===== Fail2ban =====

Exemple d'installation et de configuration sous Debian avec apache :

Installation :
  apt-get install fail2ban

Editer le fichier :
  vim /etc/fail2ban/jail.conf

Exemple de configuration :
  [apache]
  
  enabled = true
  port    = http,https
  filter  = apache-auth
  logpath = /var/log/apache*/*error*.log
  action   = iptables-allports[name=apache, protocol=all]
             mail[name=$HOSTNAME, dest="abuse@domain.com", sender=$HOSTNAME]
  maxretry = 5
  bantime = 600


Si besoin modifier le fichier filter pour optimiser l'analyse des logs :
  vim /etc/fail2ban/filter.d/apache-auth.conf

Exemple :
  # Fail2Ban configuration file
  #
  # Author: Cyril Jaquier
  #
  # $Revision: 728 $
  #
  
  [Definition]
  
  # Option:  failregex
  # Notes.:  regex to match the password failure messages in the logfile. The
  #          host must be matched by a group named "host". The tag "<HOST>" can
  #          be used for standard IP/hostname matching and is only an alias for
  #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
  # Values:  TEXT
  #
  failregex = [[[client <HOST>[]] user .* authentication failure
              [[]client <HOST>[]] user .* not found
              [[]client <HOST>[]] user .* password mismatch
              [[[client <HOST>[]] Digest: user .* authentication failure
              [[]client <HOST>[]] Digest: user .* not found
              [[]client <HOST>[]] Digest: user .* password mismatch
  
  # Option:  ignoreregex
  # Notes.:  regex to ignore. If this regex matches, the line is ignored.
  # Values:  TEXT
  #
  ignoreregex =

Redémarrer fail2ban :

  /etc/init.d/fail2ban restart