<article>
<h1>Dedicated servers: blocking IPs that scan for web vulnerabilities with fail2ban</h1>
<p>Published 2025-08-17 at <a href="https://www.h-hennes.fr/blog/2025/08/17/serveur-dedies-bloquer-les-ips-qui-scannent-les-vulnerabilites-web-avec-fail2ban/">h-hennes.fr</a>. Tags: fail2ban, security.</p>

<p>My server logs contain thousands of lines that correspond to vulnerability scans.<br>The hosts behind them try to read the contents of <code>.env</code> files, the WordPress admin, and so on.<br>Here is a screenshot to illustrate:</p>

<figure class="wp-block-image size-full"><a href="https://www.h-hennes.fr/blog/wp-content/uploads/2025/08/apache-logs.png"><img width="949" height="347" src="https://www.h-hennes.fr/blog/wp-content/uploads/2025/08/apache-logs.png" alt="" class="wp-image-7956"></a></figure>

<p><strong>Be careful to identify precisely what you block, otherwise you may block legitimate traffic!</strong></p>

<p>We are going to see how to block these IPs at their very first attempt.<br>For this we will use <strong>fail2ban</strong>; if you still need to install it, this article is fairly old but still works: <a href="https://www.h-hennes.fr/blog/2015/01/09/securiser-votre-serveur-dedie-installation-de-fail2ban/">Securing your dedicated server: installing fail2ban</a></p>

<p>To begin, we create a new filter named "apache-scan", stored in the file <em>/etc/fail2ban/filter.d/apache-scan.conf</em>.<br>This file holds all of our blocking rules.<br>In my case I have no WordPress site, so I block every attempt to fetch WordPress content, along with a number of other patterns I find in my logs.<br>This rule is not exhaustive and will need to be extended over time.</p>

<pre>
[Definition]
failregex = ^&lt;HOST&gt; -.*"(GET|POST).*wp-login\.php
            ^&lt;HOST&gt; -.*"(GET|POST).*xmlrpc\.php
            ^&lt;HOST&gt; -.*"(GET|POST).*wp-admin
            ^&lt;HOST&gt; -.*"(GET|POST).*wp-content
            ^&lt;HOST&gt; -.*"(GET|POST).*wp-includes
            ^&lt;HOST&gt; -.*"(GET|POST).*/wp-json
            ^&lt;HOST&gt; -.*"(GET|POST).*/wp-cron\.php
            ^&lt;HOST&gt; -.*"(GET|POST).*/administrator
            ^&lt;HOST&gt; -.*"(GET|POST).*/typo3
            ^&lt;HOST&gt; -.*"(GET|POST).*/vendor/phpunit
            ^&lt;HOST&gt; -.*"(GET|POST).*/owa
            ^&lt;HOST&gt; -.*"(GET|POST).*/\.git
            ^&lt;HOST&gt; -.*"(GET|POST).*/\.svn
            ^&lt;HOST&gt; -.*"(GET|POST).*/docker/
            ^&lt;HOST&gt; -.*"(GET|POST).*/aws
            ^&lt;HOST&gt; -.*"(GET|POST).*/\.env
            ^&lt;HOST&gt; -.*"(GET|POST).*/composer\.json
            ^&lt;HOST&gt; -.*"(GET|POST).*/package\.json
            ^&lt;HOST&gt; -.*"(GET|POST).*/config\.php
</pre>

<p>Next, enable the rule by creating the file <em>/etc/fail2ban/jail.d/apache-scan.conf</em> with the following content, adjusting the list of log files to analyze to match your setup.<br>This configuration bans for 24 hours every IP that tries to access a URL matching one of the patterns listed above.</p>

<pre>
[apache-scan]
enabled  = true
port     = http,https
filter   = apache-scan
logpath  = /var/log/apache2/access.log
           /var/log/apache2/other_vhost_access.log
maxretry = 1
bantime  = 86400
findtime = 600
</pre>

<p>Finally, fail2ban must be restarted so that the new configuration is taken into account.</p>

<pre lang="bash">
sudo systemctl restart fail2ban
</pre>

<p>If everything is working, after a few hours you will see that IPs are indeed being blocked by fail2ban, either through munin monitoring (see the screenshot below) or from the console with the command: <code class="language-bash">sudo fail2ban-client status apache-scan</code></p>

<figure class="wp-block-image size-full"><a href="https://www.h-hennes.fr/blog/wp-content/uploads/2025/08/apache-logs-munin.png"><img width="503" height="303" src="https://www.h-hennes.fr/blog/wp-content/uploads/2025/08/apache-logs-munin.png" alt="" class="wp-image-7957"></a></figure>
</article>