I'd say search Google, there are many ways to protect Apache; I'm adding two links. The best way to do it is by testing with your logs and configuring it to your needs, which is what I most recommend:

*apache-tcpwrapper:* Blocks, via the /etc/hosts.deny file, the hosts that try to connect to password-protected domains (these authentication failures appear in the error_log).
*apache-badbots:* Blocks via iptables the hosts that connect using a suspicious "User Agent", and sends us a mail to notify us.

I'll put two links:
http://apliweb.com/blog/fail2ban-evitando-ataques-en-nuestro-servidor-web
http://garciavictor.blogspot.com/2012/11/fail2ban-en-debian-squeezy-wheezy.html

2013/10/3 Rodrigo Pichiñual Norin <rodrigo.pichin...@gmail.com>

> Thanks Willmer
>
> could you explain part of this piece of code to me.
>
> [apache-badbots]
>
> enabled  = true
> filter   = apache-badbots
> action   = iptables-multiport[name=BadBots, port="http,https"]
>            sendmail-buffered[name=BadBots, lines=5, dest=tu email]
> logpath  = /home/*/logs/access.log
> bantime  = 172800
> maxretry = 1
>
> I understand that it is enabled (enabled)
> the filter it uses inside the filter.d folder is apache-badbots
>
> but the rest isn't very clear to me..
>
> thanks
>
> 2013/10/3 Wilmer Arambula <tecnologiaterab...@gmail.com>
>
> > I had a similar problem with my VPS: when I checked the logs they were full of attacks, but with a few things I stopped them. Let me explain, and see what's useful to you:
> >
> > 1.- SSH: I changed the default port.
> >
> > 2.- Define good Iptables and Shorewall rules (manage a blacklist of attacking IPs).
> >
> > 3.- Fail2ban: (after a lot of research I arrived at this configuration):
> >
> > [DEFAULT]
> >
> > # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
> > # ban a host which matches an address in this list. Several addresses can be
> > # defined using space separator.
> > ignoreip = tu ip.
> >
> > # "bantime" is the number of seconds that a host is banned.
> > bantime  = 36000
> >
> > # A host is banned if it has generated "maxretry" during the last "findtime"
> > # seconds.
> > findtime = 600
> >
> > # "maxretry" is the number of failures before a host get banned.
> > maxretry = 3
> >
> > # "backend" specifies the backend used to get files modification.
> > # Available options are "pyinotify", "gamin", "polling" and "auto".
> > # This option can be overridden in each jail as well.
> > #
> > # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
> > #            If pyinotify is not installed, Fail2ban will use auto.
> > # gamin:     requires Gamin (a file alteration monitor) to be installed.
> > #            If Gamin is not installed, Fail2ban will use auto.
> > # polling:   uses a polling algorithm which does not require external libraries.
> > # auto:      will try to use the following backends, in order:
> > #            pyinotify, gamin, polling.
> > backend = auto
> >
> > # "usedns" specifies if jails should trust hostnames in logs,
> > #   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
> > #
> > # yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
> > # warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
> > #        but it will be logged as a warning.
> > # no:    if a hostname is encountered, will not be used for banning,
> > #        but it will be logged as info.
> > usedns = warn
> >
> >
> > # This jail corresponds to the standard configuration in Fail2ban 0.6.
> > # The mail-whois action send a notification e-mail with a whois request
> > # in the body.
> >
> > [ssh-iptables]
> >
> > enabled  = true
> > filter   = sshd
> > action   = iptables[name=SSH, port=ssh, protocol=tcp]
> >            sendmail-whois[name=SSH, dest=root, sender=tu email]
> > logpath  = /var/log/secure
> >
> > [proftpd-iptables]
> >
> > enabled  = true
> > filter   = proftpd
> > action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
> >            sendmail-whois[name=ProFTPD, dest=tu email]
> > logpath  = /var/log/proftpd/access.log
> > maxretry = 5
> >
> > # This jail forces the backend to "polling".
> >
> > [sasl-iptables]
> >
> > enabled  = true
> > filter   = sasl
> > backend  = polling
> > action   = iptables[name=sasl, port=smtp, protocol=tcp]
> >            sendmail-whois[name=sasl, dest=tu email]
> > logpath  = /var/log/maillog
> > maxretry = 3
> >
> > # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
> > # used to avoid banning the user "myuser".
> >
> > [ssh-tcpwrapper]
> >
> > enabled     = true
> > filter      = sshd
> > action      = hostsdeny
> >               sendmail-whois[name=SSH, dest=tu email]
> > ignoreregex = for myuser from
> > logpath     = /var/log/secure
> >
> > # This jail demonstrates the use of wildcards in "logpath".
> > # Moreover, it is possible to give other files on a new line.
> >
> > [apache-tcpwrapper]
> >
> > enabled  = true
> > filter   = apache-auth
> > action   = hostsdeny
> > logpath  = /home/*/logs/*error.log
> >            /home/*/logs/error.log
> > maxretry = 6
> >
> > # The hosts.deny path can be defined with the "file" argument if it is
> > # not in /etc.
> >
> > [postfix-tcpwrapper]
> >
> > enabled  = true
> > filter   = postfix
> > action   = iptables-multiport[name=postfix, port="110,995,143,993,25", protocol=tcp]
> >            sendmail-buffered[name=BadBots, lines=5, dest=tu email]
> > logpath  = /var/log/maillog
> > maxretry = 3
> >
> > # Ban hosts which agent identifies spammer robots crawling the web
> > # for email addresses. The mail outputs are buffered.
> >
> > [dovecot]
> >
> > enabled  = true
> > filter   = dovecot
> > action   = iptables-multiport[name=Dovecot, port="110,995,143,993,25", protocol=tcp]
> >            sendmail-whois[name=Fail2Dovecot, lines=5, dest=tu email]
> > logpath  = /var/log/dovecot.log
> > maxretry = 3
> >
> > [apache-badbots]
> >
> > enabled  = true
> > filter   = apache-badbots
> > action   = iptables-multiport[name=BadBots, port="http,https"]
> >            sendmail-buffered[name=BadBots, lines=5, dest=tu email]
> > logpath  = /home/*/logs/access.log
> > bantime  = 172800
> > maxretry = 1
> >
> > # Use shorewall instead of iptables.
> >
> > [apache-shorewall]
> >
> > enabled  = true
> > filter   = apache-noscript
> > action   = shorewall
> >            sendmail[name=Postfix, dest=tu email]
> > logpath  = /home/*/logs/error.log
> >
> > # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
> > # option is overridden in this jail. Moreover, the action "mail-whois" defines
> > # the variable "name" which contains a comma using "". The characters '' are
> > # valid too.
> >
> > # This jail blocks TCP traffic for DNS requests.
> >
> > [named-refused-tcp]
> >
> > enabled  = true
> > filter   = named-refused
> > action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
> >            sendmail-whois[name=Named, dest=tu email]
> > logpath  = /var/log/messages
> > ignoreip = tu ip
> >
> > # Jail for more extended banning of persistent abusers
> > # !!! WARNING !!!
> > #   Make sure that your loglevel specified in fail2ban.conf/.local
> > #   is not at DEBUG level -- which might then cause fail2ban to fall into
> > #   an infinite loop constantly feeding itself with non-informative lines
> > [recidive]
> >
> > enabled  = true
> > filter   = recidive
> > logpath  = /var/log/fail2ban.log
> > action   = iptables-allports[name=recidive]
> >            sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
> > bantime  = 604800  ; 1 week
> > findtime = 86400   ; 1 day
> > maxretry = 5
> >
> >
> > These are some options you can configure in your fail2ban; if you search Google with the logs you already have you can try each of them. I recommend you create your own jail.local file instead of jail.conf, so every time you update, your rules will be kept without problems. It's all a matter of patience and above all of analysing your logs to detect the attacks you receive; of course there will be others you won't see, like scans, but there's no need to get so paranoid either.
> >
> >
> > On 2 October 2013 at 12:44, Rodrigo Pichiñual Norin <rodrigo.pichin...@gmail.com> wrote:
> >
> > > Hello everyone.
> > >
> > > I have fail2ban installed on CentOS 6.3
> > >
> > > I managed to understand how to protect SSH against brute-force attacks.
> > >
> > > banntime=600
> > >
> > > [ssh-iptables]
> > > enabled  = true
> > > filter   = sshd
> > > action   = iptables[name=SSH, port=ssh, protocol=tcp]
> > >            mail-whois[name=SSH, dest=mim...@dominio.cl, sender=fail2ban@<fail2...@latitud33.cl> dominio.cl]
> > > logpath  = /var/log/secure
> > > maxretry = 5
> > >
> > > This blocks an IP's access via SSH after 5 failed attempts (it blocks the IP for 600 sec).
> > >
> > > I tested it and it works.
> > >
> > > but now I want to protect my web server (apache httpd).
> > >
> > > but I don't know how to do it.
> > >
> > > in ssh maxretry is 5 (attempts before blocking); on a web server this should be much higher (the number of transactions on a web server is always higher)
> > >
> > > Guidance..thanks
> > > _______________________________________________
> > > CentOS-es mailing list
> > > CentOS-es@centos.org
> > > http://lists.centos.org/mailman/listinfo/centos-es
> >
> > --
> > *Wilmer Arambula.*
> > *Asoc. Cooperativa Tecnologia Terabyte 124, RL.*

--
*Wilmer Arambula.*
*Asoc. Cooperativa Tecnologia Terabyte 124, RL.*
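As an added example (not code from the thread and not fail2ban's own implementation), this Python script reproduces the bookkeeping behind the [apache-badbots] jail Rodrigo asked about: it scans Apache access-log lines for a bad-bot User-Agent and applies maxretry, findtime and bantime the way the quoted jail settings describe. The bad-bot list, the log lines and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Oct/2013:10:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [03/Oct/2013:10:00:02 +0200] "GET /contact HTTP/1.1" 200 2048 "-" "EmailSiphon"
203.0.113.5 - - [03/Oct/2013:10:00:03 +0200] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [03/Oct/2013:10:05:04 +0200] "GET /staff HTTP/1.1" 200 2048 "-" "EmailSiphon"
"""
# Shortened bad-bot User-Agent list, an assumption modelled on what the
# apache-badbots filter matches (the real filter ships a much longer list).
BAD_BOTS = re.compile(r'"(?:EmailSiphon|EmailCollector|EmailWolf|ExtractorPro)[^"]*"\s*$')
# Client host and timestamp of a combined-format line; the rest is not needed.
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')


def simulate_jail(log_text, maxretry=1, findtime=600, bantime=172800):
    """Return {host: ban_expiry} for the hosts this jail would ban.

    A line is a failure when its User-Agent matches BAD_BOTS.  A host is
    banned once it has maxretry failures inside a findtime-second window,
    for bantime seconds counted from the failure that triggered the ban.
    """
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not BAD_BOTS.search(line):
            continue  # not a failure line for this jail
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if host in bans and ts < bans[host]:
            continue  # still banned: iptables would have dropped this request
        window = failures[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for host, until in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} until {until.isoformat()}")
```

With the jail's maxretry = 1 the EmailSiphon client is banned on its first request for two days; the same log with maxretry = 3, or with a 60-second findtime, bans nobody, which is the threshold difference between the SSH and web-server jails that Rodrigo raised.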