Fail2Ban은 지속해서 잘못된 패스워드를 입력한 IP 주소들을 방화벽 규칙에 추가해서 차단(Ban)한다. sshd(SSH 서버) 이외에도 Apache Web Server(아파치 웹 서버) 등 여러 서버의 로그를 읽어 차단할 수 있지만, 이 글에서는 간단하게 SSH 서버 설정만 다룬다.
모든 명령을 root 계정으로 실행했으며 해당 서버의 배포판과 버전은 CentOS Linux release 7.6.1810 (Core), 패키지들의 버전은 Fail2Ban v0.9.7, firewalld v0.5.3, iptables v1.4.21이다.
1. Python 3.4, EPEL 저장소 설치
Fail2ban 0.9.x 버전은 Python 2.6 버전 이상 혹은 Python 3.2 버전 이상을 필요로 한다.
# yum -y install python34
[root@test ~]# yum install python34
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.iij.ad.jp
* epel: ftp.iij.ad.jp
* extras: ftp.iij.ad.jp
* updates: ftp.iij.ad.jp
Resolving Dependencies
--> Running transaction check
---> Package python34.x86_64 0:3.4.9-2.el7 will be installed
--> Processing Dependency: python34-libs(x86-64) = 3.4.9-2.el7 for package: python34-3.4.9-2.el7.x86_64
--> Processing Dependency: libpython3.4m.so.1.0()(64bit) for package: python34-3.4.9-2.el7.x86_64
--> Running transaction check
---> Package python34-libs.x86_64 0:3.4.9-2.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
python34 x86_64 3.4.9-2.el7 epel 51 k
Installing for dependencies:
python34-libs x86_64 3.4.9-2.el7 epel 8.3 M
Transaction Summary
================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 8.3 M
Installed size: 29 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): python34-3.4.9-2.el7.x86_64.rpm | 51 kB 00:00
(2/2): python34-libs-3.4.9-2.el7.x86_64.rpm | 8.3 MB 00:00
--------------------------------------------------------------------------------
Total 16 MB/s | 8.3 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python34-3.4.9-2.el7.x86_64 1/2
Installing : python34-libs-3.4.9-2.el7.x86_64 2/2
Verifying : python34-libs-3.4.9-2.el7.x86_64 1/2
Verifying : python34-3.4.9-2.el7.x86_64 2/2
Installed:
python34.x86_64 0:3.4.9-2.el7
Dependency Installed:
python34-libs.x86_64 0:3.4.9-2.el7
Complete!
EPEL 패키지 저장소 설치
# yum -y install epel-release
[root@test ~]# yum -y install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.iij.ad.jp
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: ftp.iij.ad.jp
* updates: ftp.iij.ad.jp
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
※ epel-release 패키지가 이미 설치된 서버이다.
2. Fail2Ban 설치
# yum -y install fail2ban
[root@test ~]# yum -y install fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.iij.ad.jp
* epel: ftp.iij.ad.jp
* extras: ftp.iij.ad.jp
* updates: ftp.iij.ad.jp
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.7-1.el7 will be installed
--> Processing Dependency: fail2ban-firewalld = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch
--> Processing Dependency: fail2ban-sendmail = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch
--> Processing Dependency: fail2ban-server = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch
--> Running transaction check
---> Package fail2ban-firewalld.noarch 0:0.9.7-1.el7 will be installed
---> Package fail2ban-sendmail.noarch 0:0.9.7-1.el7 will be installed
---> Package fail2ban-server.noarch 0:0.9.7-1.el7 will be installed
--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.7-1.el7.noarch
--> Running transaction check
---> Package systemd-python.x86_64 0:219-62.el7_6.5 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
fail2ban noarch 0.9.7-1.el7 epel 11 k
Installing for dependencies:
fail2ban-firewalld noarch 0.9.7-1.el7 epel 11 k
fail2ban-sendmail noarch 0.9.7-1.el7 epel 14 k
fail2ban-server noarch 0.9.7-1.el7 epel 288 k
systemd-python x86_64 219-62.el7_6.5 updates 132 k
Transaction Summary
================================================================================
Install 1 Package (+4 Dependent packages)
Total download size: 458 k
Installed size: 1.1 M
Downloading packages:
(1/5): fail2ban-0.9.7-1.el7.noarch.rpm | 11 kB 00:00
(2/5): fail2ban-firewalld-0.9.7-1.el7.noarch.rpm | 11 kB 00:00
(3/5): fail2ban-sendmail-0.9.7-1.el7.noarch.rpm | 14 kB 00:00
(4/5): fail2ban-server-0.9.7-1.el7.noarch.rpm | 288 kB 00:00
(5/5): systemd-python-219-62.el7_6.5.x86_64.rpm | 132 kB 00:00
--------------------------------------------------------------------------------
Total 1.8 MB/s | 458 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : systemd-python-219-62.el7_6.5.x86_64 1/5
Installing : fail2ban-server-0.9.7-1.el7.noarch 2/5
Installing : fail2ban-sendmail-0.9.7-1.el7.noarch 3/5
Installing : fail2ban-firewalld-0.9.7-1.el7.noarch 4/5
Installing : fail2ban-0.9.7-1.el7.noarch 5/5
Verifying : fail2ban-sendmail-0.9.7-1.el7.noarch 1/5
Verifying : fail2ban-0.9.7-1.el7.noarch 2/5
Verifying : fail2ban-server-0.9.7-1.el7.noarch 3/5
Verifying : fail2ban-firewalld-0.9.7-1.el7.noarch 4/5
Verifying : systemd-python-219-62.el7_6.5.x86_64 5/5
Installed:
fail2ban.noarch 0:0.9.7-1.el7
Dependency Installed:
fail2ban-firewalld.noarch 0:0.9.7-1.el7
fail2ban-sendmail.noarch 0:0.9.7-1.el7
fail2ban-server.noarch 0:0.9.7-1.el7
systemd-python.x86_64 0:219-62.el7_6.5
Complete!
3. Fail2Ban 구성
firewalld 서비스를 이용하는 CentOS에서는 아래와 같이 해당 파일을 설정해야 한다.
# vim /etc/fail2ban/jail.conf
※ 필수
87번 줄의 "backend = auto"를 "backend = systemd"로 변경한다.
161번 줄의 "banaction = iptables-multiport"를 "banaction = firewallcmd-new"로 변경한다.
224번 줄의 "[sshd]" 아래에 "enabled = true"를 추가한다.
선택
59번 줄의 bantime : 차단 기간 (초 단위)
63번 줄의 findtime : 설정된 findtime 내에 maxretry 만큼 실패하면 차단 (초 단위)
66번 줄의 maxretry : 설정된 숫자만큼 실패하면 차단
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.conf
before = paths-fedora.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = systemd
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@localhost
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = firewallcmd-new
banaction_allports = iptables-allports
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
#
# SSH servers
#
[sshd]
enabled = true
# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
#
# HTTP servers
#
[apache-auth]
port = http,https
logpath = %(apache_error_log)s
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1
[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s
[suhosin]
port = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s
#
# Webmail and groupware servers
#
[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s
[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log
[horde]
port = http,https
logpath = /var/log/horde/horde.log
[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log
[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https
#
# Web Applications
#
#
[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out
[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit
[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#
# HTTP Proxy servers
#
#
[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
port = 3128
logpath = /var/log/3proxy.log
#
# FTP servers
#
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s
[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
#
# Mail servers
#
# ASSP SMTP Proxy Jail
[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courier-auth]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix-sasl]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[perdition]
port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#
#
# DNS servers
#
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
port = domain,953
logpath = /var/log/named/security.log
[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
#
# Miscellaneous
#
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port = 27017
logpath = /var/log/mongodb/mongodb.log
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2
# stunnel - need to set port for this
[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1
[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s
[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
bantime = 3600
maxretry = 1
findtime = 1
[murmur]
# AKA mumble-server
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log
[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath = /var/log/system.log
logencoding = utf-8
[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log
[slapd]
port = ldap,ldaps
filter = slapd
logpath = /var/log/slapd.log
[domino-smtp]
port = smtp,ssmtp
filter = domino-smtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
/etc/fail2ban/fail2ban.conf 파일은 굳이 건드리지 않아도 서비스가 작동하지만 간단하게 설명하자면…
loglevel – 기록될 로그의 최소 레벨. 설정 가능한 레벨은 다음과 같다.
CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
logtarget – 로그가 기록될 파일 경로. 기본 설정은 /var/log/fail2ban.log이며 다음 네 가지 값 중 하나를 설정할 수 있다.
STDOUT, STDERR, SYSLOG, File (예 /var/log/fail2ban.log)
socket – socket 파일이 위치할 디렉터리
pidfile – pid 파일의 위치
설정을 편집했으면 fail2ban.conf, jail.conf의 설정을 각각 fail2ban.local, jail.local로 복사해둔다.
서비스 시작 시 .conf파일부터 먼저 읽고 그 다음 .local의 설정을 읽는데,
fail2ban을 업데이트하면 .conf파일이 초기화되기 때문
# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# ls /etc/fail2ban/
[root@test ~]# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
[root@test ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[root@test ~]# ls /etc/fail2ban/
action.d filter.d paths-common.conf paths-opensuse.conf
fail2ban.conf jail.conf paths-debian.conf paths-osx.conf
fail2ban.d jail.d paths-fedora.conf
fail2ban.local jail.local paths-freebsd.conf
4. Fail2Ban 서비스 시작 및 자동 실행 등록
# systemctl start fail2ban.service
# systemctl enable fail2ban.service
# systemctl status fail2ban.service
[root@test ~]# systemctl start fail2ban.service
[root@test ~]# systemctl enable fail2ban.service
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
[root@test ~]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2019-02-26 21:39:40 KST; 12h ago
Docs: man:fail2ban(1)
Process: 5852 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 20491 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 20494 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─20494 /usr/bin/python2 -s /usr/b...
Feb 26 21:39:40 test.vorcloud.com systemd[1]: ...
Feb 26 21:39:40 test.vorcloud.com fail2ban-client[20491]: ...
Feb 26 21:39:40 test.vorcloud.com fail2ban-client[20491]: ...
Feb 26 21:39:40 test.vorcloud.com systemd[1]: ...
Hint: Some lines were ellipsized, use -l to show in full.
5. 로그 및 차단 현황 보기
# tail -30 /var/log/fail2ban.log
[root@test ~]# tail -30 /var/log/fail2ban.log
2019-02-27 08:56:20,200 fail2ban.filter [20494]: INFO [sshd] Found 128.199.128.215
2019-02-27 09:10:32,848 fail2ban.filter [20494]: INFO [sshd] Found 142.165.136.77
2019-02-27 09:10:57,753 fail2ban.filter [20494]: INFO [sshd] Found 27.106.45.6
2019-02-27 09:10:58,743 fail2ban.actions [20494]: NOTICE [sshd] Ban 27.106.45.6
2019-02-27 09:11:45,364 fail2ban.filter [20494]: INFO [sshd] Found 103.250.84.164
2019-02-27 09:14:44,984 fail2ban.filter [20494]: INFO [sshd] Found 200.149.7.206
2019-02-27 09:28:56,870 fail2ban.filter [20494]: INFO [sshd] Found 54.36.98.223
2019-02-27 09:29:48,150 fail2ban.filter [20494]: INFO [sshd] Found 139.59.108.237
2019-02-27 09:38:33,795 fail2ban.filter [20494]: INFO [sshd] Found 46.105.227.206
2019-02-27 09:38:38,569 fail2ban.filter [20494]: INFO [sshd] Found 119.62.70.4
2019-02-27 09:43:03,584 fail2ban.filter [20494]: INFO [sshd] Found 41.230.56.204
2019-02-27 09:44:17,920 fail2ban.filter [20494]: INFO [sshd] Found 119.28.72.123
2019-02-27 09:44:37,548 fail2ban.filter [20494]: INFO [sshd] Found 51.38.187.135
2019-02-27 09:45:33,173 fail2ban.filter [20494]: INFO [sshd] Found 124.82.156.29
2019-02-27 09:47:16,913 fail2ban.filter [20494]: INFO [sshd] Found 178.32.96.181
2019-02-27 09:47:48,165 fail2ban.filter [20494]: INFO [sshd] Found 190.85.63.50
2019-02-27 09:52:12,903 fail2ban.filter [20494]: INFO [sshd] Found 197.5.144.78
2019-02-27 09:52:29,951 fail2ban.filter [20494]: INFO [sshd] Found 200.48.220.12
2019-02-27 09:53:21,636 fail2ban.filter [20494]: INFO [sshd] Found 1.202.15.234
2019-02-27 09:54:10,640 fail2ban.filter [20494]: INFO [sshd] Found 91.16.49.22
2019-02-27 09:55:18,858 fail2ban.filter [20494]: INFO [sshd] Found 40.69.40.86
2019-02-27 09:55:34,528 fail2ban.filter [20494]: INFO [sshd] Found 58.64.184.233
2019-02-27 10:04:47,531 fail2ban.filter [20494]: INFO [sshd] Found 113.142.63.162
2019-02-27 10:06:31,782 fail2ban.filter [20494]: INFO [sshd] Found 185.38.3.138
2019-02-27 10:06:49,044 fail2ban.filter [20494]: INFO [sshd] Found 103.253.107.187
2019-02-27 10:06:49,911 fail2ban.actions [20494]: NOTICE [sshd] Ban 103.253.107.187
2019-02-27 10:08:02,848 fail2ban.filter [20494]: INFO [sshd] Found 79.2.22.244
2019-02-27 10:09:35,790 fail2ban.filter [20494]: INFO [sshd] Found 180.180.122.31
2019-02-27 10:14:15,064 fail2ban.filter [20494]: INFO [sshd] Found 27.40.23.221
2019-02-27 10:14:26,481 fail2ban.filter [20494]: INFO [sshd] Found 165.227.69.39
※ fail2ban 서비스를 시작한 지 이틀 정도 지난 후에 실행한 결과
# fail2ban-client status sshd
[root@test ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 170
| |- Total failed: 186
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 42
|- Total banned: 42
`- Banned IP list: 101.226.196.132 105.247.158.86 118.182.118.248 122.162.27.17 125.105.44.44 128.199.103.93 132.148.155.86 138.197.190.118 149.129.225.127 160.120.129.35 167.99.153.22 175.140.190.106 176.196.192.48 182.73.123.118 193.201.224.158 198.98.61.186 201.54.77.145 206.189.30.229 223.87.179.207 27.114.168.20 34.212.119.26 36.78.1.59 46.101.246.82 51.15.36.163 51.38.135.6 51.38.38.221 67.205.135.65 68.183.17.76 73.162.65.136 78.131.56.62 78.194.31.97 91.69.164.24 92.222.15.70 94.23.62.187 104.250.160.150 77.127.65.157 222.137.121.214 103.99.186.20 94.23.55.228 81.247.81.209 27.106.45.6 103.253.107.187
※ fail2ban 서비스를 시작한 지 이틀 정도 지난 후에 실행한 결과
# iptables -L f2b-sshd
[root@test ~]# iptables -L f2b-sshd
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- ip-103-253-107-187.interlink.net.id anywhere reject-with icmp-port-unreachable
REJECT all -- 6.45.106.27.mysipl.com anywhere reject-with icmp-port-unreachable
REJECT all -- 209.81-247-81.adsl-dyn.isp.belgacom.be anywhere reject-with icmp-port-unreachable
REJECT all -- ns301984.ip-94-23-55.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 103.99.186.20 anywhere reject-with icmp-port-unreachable
REJECT all -- hn.kd.ny.adsl anywhere reject-with icmp-port-unreachable
REJECT all -- 77.127.65.157 anywhere reject-with icmp-port-unreachable
REJECT all -- 104.250.160.150 anywhere reject-with icmp-port-unreachable
REJECT all -- ns396064.ip-94-23-62.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 70.ip-92-222-15.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 24.164.69.91.rev.sfr.net anywhere reject-with icmp-port-unreachable
REJECT all -- ran75-4-78-194-31-97.fbxo.proxad.net anywhere reject-with icmp-port-unreachable
REJECT all -- 78-131-56-62.static.hdsnet.hu anywhere reject-with icmp-port-unreachable
REJECT all -- c-73-162-65-136.hsd1.ca.comcast.net anywhere reject-with icmp-port-unreachable
REJECT all -- 68.183.17.76 anywhere reject-with icmp-port-unreachable
REJECT all -- 67.205.135.65 anywhere reject-with icmp-port-unreachable
REJECT all -- 221.ip-51-38-38.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 6.ip-51-38-135.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 163-36-15-51.rev.cloud.scaleway.com anywhere reject-with icmp-port-unreachable
REJECT all -- 46.101.246.82 anywhere reject-with icmp-port-unreachable
REJECT all -- 36.78.1.59 anywhere reject-with icmp-port-unreachable
REJECT all -- ec2-34-212-119-26.us-west-2.compute.amazonaws.com anywhere reject-with icmp-port-unreachable
REJECT all -- 27.114.168.20 anywhere reject-with icmp-port-unreachable
REJECT all -- 223.87.179.207 anywhere reject-with icmp-port-unreachable
REJECT all -- 206.189.30.229 anywhere reject-with icmp-port-unreachable
REJECT all -- 201-54-77-145.sercomtel.com.br anywhere reject-with icmp-port-unreachable
REJECT all -- . anywhere reject-with icmp-port-unreachable
REJECT all -- 193.201.224.158 anywhere reject-with icmp-port-unreachable
REJECT all -- 182.73.123.118 anywhere reject-with icmp-port-unreachable
REJECT all -- 176.196.192.48 anywhere reject-with icmp-port-unreachable
REJECT all -- 175.140.190.106 anywhere reject-with icmp-port-unreachable
REJECT all -- 167.99.153.22 anywhere reject-with icmp-port-unreachable
REJECT all -- 160.120.129.35 anywhere reject-with icmp-port-unreachable
REJECT all -- 149.129.225.127 anywhere reject-with icmp-port-unreachable
REJECT all -- 138.197.190.118 anywhere reject-with icmp-port-unreachable
REJECT all -- ip-132-148-155-86.ip.secureserver.net anywhere reject-with icmp-port-unreachable
REJECT all -- 156928.cloudwaysapps.com anywhere reject-with icmp-port-unreachable
REJECT all -- 125.105.44.44 anywhere reject-with icmp-port-unreachable
REJECT all -- abts-north-dynamic-017.27.162.122.airtelbroadband.in anywhere reject-with icmp-port-unreachable
REJECT all -- 118.182.118.248 anywhere reject-with icmp-port-unreachable
REJECT all -- 105.247.158.86 anywhere reject-with icmp-port-unreachable
REJECT all -- 101.226.196.132 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
태그 : 리눅스, Linux, CentOS, 서버, Server, 보안, SSH, sshd, Fail2Ban, Firewalld, Firewall, 방화벽, iptables
'Linux > CentOS' 카테고리의 다른 글
| (CentOS 7) Strongswan을 이용한 IKEv2 VPN 서버 구축하기 (7) | 2019.02.24 |
|---|