Update fail2ban files

2025-12-05 17:18:13 +01:00 · 2025-03-28 22:47:39 +01:00
parent cadc4d4acb
commit dc1ad0eaa8
10 changed files with 89 additions and 18 deletions
--- a/dev/setup/fail2ban/filter.d/web-accesslog-limit403.conf
+++ b/dev/setup/fail2ban/filter.d/web-accesslog-limit403.conf
@@ -3,7 +3,6 @@
 # Regexp to detect forbidden access on pages (public or not) so we can add mitigation on IP making too much
 # access to your a Dolibarr instance.

-
 [Definition]

 # To test, you can inject this example into log
--- a/dev/setup/fail2ban/filter.d/web-accesslog-limit404.conf
+++ b/dev/setup/fail2ban/filter.d/web-accesslog-limit404.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+# Regexp to detect not found access on pages (public or not) so we can add mitigation on IP making too much
+# access to a Dolibarr instance.
+
+[Definition]
+
+# To test, you can inject this example into log
+# echo 'myvirtualhost.com:443 1.2.3.4 - - [15/Dec/2022:09:57:47 +0000] "GET /attemptedpage HTTP/1.1" 404 123 "-" "Mozilla"' >> /var/log/apache2/other_vhosts_access.log
+# echo '1.2.3.4 - - [18/Jul/2024:00:17:15 +0000] "GET /attemptedpage HTTP/1.1" 404 4142 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"' >> /var/log/apache2/access_ssl.log
+# WARNING: Set the date in log that is current date
+#
+# then
+# fail2ban-client status web-accesslog-limit404
+#
+# To test rule file on a existing log file
+# fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/web-accesslog-limit404.conf
+
+failregex = <HOST> - - .*HTTP/[0-9]+(.[0-9]+)?" 404
+ignoreregex =
--- a/dev/setup/fail2ban/filter.d/web-dolibarr-limitpublic.conf
+++ b/dev/setup/fail2ban/filter.d/web-dolibarr-limitpublic.conf
@@ -3,7 +3,6 @@
 # Regexp to detect access on public pages so we can add mitigation on IP making too much
 # access to your a Dolibarr instance.

-
 [Definition]

 # To test, you can inject this example into log
--- a/dev/setup/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf
+++ b/dev/setup/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf
@@ -3,7 +3,6 @@
 # Regexp to detect access on passwordforgotten.php page so we can add mitigation on IP making too much
 # access to this Dolibarr page.

-
 [Definition]

 # To test, you can inject this example into log
@@ -13,7 +12,7 @@
 # fail2ban-client status web-dolibarr-rulespassforgotten
 #
 # To test rule file on a existing log file
-# fail2ban-regex /mypath/documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf --print-all-matched
+# fail2ban-regex /mypath/documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-passf.conf --print-all-matched

 failregex = ^ [A-Z\s]+ <HOST>\s+--- Access to .*/passwordforgotten.php - action=buildnewpassword
 ignoreregex =
--- a/dev/setup/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf
+++ b/dev/setup/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf
@@ -3,14 +3,13 @@
 # Regexp to detect try to check a couple login/password so we can add mitigation
 # on IP making too much tries.

-
 [Definition]

 # To test, you can inject this example into log
 # echo `date +'%Y-%m-%d %H:%M:%S'`" INFO    1.2.3.4         functions_dolibarr::check_user_password_abcd Authentication KO" >> /mypath/documents/dolibarr.log
 #
 # then
-# fail2ban-client status web-dolibarr-rulesbruteforce 
+# fail2ban-client status web-dol-bruteforce
 #
 # To test rule file on a existing log file
 # fail2ban-regex /mypath/documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf --print-all-matched
--- a/dev/setup/fail2ban/jail.d/web-accesslog-limit403.conf
+++ b/dev/setup/fail2ban/jail.d/web-accesslog-limit403.conf
@@ -0,0 +1,11 @@
+[web-accesslog-limit403]
+
+; rule against call of 403 forbidden access (for all servers)
+enabled = true
+port    = http,https
+filter  = web-accesslog-limit403
+logpath = /var/log/apache2/*access*_log
+action  = %(action_mw)s
+bantime  = 600    ;
+findtime = 30     ;
+maxretry = 100    ; 100 error 403 in 30 second, we can ban
--- a/dev/setup/fail2ban/jail.d/web-accesslog-limit404.conf
+++ b/dev/setup/fail2ban/jail.d/web-accesslog-limit404.conf
@@ -0,0 +1,11 @@
+[web-accesslog-limit404]
+
+; rule against call of 404 forbidden access (for all servers)
+enabled = true
+port    = http,https
+filter  = web-accesslog-limit404
+logpath = /var/log/apache2/*access*_log
+action  = %(action_mw)s
+bantime  = 600    ;
+findtime = 30     ;
+maxretry = 100    ; 100 error 404 in 30 second, we can ban
--- a/dev/setup/fail2ban/jail.d/web-dolibarr-limitpublic.conf
+++ b/dev/setup/fail2ban/jail.d/web-dolibarr-limitpublic.conf
@@ -0,0 +1,11 @@
+[web-dol-limitpublic]
+
+; rule to add rate limit on some public pages
+enabled = true
+port    = http,https
+filter  = web-dolibarr-limitpublic
+logpath = /home/dolibarr/asso.dolibarr.org/dolibarr_documents/dolibarr.log
+action  = %(action_mw)s
+bantime  = 86400     ; 1 day
+findtime = 86400     ; 1 day
+maxretry = 500       ; 500 access to a public page in the same day, we ban
--- a/dev/setup/fail2ban/jail.d/web-dolibarr-passf.conf
+++ b/dev/setup/fail2ban/jail.d/web-dolibarr-passf.conf
@@ -0,0 +1,11 @@
+[web-dol-passf]
+
+; rule against call of password forgotten page
+enabled = true
+port    = http,https
+filter  = web-dolibarr-passf
+logpath = /home/dolibarr/asso.dolibarr.org/dolibarr_documents/dolibarr.log
+action  = %(action_mw)s
+bantime  = 4320000   ; 50 days
+findtime = 86400     ; 1 day
+maxretry = 10
--- a/dev/setup/fail2ban/jail.d/web-dolibarr-rulesbruteforce.conf
+++ b/dev/setup/fail2ban/jail.d/web-dolibarr-rulesbruteforce.conf
@@ -0,0 +1,11 @@
+[web-dol-bruteforce]
+
+; rule against bruteforce hacking (login + api)
+enabled = true
+port    = http,https
+filter  = web-dolibarr-rulesbruteforce
+logpath = /home/dolibarr/asso.dolibarr.org/dolibarr_documents/dolibarr.log
+action  = %(action_mw)s
+bantime  = 86400     ; 1 day
+findtime = 3600      ; 1 hour
+maxretry = 20        ; 10 login error in 1 hour, we ban