matches IPv4 address only|''^Failed login from <IP4>$''|
+|<IP6>|Matches IPv6 address only|''^Failed login from <IP6>$''|
+|<ADDR>|Matches IPv4/IPv6 address (no hostname)|''^Connection from <ADDR>$''|
+|<SUBNET>|Matches IP with optional CIDR notation|''^Connection from <SUBNET>$''|
+|<F-USER>...</F-USER>|Captures a username|''^Failed login for <F-USER>\S+</F-USER>$''|
+|<F-ID>...</F-ID>|Captures a failure ID|''^Error <F-ID>\d+</F-ID> from <HOST>$''|
+|<SKIPLINES>|Used for multi-line matching|''^Start pattern$<SKIPLINES>^End pattern$''|
+))
+Filter testen:
+  fail2ban-regex 'server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"' /etc/fail2ban/filter.d/apache-badrequest.local
+-> sollte ''1 matched'' ausgeben
+  fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-badrequest.local
+-> sollte die korrekte Anzahl Zeilen mit Status 400 ausgeben.
+===== Jail =====
+<file txt /etc/fail2ban/jail.d/apache-badrequest.local>
+[apache_bad_request]
+enabled = true
+port    = http,https
+filter  = apache-badrequest
+logpath = /var/log/apache*/*access.log
+maxretry = 3
+</file>
+Testen:
+  fail2ban-client reload
+-> ''OK''
+  fail2ban-client status
+-> ''Jail list: … apache_bad_request…''
+  fail2ban-client status apache_bad_request

Linuxhotel Wiki

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge