Download the extra Fail2Ban filters from SourceForge: click here!

Here are some of my personal filters for Fail2Ban (Fail2Ban reads your log files and adds offending addresses to the firewall, iptables in this setup): Apache custom rules, WordPress, an error-page filter, mod_evasive (DDoS protection) and so on.


Install Fail2Ban on your Linux server. A note on the commands: the custom filters below were written for my own server. Adapt them to your setup, or take only the parts you actually need.

Example Fail2Ban installation on Debian-based Linux:

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Initial Fail2Ban configuration (for the commands see https://www.fail2ban.org/wiki/). Copying jail.conf to jail.local works, but a jail.local that holds only your overrides is easier to maintain: jail.conf is replaced on package upgrades, and in a full copy your changes are hard to tell apart from the defaults.

sudo service fail2ban restart
sudo service fail2ban start
sudo service fail2ban status
sudo iptables -L -n --line-numbers
sudo service fail2ban stop
sudo fail2ban-client set recidive unbanip 107.170.186.79
sudo fail2ban-client set apache-auth unbanip 198.16.66.155
sudo fail2ban-client set wordpress unbanip 104.236.195.72
sudo fail2ban-client set webmin-auth unbanip 89.212.137.96
### etc.: unban an IP in a specific jail (the jail name comes first). Or unban everything:
sudo fail2ban-client unban --all

fail2ban.conf configuration file: the only value I change is dbpurgeage (default 1d) at the end of the file. Keep it at least as long as your longest finite bantime, otherwise a ban can be purged from the database, and therefore not restored after a restart, before it expires. The file's own header recommends putting such overrides in fail2ban.local rather than editing fail2ban.conf.

sudo nano /etc/fail2ban/fail2ban.conf
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = DEBUG
#

[Definition]

# Option: loglevel
# Notes.: Set the log level output.
#         CRITICAL
#         ERROR
#         WARNING
#         NOTICE
#         INFO
#         DEBUG
# Values: [ LEVEL ]  Default: ERROR
#
loglevel = INFO

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
#         If you change logtarget from the default value and you are
#         using logrotate -- also adjust or disable rotation in the
#         corresponding configuration file
#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
#
logtarget = /var/log/fail2ban.log

# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
#        auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ]  Default: auto
syslogsocket = auto

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
#         A value of ":memory:" means database is only stored in memory 
#         and data is lost when fail2ban is stopped.
#         A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 15d

# usedns is a jail option (set it in the [DEFAULT] section of jail.local),
# not a fail2ban.conf option:
#usedns = no


Fail2Ban phpMyAdmin protection (apache-myadmin.conf): you can use this filter as it is if phpMyAdmin is installed.

Apache phpMyAdmin filter.d: Fail2Ban protection for your phpMyAdmin:

sudo nano /etc/fail2ban/filter.d/apache-myadmin.conf

Copy the directives below into apache-myadmin.conf. They match lines of the Apache error log (a 404 for a path that looks like a phpMyAdmin install, and a failed phpMyAdmin login), so the jail has to read the error log, not the access log. A prefix such as /\S*admin or /\S*sql also matches harmless 404s (a missing /images/adminbanner.png, say), so test the filter with fail2ban-regex against your own error log before banning permanently:

[INCLUDES]
before = apache-common.conf

[Definition]

# Failed phpMyAdmin login. phpMyAdmin writes this through PHP's error_log(),
# which lands in the Apache error log at notice rather than error level, so
# it is matched without the level-specific prefix. Newer phpMyAdmin versions
# log "user denied: <user> (mysql-denied) from <ip>" instead; fail2ban ships
# filter.d/phpmyadmin-syslog.conf for that format.
#
# 404s for phpMyAdmin-like paths. _apache_error_client (from apache-common.conf)
# matches the Apache 2.2 "[error] [client IP]" prefix and the 2.4
# "[module:error] [pid N:tid N] [client IP:PORT]" prefix; the plain
# "[[]client <HOST>[]]" form misses every Apache 2.4 line because of the :PORT.
failregex = \[client <HOST>(?::\d{1,5})?\] phpmyadmin: authentification failed
            ^%(_apache_error_client)s (?:AH\d+: )?File does not exist: /\S*(?:phpmyadmin2?|phpMyAdmin(?:2|-2)?|PMA(?:2005)?|pma(?:2005)?|admin|dbadmin|sql|mysql|myadmin|MyAdmin|php-my-admin|php-myadmin|phpmy-admin|sqlmanager|mysqlmanager|phpmanager|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin)

ignoreregex =

Enable the filter in jail.local (sudo nano /etc/fail2ban/jail.local) by copying the directive below to the end of the file:

sudo nano /etc/fail2ban/jail.local 
[apache-myadmin]
enabled  = true
filter   = apache-myadmin
port     = http,https
# the filter matches error-log lines, so the jail must read the error log
logpath  = %(apache_error_log)s
#logpath = /var/log/apache2/error.log
maxretry = 3
# -1 = permanent ban; use a finite bantime such as 1w until you trust the filter
bantime  = -1
#action    = %(action_mwl)s
#banaction = %(banaction_allports)s
sudo service fail2ban restart
sudo service fail2ban status

Instead of the DoS filter below you are better off using Apache's mod_evasive or mod_security. This filter counts every single request, so it also blocks ordinary users unless their addresses are listed in ignoreip in the Fail2Ban configuration. I ADVISE AGAINST USING THIS FILTER.

Fail2Ban: GET/POST limit (http-dos.conf)

Filter.d http-dos.conf for GET/POST floods against the site. With the example jail settings, 300 requests within 300 seconds earn a one-hour ban; adjust the jail.local parameters to your own traffic:

sudo nano /etc/fail2ban/filter.d/http-dos.conf

Copy the directives below into http-dos.conf (every GET or POST line counts as a hit), save, and restart Fail2Ban:

[Definition]

failregex = ^<HOST> -.*"(GET|POST).* 

ignoreregex =
sudo service fail2ban restart
sudo service fail2ban status

Add the directive below to the end of jail.local: 300 GET or POST requests (or a mix) within 300 seconds means a one-hour ban. Use larger values, for example 600 requests, 600 seconds, 24 hours. Keep in mind that clients behind NAT or a proxy share one address, so a whole office can be banned together:

sudo nano /etc/fail2ban/jail.local 
[http-dos]
enabled = true
filter = http-dos 
port = http,https
logpath = %(apache_access_log)s
maxretry = 300
findtime = 300
bantime = 1h
banaction = %(banaction_allports)s

Fail2Ban apache-custom.conf: protection against assorted unwanted requests (my own filter). The filter is written from my own server logs. Beware: it also blocks on requests that end in a 404.

Apache-Custom filter: a personally written filter for protecting Apache (based on my own log files). WARNING! This filter will also block customers or friends who reach your login pages the normal way (the /login, /portal, /manager and wp-login.php lines match your own login pages too). Comment out the directives you do not need or that lock you out of your site or login page: put a # in front of each such line. At the very end, delete the two ignoreregex directives (^<HOST> .* "GET /assets/.* and ^<HOST> .* "GET /img/.*) if your site does not use those paths.

Filter.d apache-custom.conf: write your own filters and parameters for your web applications:

sudo nano /etc/fail2ban/filter.d/apache-custom.conf

Copy the directives below into apache-custom.conf, save, and restart Fail2Ban:

# Fail2Ban configuration file
#
# Custom regex patterns to ban known (and unwanted) access attempts.
# Based off my own server logs. By Boris Perc HomeCraftSoft@2000
 
[Definition]
 
badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*|AspiegelBot.*|SemrushBot.*|PHP/.*|Abonti|aggregator|AhrefsBot|asterias|BDCbot|BLEXBot|BuiltBotTough|Bullseye|BunnySlippers|ca\-crawler|CCBot|Cegbfeieh|CheeseBot|CherryPicker|CopyRightCheck|cosmos|Crescent|discobot|DittoSpyder|DotBot|Download Ninja|EasouSpider|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|ExtractorPro|Fasterfox|FeedBooster|Foobot|Genieo|grub\-client|Harvest|hloader|httplib|HTTrack|humanlinks|ieautodiscovery|InfoNaviRobot|IstellaBot|Java/1\.|JennyBot|k2spider|Kenjin Spider|Keyword Density/0\.9|larbin|LexiBot|libWeb|libwww|LinkextractorPro|linko|LinkScan/8\.1a Unix|LinkWalker|LNSpiderguy|lwp\-trivial|magpie|Mata Hari|MaxPointCrawler|MegaIndex|Microsoft URL Control|MIIxpc|Mippin|Missigua Locator|Mister PiX|MJ12bot|moget|MSIECrawler|NetAnts|NICErsPRO|Niki\-Bot|NPBot|Nutch|Offline Explorer|Openfind|panscient\.com|PHP/5\.\{|ProPowerBot/2\.14|ProWebWalker|Python\-urllib|QueryN Metasearch|RepoMonkey|SISTRIX|sitecheck\.Internetseer\.com|SiteSnagger|SnapPreviewBot|Sogou|SpankBot|spanner|spbot|Spinn3r|suzuran|Szukacz/1\.4|Teleport|Telesoft|The Intraformant|TheNomad|TightTwatBot|Titan|toCrawl/UrlDispatcher|True_Robot|turingos|TurnitinBot|UbiCrawler|UnisterBot|URLy Warning|VCI|WBSearchBot|Web Downloader/6\.9|Web Image Collector|WebAuto|WebBandit|WebCopier|WebEnhancer|WebmasterWorldForumBot|WebReaper|WebSauger|Website Quester|Webster Pro|WebStripper|WebZip|Wotbox|wsr\-agent|WWW\-Collector\-E|Xenu|Zao|Zeus|ZyBORG|coccoc|Incutio|lmspider|memoryBot|serf|Unknown|uptime files
 
# The bad-agent match is scoped to the User-Agent field (the last quoted field
# of the combined log format), so an entry such as "Unknown" or "Titan" cannot
# fire on a referer URL, and the agent string may carry a version or URL after
# the listed name (the earlier (?:list)"$ form only matched agents that ended
# the line exactly with a listed name).
# The /login, /portal, /manager, /admin/login.php and wp-login.php lines also
# match your own login pages: comment out the ones your site serves.
failregex = ^<HOST> .*"(GET|POST|HEAD).*HTTP.*" "[^"]*(?:%(badagents)s)[^"]*"$
            ^<HOST> .* \[.*\] "\\n" .*$
            ^<HOST> .*"(GET|POST|HEAD) /*[pP][hH][pP][mM][yY][aA][dD][mM][iI][nN].*$
            ^<HOST> .*"(GET|POST|HEAD) /+wp-login\.php.*$
            ^<HOST> .*"(GET|POST|HEAD) /\.git(?:/| ).*$
            ^<HOST> .*"(GET|POST|HEAD) /\.env.*$
            ^<HOST> .*"(GET|POST|HEAD) /TP/public/index\.php.*$
            ^<HOST> .*"(GET|POST|HEAD) /admin/login\.php.*$
            ^<HOST> .*"(GET|POST|HEAD) /allstat\.php.*$
            ^<HOST> .*"(GET|POST|HEAD) /cfg/.*$
            ^<HOST> .*"(GET|POST|HEAD) /cisco/.*$
            ^<HOST> .*"(GET|POST|HEAD) /config.*/.*$
            ^<HOST> .*"(GET|POST|HEAD) /firmware/.*$
            ^<HOST> .*"(GET|POST|HEAD) /linksys/.*$
            ^<HOST> .*"(GET|POST|HEAD) /login\.cgi.*$
            ^<HOST> .*"(GET|POST|HEAD) /phone/.*$
            ^<HOST> .*"(GET|POST|HEAD) /polycom/.*$
            ^<HOST> .*"(GET|POST|HEAD) /provision.*/.*$
            ^<HOST> .*"(GET|POST|HEAD) /run\.py.*$
            ^<HOST> .*"(GET|POST|HEAD) /struts.*$
            ^<HOST> .*"(GET|POST|HEAD) /wls-wsat.*$
            ^<HOST> .*"(GET|POST|HEAD) /wp-config\.php.*$
            ^<HOST> .*"(GET|POST|HEAD) /wuwu11\.php.*$
            ^<HOST> .*"(GET|POST|HEAD) /wwwroot\.rar.*$
            ^<HOST> .*"(GET|POST|HEAD) http:.*/[pP][hH][pP][mM][yY][aA][dD][mM][iI][nN].*$
            ^<HOST> .*"POST /rpc/trackback/.*$
            ^<HOST> .*"(GET|POST|HEAD) /boaform.*$
            ^<HOST> .*"(GET|POST|HEAD) /manager.*$
            ^<HOST> .*"(GET|POST|HEAD) /jenkins.*$
            ^<HOST> .*"(GET|POST|HEAD) /HNAP1.*$
            ^<HOST> .*"(GET|POST|HEAD) /login.*$
            ^<HOST> .*"(GET|POST|HEAD) /systembc/.*$
            ^<HOST> .*"(GET|POST|HEAD) /autodiscover.*$
            ^<HOST> .*"(GET|POST|HEAD) .*/etc/passwd.*$
            ^<HOST> .*"(GET|POST|HEAD) /actuator.*$
            ^<HOST> .*"(GET|POST|HEAD) /ReportServer.*$
            ^<HOST> .*"(GET|POST|HEAD) /portal.*$
            ^<HOST> .*"(GET|POST|HEAD) /cpanel.*$
            ^<HOST> .*"(GET|POST|HEAD) /owa.*$
            ^<HOST> .*"(GET|POST|HEAD) /goform/.*/.*$
            ^<HOST> .*"(GET|POST|HEAD) /adm/.*$

ignoreregex = ^<HOST> .* "GET /assets/.*
              ^<HOST> .* "GET /img/.*

Add the directive below to the end of jail.local: Apache Custom protection for the Apache server. With maxretry = 1 a single matching request bans the client for an hour:

sudo nano /etc/fail2ban/jail.local 
[apache-custom]
enabled   = true
filter    = apache-custom
port      = http,https
logpath   = %(apache_access_log)s
findtime  = 86400
maxretry  = 1
bantime   = 1h
banaction = %(banaction_allports)s
#action	  = %(action_mwl)s
sudo service fail2ban restart
sudo service fail2ban status

The filter below was written for my own use. Beware: it blocks most bots, including many that are harmless by themselves and do not hammer your system. The filter is based on my own logs; add further bad bots to the list yourself.

Fail2Ban: Apache badbots.conf, configuration for protection against bad bots

Filter.d badbots.conf protects your Apache server against bad bots. Beware: the filter was written from my own logs and for my own IT protection. If it blocks your customers, add their networks to ignoreip in the Fail2Ban configuration:

sudo nano /etc/fail2ban/filter.d/badbots.conf

Copy the directives below into badbots.conf, save, and restart Fail2Ban. The badbots list must stay on a single line: a line break inside it would be read as a new option and break the filter:

# Boris Perc custom BADBOTS settings for fail2ban: failregex for Apache against malicious requests by bad bots
# A filter is simply a collection of Python regular expressions that are matched against a log
# Download good scripts and free software on SourceForge by Boris Perc HomeCraftSoft@2000

[Definition]

badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee|LivelapBot
badbots = backdoor|bandit|blackwidow|BOT for JCE|core-project|dts agent|emailmagnet|exploit|extract|flood|grabber|arvest|httrack|havij|hunter|indy library|LoadTimeBot|mfibot|Microsoft URL Control|Miami Style|morfeus|nessus|NetLyzer|pmafind|scanner|semrushbot|siphon|spbot|sqlmap|survey|teleport|updown_tester|xovibot|zgrap|zmap|aggregator|ca\-crawler|Download Ninja|EasouSpider|EmailCollector|EmailSiphon|EmailWolf|Fasterfox|grub\-client|httplib|ieautodiscovery|IstellaBot|Java/1\.|k2spider|Kenjin Spider|Keyword Density/0\.9|libwww|linko|LinkScan/8\.1a Unix|magpie|Mata Hari|MaxPointCrawler|MegaIndex|Microsoft URL Control|Mippin|Missigua Locator|Mister PiX|moget|Niki\-Bot|Offline Explorer|panscient\.com|PHP/5\.\{|ProPowerBot/2\.14|Python\-urllib|QueryN Metasearch|sitecheck\.Internetseer\.com|SnapPreviewBot|Sogou|Szukacz/1\.4|The Intraformant|toCrawl/UrlDispatcher|UbiCrawler|URLy Warning|Web Downloader/6\.9|Web Image Collector|Website Quester|Webster Pro|wsr\-agent|WWW\-Collector\-E|Incutio|memoryBot|serf|Unknown|uptime files|LivelapBot|01h4x.com|360Spider|404checker|404enemy|80legs|Abonti|Aboundex|Aboundexbot|Acunetix|ADmantX|AfD-Verbotsverfahren|AhrefsBot|AIBOT|AiHitBot|Aipbot|Alexibot|Alligator|AllSubmitter|AlphaBot|Anarchie|Anarchy|Anarchy99|Ankit|Anthill|Apexoo|archive.org_bot|arquivo.pt|arquivo-web-crawler|Aspiegel|ASPSeek|Asterias|Attach|autoemailspider|AwarioRssBot|AwarioSmartBot|BackDoorBot|Backlink-Ceck|backlink-check|BacklinkCrawler|BackStreet|BackWeb|Badass|Bandit|Barkrowler|BatchFTP|Battleztar\ Bazinga|BBBike|BDCbot|BDFetch|BetaBot|Bigfoot|Bitacle|Blackboard|Black\ Hole|BlackWidow|BLEXBot|Blow|BlowFish|Boardreader|Bolt|BotALot|Brandprotect|Brandwatch|Buck|Buddy|BuiltBotTough|BuiltWith|Bullseye|BunnySlippers|BuzzSumo|Calculon|CATExplorador|CazoodleBot|CCBot|Cegbfeieh|CensysInspect|check1.exe|CheeseBot|CherryPicker|CheTeam|ChinaClaw|Chlooe|Claritybot|Cliqzbot|Cloud\ mapping|coccocbot-web|Cocolyzebot|CODE87|Cogentbot|cognitiveseo|Collector|com.plumanalytics|Copier|CopyRightCheck|Copyscape|Cosmos|Craftbot|crawler4j|crawler.feedback|crawl.sogou.com|CrazyWebCrawler|Crescent|CrunchBot|CSHttp|Curious|Custo|CyotekWebCopy|DatabaseDriverMysqli|DataCha0s|DBLBot|demandbase-bot|Demon|Deusu|Devil|Digincore|DigitalPebble|DIIbot|Dirbuster|Disco|Discobot|Discoverybot|Dispatch|DittoSpyder|DnyzBot|DomainAppender|DomainCrawler|DomainSigmaCrawler|Domains\ Project|domainsproject.org|DomainStatsBot|Dotbot|Download\ Wonder|Dragonfly|Drip|DSearch|DTS\ Agent|EasyDL|Ebingbong|eCatch|ECCP/1.0|Ecxi|EirGrabber|EMail\ Siphon|EMail\ Wolf|EroCrawler|evc-batch|Evil|Exabot|Express\ WebPictures|ExtLinksBot|Extractor|ExtractorPro|Extreme\ Picture\ Finder|EyeNetIE|Ezooms|facebookscraper|FDM|FemtosearchBot|FHscan|Fimap|Firefox/7.0|FlashGet|Flunky|Foobot|Freeuploader|FrontPage|Fuzz|FyberSpider|Fyrebot|GalaxyBot|Genieo|GermCrawler|Getintent|GetRight|GetWeb|Gigablast|Gigabot|G-i-g-a-b-o-t|Go-Ahead-Got-It|gopher|Gotit|GoZilla|Go!Zilla|Grabber|GrabNet|Grafula|GrapeFX|GrapeshotCrawler|GridBot|GT::WWW|Haansoft|HaosouSpider|Harvest|Havij|HEADMasterSEO|heritrix|Heritrix|Hloader|HMView|HTMLparser|HTTP::Lite|HTTrack|Humanlinks|HybridBot|Iblog|IDBot|IDBTE4M|Id-search|IlseBot|Image\ Fetch|Image\ Sucker|IndeedBot|Indy\ Library|InfoNaviRobot|InfoTekies|instabid|Intelliseek|InterGET|Internet\ Ninja|InternetSeer|internetVista\ monitor|ips-agent|Iria|IRLbot|isitwp.com|Iskanie|IstellaBot|JamesBOT|Jbrofuzz|JennyBot|JetCar|Jetty|JikeSpider|JOC\ Web\ Spider|Joomla|Jorgee|JustView|Jyxobot|Kenjin\ Spider|Keyword\ Density|Kinza|Kozmosbot|Lanshanbot|Larbin|LeechFTP|LeechGet|LexiBot|Lftp|LibWeb|Libwhisker|LieBaoFast|Lightspeedsystems|Likse|Linkbot|Linkdexbot|LinkextractorPro|LinkpadBot|LinkScan|LinksManager|LinkWalker|LinqiaMetadataDownloaderBot|LinqiaRSSBot|LinqiaScrapeBot|Lipperhey|Lipperhey\ Spider|Litemage_walker|Lmspider|LNSpiderguy|Ltx71|lwp-request|LWP::Simple|lwp-trivial|Magnet|Mag-Net|magpie-crawler|Mail.RU_Bot|Majestic12|Majestic-SEO|Majestic\ SEO|MarkMonitor|MarkWatch|Masscan|Mass\ Downloader|Mata\ Hari|MauiBot|Mb2345Browser|meanpathbot|Meanpathbot|MeanPath\ Bot|Mediatoolkitbot|mediawords|MegaIndex.ru|Metauri|MFC_Tear_Sample|MicroMessenger|Microsoft\ Data\ Access|Microsoft\ URL\ Control|MIDown\ tool|MIIxpc|Mister\ PiX|MJ12bot|Mojeek|Mojolicious|Morfeus\ Fucking\ Scanner|Mozlila|MQQBrowser|Mr.4x3|MSFrontPage|MSIECrawler|Msrabot|MTRobot|muhstik-scan|Musobot|Name\ Intelligence|Nameprotect|Navroad|NearSite|Needle|Nessus|NetAnts|Netcraft|netEstate\ NE\ Crawler|NetLyzer|NetMechanic|NetSpider|Nettrack|Net\ Vampire|Netvibes|NetZIP|NextGenSearchBot|Nibbler|NICErsPRO|Niki-bot|Nikto|NimbleCrawler|Nimbostratus|Ninja|Nmap|NPbot|Nuclei|Nutch|oBot|Octopus|Offline\ Explorer|Offline\ Navigator|OnCrawl|Openfind|OpenLinkProfiler|Openvas|OpenVAS|OPPO A33|OrangeBot|OrangeSpider|OutclicksBot|OutfoxBot|PageAnalyzer|Page\ Analyzer|PageGrabber|page\ scorer|PageScorer|PageThing.com|Pandalytics|Panscient|Papa\ Foto|Pavuk|pcBrowser|PECL::HTTP|PeoplePal|Petalbot|PHPCrawl|Picscout|Picsearch|PictureFinder|Piepmatz|Pimonster|Pi-Monster|Pixray|PleaseCrawl|plumanalytics|Pockey|POE-Component-Client-HTTP|polaris\ version|probe-image-size|Probethenet|ProPowerBot|ProWebWalker|Psbot|Pu_iN|Pump|PxBroker|PyCurl|QueryN\ Metasearch|Quick-Crawler|RankActive|RankActiveLinkBot|RankFlex|RankingBot|RankingBot2|Rankivabot|RankurBot|RealDownload|Reaper|RebelMouse|Recorder|RedesScrapy|ReGet|RepoMonkey|Re-re|Ripper|ripz|RocketCrawler|Rogerbot|RSSingBot|s1z.ru|SalesIntelligent|satoristudio.net|SBIder|scalaj-http|ScanAlert|Scanbot|scan.lol|ScoutJet|Scrapy|Screaming|ScreenerBot|Searchestate|SearchmetricsBot|Semrush|SemrushBot|SentiBot|SEOkicks|SEOkicks-Robot|SEOlyticsCrawler|Seomoz|SEOprofiler|seoscanners|SeoSiteCheckup|SEOstats|serpstatbot|sexsearcher|Shodan|Siphon|SISTRIX|Sitebeam|SiteCheckerBotCrawler|sitechecker.pro|SiteExplorer|Siteimprove|SiteLockSpider|siteripz|SiteSnagger|SiteSucker|Site\ Sucker|Sitevigil|SlySearch|SmartDownload|SMTBot|Snake|Snapbot|Snoopy|SocialRankIOBot|Sociscraper|sogouspider|Sogou\ web\ spider|Sosospider|Sottopop|SpaceBison|Spammen|SpankBot|Spanner|sp_auditbot|Spbot|Spinn3r|SputnikBot|spyfu|Sqlmap|Sqlworm|Sqworm|Steeler|Stripper|Sucker|Sucuri|SuperBot|SuperHTTP|Surfbot|SurveyBot|Suzuran|Swiftbot|sysscan|Szukacz|T0PHackTeam|T8Abot|tAkeOut|Teleport|TeleportPro|Telesoft|Telesphoreo|Telesphorep|The\ Intraformant|TheNomad|Thumbor|TightTwatBot|Titan|Toata|Toweyabot|Tracemyfile|Trendiction|Trendictionbot|trendiction.com|trendiction.de|True_Robot|Turingos|Turnitin|TurnitinBot|TwengaBot|Twice|Typhoeus|UnisterBot|Upflow|URLy.Warning|URLy\ Warning|Vacuum|Vagabondo|VB\ Project|VCI|VelenPublicWebCrawler|VeriCiteCrawler|VidibleScraper|Virusdie|VoidEYE|Voil|Voltron|Wallpapers/3.0|WallpapersHD|WASALive-Bot|WBSearchBot|Webalta|WebAuto|Web\ Auto|WebBandit|WebCollage|Web\ Collage|WebCopier|WEBDAV|WebEnhancer|Web\ Enhancer|WebFetch|Web\ Fetch|WebFuck|Web\ Fuck|WebGo\ IS|WebImageCollector|WebLeacher|WebmasterWorldForumBot|webmeup-crawler|WebPix|Web\ Pix|WebReaper|WebSauger|Web\ Sauger|Webshag|WebsiteExtractor|WebsiteQuester|Website\ Quester|Webster|WebStripper|WebSucker|Web\ Sucker|WebWhacker|WebZIP|WeSEE|Whack|Whacker|Whatweb|Who.is\ Bot|Widow|WinHTTrack|WiseGuys\ Robot|WISENutbot|Wonderbot|Woobot|Wotbox|Wprecon|WPScan|WWW-Collector-E|WWW-Mechanize|WWW::Mechanize|WWWOFFLE|x09Mozilla|x22Mozilla|Xaldon_WebSpider|Xaldon\ WebSpider|Xenu|xpymep1.exe|YoudaoBot|Zade|Zauba|zauba.io|Zermelo|Zeus|zgrab|Zitebot|ZmEu|ZoomBot|ZoominfoBot|ZumBot|ZyBorg

# The bad-bot match is scoped to the User-Agent field (the last quoted field
# of the combined log format): the earlier .*(?:list).*"$ form searched the
# whole line, so a short entry such as "disco" or "serf" could also fire on a
# referer URL. (?i) keeps the match case-insensitive. Comments are kept out
# of the value itself, since an indented "#" line inside a multi-line value
# is not a comment for every config parser fail2ban has used.
# The other three lines catch Shellshock probes in request headers, SQL
# injection attempts (union/select, select/concat) and open-proxy probes
# (absolute http:// URLs or CONNECT); see the log examples at the bottom.
failregex = (?i)^<HOST> -.*"(?:GET|POST|HEAD).*HTTP.*" "[^"]*(?:%(badbotscustom)s|%(badbots)s)[^"]*"$
            <HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;
            (?i)^<HOST> -.*"[^"]+(?:union[^"]+select[^"]*|select[^"]+concat[^"]*)(?:%%2[8C]|[,(])
            (?i)^<HOST> -.*"(?:(?:GET|POST|HEAD) https?:|CONNECT [a-z0-9.-]+:[0-9]+)
            
ignoreregex = 

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

# This filter is made particularly to protect your Apache server from malicious requests.
# Example log lines (open-proxy probes):
# 101.33.59.9 - - [17/Jan/2020:14:10:41 +0000] "GET http://google.com/ HTTP/1.1" 400 3494 "-" "Mozilla"
# 101.33.59.9 - - [17/Jan/2020:14:10:44 +0000] "CONNECT yahoo.com:80" 400 3499 "-" "Mozilla"
#
# A regular expression such as the one above matches these easily:
# (?i)^<HOST> -.*"(?:(?:GET|POST|HEAD) https?:|CONNECT [a-z0-9.-]+:[0-9]+)
#
# Bots scanning for Shellshock often send out requests like:
# 10.11.12.13 - - [17/Jan/2020:16:00:00 +0000] "GET /cgi-bin/printenv.cgi HTTP/1.0" 200 1 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/rm -rf /var/www/"
# A regular expression like this will match the pattern for Shellshock:
# <HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;
#
# Author: Boris Perc - HomeCraftSoft@2000 Slovenia (GitHub&SourceForge)

Add the directive below to the end of jail.local: badbots protection for Apache against bad bots:

sudo nano /etc/fail2ban/jail.local 
[badbots]
enabled   = true
filter    = badbots
port      = http,https
logpath   = %(apache_access_log)s

findtime  = 3600
maxretry  = 1
bantime   = 6h
banaction = %(banaction_allports)s
#action 	  = %(action_mwl)s
sudo service fail2ban restart
sudo service fail2ban status
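As an added worked example (my own code, not from this page or the fail2ban project), the following Python script does on a small scale what a jail does with the http-dos, apache-custom and badbots filters above: it reads a filter in fail2ban's INI dialect with %(name)s interpolation, expands <HOST>, runs the failregex and ignoreregex lines over constructed access-log lines, and applies the maxretry/findtime sliding window. Assumptions: <HOST> is simplified to one non-space token, the timestamp is not cut out of the line the way fail2ban does it, and the four-entry badagents list and the log lines are made up for the demo.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed filter in fail2ban's INI dialect. The agent list is a short
# excerpt standing in for the page's long badagents/badbots lists.
FILTER_INI = r"""
[Definition]
badagents = zgrab/[0-9]*\.[0-9a-zA-Z]*|sqlmap|MJ12bot|Python\-urllib
failregex = ^<HOST> .*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
            ^<HOST> .*"(GET|POST|HEAD) /+wp-login\.php.*$
            ^<HOST> .*"(GET|POST|HEAD) /login.*$
ignoreregex = ^<HOST> .* "GET /assets/.*
"""

# Simplification of fail2ban's <HOST> tag: one non-space token.
HOST_RE = r"(?P<host>\S+)"
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed Apache combined-format lines, in time order.
LOG = """\
203.0.113.7 - - [17/Jan/2020:14:10:41 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [17/Jan/2020:14:10:50 +0000] "GET /assets/app.js HTTP/1.1" 200 900 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [17/Jan/2020:14:11:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Jan/2020:14:12:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jan/2020:14:15:30 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jan/2020:14:40:00 +0000] "GET /login?next=/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()


def load_filter(ini_text):
    """Parse a filter.d file the way fail2ban does: an INI section with
    %(name)s interpolation and one regex per non-empty line."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(ini_text)
    sec = cp["Definition"]

    def compile_all(key):
        return [re.compile(r.replace("<HOST>", HOST_RE))
                for r in sec.get(key, "").splitlines() if r.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")


def line_time(line):
    """Seconds since the epoch from the bracketed access-log timestamp."""
    stamp = DATE_RE.search(line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").replace(
        tzinfo=timezone.utc).timestamp()


def run_jail(lines, failregex, ignoreregex, maxretry, findtime):
    """Return {ip: ban_timestamp} for IPs whose matching lines reach
    maxretry within a sliding window of findtime seconds, the way a
    fail2ban jail counts failures (ignoreregex lines are never counted)."""
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        if any(rx.search(line) for rx in ignoreregex):
            continue
        for rx in failregex:
            m = rx.search(line)
            if m is None:
                continue
            ip, now = m.group("host"), line_time(line)
            window = hits[ip]
            window.append(now)
            while now - window[0] > findtime:   # drop hits older than findtime
                window.popleft()
            if len(window) >= maxretry and ip not in banned:
                banned[ip] = now
            break                               # one failure per log line
    return banned


def simulate(maxretry, findtime):
    """Sorted list of IPs the jail would ban on LOG with these settings."""
    failregex, ignoreregex = load_filter(FILTER_INI)
    return sorted(run_jail(LOG, failregex, ignoreregex, maxretry, findtime))


if __name__ == "__main__":
    # apache-custom settings from this page: first hit bans, one-day window
    print("maxretry=1, findtime=86400:", simulate(1, 86400))
    # a more forgiving jail: three hits within ten minutes
    print("maxretry=3, findtime=600:  ", simulate(3, 600))
```

Run as a script it shows that the apache-custom settings (maxretry = 1, findtime = 86400) ban 203.0.113.9 on its very first, successful wp-login.php POST, while a three-hits-in-ten-minutes jail bans nobody in this sample, and that the ignoreregex line keeps the /assets/ request of the zgrab client from counting. The real tool for this check against your own log is fail2ban-regex, which reports which lines each regex matched.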

This filter is not meant for any commercial website: it blocks on ordinary hits that end in a 400, 401 or 403 response! Use more generous parameters, for example 24 errors for a one-hour ban.

Fail2Ban: error.conf

Filter.d error.conf blocks invalid requests, that is, addresses that keep scanning or triggering errors:

sudo nano /etc/fail2ban/filter.d/error.conf

Copy the directives below into error.conf, save, and restart Fail2Ban:

[Definition]

# The status code is the first field after the closing quote of the request
# string; anchoring on it keeps a response size of 403 bytes, or a 403 in a
# referer, from counting as a failure (the older ".* (403|400|401) .*" form
# matched either). The html/php lines are for my own error pages.
failregex = ^<HOST> .* "(GET|HEAD|POST) [^"]*" (400|401|403)\b
            ^<HOST> .* "GET [^"]*(country|error|400|401|403)\.html[^"]*"
            ^<HOST> .* "GET /error\.php[^"]*"

ignoreregex =

Add the directive below to the end of jail.local: error.conf for the Apache error pages 400/401/403 and, in my case, error.html and similar. Comment out or delete everything below the first directive (the one matching the 400/401/403 status codes), or replace those lines with your own error pages if you have made any. Without a findtime the jail uses the default of 10 minutes, so 12 errors within 10 minutes ban the client for 6 hours. This filter is not a good idea for commercial websites; it is best used on private home servers (non-business IT use).

sudo nano /etc/fail2ban/jail.local 
[error]
enabled  = true
filter   = error
port 	 = http,https
logpath  = %(apache_access_log)s
maxretry = 12
bantime  = 6h

#action    = %(action_mwl)s
#banaction = %(banaction_allports)s
sudo service fail2ban restart
sudo service fail2ban status

Protecting the WordPress login page (wordpress.conf). If your WordPress login is already blocked from direct access to wp-login.php and the login path has been changed, add your own login path as well.

Fail2Ban: wordpress.conf, protection for the WordPress CMS login

Filter.d wordpress.conf for protecting your WordPress CMS (login):

sudo nano /etc/fail2ban/filter.d/wordpress.conf

Copy the directives below into wordpress.conf, save, and restart Fail2Ban. Note that every POST to wp-login.php and xmlrpc.php counts, successful logins included: with maxretry = 6 and the default findtime of 10 minutes, someone who logs in six times from one address within ten minutes is banned for 48 hours, and plugins or apps that talk to xmlrpc.php (Jetpack, the mobile apps) count too:

[Definition]
failregex = ^<HOST> .* "POST .*wp-login\.php
            ^<HOST> .* "POST .*xmlrpc\.php
# if you moved the login page, add its path, for example:
#            ^<HOST> .* "POST .*/prijava/
ignoreregex =
sudo service fail2ban restart
sudo service fail2ban status

Add the directive below to the end of jail.local to enable the WordPress login protection:

sudo nano /etc/fail2ban/jail.local 
[wordpress]
enabled  = true
filter   = wordpress
port 	 = http,https
logpath  = %(apache_access_log)s
maxretry = 6
bantime  = 48h

#action 	 = %(action_mwl)s
#banaction = %(banaction_allports)s
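As an added example (my own code, not part of the page or of WordPress), here is a check of the wordpress.conf patterns against constructed access-log lines, next to a stricter variant that counts a wp-login.php POST only when WordPress answered 200, which is what it does when it re-renders the form after a failed login; a successful login is answered with a 302 redirect. <HOST> is simplified to an IPv4 address and the log lines are made up.

```python
import re

# Simplification of fail2ban's <HOST> tag: a dotted IPv4 address.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The page's wordpress.conf patterns (dots escaped).
PAGE_FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login\.php',
    r'^<HOST> .* "POST .*xmlrpc\.php',
]

# Stricter variant: a wp-login.php POST counts only when WordPress answered
# 200 (form re-rendered, i.e. wrong credentials); a successful login is a
# 302 redirect to wp-admin and is left alone. xmlrpc.php answers 200 even
# to failed calls, so it is counted as before.
STRICT_FAILREGEX = [
    r'^<HOST> - - \[[^\]]+\] "POST /+wp-login\.php(?:\?\S*)? HTTP/[\d.]+" 200 ',
    r'^<HOST> - - \[[^\]]+\] "POST /+xmlrpc\.php(?:\?\S*)? HTTP/[\d.]+" 200 ',
]

# Constructed Apache combined-format lines: two failed logins and one
# XML-RPC call from 203.0.113.5, one form view and one successful login
# from 198.51.100.8.
LOG = [
    '203.0.113.5 - - [17/Jan/2020:14:10:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3584 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2020:14:10:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3584 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [17/Jan/2020:14:11:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [17/Jan/2020:14:11:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2020:14:12:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 460 "-" "Mozilla/5.0"',
]


def count_hits(failregex, lines):
    """Failures per client IP, counting at most one match per line, as a
    jail would before comparing the count with maxretry."""
    compiled = [re.compile(p.replace("<HOST>", HOST_RE)) for p in failregex]
    hits = {}
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                ip = m.group("host")
                hits[ip] = hits.get(ip, 0) + 1
                break
    return hits


if __name__ == "__main__":
    print("page filter:  ", count_hits(PAGE_FAILREGEX, LOG))
    print("strict filter:", count_hits(STRICT_FAILREGEX, LOG))
```

With the page's patterns the legitimate user 198.51.100.8 already has one failure on the books after a single successful login; with the status-aware variant only the attacker's three requests count. Either way, confirm the status codes your own WordPress produces in the access log before relying on this, and run fail2ban-regex with the real log and filter file.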

Apache 2.x mod_evasive: if you have installed the mod_evasive module for Apache, you can turn its temporary 403 blocks into a longer firewall ban with the filter below.

Fail2Ban: Apache mod_evasive filter to extend the ban for DoS attacks on the server

Filter.d apache-dosevasive.conf: extends the block by dropping the address on all ports:

sudo nano /etc/fail2ban/filter.d/apache-dosevasive.conf

Copy the directives below into apache-dosevasive.conf, save, and restart Fail2Ban:

# Fail2Ban configuration file

[INCLUDES]
before = apache-common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the "client denied by server configuration" entries
#          in the Apache error log, which mod_evasive produces for each
#          request it refuses (but so does any ordinary Require denial).
#          _apache_error_client (from apache-common.conf) matches the Apache
#          2.2 and 2.4 prefix, including the :port Apache 2.4 appends to the
#          client address; the original "^\^\*\]" prefix could never match.
# Values:  TEXT
#

failregex = ^%(_apache_error_client)s (?:AH\d+: )?client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Add the directive below to the end of jail.local to enable the extended block (mass scanning of your system, DoS attack). mod_evasive itself only answers 403 for its blocking period; after 10 such refusals the address is dropped on every port for 24 hours:

sudo nano /etc/fail2ban/jail.local 
[apache-dosevasive]
enabled  = true
filter   = apache-dosevasive
port 	 = http,https
logpath  = %(apache_error_log)s
maxretry = 10
bantime  = 24h
banaction = %(banaction_allports)s
sudo service fail2ban restart
sudo service fail2ban status
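As an added example (my own code, not from the page or from fail2ban), the script below dry-runs the two error-log filters on this page, apache-myadmin and apache-dosevasive, against constructed Apache 2.2 and 2.4 error-log lines. ERR_PREFIX is my simplified stand-in for fail2ban's _apache_error_client, applied to the raw line (fail2ban cuts the timestamp out first); the module tags and AH codes in the sample lines are illustrative, the phpMyAdmin path list is shortened, and <HOST> is reduced to an IPv4 address.

```python
import re

# Simplification of fail2ban's <HOST> tag: a dotted IPv4 address.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Simplified stand-in for _apache_error_client from fail2ban's
# apache-common.conf, applied to the raw line. It accepts the Apache 2.2
# "[error] [client IP]" prefix and the 2.4
# "[module:error] [pid N:tid N] [client IP:PORT]" prefix.
ERR_PREFIX = (r"^\[[^\]]*\] \[(?:[^\]]*:)?error\] "
              r"(?:\[pid \d+(?::tid \d+)?\] )?\[client <HOST>(?::\d{1,5})?\]")

FILTERS = {
    # apache-myadmin: 404s for phpMyAdmin-like paths (prefix list shortened)
    "apache-myadmin": ERR_PREFIX + r" (?:AH\d+: )?File does not exist: "
                      r"/\S*(?:phpmyadmin|phpMyAdmin|pma|myadmin|mysql|sql|dbadmin|admin)",
    # apache-dosevasive: 403s from mod_evasive, and from plain Require denials
    "apache-dosevasive": ERR_PREFIX + r" (?:AH\d+: )?client denied by server configuration:\s",
    # the Apache 2.2-era form: no :port after the client address
    "old-style-denied": r"\[client <HOST>\] client denied by server configuration",
}

# Constructed error-log lines; module tags and AH codes are illustrative.
LOG = [
    '[Fri Jan 17 14:10:41.123456 2020] [core:error] [pid 1234:tid 5678] [client 203.0.113.7:56002] AH00128: File does not exist: /var/www/html/phpmyadmin',
    '[Fri Jan 17 14:10:42.123456 2020] [core:error] [pid 1234:tid 5678] [client 198.51.100.4:40001] AH00128: File does not exist: /var/www/html/images/adminbanner.png',
    '[Fri Jan 17 14:10:43.123456 2020] [evasive20:error] [pid 1234:tid 5678] [client 203.0.113.9:55010] client denied by server configuration: /index.html',
    '[Fri Jan 17 14:10:44.123456 2020] [authz_core:error] [pid 1234:tid 5678] [client 203.0.113.9:55011] AH01630: client denied by server configuration: /var/www/html/private/',
    '[Fri Jan 17 14:10:45 2020] [error] [client 203.0.113.11] client denied by server configuration: /',
]


def matching_hosts(name, lines=LOG):
    """Client addresses the named filter reports, one per matching line."""
    rx = re.compile(FILTERS[name].replace("<HOST>", HOST_RE))
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:18} -> {matching_hosts(name)}")
```

It shows three things: the 2.4 prefix with :port is matched while the 2.2-era "[client IP]" form misses every 2.4 line; the phpMyAdmin path list also fires on an innocent 404 for /images/adminbanner.png from 198.51.100.4; and the mod_evasive filter fires on an ordinary Require denial (AH01630) just as well. Before enabling either jail, run fail2ban-regex with your real error log and the filter file to get the same kind of match list for your own traffic.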

Maltrail: protecting the system against known attackers

Additional protection for your server via MALTRAIL. Get and install the application from GitHub: https://github.com/stamparm/maltrail

Let's protect the server against known attackers and the various scanners probing your network. Once the program is installed, configure it so that your firewall immediately blocks all known attackers and the networks on the blacklists ("bad networks").

Change all the parameters below to your own server and router (switch) addresses. These are my personal settings from one of my servers: replace my server IP 192.168.0.111 with your server's IP and my sensor host name piramidestudio with your own. In my example the router is the usual 192.168.0.1 and the server is 192.168.0.111.

Fail2Ban: maltrail.conf, protecting your server against known attacker networks

Filter.d maltrail.conf for protecting your server against known attackers (the jail below refers to the filter as maltrail, so the file must be named maltrail.conf):

sudo nano /etc/fail2ban/filter.d/maltrail.conf

Copy the directives below into maltrail.conf, save, and restart Fail2Ban once you have enabled the filter in jail.local:

# /etc/fail2ban/filter.d/maltrail.conf
#
# Fail2Ban filter for Maltrail sensor logs
#
# A Maltrail log line carries the sensor name, source IP, source port,
# destination IP, destination port and then the event description. The regex
# anchors on the sensor name (piramidestudio) and the server IP
# (192.168.0.111): replace both with your own values. The keyword list is
# broad (file, access, config, probe ...), so expect to tune it.

[Definition]

failregex = ^.*piramidestudio <HOST> \S+ 192\.168\.0\.111 .*(?:known|attacker|mass|scanner|reputation|malware|andromeda|sinkhole|conficker|potential|remote|code|execution|directory|traversal|probe|config|file|access|systembc|xss|injection).*

ignoreregex =

Now enable the new filter in jail.local:

sudo nano /etc/fail2ban/jail.local

Copy the directives below to the end of the file. Bans from this jail apply to all ports (banaction_allports), so no port setting is needed:

[maltrail]
enabled   = true
filter    = maltrail
logpath   = /var/log/maltrail/*-*-*.log
maxretry  = 1
# -1 = permanent ban; the matched address is dropped on every port
bantime   = -1
banaction = %(banaction_allports)s
#action   = %(action_mwl)s

Second, enable the filters for your FTP accounts if you run an FTP server. Go through the whole jail.local and turn on only the filters for applications that are actually installed on your server. Do not enable pointless jails: if you have no FTP daemon, no Webmin (port 10000) and so on, leave that filter disabled.

enabled = true
filter = filter-name

For further server protection see the documentation on our pages for direct downloads and file exchange, PCS - NET Portorož - HCS@2000 Perc Scripts 1999 Slovenia. All the information is available as PDF or DOC!


Additional protection for the DDL Enigma web application (direct downloads, sFTP over WWW):

Fail2Ban can protect every application on your server: webmail, FTP accounts and so on. In short, all web applications can be protected very well with Fail2Ban together with UFW. Below is an example for the DDL Enigma program; when installing it, do not forget to change the table prefix ddl_ to something of your own, for example mojetabele_.

Now that the application is installed on your server, create a new Fail2Ban filter called ddlenigma.conf. If you installed the direct-download application in its own directory, say /home/www/prenosi/ served as /prenosi/, put that path into the failregex as "POST .*/prenosi/ ; for another directory such as /htdocs/ddlenigma/ use "POST .*/ddlenigma/ . If DDL Enigma is the only web application and lives at the document root (/htdocs/index.php), leave out the first directive (^<HOST> .* "POST .*/pot-mapa-prenosi/) and the path-specific lines that follow loginpage.php, and keep only the generic index.php, login.php, process.php and loginpage.php lines. Copy the directives below into filter.d/ddlenigma.conf:

[Definition]
failregex = ^<HOST> .* "POST .*/pot-mapa-prenosi/*
            ^<HOST> .* "POST .*/index.php?login 
            ^<HOST> .* "POST .*index.php
            ^<HOST> .* "POST .*login.php
            ^<HOST> .* "POST .*process.php
            ^<HOST> .* "POST .*loginpage.php

            <HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "POST /pot-mapa-prenosi/* HTTP/1.1" 200
            <HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "POST /pot-mapa-prenosi/index.php?login HTTP/1.1" 200
            ^<HOST> .* "POST /pot-mapa-prenosi/index.php?login

ignoreregex =   

# This action would go in action.d, but it is not needed; it depends on your
# server configuration and protection - there are plenty of ways to do it...
#actionstart =
#actionstop =
#actioncheck =
#actionban = ufw insert 1 deny from <ip> to any
#actionunban = ufw delete deny from <ip> to any

Now we have saved our filter protecting downloads and file sharing (FTP accounts and web uploads of up to 2048 megabytes per file via PHP data transport to FTP). Direct FTP access, on the other hand, has no per-file limit at all for any account, so 1 TB and more per file is possible. Read the instructions for using and configuring the PHP scripts and for connecting them to your FTP accounts carefully. Integrating Direct File Downloads with the Fail2Ban jail.local filters, activation of ddlenigma:

sudo nano /etc/fail2ban/jail.local

At the end of the jail.local file, copy the directives below to activate the program and its filters in Fail2Ban:

[ddlenigma]
enabled	= true
filter = ddlenigma
port = http,https
logpath = %(apache_access_log)s
maxretry = 6
bantime = -1
banaction = %(banaction_allports)s
action = iptables-multiport[name=ddlenigma, port="http,https"]
#findtime = 12

## Apache - useful terminal commands:
sudo apache2ctl configtest
sudo apache2ctl -t
sudo apache2ctl graceful
sudo service apache2 reload
sudo service apache2 restart

Additional filter.d directives for Fail2Ban for errors, i.e. IPs that receive the 403 page – example from my own configuration – NOT REQUIRED:

Create a new filter for attacks and unauthorized requests on your server – it blocks every IP that, in this example, receives the page error.html or napaka.html, i.e. the 403 page – UNAUTHORIZED ACCESS

sudo nano /etc/fail2ban/filter.d/napaka.conf

Add the directives below, or your own 401 – 402 – 403 – 404 – 500 pages, to the Fail2Ban filter.d file napaka.conf:

[Definition]

failregex = ^<HOST> .* "GET .*error.html
            ^<HOST> .* "GET .*napaka.html
            ^<HOST> .* "GET .* HTTP/1.1" 403
            <HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "GET /* HTTP/1.1" 403
            <HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "GET /error.html HTTP/1.1" 200
            <HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "GET /napaka.html HTTP/1.1" 200
            ^<HOST> -.* "GET /error.html .*


ignoreregex =  

Now enable your error filter in jail.local – fail2ban:

sudo nano /etc/fail2ban/jail.local

Add the napaka filter below at the end; it will block every IP that receives the UNAUTHORIZED 403 page 24 times – BAN FOR TWO DAYS:

[napaka]
enabled	= true
filter = napaka
port = http,https
logpath	= %(apache_access_log)s
maxretry = 24
bantime = 48h
action = iptables-multiport[name=napaka, port="http,https"]
banaction = %(banaction_allports)s
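Before enabling a jail it is worth checking what its failregex actually matches. This added example (not part of the original post and not Fail2Ban's own code) runs the napaka.conf patterns from above over constructed Apache access-log lines, using a simplified IPv4-only stand-in for Fail2Ban's `<HOST>` expansion, and applies the jail's maxretry threshold; the same approach works for the ddlenigma filter.

```python
import re
from collections import Counter

# Fail2Ban replaces <HOST> with its own host-matching group. This is a
# simplified IPv4-only stand-in (an assumption for this example, not the
# real Fail2Ban implementation, which also handles IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex lines from the page's napaka.conf, one pattern per entry.
NAPAKA_FAILREGEX = [
    r'^<HOST> .* "GET .*error.html',
    r'^<HOST> .* "GET .*napaka.html',
    r'^<HOST> .* "GET .* HTTP/1.1" 403',
]


def compile_failregex(patterns):
    """Expand <HOST> in each failregex line and compile it."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def matching_hosts(log_lines, compiled):
    """Return a Counter of host -> number of log lines hitting any failregex."""
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one log line counts once, even if several patterns match
    return hits


def hosts_to_ban(log_lines, patterns, maxretry):
    """Hosts that reached the jail's maxretry (findtime is ignored here:
    every line is treated as falling inside the window)."""
    hits = matching_hosts(log_lines, compile_failregex(patterns))
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed Apache combined-log lines (sample data, not from a real server).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.88"',
    '203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /error.html HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /napaka.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(matching_hosts(SAMPLE_LOG, compile_failregex(NAPAKA_FAILREGEX)))
    print(hosts_to_ban(SAMPLE_LOG, NAPAKA_FAILREGEX, maxretry=3))
```

On a real host, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/napaka.conf` tests the actual filter file against the actual log, including Fail2Ban's own `<HOST>` handling.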

Now protect the key folders and applications via an .htaccess file: copy the directives below into every folder whose access you want to restrict and save them under the file name .htaccess!!!

sudo nano /var/www/app/mapa/.htaccess
#AuthUserFile /dev/null
#AuthGroupFile /dev/null
#AuthName "PCSNET Admin Access Control"
#AuthType Basic

<LIMIT GET HEAD POST>
order deny,allow
deny from all
# whitelist PiramideStudioNET address
allow from 192.168.0.1
allow from 192.168.0.100
allow from 192.168.0.111
allow from 192.168.0.101
allow from 192.168.0.123
allow from 192.168.0.200
allow from 192.168.0.222
allow from 93.103.113.142
allow from 89.212.137.96
deny from all
</Limit>
ErrorDocument 403 https://oglasi.hopto.org/403.html
ErrorDocument 400 https://oglasi.hopto.org/400.html
ErrorDocument 401 https://oglasi.hopto.org/401.html
ErrorDocument 402 https://oglasi.hopto.org/402.html
ErrorDocument 404 https://oglasi.hopto.org/404.html
ErrorDocument 500 https://oglasi.hopto.org/500.html


<Files .htaccess>
Order allow,deny
Deny from all
</Files>

# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Options All -Indexes

AddLanguage sl .sl

If you add the directives above to your .htaccess, nobody outside your network can scan your network or access this folder; anyone who tries is sent to the error.html page, i.e. 403 !!!
