Categories
Informatique

Fail2Ban Cheat Sheet

Fail2Ban is super useful, but... do you remember most of the commands to actually use it? Let us help!

Fail2Ban Overview

Fail2Ban is a powerful intrusion prevention software designed to enhance the security of servers that are exposed to the internet. It accomplishes this by monitoring log files for malicious activity, such as repeated failed login attempts, and takes proactive measures to protect the system from potential threats. By automatically banning IP addresses that show signs of suspicious behavior, Fail2Ban effectively mitigates risks associated with brute-force attacks and other forms of unauthorized access.

Purpose of This Cheat Sheet

This cheat sheet article serves as a quick reference guide for users looking to efficiently manage their Fail2Ban installation. It consolidates key commands related to service and jail management, ban management, log monitoring, and configuration parameters into an easily digestible format. By providing a streamlined overview, this cheat sheet is particularly useful for system administrators and users who may not remember every command needed to effectively operate Fail2Ban. With this resource, users can quickly access essential commands and configurations, ultimately saving time and improving server security practices.

Service Management

# Start Fail2ban
sudo systemctl start fail2ban

# Stop Fail2ban
sudo systemctl stop fail2ban

# Restart Fail2ban
sudo systemctl restart fail2ban

# Check status
sudo systemctl status fail2ban

Jail Management

# List all jails
sudo fail2ban-client status

# Get status of specific jail
sudo fail2ban-client status sshd
sudo fail2ban-client status fastapi

# Start a jail
sudo fail2ban-client start sshd

# Stop a jail
sudo fail2ban-client stop sshd

Ban Management

# Ban an IP manually
sudo fail2ban-client set sshd banip 192.168.1.100

# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100
sudo fail2ban-client set fastapi unbanip 37.64.58.42

# Get currently banned IPs
sudo fail2ban-client get sshd banned

Log Monitoring

# View Fail2ban log
sudo tail -f /var/log/fail2ban.log

# View detailed jail information
sudo fail2ban-client get sshd actions

Configuration Files

Main configuration files:

  • /etc/fail2ban/jail.conf – Default configuration (don’t edit)
  • /etc/fail2ban/jail.local – Custom configuration (create/edit this)
  • /etc/fail2ban/filter.d/ – Filter definitions
  • /etc/fail2ban/action.d/ – Action definitions

Common Configuration Parameters

# In /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600

Parameter explanations:

  • maxretry: Number of failures before ban
  • findtime: Time window for maxretry (in seconds)
  • bantime: Duration of ban (in seconds)
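
The three parameters interact as a sliding window: an address is banned when maxretry failures fall inside any findtime-long window, and the ban lasts bantime. The script below is an added example, not code from the cheat sheet or from Fail2Ban; it replays a few constructed auth.log lines (not from a real host) through that logic with the jail.local values above. The failregex is a hand-written approximation of a "Failed password" line, not the real filter.d/sshd.conf, and the 2024 year and the "forget failures once banned" behaviour are simplifying assumptions.

```python
import re
from datetime import datetime, timedelta

# Hand-written approximation of a "Failed password" failregex; assumption,
# not the real filter.d/sshd.conf that the jail above uses.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Values from the jail.local snippet above.
MAXRETRY = 3    # failures needed before a ban
FINDTIME = 600  # window (seconds) in which those failures must occur
BANTIME = 3600  # how long (seconds) the address stays banned

# Constructed auth.log lines (not from a real host). 10.0.0.5 fails three
# times within two minutes; 10.0.0.7 fails three times but 15 minutes apart.
SAMPLE_LOG = """\
Mar  4 10:00:00 host sshd[1201]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  4 10:00:30 host sshd[1202]: Failed password for invalid user admin from 10.0.0.7 port 50002 ssh2
Mar  4 10:01:00 host sshd[1203]: Failed password for root from 10.0.0.5 port 50003 ssh2
Mar  4 10:01:30 host sshd[1204]: Accepted publickey for alice from 10.0.0.9 port 50004 ssh2
Mar  4 10:02:00 host sshd[1205]: Failed password for root from 10.0.0.5 port 50005 ssh2
Mar  4 10:15:30 host sshd[1206]: Failed password for invalid user admin from 10.0.0.7 port 50006 ssh2
Mar  4 10:30:30 host sshd[1207]: Failed password for invalid user admin from 10.0.0.7 port 50007 ssh2
""".splitlines()


def parse_ts(ts, year=2024):
    """syslog timestamps carry no year, so one is assumed for the simulation."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through the maxretry/findtime logic.

    Returns {ip: [(ban_start, ban_end), ...]} for every address that would
    have been banned. Simplification: failures are forgotten once an address
    is banned, and lines from a currently banned address are ignored.
    """
    recent = {}        # ip -> failure timestamps still inside the findtime window
    banned_until = {}  # ip -> datetime the current ban expires
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # not a failure line, e.g. the "Accepted publickey" entry
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned_until and t < banned_until[ip]:
            continue  # still banned, nothing to count
        # keep only the failures that are at most findtime seconds old
        window = [f for f in recent.get(ip, []) if t - f <= timedelta(seconds=findtime)]
        window.append(t)
        recent[ip] = window
        if len(window) >= maxretry:
            end = t + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.setdefault(ip, []).append((t, end))
            recent[ip] = []
    return bans


if __name__ == "__main__":
    for ip, periods in simulate(SAMPLE_LOG).items():
        for start, end in periods:
            print(f"{ip} banned at {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the defaults only 10.0.0.5 is banned (at 10:02:00, until 11:02:00); 10.0.0.7 never has three failures inside 600 seconds. Raising findtime to 1800 in the call to simulate() bans 10.0.0.7 as well, which is the trade-off behind the parameter: a longer window catches slow attempts but also raises the chance of banning a legitimate user who mistypes a password a few times over half an hour.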

Testing Configuration

# Test jail configuration
sudo fail2ban-client -d

# Verify syntax of jail.local
sudo fail2ban-client -t

Remember to always backup configuration files before making changes and restart Fail2ban after configuration modifications.

SQLite commands:

Show all IP addresses and their jail:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select ip,jail from bips"

Show all unique IP addresses:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips"

Show all unique IP addresses in the sshd jail:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips where jail='sshd'"
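
To try those queries without touching a live server, the following added example (not code from the cheat sheet or from Fail2Ban) builds an in-memory SQLite database with a bips table modelled loosely on the one Fail2Ban keeps in /var/lib/fail2ban/fail2ban.sqlite3, fills it with constructed rows, and runs the three queries above plus one more that lists only the bans still active. The column set is an assumption (the real table carries additional columns), and the sample addresses and timestamps are made up.

```python
import sqlite3

# Assumption: a reduced version of Fail2Ban's bips table; the real one has
# more columns, but these are enough for the cheat sheet's queries.
SCHEMA = """
CREATE TABLE bips (
    ip TEXT NOT NULL,
    jail TEXT NOT NULL,
    timeofban INTEGER NOT NULL,   -- unix time the ban started
    bantime INTEGER NOT NULL,     -- ban length in seconds
    bancount INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (ip, jail)
);
"""

# Constructed sample rows (documentation-range addresses, not real bans).
NOW = 1_700_000_000
SAMPLE_BANS = [
    ("203.0.113.10", "sshd", NOW - 900, 3600, 1),
    ("203.0.113.10", "fastapi", NOW - 300, 3600, 2),
    ("198.51.100.7", "sshd", NOW - 7200, 3600, 1),   # expired an hour ago
    ("192.0.2.55", "fastapi", NOW - 60, 3600, 1),
]


def open_db(path=":memory:"):
    """Create the table and load the sample rows into a fresh database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bips VALUES (?, ?, ?, ?, ?)", SAMPLE_BANS)
    return conn


def ips_with_jail(conn):
    # same query as: sqlite3 fail2ban.sqlite3 "select ip,jail from bips"
    return conn.execute("select ip,jail from bips").fetchall()


def unique_ips(conn):
    # same query as: "select distinct ip from bips"
    return sorted(r[0] for r in conn.execute("select distinct ip from bips"))


def unique_ips_in_jail(conn, jail):
    # same query as: "select distinct ip from bips where jail='sshd'",
    # with the jail name passed as a bound parameter
    rows = conn.execute("select distinct ip from bips where jail=?", (jail,))
    return sorted(r[0] for r in rows)


def still_banned(conn, now=NOW):
    """Beyond the cheat sheet: entries whose ban has not expired yet."""
    return conn.execute(
        "select ip, jail from bips where timeofban + bantime > ? order by ip, jail",
        (now,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("all bans:", ips_with_jail(db))
    print("unique IPs:", unique_ips(db))
    print("unique IPs in sshd:", unique_ips_in_jail(db, "sshd"))
    print("still active:", still_banned(db))
```

When pointing the same functions at a real database, open it read-only (sqlite3.connect("file:/var/lib/fail2ban/fail2ban.sqlite3?mode=ro", uri=True)) so the query cannot interfere with the running fail2ban-server, and remember that the table keeps historical entries for a while after a ban has expired, which is why "select ip from bips" is not the same as the list returned by fail2ban-client get sshd banned.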



Microsoft AutoUpdate – Required Data Notice

If you manage Macs and they’ve started to display a “Required Data Notice” popup all the time, a setting in your MDM is upsetting Microsoft AutoUpdate.


Blocking Co-Installers in Windows with Intune Remediations

When using Windows 10/11, Windows Plug & Play drivers can automatically install applications (unsecured, dangerous or both) on your computer. This feature is called Co-Installers.

This – initially convenient – behaviour can be undesirable for most of us. For example a bug in Razer’s Synapse software allowed standard users to gain admin access to the machines.

At BoucheCousue, we offer managed services to our customers and are therefore looking to reduce the attack surface of the machines used by end users.

How to block CoInstallers?

You can manually edit your registry by adding or changing a key in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer

Modify or create the value DisableCoInstallers as a DWORD-32 with a value of 1

Source: BleepingComputer

How to block CoInstallers using Intune Remediations

For Intune, you can use Remediation Scripts to change registry settings automatically.

Here is the detection script to upload:

## DetectCoInstallers - BoucheCousue
## Detection script for Intune Remediation

# Parameters
$regkey="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer"
$name="DisableCoInstallers"
$value=1

# Registry Detection Template
If (!(Test-Path $regkey))
{
Write-Output 'RegKey not available - remediate'
Exit 1
}

$check=(Get-ItemProperty -path $regkey -name $name -ErrorAction SilentlyContinue).$name
if ($check -eq $value){
write-output 'setting ok - no remediation required'
Exit 0
} Else {
write-output 'value not ok, no value or could not read - go and remediate'
Exit 1
}

And the remediation one:

## DetectCoInstallers - BoucheCousue
## Remediation script for Intune Remediation

# Parameters
$regkey="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer"
$name="DisableCoInstallers"
$value=1

#Registry Template
If (!(Test-Path $regkey))
{
New-Item -Path $regkey -ErrorAction stop
}

if (!(Get-ItemProperty -Path $regkey -Name $name -ErrorAction SilentlyContinue))
{
New-ItemProperty -Path $regkey -Name $name -Value $value -PropertyType DWORD -ErrorAction stop
write-output "remediation complete"
exit 0
}

set-ItemProperty -Path $regkey -Name $name -Value $value -ErrorAction stop
write-output "remediation complete"
exit 0

Base script by MikeMDM, customized for the needs of this registry key.

Thanks: Big up to Mattias Melkersen for bringing up this topic on X and to Nathan McNulty for sharing the fix that Will Dormann offered.


Indexing Google Drive in Spotlight for Mac OS

If you use Google Drive on Mac OS (formerly named Drive File Stream), you might be having a hard time finding documents and folders in Spotlight. It is quite an easy problem to solve.


Update script for PCEngines APU2 from PFSense

You want to update the BIOS of a PCEngines APU2 box from Pfsense? It is rather easy.


Linux: Delete empty directories

You have loads of empty directories to delete in Linux? There is a command for that!


2 ways to disable Office’s invite for file format

Looking for the registry key or PowerShell script that will help you get rid of the Office invite asking for a default file type? The solution is as follows...