Rework ssh page

2024-09-03 20:06:26 +02:00 · 2019-01-07 16:55:18 +01:00 · 2019-01-07 16:55:18 +01:00 · ec8e01ea76
commit ec8e01ea76
parent b192d42837
2 changed files with 40 additions and 90 deletions
--- a/fail2ban.md
+++ b/fail2ban.md
@ -1,57 +1,32 @@
 # Fail2ban
-For a number of reasons, an IP adresse may be wrongly blacklisted. If you wish to access your server through this specify IP you will need to unblock it.
+Fail2Ban is an intrusion prevention software that protects computer servers from brute-force attacks. It monitors some log files and will ban IP addresses that shows brute-force-like behavior.
-## IP unblock
+In particular, Fail2ban monitors SSH connection attempts. After 5 failed login attempts on SSH, Fail2ban will ban the corresponding IP address from connecting through SSH for 10 minutes. If this IP is found to recidive several times, it might get ban for a week.
-First, list all iptables rules with: `iptables -L --line-numbers` :
+## Unban an IP
 To unban an IP from fail2ban, you first need to access your server by some mean (e.g. from another IP by the one being banned).
 Then look at fail2ban's log to identify in which jail the IP was put : 
 ```bash
-root@beudi:~# iptables -L --line-numbers
+$ tail /var/log/fail2ban.log
-Chain INPUT (policy ACCEPT)
+2019-01-07 16:24:47 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-num  target     prot opt source               destination         
+2019-01-07 16:24:49 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-1    fail2ban-yunohost  tcp  --  anywhere             anywhere             multiport dports http,https
+2019-01-07 16:24:51 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-2    fail2ban-nginx  tcp  --  anywhere             anywhere             multiport dports http,https
+2019-01-07 16:24:54 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-3    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+2019-01-07 16:24:57 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-4    fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Ban 11.22.33.44
-5    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
+2019-01-07 16:24:57 fail2ban.filter  [1837]: NOTICE  [recidive] Ban 11.22.33.44
 Chain FORWARD (policy ACCEPT)
 num  target     prot opt source               destination         
 Chain OUTPUT (policy ACCEPT)
 num  target     prot opt source               destination         
 Chain fail2ban-dovecot (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-nginx (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-sasl (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-ssh (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-yunohost (1 references)
 num  target     prot opt source               destination         
 1    DROP       all  --  80.215.197.201       anywhere            
 2    RETURN     all  --  anywhere             anywhere 
 ```
-Here, Ip adress `80.215.197.201` is banned in the `fail2ban-yunohost` rule.
+Here, the IP `11.22.33.44` was banned in the `sshd` and `recidive` jails.
-To unblock:
+
 Then unban the IP with the following commands : 
 ```bash
-iptables -D rule_name entry_number
+$ fail2ban-client set sshd unbanip 11.22.33.44
 $ fail2ban-client set recidive unbanip 11.22.33.44
 ```
 For intance:
 ```bash
 iptables -D fail2ban-yunohost 1
 ```
--- a/fail2ban_fr.md
+++ b/fail2ban_fr.md
@ -1,57 +1,32 @@
 # Fail2ban
-Pour diverses raisons, il peut arriver qu’une adresse IP ait été blacklistée. Si vous souhaitez accéder à votre serveur depuis cette IP, il faudra la débloquer.
+Fail2Ban est un logiciel de prévention des intrusions qui protège les serveurs informatiques contre les attaques de brute-force. Il surveille certains journaux et bannira les adresses IP qui montrent un comportement de brute-forcing.
-## Débloquer une IP
+En particulier, Fail2ban surveille les tentatives de connexion SSH. Après 5 tentatives de connexion échouées sur SSH, Fail2ban banniera l'IP de se connecter via SSH pendant 10 minutes. Si cette adresse récidive plusieurs fois, elle peut être bannie pendant une semaine.
-Tout d’abord on affiche le listing de toutes les règles iptables avec la commande `iptables -L --line-numbers` :
+## Débannir une IP
 Pour débloquer une IP de fail2ban, vous devez d'abord accéder à votre serveur par un moyen quelconque (par exemple à partir d'une autre IP que celle bannie).
 Ensuite, regardez le journal de fail2ban pour identifier dans quelle 'prison' (jail) l'IP a été bannie : 
 ```bash
-root@beudi:~# iptables -L --line-numbers
+$ tail /var/log/fail2ban.log
-Chain INPUT (policy ACCEPT)
+2019-01-07 16:24:47 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-num  target     prot opt source               destination         
+2019-01-07 16:24:49 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-1    fail2ban-yunohost  tcp  --  anywhere             anywhere             multiport dports http,https
+2019-01-07 16:24:51 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-2    fail2ban-nginx  tcp  --  anywhere             anywhere             multiport dports http,https
+2019-01-07 16:24:54 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-3    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+2019-01-07 16:24:57 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44
-4    fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Ban 11.22.33.44
-5    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
+2019-01-07 16:24:57 fail2ban.filter  [1837]: NOTICE  [recidive] Ban 11.22.33.44
 Chain FORWARD (policy ACCEPT)
 num  target     prot opt source               destination         
 Chain OUTPUT (policy ACCEPT)
 num  target     prot opt source               destination         
 Chain fail2ban-dovecot (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-nginx (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-sasl (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-ssh (1 references)
 num  target     prot opt source               destination         
 1    RETURN     all  --  anywhere             anywhere            
 Chain fail2ban-yunohost (1 references)
 num  target     prot opt source               destination         
 1    DROP       all  --  80.215.197.201       anywhere            
 2    RETURN     all  --  anywhere             anywhere 
 ```
-Il nous indique que l’IP `80.215.197.201` est bannie dans la règle `fail2ban-yunohost`.    
+Ici, l'IP `11.22.33.44` a été bannie dans les jails `sshd` et `recidive`.
-Pour la débloquer :
+
 Puis débanissez l'IP avec les commandes suivantes :
 ```bash
-iptables -D nom_de_la_regle numéro_de_l_entrée
+$ fail2ban-client set sshd unbanip 11.22.33.44
 $ fail2ban-client set recidive unbanip 11.22.33.44
 ```
 Par exemple :
 ```bash
 iptables -D fail2ban-yunohost 1
 ```