According to the write-up at http://www.howtoforge.com/fail2ban_debian_etch, fail2ban is a program that blocks brute-force attacks.
Unlike denyhosts, which only covers ssh, it can be configured for any service that writes a log, and it uses iptables to do the blocking.

See also: http://cha.homeip.net/blog/archives/2007/06/_fail2ban_ip.html

Fedora Core release 6 (Zod)

[1.] Install
yum install fail2ban

[2.] Configure
vi /etc/fail2ban/fail2ban.conf

# log level and log file path
loglevel = 4
logtarget = /var/log/fail2ban.log

vi /etc/fail2ban/jail.conf

# IPs that are never banned
ignoreip = 127.0.0.1 10.1.1.1

# ban duration (seconds)
bantime  = 600

# ban after three failed attempts within 600 seconds
findtime  = 600
maxretry = 3

# SSH jail
[ssh-iptables]
# whether the jail is active; true to enable
enabled  = true

# the sshd filter is defined in filter.d/
filter   = sshd
# iptables-ssh: name=SSH is the chain name (fail2ban-SSH), port ssh (22), protocol tcp
# sendmail-whois: mail subject tagged SSH, sender fail2ban, recipient cross
action   = iptables-ssh[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=cross, sender=fail2ban]
logpath  = /var/log/secure
maxretry = 5

The directory filter.d/ holds the filters that decide which log lines count as failures to be banned.

more filter.d/sshd.conf

The file name sshd is what filter = sshd in jail.conf refers to.

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 613 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM <HOST>\s*$
            [iI](?:llegal|nvalid) user .* from <HOST>\s*$
            User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
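As an added example (not part of the original post and not fail2ban's own code), the script below applies the six failregex lines above, with <HOST> replaced by the alias from the header comment, to constructed /var/log/secure lines, and then applies the findtime/maxretry rule from jail.conf, so you can see which host gets banned and why a slow scan spaced wider than findtime does not. The syslog prefix pattern, host name and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# The failregex lines of filter.d/sshd.conf with <HOST> replaced by the alias from its header comment.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = [re.compile(p) for p in (
    r"(?:error: PAM: )?Authentication failure for .* from " + HOST + r"\s*$",
    r"Failed [-/\w]+ for .* from " + HOST + r"(?: port \d*)?(?: ssh\d*)?\s*$",
    r"ROOT LOGIN REFUSED.* FROM " + HOST + r"\s*$",
    r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$",
    r"User .+ from " + HOST + r" not allowed because not listed in AllowUsers\s*$",
    r"User .+ from " + HOST + r" not allowed because none of user's groups are listed in AllowGroups\s*$",
)]
# Assumed syslog prefix of /var/log/secure lines: "Oct 10 12:27:28 host sshd[4123]: message".
SYSLOG = re.compile(r"^(?P<date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")

def match_failure(line, year=2007):
    """Return (timestamp, host) when a log line matches one failregex, else None."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    for rx in FAILREGEX:
        f = rx.search(m.group("msg"))
        if f:
            return datetime.strptime(f"{year} {m.group('date')}", "%Y %b %d %H:%M:%S"), f.group("host")
    return None

def find_bans(lines, findtime=600, maxretry=3, ignoreip=("127.0.0.1",)):
    """Emulate the jail: ban a host on its maxretry-th failure inside a findtime window."""
    recent = defaultdict(list)   # host -> failure timestamps still inside the findtime window
    bans = []                    # (host, time of ban) in the order they would be issued
    for line in lines:
        hit = match_failure(line)
        if hit is None or hit[1] in ignoreip:
            continue
        ts, host = hit
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[host]) >= maxretry and host not in {h for h, _ in bans}:
            bans.append((host, ts))
    return bans
# Constructed sample of /var/log/secure (203.0.113.0/24 is documentation address space).
SAMPLE_SECURE = """\
Oct 10 12:27:24 ssorc sshd[4123]: Failed password for root from 203.0.113.9 port 5566 ssh2
Oct 10 12:27:28 ssorc sshd[4123]: Failed password for root from 203.0.113.9 port 5566 ssh2
Oct 10 12:27:30 ssorc sshd[4130]: Accepted publickey for cross from 127.0.0.1 port 41000 ssh2
Oct 10 12:27:35 ssorc sshd[4123]: Failed password for root from 203.0.113.9 port 5566 ssh2
Oct 10 12:40:00 ssorc sshd[4140]: Invalid user admin from 203.0.113.50
Oct 10 12:50:01 ssorc sshd[4141]: Invalid user admin from 203.0.113.50
Oct 10 13:00:02 ssorc sshd[4142]: Invalid user admin from 203.0.113.50
""".splitlines()
```

Running find_bans(SAMPLE_SECURE) bans only 203.0.113.9 at 12:27:35; the three failures from 203.0.113.50 are each 601 seconds apart, so the 600-second findtime window never holds more than one of them.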

The directory action.d/ defines what to do with a connection once it has been flagged for banning.

more action.d/iptables-ssh.conf

[Definition]
# Run when fail2ban starts: create the chain. If you already have rules of your own,
# the rule number after -I INPUT (9 here) sets where fail2ban-SSH sits in the INPUT chain.
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT 9 -p <protocol> --dport <port> -j fail2ban-<name>

# Run when fail2ban stops
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# The ban itself
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Remove the ban
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

name = default

port = ssh

protocol = tcp
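Added example (not from the original post and not fail2ban's code): how the [Init] defaults and the jail's iptables-ssh[name=SSH, port=ssh, protocol=tcp] parameters are merged and substituted into the <name>, <port>, <protocol> and <ip> tags, reproducing the iptables commands that later appear in fail2ban.log. The parse_jail_action and render helpers are my own reconstruction of the mechanism.

```python
import re

# [Init] section of action.d/iptables-ssh.conf: values used when the jail does not override them.
INIT = {"name": "default", "port": "ssh", "protocol": "tcp"}

# The command templates from iptables-ssh.conf above, tags left unexpanded.
ACTIONS = {
    "actionstart": ["iptables -N fail2ban-<name>",
                    "iptables -A fail2ban-<name> -j RETURN",
                    "iptables -I INPUT 9 -p <protocol> --dport <port> -j fail2ban-<name>"],
    "actionstop":  ["iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>",
                    "iptables -F fail2ban-<name>", "iptables -X fail2ban-<name>"],
    "actioncheck": ["iptables -n -L INPUT | grep -q fail2ban-<name>"],
    "actionban":   ["iptables -I fail2ban-<name> 1 -s <ip> -j DROP"],
    "actionunban": ["iptables -D fail2ban-<name> -s <ip> -j DROP"],
}

def parse_jail_action(spec):
    """Split a jail.conf entry such as 'iptables-ssh[name=SSH, port=ssh]' into (action, overrides)."""
    m = re.fullmatch(r"\s*([\w-]+)\s*(?:\[(.*)\])?\s*", spec)
    if m is None:
        raise ValueError(f"bad action spec: {spec!r}")
    overrides = {}
    for kv in (m.group(2) or "").split(","):
        if kv.strip():
            key, _, value = kv.partition("=")
            overrides[key.strip()] = value.strip()
    return m.group(1), overrides

def render(action_key, spec, ip=None):
    """Expand <name>, <port>, <protocol> and <ip> into the commands fail2ban would run."""
    _, overrides = parse_jail_action(spec)
    tags = {**INIT, **overrides}          # jail parameters win over the [Init] defaults
    if ip is not None:
        tags["ip"] = ip                   # only ban/unban receive an address
    def expand(m):
        if m.group(1) not in tags:
            raise KeyError(f"{action_key}: no value for tag <{m.group(1)}>")
        return tags[m.group(1)]
    return [re.sub(r"<(\w+)>", expand, cmd) for cmd in ACTIONS[action_key]]
```

Leaving the jail's name= out falls back to fail2ban-default, which is why every jail that shares this action must pass a distinct name.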

[3.] Start
service fail2ban start

more /var/log/fail2ban.log

(earlier lines omitted…)
2007-10-10 12:23:20,715 fail2ban.filter : DEBUG  Date 0 is smaller than 1191705426.0
2007-10-10 12:23:20,717 fail2ban.filter : DEBUG  Log rotation detected for /var/log/secure
2007-10-10 12:23:20,718 fail2ban.filter : DEBUG  Setting file position to 0 for /var/log/secure
2007-10-10 12:23:20,793 fail2ban.filter : DEBUG  Got event: 9 for /var/log/secure
2007-10-10 12:23:20,794 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2007-10-10 12:23:20,888 fail2ban.actions.action: DEBUG  echo -en "Subject: [Fail2Ban] SSH: started
From: Fail2Ban 
To: cross
Hi,
The jail SSH has been started successfully.
Regards,
Fail2Ban" | /usr/sbin/sendmail -f fail2ban cross returned successfully

[4.] Test
ssh to ssorc.tw and keep pressing enter; after three failures in a row you are jailed

iptables -n -L

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  202.xx.xx.xx        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

more /var/log/fail2ban.log

2007-10-10 12:27:24,300 fail2ban.filter : DEBUG  Got event: 1 for /var/log/secure
2007-10-10 12:27:24,301 fail2ban.filter : DEBUG  File changed: /var/log/secure
2007-10-10 12:27:24,301 fail2ban.filter : DEBUG  Opened /var/log/secure
2007-10-10 12:27:24,303 fail2ban.filter : DEBUG  Setting file position to 21999L for /var/log/secure
2007-10-10 12:27:24,305 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2007-10-10 12:27:28,315 fail2ban.filter : DEBUG  Got event: 1 for /var/log/secure
2007-10-10 12:27:28,316 fail2ban.filter : DEBUG  File changed: /var/log/secure
2007-10-10 12:27:28,316 fail2ban.filter : DEBUG  Opened /var/log/secure
2007-10-10 12:27:28,317 fail2ban.filter : DEBUG  Setting file position to 22069L for /var/log/secure
2007-10-10 12:27:28,317 fail2ban.filter : DEBUG  Found 202.xx.xx.xx
2007-10-10 12:27:28,318 fail2ban.filter : DEBUG  Found 202.xx.xx.xx
2007-10-10 12:27:28,320 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2007-10-10 12:27:35,335 fail2ban.filter : DEBUG  Got event: 1 for /var/log/secure
2007-10-10 12:27:35,336 fail2ban.filter : DEBUG  File changed: /var/log/secure
2007-10-10 12:27:35,336 fail2ban.filter : DEBUG  Opened /var/log/secure
2007-10-10 12:27:35,337 fail2ban.filter : DEBUG  Setting file position to 22329L for /var/log/secure
2007-10-10 12:27:35,340 fail2ban.filter : DEBUG  Found 202.xx.xx.xx
2007-10-10 12:27:35,341 fail2ban.filter : DEBUG  Found 202.xx.xx.xx
2007-10-10 12:27:35,342 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2007-10-10 12:27:39,350 fail2ban.filter : DEBUG  Got event: 1 for /var/log/secure
2007-10-10 12:27:39,350 fail2ban.filter : DEBUG  File changed: /var/log/secure
2007-10-10 12:27:39,350 fail2ban.filter : DEBUG  Opened /var/log/secure
2007-10-10 12:27:39,351 fail2ban.filter : DEBUG  Setting file position to 22589L for /var/log/secure
2007-10-10 12:27:39,352 fail2ban.filter : DEBUG  Found 202.xx.xx.xx
2007-10-10 12:27:39,352 fail2ban.filter : DEBUG  Found 202.xx.xx.xx
2007-10-10 12:27:39,353 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2007-10-10 12:27:39,464 fail2ban.actions: WARNING [ssh-iptables] Ban 202.xx.xx.xx
2007-10-10 12:27:39,464 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-10 12:27:39,491 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-10 12:27:39,493 fail2ban.actions.action: DEBUG  iptables -I fail2ban-SSH 1 -s 202.xx.xx.xx -j DROP
2007-10-10 12:27:39,505 fail2ban.actions.action: DEBUG  iptables -I fail2ban-SSH 1 -s 202.xx.xx.xx -j DROP returned successfully
2007-10-10 12:27:39,506 fail2ban.actions.action: DEBUG
2007-10-10 12:27:39,514 fail2ban.actions.action: DEBUG   returned successfully
2007-10-10 12:27:39,515 fail2ban.actions.action: DEBUG  echo -en "Subject: [Fail2Ban] SSH: banned 202.xx.xx.xx
From: Fail2Ban 
To: cross
Hi,
The IP 202.xx.xx.xx has just been banned by Fail2Ban after
6 attempts against SSH.
Here are more information about 202.xx.xx.xx:
`/usr/bin/whois 202.xx.xx.xx`
Regards,
Fail2Ban" | /usr/sbin/sendmail -f fail2ban cross
2007-10-10 12:27:41,821 fail2ban.actions.action: DEBUG  echo -en "Subject: [Fail2Ban] SSH: banned 202.xx.xx.xx
From: Fail2Ban 
To: cross
Hi,
The IP 202.xx.xx.xx has just been banned by Fail2Ban after
6 attempts against SSH.
Here are more information about 202.xx.xx.xx:
`/usr/bin/whois 202.xx.xx.xx`
Regards,
Fail2Ban" | /usr/sbin/sendmail -f fail2ban cross returned successfully
2007-10-10 12:34:01,149 fail2ban.filter : DEBUG  Got event: 1 for /var/log/secure
2007-10-10 12:34:01,151 fail2ban.filter : DEBUG  File changed: /var/log/secure
2007-10-10 12:34:01,152 fail2ban.filter : DEBUG  Opened /var/log/secure
2007-10-10 12:34:01,157 fail2ban.filter : DEBUG  Setting file position to 22849L for /var/log/secure
2007-10-10 12:34:01,160 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2007-10-10 12:35:19,333 fail2ban.filter : DEBUG  Got event: 1 for /var/log/secure
2007-10-10 12:35:19,333 fail2ban.filter : DEBUG  File changed: /var/log/secure
2007-10-10 12:35:19,333 fail2ban.filter : DEBUG  Opened /var/log/secure
2007-10-10 12:35:19,341 fail2ban.filter : DEBUG  Setting file position to 22943L for /var/log/secure
2007-10-10 12:35:19,342 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2007-10-10 12:37:40,150 fail2ban.actions: WARNING [ssh-iptables] Unban 202.xx.xx.xx
2007-10-10 12:37:40,151 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-10 12:37:40,349 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-10 12:37:40,350 fail2ban.actions.action: DEBUG  iptables -D fail2ban-SSH -s 202.xx.xx.xx -j DROP
2007-10-10 12:37:40,361 fail2ban.actions.action: DEBUG  iptables -D fail2ban-SSH -s 202.xx.xx.xx -j DROP returned successfully
2007-10-10 12:37:40,362 fail2ban.actions.action: DEBUG  Nothing to do

A mail arrives with the subject [Fail2Ban] SSH: banned 202.xx.xx.xx

Hi,
The IP 202.xx.xx.xx has just been banned by Fail2Ban after
6 attempts against SSH.

Here are more information about 202.xx.xx.xx:

[Querying whois.apnic.net]
[Redirected to whois.twnic.net]
[Querying whois.twnic.net]
[whois.twnic.net]
XX Taiwan Inc.

   Netname: XX-NET
   Netblock: 202.xx.xx.0/24

   Administrator contact:
      [email protected]

   Technical contact:
      [email protected]

Regards,

Fail2Ban