===== Fail2ban and Firewalld =====
The initial goal is to ban brute-force login attempts against WordPress.
Unfortunately, installing the fail2ban and fail2ban-firewalld packages does not work out of the box; some adaptations are needed.
==== install ====
yum install fail2ban fail2ban-firewalld
fail2ban-0.11.2-1.el8.noarch
fail2ban-firewalld-0.11.2-1.el8.noarch
==== configuration ====
The default rules had to be adapted, notably the firewalld actions.
[root@wmu fail2ban]# cat /etc/fail2ban/jail.d/00-firewalld.conf
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]
This goes together with /etc/fail2ban/action.d/firewallcmd-rich-rules.conf, which is left unchanged.
==== wordpress jail ====
All the commented-out lines represent the various attempts and failures with the default values suggested on several sites...
[root@wmu ~]# cat /etc/fail2ban/jail.d/wordpress.conf
# https://www.dogsbody.com/blog/how-to-set-up-fail2ban-for-a-wordpress-site/
[wordpress]
enabled = true
#banaction = iptables-multiport
#banaction = firewallcmd-new
#banaction = firewallcmd-ipset
#banaction = firewallcmd-rich-rules
port = http,https
filter = wordpress
#action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
#action = %(action_mwl)s
logpath = /var/log/httpd/ssl_access_log
maxretry = 3
findtime = 120
bantime = 120
Associated filter
[root@wmu ~]# cat /etc/fail2ban/filter.d/wordpress.conf
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =
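The following is an added example, not part of the wiki page and not fail2ban's own code: it replays the wordpress jail's failregex and the maxretry / findtime / bantime values above over constructed ssl_access_log lines, so you can see which requests count as failures and when a Ban and the later Unban would be logged. The function and variable names are mine; the log lines, addresses and times are constructed for the example, and the <HOST> placeholder is reduced to dotted IPv4 (fail2ban's own <HOST> also matches IPv6 addresses and hostnames).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail parameters from /etc/fail2ban/jail.d/wordpress.conf
MAXRETRY = 3
FINDTIME = 120   # seconds
BANTIME = 120    # seconds

# failregex lines from /etc/fail2ban/filter.d/wordpress.conf; <HOST> is
# fail2ban's placeholder for the source address
FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login.php',
    r'^<HOST> .* "POST .*xmlrpc.php',
]


def compile_failregex(pattern):
    """Turn a fail2ban failregex into a Python regex.  <HOST> becomes a named
    group; only dotted IPv4 is handled here (assumption of this example)."""
    host = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
    return re.compile(pattern.replace('<HOST>', host))


COMPILED = [compile_failregex(p) for p in FAILREGEX]

# Apache access-log timestamp, e.g. [26/Jun/2022:20:31:12 +0200]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def parse_line(line):
    """Return (epoch_seconds, host) when the line matches a failregex,
    otherwise None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            ts = TS_RE.search(line).group(1)
            when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z').timestamp()
            return when, m.group('host')
    return None


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the jail over log lines and return (epoch, event, ip) tuples,
    event being 'Found', 'Ban' or 'Unban', in the order fail2ban would log
    them.  Time is driven by the log timestamps, so an Unban is only emitted
    once a later line shows that the ban has expired."""
    events = []
    recent = defaultdict(deque)   # ip -> failure timestamps inside findtime
    banned_until = {}             # ip -> epoch at which the ban expires
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # e.g. a GET of wp-login.php is not a failure
        now, ip = parsed
        for b_ip, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
            if until <= now:
                events.append((until, 'Unban', b_ip))
                del banned_until[b_ip]
        events.append((now, 'Found', ip))
        if ip in banned_until:
            continue              # already banned: counted, not banned again
        window = recent[ip]
        window.append(now)
        while now - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            events.append((now, 'Ban', ip))
            banned_until[ip] = now + bantime
            window.clear()
    return events


# Constructed ssl_access_log lines (Apache combined format); addresses and
# times are made up for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2022:20:31:10 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Jun/2022:20:31:11 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Jun/2022:20:31:12 +0200] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Jun/2022:20:31:13 +0200] "POST /xmlrpc.php HTTP/1.1" 200 321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Jun/2022:20:31:14 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Jun/2022:20:33:20 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

# Same client, but the three POSTs are 150 s apart: never maxretry inside findtime
SLOW_LOG = [
    '192.0.2.9 - - [26/Jun/2022:20:40:00 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Jun/2022:20:42:30 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Jun/2022:20:45:00 +0200] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for when, event, ip in simulate(SAMPLE_LOG + SLOW_LOG):
        stamp = datetime.fromtimestamp(when).strftime('%Y-%m-%d %H:%M:%S')
        print(f'{stamp} [wordpress] {event} {ip}')
```

Run with python3 and it prints a Found / Ban / Unban timeline in the style of the fail2ban log shown further down. Two things the replay makes visible: an access-log line does not say whether the POST succeeded, so a legitimate user who logs in three times inside findtime trips the jail exactly like a scanner (ignoreip in jail.local exists for known-good addresses), and a client that stays below maxretry per findtime is never banned. To check the filter against the real log, use fail2ban-regex /var/log/httpd/ssl_access_log /etc/fail2ban/filter.d/wordpress.conf.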
==== port separator ====
A misinterpretation of multiports also has to be corrected: the separator must be "-" instead of ":", cf. reference [2]
1) in jail.local
[root@wmu fail2ban]# vim /etc/fail2ban/jail.local
# Ports to be banned
# Usually should be overridden in a particular jail
##port = 0:65535
#https://bugzilla.redhat.com/show_bug.cgi?id=1823746 JP
port = 0-65535
2) but also in firewallcmd-common.conf
[root@wmu fail2ban]# vim /etc/fail2ban/action.d/firewallcmd-common.conf
# JP comment : to -
#port = 1:65535
port = 1-65535
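An added example for the port-separator issue, written for this page and not taken from fail2ban or the page: it normalizes a fail2ban port value the way the two corrected files above do by hand (and the patched action does with sed s/:/-/g), refuses values that are not valid port items, and builds the rich-rule strings that firewallcmd-rich-rules hands to firewall-cmd. It only produces the strings and never calls firewall-cmd; the function names are mine and the banned address is constructed.

```python
import re

# Values from the page's fail2ban-client -d dump for the ipv4 case
FAMILY = 'ipv4'
PROTOCOL = 'tcp'
REJECTTYPE = 'icmp-port-unreachable'


def normalize_ports(port_spec):
    """Split a fail2ban port setting ("http,https", "0:65535", "80, 443")
    into the items a firewalld rich rule accepts.  iptables-style ranges are
    written first:last, firewalld rich rules want first-last, so ':' is
    rewritten to '-'.  Anything else is refused rather than passed on."""
    items = []
    for raw in port_spec.replace(',', ' ').split():
        item = raw.replace(':', '-')
        if re.fullmatch(r'[a-z][a-z0-9-]*', item):      # named service, e.g. https
            items.append(item)
            continue
        if not re.fullmatch(r'\d{1,5}(-\d{1,5})?', item):
            raise ValueError(f'unsupported port item: {raw!r}')
        bounds = [int(b) for b in item.split('-')]
        if max(bounds) > 65535 or bounds != sorted(bounds):
            raise ValueError(f'port out of range: {raw!r}')
        items.append(item)
    return items


def rich_rules(ip, port_spec, family=FAMILY, protocol=PROTOCOL,
               rejecttype=REJECTTYPE):
    """One rich rule per port item, in the form the actionban loop of
    firewallcmd-rich-rules.conf builds (one rule per entry of the port list,
    exactly like the rules listed by firewall-cmd --list-rich-rules)."""
    return [
        f"rule family='{family}' source address='{ip}' port port='{p}' "
        f"protocol='{protocol}' reject type='{rejecttype}'"
        for p in normalize_ports(port_spec)
    ]


def ban_commands(ip, port_spec, remove=False):
    """The firewall-cmd argument lists actionban (or actionunban with
    remove=True) would execute; returned, not run."""
    flag = '--remove-rich-rule=' if remove else '--add-rich-rule='
    return [['firewall-cmd', flag + rule] for rule in rich_rules(ip, port_spec)]


if __name__ == '__main__':
    # Constructed address; 'http,https' is the wordpress jail's port value
    for cmd in ban_commands('203.0.113.5', 'http,https'):
        print(' '.join(cmd))
    print(normalize_ports('0:65535'))   # the jail.local value, rewritten
```

The uncorrected jail.local value 0:65535 comes out as 0-65535, which is the form firewalld's rich-rule parser understands; the page's symptom (the ban action failing) is what happens when the ':' form reaches firewall-cmd unchanged.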
==== operational result ====
When it works, the fail2ban log should show the "match" of our rule, followed by a Ban once maxretry is reached:
[root@wmu fail2ban]# tail -f /var/log/fail2ban.log
2022-06-26 20:30:46,881 fail2ban.actions [503794]: NOTICE [wordpress] Ban 139.59.109.241
2022-06-26 20:31:12,698 fail2ban.filter [503794]: INFO [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:12
2022-06-26 20:31:13,300 fail2ban.filter [503794]: INFO [wordpress] Found 34.68.4.41 - 2022-06-26 20:31:13
2022-06-26 20:31:13,451 fail2ban.actions [503794]: NOTICE [wordpress] Ban 34.68.4.41
2022-06-26 20:31:31,007 fail2ban.actions [503794]: NOTICE [wordpress] Unban 188.164.193.182
2022-06-26 20:31:33,333 fail2ban.filter [503794]: INFO [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:32
2022-06-26 20:31:33,338 fail2ban.actions [503794]: NOTICE [wordpress] Unban 206.81.3.84
2022-06-26 20:31:34,138 fail2ban.filter [503794]: INFO [wordpress] Found 159.89.132.193 - 2022-06-26 20:31:33
2022-06-26 20:31:34,294 fail2ban.actions [503794]: NOTICE [wordpress] Ban 159.89.132.193
and this results in a corresponding rule in the firewall
[root@wmut2 fail2ban]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="188.164.193.182" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="174.138.27.203" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="85.25.211.247" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="157.159.0.0/17" service name="ssh" log prefix="ssh157/17" accept
rule family="ipv4" source address="139.59.109.241" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="34.68.4.41" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="206.81.3.84" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="157.159.10.0/24" service name="snmp" log prefix="snmp10" accept
also visible in the native netfilter/nftables rules
chain filter_IN_public_deny {
ip saddr 143.244.147.196 tcp dport 443 ct state { new, untracked } reject
ip saddr 148.72.244.104 tcp dport 443 ct state { new, untracked } reject
ip saddr 123.25.115.29 tcp dport 443 ct state { new, untracked } reject
because it is indeed nft that runs in the end, cf.:
[root@wmu fail2ban]# grep -i 'FirewallBackend' /etc/firewalld/firewalld.conf
# FirewallBackend
FirewallBackend=nftables
status of the wordpress jail
[root@wmu ~]# fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
| |- Currently failed: 3
| |- Total failed: 1244
| `- File list: /var/log/httpd/ssl_access_log
`- Actions
|- Currently banned: 7
|- Total banned: 410
`- Banned IP list: 37.15.142.43 137.184.237.153 69.36.169.138 147.182.230.210 62.171.169.89 207.46.234.202 188.68.47.175
===== errors, failures =====
After the first two fixes, switching to an action of type **firewallcmd-rich-rules** and replacing ":" with "-" for the multiport,
adding the rule still fails
[root@wmu ~]# fail2ban-client -d | grep 'wordpres'
['add', 'wordpress', 'auto']
['set', 'wordpress', 'usedns', 'warn']
['multi-set', 'wordpress', 'addfailregex', ['^<HOST> .* "POST .*wp-login.php', '^<HOST> .* "POST .*xmlrpc.php']]
['set', 'wordpress', 'maxretry', 12]
['set', 'wordpress', 'maxmatches', 12]
['set', 'wordpress', 'findtime', '120']
['set', 'wordpress', 'bantime', '120']
['set', 'wordpress', 'ignorecommand', '']
['set', 'wordpress', 'logencoding', 'auto']
['set', 'wordpress', 'addlogpath', '/var/log/httpd/ssl_access_log', 'head']
['set', 'wordpress', 'addaction', 'firewallcmd-rich-rules']
['multi-set', 'wordpress', 'action', 'firewallcmd-rich-rules', [['actionstart', ''], ['actionstop', ''], ['actioncheck', ''], ['actionban', 'ports="$(echo \'1-65535\' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family=\'<family>\' source address=\'<ip>\' port port=\'$p\' protocol=\'tcp\' reject type=\'<rejecttype>\'"; done'], ['actionunban', 'ports="$(echo \'1-65535\' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family=\'<family>\' source address=\'<ip>\' port port=\'$p\' protocol=\'tcp\' reject type=\'<rejecttype>\'"; done'], ['name', 'wordpress'], ['actname', 'firewallcmd-rich-rules'], ['port', '1-65535'], ['protocol', 'tcp'], ['family', 'ipv4'], ['chain', 'INPUT_direct'], ['zone', 'public'], ['service', 'ssh'], ['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT --reject-with <rejecttype>'], ['rich-blocktype', "reject type='<rejecttype>'"], ['family?family=inet6', 'ipv6'], ['rejecttype?family=inet6', 'icmp6-port-unreachable']]]
['start', 'wordpress']
2022-06-26 19:44:24,776 fail2ban.actions [501990]: NOTICE [wordpress] Ban 165.232.177.194
2022-06-26 19:44:24,847 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- exec: nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
nft add set inet f2b-table addr-set-wordpress \{ type ipv4_addr\; \}
nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp \} ip saddr @addr-set-wordpress reject
2022-06-26 19:44:24,848 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- stderr: 'Error: Could not process rule: Numerical result out of range'
2022-06-26 19:44:24,848 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- stderr: 'add set inet f2b-table addr-set-wordpress { type ipv4_addr; }'
2022-06-26 19:44:24,848 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- stderr: '^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
2022-06-26 19:44:24,848 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- stderr: 'Error: No such file or directory'
2022-06-26 19:44:24,848 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- stderr: 'add rule inet f2b-table f2b-chain meta l4proto { tcp } ip saddr @addr-set-wordpress reject'
2022-06-26 19:44:24,848 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- stderr: ' ^^^^^^^^^^^^^^^^^^^'
2022-06-26 19:44:24,848 fail2ban.utils [501990]: ERROR 7ff7ae172030 -- returned 1
2022-06-26 19:44:24,848 fail2ban.actions [501990]: ERROR Failed to execute ban jail 'wordpress' action 'nftables-allports' info 'ActionInfo({'ip': '165.232.177.194', 'family': 'inet4', 'fid': at 0x7ff7aca6fe18>, 'raw-ticket': at 0x7ff7aca70510>})': Error starting action Jail('wordpress')/nftables-allports: 'Script error'
2022-06-26 19:44:33,372 fail2ban.filter [501990]: WARNING [wordpress] Simulate NOW in operation since found time has too large deviation 1656265398 ~ 1656265473.3721204 +/- 60
===== references =====
- https://github.com/fail2ban/fail2ban/issues/3047
- https://serverfault.com/questions/1057765/is-fail2ban-working-without-firewalld
- https://stackoverflow.com/questions/70523740/fail2ban-with-epel-package-fail2ban-firewalld-on-linux-redhat-8-ip-is-in-jail-b
- https://bugzilla.redhat.com/show_bug.cgi?id=1823746
- https://serverfault.com/questions/852755/fail2ban-doesnt-add-ips-to-ipset-firewalld
- https://github.com/fail2ban/fail2ban/issues/1474
- https://github.com/fail2ban/fail2ban/pull/2620
- https://serverfault.com/questions/620091/fail2ban-is-not-adding-iptables-rules
- https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall
- https://blog.rimuhosting.com/2016/11/02/using-fail2ban-on-wordpress-wp-login-php-and-xmlrpc-php/
- https://www.dogsbody.com/blog/how-to-set-up-fail2ban-for-a-wordpress-site/
- https://wpbeaches.com/block-wp-login-php-and-xmlrpc-php-via-fail2ban-on-runcloud/
- https://osric.com/chris/accidental-developer/2019/07/block-wordpress-scanners-fail2ban/
- https://osric.com/chris/accidental-developer/2017/09/using-blocklist-de-with-fail2ban/