Sécurité Apache ou Nginx & SSH sur Linux (iptables avec Fail2ban) + Antivirus | desktop/serveur au maximum



Une sécurisation maximale, avec pour seuls services utilisés le web et SSH, via iptables et fail2ban sous Linux, quelle que soit la distribution de votre choix, que ce soit sur desktop ou serveur.

sudo -i
# Install fail2ban. iptables-persistent (left commented) is the packaged way to
# reload saved rules at boot, an alternative to the init.d script written below.
apt update && apt upgrade -y && apt install -y fail2ban # iptables-persistent

#dpkg-reconfigure iptables-persistent

# NOTE(review): on hosts where systemd-resolved, resolvconf or NetworkManager
# manages this file, hand edits are regenerated away -- confirm what owns it
# before editing. The IPv6 resolvers stay commented, consistent with the
# IPv4-only firewall later on this page.
nano /etc/resolv.conf
nameserver 1.1.1.1
nameserver 1.0.0.1
#nameserver 2606:4700:4700::1111
#nameserver 2606:4700:4700::1001


iptables -L #info: show the rules currently loaded
nano /etc/ssh/sshd_config
******
PermitRootLogin no         # Do not allow root to log in over SSH
AllowUsers alexonbstudio             # Allow only one specific user
#Changing the SSH port is not a solution
*******
# Validate before restarting (`sshd -t` prints nothing when the file is valid)
# and keep the current session open: a typo in AllowUsers locks every account
# out. Once key-based login works, `PasswordAuthentication no` removes the
# password brute-force surface that fail2ban is guarding below.
/etc/init.d/ssh restart
nano /etc/init.d/firewall

===========================================
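#!/bin/sh
# /etc/init.d/firewall -- iptables rules for a host that exposes only SSH (22)
# and HTTP/HTTPS (80, 443). Run as root; running it again reloads the rule set.
#
# No `set -e` on purpose: the DROP policies are installed early, so aborting on
# a failed iptables call (for example a fail2ban chain that already exists)
# would leave the host with no ACCEPT rule and lock the administrator out.
#
# Only IPv4 is covered. If the host has IPv6 connectivity, give ip6tables an
# equivalent rule set, otherwise IPv6 traffic is not filtered at all.
# Init arguments (start/stop/restart) are ignored: every invocation re-applies
# the rules, exactly as the original script did.

# Host allowed unconditionally (the admin workstation). Leave empty to skip the
# rule. The original appended a literal "adresse_ip" placeholder, which
# iptables rejects as an unresolvable host.
ADMIN_IP=""

# Web server whose fail2ban chains are wired in: "nginx" or "apache".
WEB="nginx"

# Flush the current rules, then delete user-defined chains (they must be empty)
iptables -t filter -F
iptables -t filter -X

# Default policies: anything not accepted below is dropped
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Admin exception, placed before any fail2ban chain that could reject it
if [ -n "$ADMIN_IP" ]; then
  iptables -t filter -A INPUT -s "$ADMIN_IP" -j ACCEPT
fi

# The original script appended `-A INPUT -j DROP` at this point. Rules are
# matched in order, so that rule shadowed every ACCEPT below it (SSH and HTTP
# included), and the INPUT policy already drops unmatched packets; the rule is
# intentionally gone.

# --- Fail2ban
# Empty chains ending in RETURN, so the jumps below are valid before fail2ban
# inserts its ban rules. The -F/-X above also discards whatever fail2ban had
# inserted, so active bans are lost until fail2ban restarts.
# NOTE(review): newer fail2ban releases name their chains f2b-<jail> rather
# than fail2ban-<jail> -- confirm the names against the installed version.
for name in "${WEB}" "${WEB}-badbots" "${WEB}-nohome" "${WEB}-noscript" \
            "${WEB}-overflows" ssh; do
  iptables -t filter -N "fail2ban-${name}"
  iptables -t filter -A "fail2ban-${name}" -j RETURN
done

# Web traffic passes through every web jail chain before it can be accepted
for name in nohome badbots overflows noscript; do
  iptables -t filter -A INPUT -p tcp -m multiport --dports 80,443 \
    -j "fail2ban-${WEB}-${name}"
done
iptables -t filter -A INPUT -p tcp -m multiport --dports 80,443 -j "fail2ban-${WEB}"
iptables -t filter -A INPUT -p tcp --dport 22 -j fail2ban-ssh

# Keep established/related connections working. This also lets the answers to
# the outbound DNS and HTTP/HTTPS traffic allowed below come back in.
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# SSH in (this server) and out (connecting elsewhere from this host)
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# DNS: outbound queries only. The original also accepted inbound port 53,
# which opens a listening port this host does not serve; the ESTABLISHED rule
# above already admits the replies to our own queries.
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

# HTTP + HTTPS: inbound for the web server, outbound for apt/freshclam/wget
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

# Add other iptables rules here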

===========================================
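chmod +x /etc/init.d/firewall
update-rc.d firewall defaults # register it among the scripts run at boot
# To unregister it later. Kept commented: run in sequence right after the line
# above, as the original did, it cancels the registration just made.
#update-rc.d -f firewall remove
# NOTE(review): update-rc.d expects an LSB header block in the script, and
# systemd-based distributions run init.d scripts only through a compatibility
# layer; iptables-persistent (commented out in the install step) or a native
# unit is the usual way to restore rules at boot -- confirm the script is
# actually scheduled (e.g. look for it under /etc/rc*.d/).
# Apply the rules now. Keep a second SSH session open until a fresh SSH
# connection has been confirmed to work.
/etc/init.d/firewall

########
# iptables -A INPUT -s adresse_ip -j DROP   # ban an IP
# iptables -A INPUT -s adresse_ip -j ACCEPT # allow an IP
# NOTE(review): -A appends after the ACCEPT rules the script already put in
# INPUT, so an appended DROP never matches traffic on ports 22/80/443; use
# `iptables -I INPUT 1 -s adresse_ip -j DROP` to place a ban first. Rules added
# by hand are lost the next time the script runs.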

-------------------

fail2ban
# Full copy of jail.conf as the local override. fail2ban reads jail.conf and
# then jail.local, so a jail.local holding only the changed keys is enough and
# lets package upgrades of jail.conf keep taking effect; a full copy freezes
# every default at today's values.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl enable fail2ban

nano /etc/fail2ban/jail.local
===============
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
#action = $(action_)s
# NOTE(review): iptables-multiport creates a chain per jail and inserts a jump
# into INPUT when the jail starts. The /etc/init.d/firewall script on this page
# pre-creates chains named fail2ban-<jail> and flushes the filter table each
# time it runs, so chain names and start order must agree between the two --
# confirm against the installed fail2ban version (newer releases use f2b-<jail>).

# NOTE(review): the shipped jail.conf configures SSH under [sshd], together
# with its logpath/backend; a section named [ssh] inherits only [DEFAULT].
# With no logpath here the jail may fail to start -- check that it appears in
# `fail2ban-client status`.
[ssh]
enabled = true
port    = ssh
filter    = sshd
maxretry = 2
# Replace 123.123.123.123 with the admin host. Overriding ignoreip replaces the
# default loopback entries (127.0.0.1/8 ::1), so list them here as well, and
# move the trailing comment to its own line: fail2ban's INI parser may keep
# "#iplocal myip" as part of the value.
ignoreip = 123.123.123.123 #iplocal myip


###### APACHE OR NGINX
# NOTE(review): `filter = nginx-auth`, but the filter written later on this
# page is nginx-http-auth.conf; the jail cannot load until the two names match.
# The logpath below is a placeholder to replace with the real log file.
[nginx]
#[apache]

enabled  = true
port     = http,https
filter   = nginx-auth
#filter   = apache-auth
logpath  = /var/log/nginx/*custom_log_location.log
#logpath  = /var/log/apache*/*custom_log_location.log
maxretry = 3
findtime = 600
 
# NOTE(review): the nginx-noscript failregex defined later on this page starts
# with "^<HOST> -", the access-log line format, but this logpath is the error
# log; as written the filter never matches. Point logpath at the access log or
# rewrite the regex for error-log lines, and check with fail2ban-regex.
[nginx-noscript]
#[apache-noscript]

enabled  = true
port     = http,https
filter   = nginx-noscript
#filter   = apache-noscript
logpath  = /var/log/nginx/*error.log
#logpath  = /var/log/apache*/*error.log
maxretry = 3
findtime = 600
 
# NOTE(review): no nginx-overflows filter is written on this page (only
# http-auth, badbots, noscript, nohome and noproxy are), so this jail cannot
# load unless the installed fail2ban provides one -- confirm, or disable it.
[nginx-overflows]
#[apache-overflows]

enabled  = true
port     = http,https
filter   = nginx-overflows
#filter   = apache-overflows
logpath  = /var/log/nginx/*error.log
#logpath  = /var/log/apache*/*error.log
maxretry = 2

# NOTE(review): nginx-badbots is a verbatim copy of apache-badbots (see the cp
# later on this page), which matches access-log request lines -- same
# logpath concern as nginx-noscript.
[nginx-badbots]
#[apache-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
#filter   = apache-badbots
logpath  = /var/log/nginx/*error.log
#logpath  = /var/log/apache*/*error.log
maxretry = 2

# NOTE(review): same access-log vs error-log mismatch as nginx-noscript; the
# nginx-nohome regex on this page also starts with "^<HOST> -".
[nginx-nohome]
#[apache-nohome]

enabled  = true
port     = http,https
filter   = nginx-nohome
#filter   = apache-nohome
logpath  = /var/log/nginx/*error.log
#logpath  = /var/log/apache*/*error.log
maxretry = 2


================
systemctl restart fail2ban
#OR -> /etc/init.d/fail2ban restart
# Lists the jails that actually started; `fail2ban-client status <jail>` shows
# the bans of one jail. A jail whose filter or logpath failed to load is simply
# absent here, so compare the list with the sections in jail.local.
fail2ban-client status


================
cd /etc/fail2ban/filter.d
# NOTE(review): the file written here is nginx-http-auth.conf, while the
# [nginx] jail above uses `filter = nginx-auth`; one of the two names has to
# change or the jail does not start.
nano nginx-http-auth.conf
[Definition]

# NOTE(review): fail2ban reads the indented continuation lines as part of the
# failregex value and treats each line as a separate pattern; the trailing
# commas on the first three lines are therefore literal characters after "$"
# and those patterns can never match. As shown here the second and fourth lines
# are not indented either, which the INI parser does not accept as a
# continuation. The "HTTPS/\d+" variants look dead: nginx logs the request line
# as "... HTTP/1.x" for TLS requests as well -- verify all of this with
# `fail2ban-regex` against a real error.log before relying on the filter.
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$,
^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+,  request: "\S+ \S+ HTTPS/\d+\.\d+", host: "\S+"\s*$,
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+,  request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$,
^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+,  request: "\S+ \S+ HTTPS/\d+\.\d+", host: "\S+"\s*$

ignoreregex =
# NOTE(review): apache-badbots matches the access-log request line, whereas the
# [nginx-badbots] jail above reads *error.log -- confirm the logpath.
cp apache-badbots.conf nginx-badbots.conf
nano nginx-noscript.conf
[Definition]

# NOTE(review): this pattern is in access-log format (<HOST> - ... GET ...),
# but the [nginx-noscript] jail on this page tails /var/log/nginx/*error.log,
# so one of the two must change. It also matches every request for a .php/.cgi
# URL, successful ones included, so on a site that serves PHP it bans
# legitimate visitors after maxretry hits -- restrict it to requests the server
# rejected (e.g. by also matching the 404 status) if that is the intent.
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)

ignoreregex =
nano nginx-nohome.conf
[Definition]

# NOTE(review): access-log format again (user-dir probes such as /~name/),
# while the [nginx-nohome] jail on this page reads *error.log -- point the jail
# at the access log or this never matches.
failregex = ^<HOST> -.*GET .*/~.*

ignoreregex =
nano nginx-noproxy.conf
[Definition]

# NOTE(review): the trailing comma on the first line is a literal part of the
# pattern, and the second line is not indented, so it is not read as a
# continuation. No jail on this page references this filter (there is no
# [nginx-noproxy] section and no firewall chain for it), so it is never loaded
# as written.
failregex = ^<HOST> -.*GET http.*,
^<HOST> -.*GET https.*

ignoreregex =



#No longer want to use apache: replace it with nginx
# NOTE(review): `apt autoremove` has no -y, so this chain stops for
# confirmation when run unattended.
apt remove apache2 -y && apt autoremove && apt install -y nginx && apt clean
# still left to do: install a TLS certificate (the firewall opens 443)

#Auto-delete logs
# NOTE(review): removing a log nginx holds open does not free the space --
# nginx keeps writing to the unlinked inode until it reopens its logs -- and
# fail2ban loses the file it is tailing. logrotate (Debian's nginx package
# ships a rule under /etc/logrotate.d) rotates them safely; keep enough
# history for incident investigation rather than deleting outright.
crontab -e
@monthly rm /var/log/nginx/*custom_log_location.log
#@monthly rm /var/log/apache*/*custom_log_location.log
@monthly rm /var/log/nginx/*error.log
#@monthly rm /var/log/apache*/*error.log
# Unattended weekly upgrade from root's crontab. apt warns that its CLI is not
# meant for scripts; `apt-get -y` or the unattended-upgrades package is the
# scripted equivalent.
@weekly apt update && apt upgrade -y

Antivirus - ClamAV
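apt install clamav clamav-daemon libclamunrar6

# The freshclam service is stopped while the signatures are updated by hand
# below (presumably so two freshclam instances do not contend for the database
# and log lock), then started again afterwards.
systemctl enable clamav-freshclam
systemctl stop clamav-freshclam

freshclam # signature update
# Update - alternative method, e.g. when freshclam cannot reach the mirror:
#or -> mkdir -p /var/lib/clamav && cd /var/lib/clamav
#or -> wget https://database.clamav.net/daily.cvd
# daily.cvd is a data file: the original's `chmod +x daily.cvd` is unnecessary.
# It only has to be readable by the user the clamav daemons run as, so chown
# it to that user after the download.
systemctl start clamav-freshclam

#scan:
# --move quarantines matches instead of deleting them: the original's --remove
# over / erases any file a signature flags, a false positive on a system file
# included, with no way back. --exclude-dir keeps the scan out of the
# pseudo-filesystems and out of the quarantine directory itself.
QUARANTINE=/var/lib/clamav/quarantine   # any root-only directory works
mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
clamscan --infected --recursive \
  --exclude-dir='^/(proc|sys|dev|run)' --exclude-dir="^$QUARANTINE" \
  --move="$QUARANTINE" / >> /home/alexonbstudio/finale-scan.txt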







