changeset 337:a79ad974a548

Implement fail2ban for Apache as mod_rewrite We can't use pure iptables because IPv4 requests come through our proxy. BUT we're using the PROXY protocol, so Apache sees the true IP.
author IBBoard <dev@ibboard.co.uk>
date Sat, 16 May 2020 14:05:09 +0100
parents 43e11af9c85d
children 7e3c977e970a
files modules/fail2ban/files/apache-ip-banlist.log modules/fail2ban/files/apache-ip-banlist.pp modules/fail2ban/files/ibb-apache-ip-block.conf modules/fail2ban/files/jail.local modules/fail2ban/manifests/init.pp
diffstat 5 files changed, 55 insertions(+), 6 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/apache-ip-banlist.log	Sat May 16 14:05:09 2020 +0100
@@ -0,0 +1,12 @@
+# Use `sudo audit2allow -i modules/fail2ban/files/apache-ip-banlist.log -o modules/fail2ban/files/apache-ip-banlist.pp` to update the .pp file
+# And run `sudo semodule -i /path/to/apache-ip-banlist.pp` to install (or `puppet-apply`)
+type=AVC msg=audit(1588787042.424:80973): avc:  denied  { read } for  pid=1394 comm="httxt2dbm" name="apache_banlist.txt" dev="vda2" ino=4933 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1588945227.337:95373): avc:  denied  { open } for  pid=23216 comm="httxt2dbm" path="/tmp/apache_banlist.txt" dev="vda2" ino=4933 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1589226761.304:117046): avc:  denied  { dac_override } for  pid=17887 comm="apache-ip-ban" capability=1  scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=0
+type=AVC msg=audit(1589226761.308:117047): avc:  denied  { search } for  pid=17888 comm="httxt2dbm" name="httpd" dev="vda2" ino=132312 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1589312768.808:123914): avc:  denied  { getattr } for  pid=6749 comm="httxt2dbm" path="/etc/httpd/conf.custom/apache_banlist.db" dev="vda2" ino=267967 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1      
+type=AVC msg=audit(1589569550.692:144422): avc:  denied  { dac_override } for  pid=2777 comm="apache-ip-ban" capability=1  scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=0
+type=AVC msg=audit(1589569550.696:144423): avc:  denied  { search } for  pid=2778 comm="httxt2dbm" name="httpd" dev="vda2" ino=132312 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1589572088.142:144762): avc:  denied  { entrypoint } for  pid=4354 comm="runcon" path="/usr/local/bin/apache-ip-ban" dev="vda2" ino=138961 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1589572296.815:144814): avc:  denied  { write } for  pid=4496 comm="apache-ip-ban" name="apache_banlist.txt" dev="vda2" ino=4933 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1589572296.844:144815): avc:  denied  { write } for  pid=4497 comm="httxt2dbm" name="apache_banlist.db" dev="vda2" ino=267967 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
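Review bot: Several of these audit lines are artifacts of manual testing rather than steady-state fail2ban behaviour, and feeding them to audit2allow unedited produces over-broad rules: the `runcon` entrypoint denial on `/usr/local/bin/apache-ip-ban` (third from last) would yield `allow fail2ban_t bin_t:file entrypoint`, which widens what may serve as an entrypoint into fail2ban_t to every bin_t file, and the entries whose source context is `unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023` (one recorded with `permissive=1`) come from an interactive session rather than the daemon. The two `dac_override` (capability=1) denials for apache-ip-ban are better resolved by giving the banlist file an owner and mode the fail2ban domain can write than by granting the capability to the whole domain. Suggest pruning the log to the httxt2dbm/apache-ip-ban file and directory denials before regenerating the .pp, and extending the header comment to say which lines are deliberately excluded and why, so the next regeneration does not re-introduce them.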
Binary file modules/fail2ban/files/apache-ip-banlist.pp has changed
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-apache-ip-block.conf	Sat May 16 14:05:09 2020 +0100
@@ -0,0 +1,16 @@
+# Custom IP blocking script for Apache
+# This deals with IPv4 and IPv6 on an IPv6-only server
+# with PROXY protocol support so we can see the originating
+# IPv4 address
+
+[Definition]
+
+actionstart =
+
+actionstop =
+
+actioncheck =
+
+actionban = /usr/local/bin/apache-ip-ban ban <ip>
+
+actionunban = /usr/local/bin/apache-ip-ban unban <ip>
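Review bot: `actionban` and `actionunban` invoke `/usr/local/bin/apache-ip-ban`, but that script is not among the files in this changeset (see the files list), so the action cannot be reviewed together with what it runs and the manifest does not deploy it; add a header comment naming where it comes from, e.g. `# Requires /usr/local/bin/apache-ip-ban (installed separately), which maintains the mod_rewrite banlist map`. `actionstart` and `actioncheck` are intentionally empty, so fail2ban never verifies that the banlist map exists before issuing bans; a comment such as `# Banlist map is created by the fail2ban puppet manifest before httpd starts` would make that dependency explicit to anyone reusing the action elsewhere.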
--- a/modules/fail2ban/files/jail.local	Wed Apr 22 22:28:52 2020 +0100
+++ b/modules/fail2ban/files/jail.local	Sat May 16 14:05:09 2020 +0100
@@ -28,9 +28,9 @@
 findtime = 604800
 bantime  = 604800
 
-
+# Disable badbots - we've not seen it used in a month
 [apache-badbots]
-enabled  = true
+enabled  = false
 filter   = apache-badbots
 action   = firewall-ban[name=ApacheBadBots,chain=Fail2Ban,port="80,443"]
 logpath  = /var/log/apache/access_*.log
@@ -41,13 +41,14 @@
 enabled  = true
 maxretry = 1
 filter   = ibb-apache-exploits-instaban
-action   = firewall-ban[name=ApacheInstaban,chain=Fail2Ban,port="80,443"]
+action   = ibb-apache-ip-block
 logpath  = /var/log/apache/access_*.log
 findtime = 86400
 bantime  = 86400
 
+# Disable auth - we've not seen it used in a month
 [apache-auth]
-enabled  = true
+enabled  = false
 maxretry = 5
 filter   = apache-auth
 action   = firewall-ban[name=ApacheAuth,chain=Fail2Ban,port="80,443"]
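Review bot: With `action   = ibb-apache-ip-block` the ApacheInstaban jail now blocks at the Apache layer only, so requests from a banned address still reach Apache before the rewrite map rejects them, whereas the replaced firewall-ban action was scoped to ports 80,443 at the packet filter; that trade-off is explained only in the commit message. A comment above the action line, e.g. `# Ban via the mod_rewrite map rather than iptables so the PROXY-protocol IPv4 source address is honoured`, would keep the reason with the configuration. The jail's section header precedes the hunk.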
@@ -92,7 +93,7 @@
 bantime  = 604800
 
 [mail-rejected]
-enabled = true
+enabled = false
 maxretry = 10
 filter = ibb-postfix
 action = firewall-ban[name=MailRejected,chain=Fail2Ban,port="465,25"]
--- a/modules/fail2ban/manifests/init.pp	Wed Apr 22 22:28:52 2020 +0100
+++ b/modules/fail2ban/manifests/init.pp	Sat May 16 14:05:09 2020 +0100
@@ -28,11 +28,31 @@
 	} else {
 		$firewall_ban_cmd = $firewall_cmd
 	}
-
+	# Create an empty banlist file if it doesn't exist
+	exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_banlist.db':
+		path => '/usr/bin',
+		unless => 'test -f /etc/httpd/conf.custom/apache_banlist.db',
+		before => Service['httpd'],
+	}
+	file { '/tmp/apache_banlist.txt':
+		ensure => present,
+		seltype => 'httpd_config_t',
+	}
+	# And let the httxt2dbm process work the rest of the time
+	file { '/etc/selinux/apache-ip-banlist.pp':
+		source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
+	} ~>
+	exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp':
+		path => '/usr/sbin',
+		refreshonly => true,
+	}
 	file { '/etc/fail2ban/action.d/firewall-ban.conf':
 		ensure => link,
 		target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
 	}
+	file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf':
+		source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf',
+	}
 	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
 		source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
 	}
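Review bot: `file { '/tmp/apache_banlist.txt': ensure => present, seltype => 'httpd_config_t' }` keeps the banlist source that apache-ip-ban writes and httxt2dbm reads (per the audit log in this changeset) in a world-writable directory with no `owner`/`group`/`mode`, so a file already present at that path under another local user's ownership would be adopted as-is and its contents would feed the Apache banlist map, and the file is also exposed to periodic tmp cleanup on systems that run it. Prefer a dedicated path such as under /var/lib/fail2ban and pin ownership with `owner => 'root',` `group => 'root',` `mode => '0644',`; the same path appears in the audit entries and presumably in the script, so all three would need to change together. The enclosing class begins before the hunk.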