Fail2ban

Example installation and configuration on Debian with Apache:

Installation:

apt-get install fail2ban

Edit the jail configuration file. Note that jail.conf ships with the package and is overwritten on upgrade; on any recent fail2ban put your own jails in /etc/fail2ban/jail.local instead (same syntax, takes precedence), and keep jail.conf as the reference for available options:

vim /etc/fail2ban/jail.conf

Example configuration:

[apache]

enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error*.log
action   = iptables-allports[name=apache, protocol=all]
           mail[name=$HOSTNAME, dest="abuse@domain.com", sender=$HOSTNAME]
maxretry = 5
bantime  = 600

What this means: five lines matching the apache-auth filter from the same address within findtime (600 seconds by default; it is not set here) ban that address on all ports through iptables for 600 seconds, and the mail action sends a notification to abuse@domain.com. Two caveats a practitioner should know. First, fail2ban does not expand $HOSTNAME itself (its only interpolation is the %(name)s form of its config parser), so the value reaches the action command verbatim and is only expanded if the shell running the action happens to have HOSTNAME set, which it usually does not under an init script or systemd; use a literal host name and a real sender address instead. Second, iptables-allports blocks the banned address on every port, not just HTTP/HTTPS, so a false positive locks that address out of SSH as well; keep maxretry high enough for legitimate users who mistype a password.

If needed, adjust the filter file to tune how the logs are parsed:

vim /etc/fail2ban/filter.d/apache-auth.conf

Example:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          "[[]" and "[]]" are one-character classes that match a literal "["
#          and "]", the brackets Apache puts around "client <ip>".
# Values:  TEXT
#
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch
            [[]client <HOST>[]] Digest: user .* authentication failure
            [[]client <HOST>[]] Digest: user .* not found
            [[]client <HOST>[]] Digest: user .* password mismatch

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Before restarting, test the filter against the real log with fail2ban-regex (it takes the log file and the filter file as arguments and reports how many lines each failregex matched); a filter that matches nothing bans nothing, and one that matches too broadly bans the wrong people. Then restart fail2ban:

/etc/init.d/fail2ban restart

On a systemd-based Debian, systemctl restart fail2ban does the same. Afterwards, fail2ban-client status apache shows whether the jail is active, which log files it watches, and the currently banned addresses.
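To make explicit what the jail and the filter above do together, the following Python script (an added example, not fail2ban's own code) expands <HOST> into the alias quoted in the filter header, runs the six failregex lines over a handful of constructed Apache 2.2 error_log lines, and then applies the jail's maxretry and bantime accounting. It assumes fail2ban's default findtime of 600 seconds, which the jail above does not set, and the Apache 2.2 timestamp format in its constructed lines; the addresses and messages are made up.

```python
"""Toy model of the fail2ban jail above: apache-auth failregex applied to
Apache error_log lines, then maxretry/findtime/bantime accounting.
Added example, not fail2ban's own code; all log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# What fail2ban substitutes for the <HOST> tag (see the filter header comment).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex lines from filter.d/apache-auth.conf. "[[]" and "[]]" are
# one-character classes matching a literal "[" and "]".
FAILREGEX = [
    r"[[]client <HOST>[]] user .* authentication failure",
    r"[[]client <HOST>[]] user .* not found",
    r"[[]client <HOST>[]] user .* password mismatch",
    r"[[]client <HOST>[]] Digest: user .* authentication failure",
    r"[[]client <HOST>[]] Digest: user .* not found",
    r"[[]client <HOST>[]] Digest: user .* password mismatch",
]

# Apache 2.2 error_log timestamp, e.g. "[Sun Mar 01 12:00:01 2015]" (assumed format).
TIMESTAMP = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]")

# Constructed sample log, not a real capture. 203.0.113.5 fails five times in
# 14 seconds (once behind an IPv4-mapped ::ffff: prefix); 198.51.100.7 fails
# six times, but never five within the 600 s window; 203.0.113.9 only 404s.
SAMPLE_LOG = [
    "[Sun Mar 01 12:00:01 2015] [error] [client 203.0.113.5] user admin not found: /admin",
    '[Sun Mar 01 12:00:03 2015] [error] [client 203.0.113.5] user admin: authentication failure for "/admin": Password Mismatch',
    "[Sun Mar 01 12:00:05 2015] [error] [client 198.51.100.7] user bob not found: /admin",
    "[Sun Mar 01 12:00:06 2015] [error] [client 203.0.113.9] File does not exist: /favicon.ico",
    "[Sun Mar 01 12:00:07 2015] [error] [client 203.0.113.5] Digest: user admin in realm secure not found: /admin",
    "[Sun Mar 01 12:00:09 2015] [error] [client ::ffff:203.0.113.5] user admin: password mismatch: /admin",
    "[Sun Mar 01 12:00:11 2015] [error] [client 198.51.100.7] user bob not found: /admin",
    "[Sun Mar 01 12:00:12 2015] [error] [client 198.51.100.7] user bob not found: /admin",
    "[Sun Mar 01 12:00:15 2015] [error] [client 203.0.113.5] user admin not found: /admin",
    "[Sun Mar 01 12:20:01 2015] [error] [client 198.51.100.7] user bob not found: /admin",
    "[Sun Mar 01 12:20:02 2015] [error] [client 198.51.100.7] user bob not found: /admin",
    "[Sun Mar 01 12:20:03 2015] [error] [client 198.51.100.7] user bob not found: /admin",
]


def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> the way fail2ban does, then compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_failure(line, compiled):
    """Return (timestamp, host) if the line is an auth failure, else None.
    The ::ffff: prefix is consumed outside the host group, so IPv4-mapped
    and plain addresses count against the same host."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            ts = TIMESTAMP.match(line)
            when = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y") if ts else None
            return when, m.group("host")
    return None


def run_jail(lines, maxretry=5, findtime=600, bantime=600):
    """Sliding-window ban logic: a host is banned on its maxretry-th failure
    inside a findtime-second window. Returns {host: (banned_at, unban_at)}."""
    compiled = compile_failregex()
    recent = defaultdict(deque)   # host -> failure timestamps still in the window
    bans = {}
    for line in lines:
        hit = match_failure(line, compiled)
        if hit is None or hit[0] is None:
            continue
        when, host = hit
        q = recent[host]
        q.append(when)
        while q and (when - q[0]) > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry and host not in bans:
            bans[host] = (when, when + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for host, (start, end) in run_jail(SAMPLE_LOG).items():
        print(f"ban {host} at {start:%H:%M:%S}, unban at {end:%H:%M:%S}")
```

Running it bans only 203.0.113.5, at 12:00:15 until 12:10:15. 198.51.100.7 is never banned with the defaults because its six failures are split across two windows; rerunning with findtime=3600 bans it too, which is the knob to turn for slow, patient brute forcing. Against a real log, fail2ban-regex does the first half of this (the matching and counting) for you.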