vorCloud Blog #2

[root@test ~]# yum install python34

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: ftp.iij.ad.jp

 * epel: ftp.iij.ad.jp

 * extras: ftp.iij.ad.jp

 * updates: ftp.iij.ad.jp

Resolving Dependencies

--> Running transaction check

---> Package python34.x86_64 0:3.4.9-2.el7 will be installed

--> Processing Dependency: python34-libs(x86-64) = 3.4.9-2.el7 for package: python34-3.4.9-2.el7.x86_64

--> Processing Dependency: libpython3.4m.so.1.0()(64bit) for package: python34-3.4.9-2.el7.x86_64

--> Running transaction check

---> Package python34-libs.x86_64 0:3.4.9-2.el7 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

================================================================================

 Package               Arch           Version                Repository    Size

================================================================================

Installing:

 python34              x86_64         3.4.9-2.el7            epel          51 k

Installing for dependencies:

 python34-libs         x86_64         3.4.9-2.el7            epel         8.3 M

Transaction Summary

================================================================================

Install  1 Package (+1 Dependent package)

Total download size: 8.3 M

Installed size: 29 M

Is this ok [y/d/N]: y

Downloading packages:

(1/2): python34-3.4.9-2.el7.x86_64.rpm                     |  51 kB   00:00

(2/2): python34-libs-3.4.9-2.el7.x86_64.rpm                | 8.3 MB   00:00

--------------------------------------------------------------------------------

Total                                               16 MB/s | 8.3 MB  00:00

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : python34-3.4.9-2.el7.x86_64                                  1/2

  Installing : python34-libs-3.4.9-2.el7.x86_64                             2/2

  Verifying  : python34-libs-3.4.9-2.el7.x86_64                             1/2

  Verifying  : python34-3.4.9-2.el7.x86_64                                  2/2

Installed:

  python34.x86_64 0:3.4.9-2.el7

Dependency Installed:

  python34-libs.x86_64 0:3.4.9-2.el7

Complete!

[root@test ~]# yum -y install epel-release

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: ftp.iij.ad.jp

 * epel: d2lzkl7pfhq30w.cloudfront.net

 * extras: ftp.iij.ad.jp

 * updates: ftp.iij.ad.jp

Package epel-release-7-11.noarch already installed and latest version

Nothing to do

※ epel-release 패키지가 이미 설치된 서버이다.

[root@test ~]# yum -y install fail2ban

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: ftp.iij.ad.jp

 * epel: ftp.iij.ad.jp

 * extras: ftp.iij.ad.jp

 * updates: ftp.iij.ad.jp

Resolving Dependencies

--> Running transaction check

---> Package fail2ban.noarch 0:0.9.7-1.el7 will be installed

--> Processing Dependency: fail2ban-firewalld = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch

--> Processing Dependency: fail2ban-sendmail = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch

--> Processing Dependency: fail2ban-server = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch

--> Running transaction check

---> Package fail2ban-firewalld.noarch 0:0.9.7-1.el7 will be installed

---> Package fail2ban-sendmail.noarch 0:0.9.7-1.el7 will be installed

---> Package fail2ban-server.noarch 0:0.9.7-1.el7 will be installed

--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.7-1.el7.noarch

--> Running transaction check

---> Package systemd-python.x86_64 0:219-62.el7_6.5 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

================================================================================

 Package                  Arch         Version              Repository     Size

================================================================================

Installing:

 fail2ban                 noarch       0.9.7-1.el7          epel           11 k

Installing for dependencies:

 fail2ban-firewalld       noarch       0.9.7-1.el7          epel           11 k

 fail2ban-sendmail        noarch       0.9.7-1.el7          epel           14 k

 fail2ban-server          noarch       0.9.7-1.el7          epel          288 k

 systemd-python           x86_64       219-62.el7_6.5       updates       132 k

Transaction Summary

================================================================================

Install  1 Package (+4 Dependent packages)

Total download size: 458 k

Installed size: 1.1 M

Downloading packages:

(1/5): fail2ban-0.9.7-1.el7.noarch.rpm                     |  11 kB   00:00

(2/5): fail2ban-firewalld-0.9.7-1.el7.noarch.rpm           |  11 kB   00:00

(3/5): fail2ban-sendmail-0.9.7-1.el7.noarch.rpm            |  14 kB   00:00

(4/5): fail2ban-server-0.9.7-1.el7.noarch.rpm              | 288 kB   00:00

(5/5): systemd-python-219-62.el7_6.5.x86_64.rpm            | 132 kB   00:00

--------------------------------------------------------------------------------

Total                                              1.8 MB/s | 458 kB  00:00

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : systemd-python-219-62.el7_6.5.x86_64                         1/5

  Installing : fail2ban-server-0.9.7-1.el7.noarch                           2/5

  Installing : fail2ban-sendmail-0.9.7-1.el7.noarch                         3/5

  Installing : fail2ban-firewalld-0.9.7-1.el7.noarch                        4/5

  Installing : fail2ban-0.9.7-1.el7.noarch                                  5/5

  Verifying  : fail2ban-sendmail-0.9.7-1.el7.noarch                         1/5

  Verifying  : fail2ban-0.9.7-1.el7.noarch                                  2/5

  Verifying  : fail2ban-server-0.9.7-1.el7.noarch                           3/5

  Verifying  : fail2ban-firewalld-0.9.7-1.el7.noarch                        4/5

  Verifying  : systemd-python-219-62.el7_6.5.x86_64                         5/5

Installed:

  fail2ban.noarch 0:0.9.7-1.el7

Dependency Installed:

  fail2ban-firewalld.noarch 0:0.9.7-1.el7

  fail2ban-sendmail.noarch 0:0.9.7-1.el7

  fail2ban-server.noarch 0:0.9.7-1.el7

  systemd-python.x86_64 0:219-62.el7_6.5

Complete!

#

# WARNING: heavily refactored in 0.9.0 release.  Please review and

#          customize settings for your setup.

#

# Changes:  in most of the cases you should not modify this

#           file, but provide customizations in jail.local file,

#           or separate .conf files under jail.d/ directory, e.g.:

#

# HOW TO ACTIVATE JAILS:

#

# YOU SHOULD NOT MODIFY THIS FILE.

#

# It will probably be overwritten or improved in a distribution update.

#

# Provide customizations in a jail.local file or a jail.d/customisation.local.

# For example to change the default bantime for all jails and to enable the

# ssh-iptables jail the following (uncommented) would appear in the .local file.

# See man 5 jail.conf for details.

#

# [DEFAULT]

# bantime = 3600

#

# [sshd]

# enabled = true

#

# See jail.conf(5) man page for more information

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

[INCLUDES]

#before = paths-distro.conf

before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

#

# MISCELLANEOUS OPTIONS

#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space (and/or comma) separator.

ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,

# and return true if the IP is to be ignored. False otherwise.

#

# ignorecommand = /path/to/command <ip>

ignorecommand =

# "bantime" is the number of seconds that a host is banned.

bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime  = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 5

# "backend" specifies the backend used to get files modification.

# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".

# This option can be overridden in each jail as well.

#

# pyinotify: requires pyinotify (a file alteration monitor) to be installed.

#              If pyinotify is not installed, Fail2ban will use auto.

# gamin:     requires Gamin (a file alteration monitor) to be installed.

#              If Gamin is not installed, Fail2ban will use auto.

# polling:   uses a polling algorithm which does not require external libraries.

# systemd:   uses systemd python library to access the systemd journal.

#              Specifying "logpath" is not valid for this backend.

#              See "journalmatch" in the jails associated filter config

# auto:      will try to use the following backends, in order:

#              pyinotify, gamin, polling.

#

# Note: if systemd backend is chosen as the default but you enable a jail

#       for which logs are present only in its own log files, specify some other

#       backend for that jail (e.g. polling) and provide empty value for

#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200

backend = systemd

# "usedns" specifies if jails should trust hostnames in logs,

#   warn when DNS lookups are performed, or ignore all hostnames in logs

#

# yes:   if a hostname is encountered, a DNS lookup will be performed.

# warn:  if a hostname is encountered, a DNS lookup will be performed,

#        but it will be logged as a warning.

# no:    if a hostname is encountered, will not be used for banning,

#        but it will be logged as info.

# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)

usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail

#   This is used to decode the lines from the log file.

#   Typical examples:  "ascii", "utf-8"

#

#   auto:   will use the system locale setting

logencoding = auto

# "enabled" enables the jails.

#  By default all jails are disabled, and it should stay this way.

#  Enable only relevant to your setup jails in your .local or jail.d/*.conf

#

# true:  jail will be enabled and log files will get monitored for changes

# false: jail is not enabled

enabled = false

# "filter" defines the filter to use by the jail.

#  By default jails have names matching their filter name

#

filter = %(__name__)s

#

# ACTIONS

#

# Some options used for actions

# Destination email address used solely for the interpolations in

# jail.{conf,local,d/*} configuration files.

destemail = root@localhost

# Sender email address used solely for some actions

sender = root@localhost

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the

# mailing. Change mta configuration parameter to mail if you want to

# revert to conventional 'mail'.

mta = sendmail

# Default protocol

protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions

chain = INPUT

# Ports to be banned

# Usually should be overridden in a particular jail

port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#

# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,

# iptables-multiport, shorewall, etc) It is used to define

# action_* variables. Can be overridden globally or per

# section within jail.local file

banaction = firewallcmd-new

banaction_allports = iptables-allports

# The simplest action to take: ban only

action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines

# to the destemail.

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action

#

# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines

# to the destemail.

action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines

# to the destemail.

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]

                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API

#

# See the IMPORTANT note in action.d/blocklist_de.conf for when to

# use this action. Create a file jail.d/blocklist_de.local containing

# [Init]

# blocklist_de_apikey = {api key from registration]

#

action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

# Report ban via badips.com, and use as blacklist

#

# See BadIPsAction docstring in config/action.d/badips.py for

# documentation for this action.

#

# NOTE: This action relies on banaction being present on start and therefore

# should be last action defined for a jail.

#

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]

#

# Report ban via badips.com (uses action.d/badips.conf for reporting only)

#

action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

# Choose default action.  To change, just override value of 'action' with the

# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local

# globally (section [DEFAULT]) or per specific section

action = %(action_)s

#

# JAILS

#

#

# SSH servers

#

[sshd]

enabled = true

# To use more aggressive sshd filter (inclusive sshd-ddos failregex):

#filter = sshd-aggressive

port    = ssh

logpath = %(sshd_log)s

backend = %(sshd_backend)s

[sshd-ddos]

# This jail corresponds to the standard configuration in Fail2ban.

# The mail-whois action send a notification e-mail with a whois request

# in the body.

port    = ssh

logpath = %(sshd_log)s

backend = %(sshd_backend)s

[dropbear]

port     = ssh

logpath  = %(dropbear_log)s

backend  = %(dropbear_backend)s

[selinux-ssh]

port     = ssh

logpath  = %(auditd_log)s

#

# HTTP servers

#

[apache-auth]

port     = http,https

logpath  = %(apache_error_log)s

[apache-badbots]

# Ban hosts which agent identifies spammer robots crawling the web

# for email addresses. The mail outputs are buffered.

port     = http,https

logpath  = %(apache_access_log)s

bantime  = 172800

maxretry = 1

[apache-noscript]

port     = http,https

logpath  = %(apache_error_log)s

[apache-overflows]

port     = http,https

logpath  = %(apache_error_log)s

maxretry = 2

[apache-nohome]

port     = http,https

logpath  = %(apache_error_log)s

maxretry = 2

[apache-botsearch]

port     = http,https

logpath  = %(apache_error_log)s

maxretry = 2

[apache-fakegooglebot]

port     = http,https

logpath  = %(apache_access_log)s

maxretry = 1

ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>

[apache-modsecurity]

port     = http,https

logpath  = %(apache_error_log)s

maxretry = 2

[apache-shellshock]

port    = http,https

logpath = %(apache_error_log)s

maxretry = 1

[openhab-auth]

filter = openhab

action = iptables-allports[name=NoAuthFailures]

logpath = /opt/openhab/logs/request.log

[nginx-http-auth]

port    = http,https

logpath = %(nginx_error_log)s

# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`

# and define `limit_req` and `limit_req_zone` as described in nginx documentation

# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

# or for example see in 'config/filter.d/nginx-limit-req.conf'

[nginx-limit-req]

port    = http,https

logpath = %(nginx_error_log)s

[nginx-botsearch]

port     = http,https

logpath  = %(nginx_error_log)s

maxretry = 2

# Ban attackers that try to use PHP's URL-fopen() functionality

# through GET/POST variables. - Experimental, with more than a year

# of usage in production environments.

[php-url-fopen]

port    = http,https

logpath = %(nginx_access_log)s

          %(apache_access_log)s

[suhosin]

port    = http,https

logpath = %(suhosin_log)s

[lighttpd-auth]

# Same as above for Apache's mod_auth

# It catches wrong authentifications

port    = http,https

logpath = %(lighttpd_error_log)s

#

# Webmail and groupware servers

#

[roundcube-auth]

port     = http,https

logpath  = %(roundcube_errors_log)s

[openwebmail]

port     = http,https

logpath  = /var/log/openwebmail.log

[horde]

port     = http,https

logpath  = /var/log/horde/horde.log

[groupoffice]

port     = http,https

logpath  = /home/groupoffice/log/info.log

[sogo-auth]

# Monitor SOGo groupware server

# without proxy this would be:

# port    = 20000

port     = http,https

logpath  = /var/log/sogo/sogo.log

[tine20]

logpath  = /var/log/tine20/tine20.log

port     = http,https

#

# Web Applications

#

#

[drupal-auth]

port     = http,https

logpath  = %(syslog_daemon)s

backend  = %(syslog_backend)s

[guacamole]

port     = http,https

logpath  = /var/log/tomcat*/catalina.out

[monit]

#Ban clients brute-forcing the monit gui login

port = 2812

logpath  = /var/log/monit

[webmin-auth]

port    = 10000

logpath = %(syslog_authpriv)s

backend = %(syslog_backend)s

[froxlor-auth]

port    = http,https

logpath  = %(syslog_authpriv)s

backend  = %(syslog_backend)s

#

# HTTP Proxy servers

#

#

[squid]

port     =  80,443,3128,8080

logpath = /var/log/squid/access.log

[3proxy]

port    = 3128

logpath = /var/log/3proxy.log

#

# FTP servers

#

[proftpd]

port     = ftp,ftp-data,ftps,ftps-data

logpath  = %(proftpd_log)s

backend  = %(proftpd_backend)s

[pure-ftpd]

port     = ftp,ftp-data,ftps,ftps-data

logpath  = %(pureftpd_log)s

backend  = %(pureftpd_backend)s

[gssftpd]

port     = ftp,ftp-data,ftps,ftps-data

logpath  = %(syslog_daemon)s

backend  = %(syslog_backend)s

[wuftpd]

port     = ftp,ftp-data,ftps,ftps-data

logpath  = %(wuftpd_log)s

backend  = %(wuftpd_backend)s

[vsftpd]

# or overwrite it in jails.local to be

# logpath = %(syslog_authpriv)s

# if you want to rely on PAM failed login attempts

# vsftpd's failregex should match both of those formats

port     = ftp,ftp-data,ftps,ftps-data

logpath  = %(vsftpd_log)s

#

# Mail servers

#

# ASSP SMTP Proxy Jail

[assp]

port     = smtp,465,submission

logpath  = /root/path/to/assp/logs/maillog.txt

[courier-smtp]

port     = smtp,465,submission

logpath  = %(syslog_mail)s

backend  = %(syslog_backend)s

[postfix]

port     = smtp,465,submission

logpath  = %(postfix_log)s

backend  = %(postfix_backend)s

[postfix-rbl]

port     = smtp,465,submission

logpath  = %(postfix_log)s

backend  = %(postfix_backend)s

maxretry = 1

[sendmail-auth]

port    = submission,465,smtp

logpath = %(syslog_mail)s

backend = %(syslog_backend)s

[sendmail-reject]

port     = smtp,465,submission

logpath  = %(syslog_mail)s

backend  = %(syslog_backend)s

[qmail-rbl]

filter  = qmail

port    = smtp,465,submission

logpath = /service/qmail/log/main/current

# dovecot defaults to logging to the mail syslog facility

# but can be set by syslog_facility in the dovecot configuration.

[dovecot]

port    = pop3,pop3s,imap,imaps,submission,465,sieve

logpath = %(dovecot_log)s

backend = %(dovecot_backend)s

[sieve]

port   = smtp,465,submission

logpath = %(dovecot_log)s

backend = %(dovecot_backend)s

[solid-pop3d]

port    = pop3,pop3s

logpath = %(solidpop3d_log)s

[exim]

port   = smtp,465,submission

logpath = %(exim_main_log)s

[exim-spam]

port   = smtp,465,submission

logpath = %(exim_main_log)s

[kerio]

port    = imap,smtp,imaps,465

logpath = /opt/kerio/mailserver/store/logs/security.log

#

# Mail servers authenticators: might be used for smtp,ftp,imap servers, so

# all relevant ports get banned

#

[courier-auth]

port     = smtp,465,submission,imap3,imaps,pop3,pop3s

logpath  = %(syslog_mail)s

backend  = %(syslog_backend)s

[postfix-sasl]

port     = smtp,465,submission,imap3,imaps,pop3,pop3s

# You might consider monitoring /var/log/mail.warn instead if you are

# running postfix since it would provide the same log lines at the

# "warn" level but overall at the smaller filesize.

logpath  = %(postfix_log)s

backend  = %(postfix_backend)s

[perdition]

port   = imap3,imaps,pop3,pop3s

logpath = %(syslog_mail)s

backend = %(syslog_backend)s

[squirrelmail]

port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks

logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log

[cyrus-imap]

port   = imap3,imaps

logpath = %(syslog_mail)s

backend = %(syslog_backend)s

[uwimap-auth]

port   = imap3,imaps

logpath = %(syslog_mail)s

backend = %(syslog_backend)s

#

#

# DNS servers

#

# !!! WARNING !!!

#   Since UDP is connection-less protocol, spoofing of IP and imitation

#   of illegal actions is way too simple.  Thus enabling of this filter

#   might provide an easy way for implementing a DoS against a chosen

#   victim. See

#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html

#   Please DO NOT USE this jail unless you know what you are doing.

#

# IMPORTANT: see filter.d/named-refused for instructions to enable logging

# This jail blocks UDP traffic for DNS requests.

# [named-refused-udp]

#

# filter   = named-refused

# port     = domain,953

# protocol = udp

# logpath  = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging

# This jail blocks TCP traffic for DNS requests.

[named-refused]

port     = domain,953

logpath  = /var/log/named/security.log

[nsd]

port     = 53

action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

logpath = /var/log/nsd.log

#

# Miscellaneous

#

[asterisk]

port     = 5060,5061

action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]

logpath  = /var/log/asterisk/messages

maxretry = 10

[freeswitch]

port     = 5060,5061

action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]

logpath  = /var/log/freeswitch.log

maxretry = 10

# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or

# equivalent section:

# log-warning = 2

#

# for syslog (daemon facility)

# [mysqld_safe]

# syslog

#

# for own logfile

# [mysqld]

# log-error=/var/log/mysqld.log

[mysqld-auth]

port     = 3306

logpath  = %(mysql_log)s

backend  = %(mysql_backend)s

# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')

[mongodb-auth]

# change port when running with "--shardsvr" or "--configsvr" runtime operation

port     = 27017

logpath  = /var/log/mongodb/mongodb.log

# Jail for more extended banning of persistent abusers

# !!! WARNINGS !!!

# 1. Make sure that your loglevel specified in fail2ban.conf/.local

#    is not at DEBUG level -- which might then cause fail2ban to fall into

#    an infinite loop constantly feeding itself with non-informative lines

# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)

#    to maintain entries for failed logins for sufficient amount of time

[recidive]

logpath  = /var/log/fail2ban.log

banaction = %(banaction_allports)s

bantime  = 604800  ; 1 week

findtime = 86400   ; 1 day

# Generic filter for PAM. Has to be used with action which bans all

# ports such as iptables-allports, shorewall

[pam-generic]

# pam-generic filter can be customized to monitor specific subset of 'tty's

banaction = %(banaction_allports)s

logpath  = %(syslog_authpriv)s

backend  = %(syslog_backend)s

[xinetd-fail]

banaction = iptables-multiport-log

logpath   = %(syslog_daemon)s

backend   = %(syslog_backend)s

maxretry  = 2

# stunnel - need to set port for this

[stunnel]

logpath = /var/log/stunnel4/stunnel.log

[ejabberd-auth]

port    = 5222

logpath = /var/log/ejabberd/ejabberd.log

[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log

# Firewall: http://www.cstrike-planet.com/faq/6

tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039

udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015

action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

# consider low maxretry and a long bantime

# nobody except your own Nagios server should ever probe nrpe

[nagios]

logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility

backend  = %(syslog_backend)s

maxretry = 1

[oracleims]

# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above

logpath = /opt/sun/comms/messaging64/log/mail.log_current

banaction = %(banaction_allports)s

[directadmin]

logpath = /var/log/directadmin/login.log

port = 2222

[portsentry]

logpath  = /var/lib/portsentry/portsentry.history

maxretry = 1

[pass2allow-ftp]

# this pass2allow example allows FTP traffic after successful HTTP authentication

port         = ftp,ftp-data,ftps,ftps-data

# knocking_url variable must be overridden to some secret value in jail.local

knocking_url = /knocking/

filter       = apache-pass[knocking_url="%(knocking_url)s"]

# access log of the website with HTTP auth

logpath      = %(apache_access_log)s

blocktype    = RETURN

returntype   = DROP

bantime      = 3600

maxretry     = 1

findtime     = 1

[murmur]

# AKA mumble-server

port     = 64738

action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]

           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]

logpath  = /var/log/mumble-server/mumble-server.log

[screensharingd]

# For Mac OS Screen Sharing Service (VNC)

logpath  = /var/log/system.log

logencoding = utf-8

[haproxy-http-auth]

# HAProxy by default doesn't log to file you'll need to set it up to forward

# logs to a syslog server which would then write them to disk.

# See "haproxy-http-auth" filter for a brief cautionary note when setting

# maxretry and findtime.

logpath  = /var/log/haproxy.log

[slapd]

port    = ldap,ldaps

filter  = slapd

logpath = /var/log/slapd.log

[domino-smtp]

port    = smtp,ssmtp

filter  = domino-smtp

logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[root@test ~]# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

[root@test ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

[root@test ~]# ls /etc/fail2ban/

action.d        filter.d    paths-common.conf   paths-opensuse.conf

fail2ban.conf   jail.conf   paths-debian.conf   paths-osx.conf

fail2ban.d      jail.d      paths-fedora.conf

fail2ban.local  jail.local  paths-freebsd.conf

[root@test ~]# systemctl start fail2ban.service

[root@test ~]# systemctl enable fail2ban.service

Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.

[root@test ~]# systemctl status fail2ban.service

● fail2ban.service - Fail2Ban Service

   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)

   Active: active (running) since Tue 2019-02-26 21:39:40 KST; 12h ago

     Docs: man:fail2ban(1)

  Process: 5852 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)

  Process: 20491 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)

 Main PID: 20494 (fail2ban-server)

   CGroup: /system.slice/fail2ban.service

           └─20494 /usr/bin/python2 -s /usr/b...

Feb 26 21:39:40 test.vorcloud.com systemd[1]: ...

Feb 26 21:39:40 test.vorcloud.com fail2ban-client[20491]: ...

Feb 26 21:39:40 test.vorcloud.com fail2ban-client[20491]: ...

Feb 26 21:39:40 test.vorcloud.com systemd[1]: ...

Hint: Some lines were ellipsized, use -l to show in full.

[root@test ~]# tail -30 /var/log/fail2ban.log

2019-02-27 08:56:20,200 fail2ban.filter         [20494]: INFO    [sshd] Found 128.199.128.215

2019-02-27 09:10:32,848 fail2ban.filter         [20494]: INFO    [sshd] Found 142.165.136.77

2019-02-27 09:10:57,753 fail2ban.filter         [20494]: INFO    [sshd] Found 27.106.45.6

2019-02-27 09:10:58,743 fail2ban.actions        [20494]: NOTICE  [sshd] Ban 27.106.45.6

2019-02-27 09:11:45,364 fail2ban.filter         [20494]: INFO    [sshd] Found 103.250.84.164

2019-02-27 09:14:44,984 fail2ban.filter         [20494]: INFO    [sshd] Found 200.149.7.206

2019-02-27 09:28:56,870 fail2ban.filter         [20494]: INFO    [sshd] Found 54.36.98.223

2019-02-27 09:29:48,150 fail2ban.filter         [20494]: INFO    [sshd] Found 139.59.108.237

2019-02-27 09:38:33,795 fail2ban.filter         [20494]: INFO    [sshd] Found 46.105.227.206

2019-02-27 09:38:38,569 fail2ban.filter         [20494]: INFO    [sshd] Found 119.62.70.4

2019-02-27 09:43:03,584 fail2ban.filter         [20494]: INFO    [sshd] Found 41.230.56.204

2019-02-27 09:44:17,920 fail2ban.filter         [20494]: INFO    [sshd] Found 119.28.72.123

2019-02-27 09:44:37,548 fail2ban.filter         [20494]: INFO    [sshd] Found 51.38.187.135

2019-02-27 09:45:33,173 fail2ban.filter         [20494]: INFO    [sshd] Found 124.82.156.29

2019-02-27 09:47:16,913 fail2ban.filter         [20494]: INFO    [sshd] Found 178.32.96.181

2019-02-27 09:47:48,165 fail2ban.filter         [20494]: INFO    [sshd] Found 190.85.63.50

2019-02-27 09:52:12,903 fail2ban.filter         [20494]: INFO    [sshd] Found 197.5.144.78

2019-02-27 09:52:29,951 fail2ban.filter         [20494]: INFO    [sshd] Found 200.48.220.12

2019-02-27 09:53:21,636 fail2ban.filter         [20494]: INFO    [sshd] Found 1.202.15.234

2019-02-27 09:54:10,640 fail2ban.filter         [20494]: INFO    [sshd] Found 91.16.49.22

2019-02-27 09:55:18,858 fail2ban.filter         [20494]: INFO    [sshd] Found 40.69.40.86

2019-02-27 09:55:34,528 fail2ban.filter         [20494]: INFO    [sshd] Found 58.64.184.233

2019-02-27 10:04:47,531 fail2ban.filter         [20494]: INFO    [sshd] Found 113.142.63.162

2019-02-27 10:06:31,782 fail2ban.filter         [20494]: INFO    [sshd] Found 185.38.3.138

2019-02-27 10:06:49,044 fail2ban.filter         [20494]: INFO    [sshd] Found 103.253.107.187

2019-02-27 10:06:49,911 fail2ban.actions        [20494]: NOTICE  [sshd] Ban 103.253.107.187

2019-02-27 10:08:02,848 fail2ban.filter         [20494]: INFO    [sshd] Found 79.2.22.244

2019-02-27 10:09:35,790 fail2ban.filter         [20494]: INFO    [sshd] Found 180.180.122.31

2019-02-27 10:14:15,064 fail2ban.filter         [20494]: INFO    [sshd] Found 27.40.23.221

2019-02-27 10:14:26,481 fail2ban.filter         [20494]: INFO    [sshd] Found 165.227.69.39

※ fail2ban 서비스를 시작한 지 이틀 정도 지난 후에 실행한 결과

[root@test ~]# fail2ban-client status sshd

Status for the jail: sshd

|- Filter

|  |- Currently failed: 170

|  |- Total failed:     186

|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd

`- Actions

   |- Currently banned: 42

   |- Total banned:     42

   `- Banned IP list:   101.226.196.132 105.247.158.86 118.182.118.248 122.162.27.17 125.105.44.44 128.199.103.93 132.148.155.86 138.197.190.118 149.129.225.127 160.120.129.35 167.99.153.22 175.140.190.106 176.196.192.48 182.73.123.118 193.201.224.158 198.98.61.186 201.54.77.145 206.189.30.229 223.87.179.207 27.114.168.20 34.212.119.26 36.78.1.59 46.101.246.82 51.15.36.163 51.38.135.6 51.38.38.221 67.205.135.65 68.183.17.76 73.162.65.136 78.131.56.62 78.194.31.97 91.69.164.24 92.222.15.70 94.23.62.187 104.250.160.150 77.127.65.157 222.137.121.214 103.99.186.20 94.23.55.228 81.247.81.209 27.106.45.6 103.253.107.187

※ fail2ban 서비스를 시작한 지 이틀 정도 지난 후에 실행한 결과

[root@test ~]# iptables -L f2b-sshd

Chain f2b-sshd (1 references)

target     prot opt source               destination

REJECT     all  --  ip-103-253-107-187.interlink.net.id  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  6.45.106.27.mysipl.com  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  209.81-247-81.adsl-dyn.isp.belgacom.be  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  ns301984.ip-94-23-55.eu  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  103.99.186.20        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  hn.kd.ny.adsl        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  77.127.65.157        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  104.250.160.150      anywhere             reject-with icmp-port-unreachable

REJECT     all  --  ns396064.ip-94-23-62.eu  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  70.ip-92-222-15.eu   anywhere             reject-with icmp-port-unreachable

REJECT     all  --  24.164.69.91.rev.sfr.net  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  ran75-4-78-194-31-97.fbxo.proxad.net  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  78-131-56-62.static.hdsnet.hu  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  c-73-162-65-136.hsd1.ca.comcast.net  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  68.183.17.76         anywhere             reject-with icmp-port-unreachable

REJECT     all  --  67.205.135.65        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  221.ip-51-38-38.eu   anywhere             reject-with icmp-port-unreachable

REJECT     all  --  6.ip-51-38-135.eu    anywhere             reject-with icmp-port-unreachable

REJECT     all  --  163-36-15-51.rev.cloud.scaleway.com  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  46.101.246.82        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  36.78.1.59           anywhere             reject-with icmp-port-unreachable

REJECT     all  --  ec2-34-212-119-26.us-west-2.compute.amazonaws.com  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  27.114.168.20        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  223.87.179.207       anywhere             reject-with icmp-port-unreachable

REJECT     all  --  206.189.30.229       anywhere             reject-with icmp-port-unreachable

REJECT     all  --  201-54-77-145.sercomtel.com.br  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  .                    anywhere             reject-with icmp-port-unreachable

REJECT     all  --  193.201.224.158      anywhere             reject-with icmp-port-unreachable

REJECT     all  --  182.73.123.118       anywhere             reject-with icmp-port-unreachable

REJECT     all  --  176.196.192.48       anywhere             reject-with icmp-port-unreachable

REJECT     all  --  175.140.190.106      anywhere             reject-with icmp-port-unreachable

REJECT     all  --  167.99.153.22        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  160.120.129.35       anywhere             reject-with icmp-port-unreachable

REJECT     all  --  149.129.225.127      anywhere             reject-with icmp-port-unreachable

REJECT     all  --  138.197.190.118      anywhere             reject-with icmp-port-unreachable

REJECT     all  --  ip-132-148-155-86.ip.secureserver.net  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  156928.cloudwaysapps.com  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  125.105.44.44        anywhere             reject-with icmp-port-unreachable

REJECT     all  --  abts-north-dynamic-017.27.162.122.airtelbroadband.in  anywhere             reject-with icmp-port-unreachable

REJECT     all  --  118.182.118.248      anywhere             reject-with icmp-port-unreachable

REJECT     all  --  105.247.158.86       anywhere             reject-with icmp-port-unreachable

REJECT     all  --  101.226.196.132      anywhere             reject-with icmp-port-unreachable

RETURN     all  --  anywhere             anywhere

[root@test ~]# yum -y install epel-release

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: centos.mirror.constant.com

 * epel: epel.mirror.constant.com

 * extras: centos.mirror.constant.com

 * updates: centos.mirror.constant.com

Package epel-release-7-11.noarch already installed and latest version

Nothing to do

※ epel-release 패키지가 이미 설치된 서버이다.

[root@test ~]# yum -y install strongswan

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: centos.mirror.constant.com

 * epel: epel.mirror.constant.com

 * extras: centos.mirror.constant.com

 * updates: centos.mirror.constant.com

Resolving Dependencies

--> Running transaction check

---> Package strongswan.x86_64 0:5.7.2-1.el7 will be installed

--> Processing Dependency: libtspi.so.1()(64bit) for package: strongswan-5.7.2-1.el7.x86_64

--> Running transaction check

---> Package trousers.x86_64 0:0.3.14-2.el7 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

=============================================

 Package    Arch   Version        Repository

                                        Size

=============================================

Installing:

 strongswan x86_64 5.7.2-1.el7    epel 1.4 M

Installing for dependencies:

 trousers   x86_64 0.3.14-2.el7   base 289 k

Transaction Summary

=============================================

Install  1 Package (+1 Dependent package)

Total download size: 1.7 M

Installed size: 4.8 M

Downloading packages:

(1/2): trousers-0.3.14- | 289 kB   00:00

(2/2): strongswan-5.7.2 | 1.4 MB   00:00

---------------------------------------------

Total           3.8 MB/s | 1.7 MB  00:00

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : trousers-0.3.14-2.el7.x   1/2

  Installing : strongswan-5.7.2-1.el7.   2/2

  Verifying  : trousers-0.3.14-2.el7.x   1/2

  Verifying  : strongswan-5.7.2-1.el7.   2/2

Installed:

  strongswan.x86_64 0:5.7.2-1.el7

Dependency Installed:

  trousers.x86_64 0:0.3.14-2.el7

Complete!

[root@vpn ~]# yum -y install certbot

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: centos.mirror.constant.com

 * epel: epel.mirror.constant.com

 * extras: centos.mirror.constant.com

 * updates: centos.mirror.constant.com

Resolving Dependencies

--> Running transaction check

---> Package certbot.noarch 0:0.30.2-1.el7 will be installed

--> Processing Dependency: python2-certbot = 0.30.2-1.el7 for package: certbot-0.30.2-1.el7.noarch

--> Processing Dependency: /usr/sbin/semanage for package: certbot-0.30.2-1.el7.noarch

--> Running transaction check

---> Package policycoreutils-python.x86_64 0:2.5-29.el7_6.1 will be installed

--> Processing Dependency: setools-libs >= 3.3.8-4 for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: libsemanage-python >= 2.5-14 for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-29.el7_6.1.x86_64

---> Package python2-certbot.noarch 0:0.30.2-1.el7 will be installed

--> Processing Dependency: python2-acme >= 0.26.0 for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python-parsedatetime for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python-setuptools for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python-zope-component for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python-zope-interface for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python2-configargparse for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python2-cryptography for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python2-future for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python2-josepy for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python2-mock for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: python2-pyrfc3339 for package: python2-certbot-0.30.2-1.el7.noarch

--> Processing Dependency: pytz for package: python2-certbot-0.30.2-1.el7.noarch

--> Running transaction check

---> Package audit-libs-python.x86_64 0:2.8.4-4.el7 will be installed

---> Package checkpolicy.x86_64 0:2.5-8.el7 will be installed

---> Package libcgroup.x86_64 0:0.41-20.el7 will be installed

---> Package libsemanage-python.x86_64 0:2.5-14.el7 will be installed

---> Package python-IPy.noarch 0:0.75-6.el7 will be installed

---> Package python-setuptools.noarch 0:0.9.8-7.el7 will be installed

--> Processing Dependency: python-backports-ssl_match_hostname for package: python-setuptools-0.9.8-7.el7.noarch

---> Package python-zope-component.noarch 1:4.1.0-3.el7 will be installed

--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-3.el7.noarch

---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed

---> Package python2-acme.noarch 0:0.30.2-1.el7 will be installed

--> Processing Dependency: pyOpenSSL >= 0.13 for package: python2-acme-0.30.2-1.el7.noarch

--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-0.30.2-1.el7.noarch

--> Processing Dependency: python-requests-toolbelt for package: python2-acme-0.30.2-1.el7.noarch

--> Processing Dependency: python2-pyasn1 for package: python2-acme-0.30.2-1.el7.noarch

--> Processing Dependency: python2-requests for package: python2-acme-0.30.2-1.el7.noarch

--> Processing Dependency: python2-six for package: python2-acme-0.30.2-1.el7.noarch

---> Package python2-configargparse.noarch 0:0.11.0-1.el7 will be installed

---> Package python2-cryptography.x86_64 0:1.7.2-2.el7 will be installed

--> Processing Dependency: python-six >= 1.4.1 for package: python2-cryptography-1.7.2-2.el7.x86_64

--> Processing Dependency: python-idna >= 2.0 for package: python2-cryptography-1.7.2-2.el7.x86_64

--> Processing Dependency: python-cffi >= 1.4.1 for package: python2-cryptography-1.7.2-2.el7.x86_64

--> Processing Dependency: python-ipaddress for package: python2-cryptography-1.7.2-2.el7.x86_64

--> Processing Dependency: python-enum34 for package: python2-cryptography-1.7.2-2.el7.x86_64

---> Package python2-future.noarch 0:0.16.0-6.el7 will be installed

---> Package python2-josepy.noarch 0:1.1.0-1.el7 will be installed

---> Package python2-mock.noarch 0:1.0.1-10.el7 will be installed

---> Package python2-parsedatetime.noarch 0:2.4-5.el7 will be installed

---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed

---> Package pytz.noarch 0:2016.10-2.el7 will be installed

---> Package setools-libs.x86_64 0:3.3.8-4.el7 will be installed

--> Running transaction check

---> Package pyOpenSSL.x86_64 0:0.13.1-4.el7 will be installed

---> Package python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7 will be installed

--> Processing Dependency: python-backports for package: python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch

---> Package python-cffi.x86_64 0:1.6.0-5.el7 will be installed

--> Processing Dependency: python-pycparser for package: python-cffi-1.6.0-5.el7.x86_64

---> Package python-enum34.noarch 0:1.0.4-1.el7 will be installed

---> Package python-idna.noarch 0:2.4-1.el7 will be installed

---> Package python-ipaddress.noarch 0:1.0.16-2.el7 will be installed

---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed

---> Package python-requests-toolbelt.noarch 0:0.8.0-1.el7 will be installed

--> Processing Dependency: python-requests for package: python-requests-toolbelt-0.8.0-1.el7.noarch

---> Package python-six.noarch 0:1.9.0-2.el7 will be installed

---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed

---> Package python2-pyasn1.noarch 0:0.1.9-7.el7 will be installed

---> Package python2-requests.noarch 0:2.6.0-0.el7 will be installed

---> Package python2-six.noarch 0:1.9.0-0.el7 will be installed

--> Running transaction check

---> Package python-backports.x86_64 0:1.0-8.el7 will be installed

---> Package python-pycparser.noarch 0:2.14-1.el7 will be installed

--> Processing Dependency: python-ply for package: python-pycparser-2.14-1.el7.noarch

---> Package python-requests.noarch 0:2.6.0-1.el7_1 will be installed

--> Processing Dependency: python-urllib3 >= 1.10.2-1 for package: python-requests-2.6.0-1.el7_1.noarch

--> Processing Dependency: python-chardet >= 2.2.1-1 for package: python-requests-2.6.0-1.el7_1.noarch

--> Running transaction check

---> Package python-chardet.noarch 0:2.2.1-1.el7_1 will be installed

---> Package python-ply.noarch 0:3.4-11.el7 will be installed

---> Package python-urllib3.noarch 0:1.10.2-5.el7 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

=============================================

 Package     Arch   Version       Repository

                                        Size

=============================================

Installing:

 certbot     noarch 0.30.2-1.el7  epel  37 k

Installing for dependencies:

 audit-libs-python

             x86_64 2.8.4-4.el7   base  76 k

 checkpolicy x86_64 2.5-8.el7     base 295 k

 libcgroup   x86_64 0.41-20.el7   base  66 k

 libsemanage-python

             x86_64 2.5-14.el7    base 113 k

 policycoreutils-python

             x86_64 2.5-29.el7_6.1

                                  updates

                                       456 k

 pyOpenSSL   x86_64 0.13.1-4.el7  base 135 k

 python-IPy  noarch 0.75-6.el7    base  32 k

 python-backports

             x86_64 1.0-8.el7     base 5.8 k

 python-backports-ssl_match_hostname

             noarch 3.5.0.1-1.el7 base  13 k

 python-cffi x86_64 1.6.0-5.el7   base 218 k

 python-chardet

             noarch 2.2.1-1.el7_1 base 227 k

 python-enum34

             noarch 1.0.4-1.el7   base  52 k

 python-idna noarch 2.4-1.el7     base  94 k

 python-ipaddress

             noarch 1.0.16-2.el7  base  34 k

 python-ndg_httpsclient

             noarch 0.3.2-1.el7   epel  43 k

 python-ply  noarch 3.4-11.el7    base 123 k

 python-pycparser

             noarch 2.14-1.el7    base 104 k

 python-requests

             noarch 2.6.0-1.el7_1 base  94 k

 python-requests-toolbelt

             noarch 0.8.0-1.el7   epel  77 k

 python-setuptools

             noarch 0.9.8-7.el7   base 397 k

 python-six  noarch 1.9.0-2.el7   base  29 k

 python-urllib3

             noarch 1.10.2-5.el7  base 102 k

 python-zope-component

             noarch 1:4.1.0-3.el7 epel 227 k

 python-zope-event

             noarch 4.0.3-2.el7   epel  79 k

 python-zope-interface

             x86_64 4.0.5-4.el7   base 138 k

 python2-acme

             noarch 0.30.2-1.el7  epel 148 k

 python2-certbot

             noarch 0.30.2-1.el7  epel 547 k

 python2-configargparse

             noarch 0.11.0-1.el7  epel  30 k

 python2-cryptography

             x86_64 1.7.2-2.el7   base 502 k

 python2-future

             noarch 0.16.0-6.el7  epel 799 k

 python2-josepy

             noarch 1.1.0-1.el7   epel  87 k

 python2-mock

             noarch 1.0.1-10.el7  epel  92 k

 python2-parsedatetime

             noarch 2.4-5.el7     epel  78 k

 python2-pyasn1

             noarch 0.1.9-7.el7   base 100 k

 python2-pyrfc3339

             noarch 1.0-2.el7     epel  13 k

 python2-requests

             noarch 2.6.0-0.el7   epel 2.9 k

 python2-six noarch 1.9.0-0.el7   epel 2.9 k

 pytz        noarch 2016.10-2.el7 base  46 k

 setools-libs

             x86_64 3.3.8-4.el7   base 620 k

Transaction Summary

=============================================

Install  1 Package (+39 Dependent packages)

Total download size: 6.2 M

Installed size: 27 M

Downloading packages:

(1/40): libcgroup-0.41- |  66 kB   00:00

(2/40): audit-libs-pyth |  76 kB   00:00

(3/40): libsemanage-pyt | 113 kB   00:00

(4/40): checkpolicy-2.5 | 295 kB   00:00

(5/40): pyOpenSSL-0.13. | 135 kB   00:00

(6/40): policycoreutils | 456 kB   00:00

(7/40): python-IPy-0.75 |  32 kB   00:00

(8/40): python-backport | 5.8 kB   00:00

(9/40): python-chardet- | 227 kB   00:00

(10/40): python-enum34- |  52 kB   00:00

(11/40): python-idna-2. |  94 kB   00:00

(12/40): python-ipaddre |  34 kB   00:00

(13/40): certbot-0.30.2 |  37 kB   00:00

(14/40): python-ply-3.4 | 123 kB   00:00

(15/40): python-ndg_htt |  43 kB   00:00

(16/40): python-backpor |  13 kB   00:00

(17/40): python-request |  94 kB   00:00

(18/40): python-request |  77 kB   00:00

(19/40): python-setupto | 397 kB   00:00

(20/40): python-urllib3 | 102 kB   00:00

(21/40): python-cffi-1. | 218 kB   00:00

(22/40): python-six-1.9 |  29 kB   00:00

(23/40): python-pycpars | 104 kB   00:00

(24/40): python-zope-co | 227 kB   00:00

(25/40): python-zope-in | 138 kB   00:00

(26/40): python-zope-ev |  79 kB   00:00

(27/40): python2-acme-0 | 148 kB   00:00

(28/40): python2-certbo | 547 kB   00:00

(29/40): python2-crypto | 502 kB   00:00

(30/40): python2-config |  30 kB   00:00

(31/40): python2-future | 799 kB   00:00

(32/40): python2-josepy |  87 kB   00:00

(33/40): python2-mock-1 |  92 kB   00:00

(34/40): python2-pyasn1 | 100 kB   00:00

(35/40): python2-parsed |  78 kB   00:00

(36/40): python2-pyrfc3 |  13 kB   00:00

(37/40): python2-reques | 2.9 kB   00:00

(38/40): pytz-2016.10-2 |  46 kB   00:00

(39/40): python2-six-1. | 2.9 kB   00:00

(40/40): setools-libs-3 | 620 kB   00:00

---------------------------------------------

Total           4.2 MB/s | 6.2 MB  00:01

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : python-six-1.9.0-2.el    1/40

  Installing : python2-pyasn1-0.1.9-    2/40

  Installing : python-ipaddress-1.0.    3/40

  Installing : pyOpenSSL-0.13.1-4.el    4/40

  Installing : python-zope-interface    5/40

  Installing : python2-pyrfc3339-1.0    6/40

  Installing : python2-future-0.16.0    7/40

  Installing : pytz-2016.10-2.el7.no    8/40

  Installing : python2-parsedatetime    9/40

  Installing : python2-six-1.9.0-0.e   10/40

  Installing : python-chardet-2.2.1-   11/40

  Installing : python-zope-event-4.0   12/40

  Installing : 1:python-zope-compone   13/40

  Installing : audit-libs-python-2.8   14/40

  Installing : python2-mock-1.0.1-10   15/40

  Installing : python-backports-1.0-   16/40

  Installing : python-backports-ssl_   17/40

  Installing : python-setuptools-0.9   18/40

  Installing : python-ndg_httpsclien   19/40

  Installing : python-urllib3-1.10.2   20/40

  Installing : python-requests-2.6.0   21/40

  Installing : python2-requests-2.6.   22/40

  Installing : python-requests-toolb   23/40

  Installing : libsemanage-python-2.   24/40

  Installing : python-ply-3.4-11.el7   25/40

  Installing : python-pycparser-2.14   26/40

  Installing : python-cffi-1.6.0-5.e   27/40

  Installing : python-idna-2.4-1.el7   28/40

  Installing : setools-libs-3.3.8-4.   29/40

  Installing : python-IPy-0.75-6.el7   30/40

  Installing : checkpolicy-2.5-8.el7   31/40

  Installing : python-enum34-1.0.4-1   32/40

  Installing : python2-cryptography-   33/40

  Installing : python2-josepy-1.1.0-   34/40

  Installing : python2-acme-0.30.2-1   35/40

  Installing : python2-configargpars   36/40

  Installing : python2-certbot-0.30.   37/40

  Installing : libcgroup-0.41-20.el7   38/40

  Installing : policycoreutils-pytho   39/40

  Installing : certbot-0.30.2-1.el7.   40/40

  Verifying  : libcgroup-0.41-20.el7    1/40

  Verifying  : certbot-0.30.2-1.el7.    2/40

  Verifying  : python-backports-ssl_    3/40

  Verifying  : python2-configargpars    4/40

  Verifying  : pytz-2016.10-2.el7.no    5/40

  Verifying  : python-ndg_httpsclien    6/40

  Verifying  : python2-acme-0.30.2-1    7/40

  Verifying  : 1:python-zope-compone    8/40

  Verifying  : python2-future-0.16.0    9/40

  Verifying  : python-enum34-1.0.4-1   10/40

  Verifying  : python-setuptools-0.9   11/40

  Verifying  : python2-certbot-0.30.   12/40

  Verifying  : checkpolicy-2.5-8.el7   13/40

  Verifying  : python2-pyrfc3339-1.0   14/40

  Verifying  : python2-parsedatetime   15/40

  Verifying  : python2-six-1.9.0-0.e   16/40

  Verifying  : python-zope-interface   17/40

  Verifying  : python-IPy-0.75-6.el7   18/40

  Verifying  : python-six-1.9.0-2.el   19/40

  Verifying  : python-urllib3-1.10.2   20/40

  Verifying  : setools-libs-3.3.8-4.   21/40

  Verifying  : python-idna-2.4-1.el7   22/40

  Verifying  : python-ply-3.4-11.el7   23/40

  Verifying  : policycoreutils-pytho   24/40

  Verifying  : python2-requests-2.6.   25/40

  Verifying  : libsemanage-python-2.   26/40

  Verifying  : python-backports-1.0-   27/40

  Verifying  : python-requests-toolb   28/40

  Verifying  : pyOpenSSL-0.13.1-4.el   29/40

  Verifying  : python-cffi-1.6.0-5.e   30/40

  Verifying  : python2-mock-1.0.1-10   31/40

  Verifying  : audit-libs-python-2.8   32/40

  Verifying  : python-pycparser-2.14   33/40

  Verifying  : python2-josepy-1.1.0-   34/40

  Verifying  : python-requests-2.6.0   35/40

  Verifying  : python-zope-event-4.0   36/40

  Verifying  : python-ipaddress-1.0.   37/40

  Verifying  : python-chardet-2.2.1-   38/40

  Verifying  : python2-pyasn1-0.1.9-   39/40

  Verifying  : python2-cryptography-   40/40

Installed:

  certbot.noarch 0:0.30.2-1.el7

Dependency Installed:

  audit-libs-python.x86_64 0:2.8.4-4.el7

  checkpolicy.x86_64 0:2.5-8.el7

  libcgroup.x86_64 0:0.41-20.el7

  libsemanage-python.x86_64 0:2.5-14.el7

  policycoreutils-python.x86_64 0:2.5-29.el7_6.1

  pyOpenSSL.x86_64 0:0.13.1-4.el7

  python-IPy.noarch 0:0.75-6.el7

  python-backports.x86_64 0:1.0-8.el7

  python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7

  python-cffi.x86_64 0:1.6.0-5.el7

  python-chardet.noarch 0:2.2.1-1.el7_1

  python-enum34.noarch 0:1.0.4-1.el7

  python-idna.noarch 0:2.4-1.el7

  python-ipaddress.noarch 0:1.0.16-2.el7

  python-ndg_httpsclient.noarch 0:0.3.2-1.el7

  python-ply.noarch 0:3.4-11.el7

  python-pycparser.noarch 0:2.14-1.el7

  python-requests.noarch 0:2.6.0-1.el7_1

  python-requests-toolbelt.noarch 0:0.8.0-1.el7

  python-setuptools.noarch 0:0.9.8-7.el7

  python-six.noarch 0:1.9.0-2.el7

  python-urllib3.noarch 0:1.10.2-5.el7

  python-zope-component.noarch 1:4.1.0-3.el7

  python-zope-event.noarch 0:4.0.3-2.el7

  python-zope-interface.x86_64 0:4.0.5-4.el7

  python2-acme.noarch 0:0.30.2-1.el7

  python2-certbot.noarch 0:0.30.2-1.el7

  python2-configargparse.noarch 0:0.11.0-1.el7

  python2-cryptography.x86_64 0:1.7.2-2.el7

  python2-future.noarch 0:0.16.0-6.el7

  python2-josepy.noarch 0:1.1.0-1.el7

  python2-mock.noarch 0:1.0.1-10.el7

  python2-parsedatetime.noarch 0:2.4-5.el7

  python2-pyasn1.noarch 0:0.1.9-7.el7

  python2-pyrfc3339.noarch 0:1.0-2.el7

  python2-requests.noarch 0:2.6.0-0.el7

  python2-six.noarch 0:1.9.0-0.el7

  pytz.noarch 0:2016.10-2.el7

  setools-libs.x86_64 0:3.3.8-4.el7

Complete!

[root@vpn ~]# firewall-cmd --add-service=http --permanent

success

[root@vpn ~]# firewall-cmd --add-service=https --permanent

success

[root@vpn ~]# firewall-cmd --reload

success

[root@test ~]# certbot certonly --rsa-key-size 4096 --standalone --agree-tos --no-eff-email --email vorcloud@post.com -d test.vorcloud.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator standalone, Installer None

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for test.vorcloud.com

Waiting for verification...

Cleaning up challenges

Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/test.vorcloud.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/test.vorcloud.com/privkey.pem

   Your cert will expire on 2019-05-24. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot

   again. To non-interactively renew *all* of your certificates, run

   "certbot renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

[root@test ~]# ls /etc/strongswan/ipsec.d -R

/etc/strongswan/ipsec.d:

aacerts  cacerts  crls       private

acerts   certs    ocspcerts  reqs

/etc/strongswan/ipsec.d/aacerts:

/etc/strongswan/ipsec.d/acerts:

/etc/strongswan/ipsec.d/cacerts:

chain.pem

/etc/strongswan/ipsec.d/certs:

fullchain.pem

/etc/strongswan/ipsec.d/crls:

/etc/strongswan/ipsec.d/ocspcerts:

/etc/strongswan/ipsec.d/private:

privkey.pem

/etc/strongswan/ipsec.d/reqs:

[root@test strongswan]# ls

ipsec.conf.original  strongswan.conf

ipsec.d              strongswan.d

ipsec.secrets        swanctl

[root@test strongswan]# firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'

success

[root@test strongswan]# firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'

success

[root@test strongswan]# firewall-cmd --zone=public --permanent --add-port=500/udp

success

[root@test strongswan]# firewall-cmd --zone=public --permanent --add-port=4500/udp

success

[root@test strongswan]# firewall-cmd --zone=public --permanent --add-service="ipsec"

success

[root@test strongswan]# firewall-cmd --zone=public --permanent --add-masquerade

success

[root@test strongswan]# firewall-cmd --reload

success

[root@test strongswan]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0

  sources:

  services: ssh dhcpv6-client http https ipsec

  ports: 500/udp 4500/udp

  protocols:

  masquerade: yes

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules:

        rule protocol value="esp" accept

        rule protocol value="ah" accept

[root@test strongswan]# sysctl -p

net.ipv4.ip_forward = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

[root@test strongswan]# systemctl start strongswan

[root@test strongswan]# systemctl enable strongswan

Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service.

[root@test strongswan]# systemctl status strongswan

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf

   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)

   Active: active (running) since Sun 2019-02-24 03:57:49 KST; 11s ago

 Main PID: 25448 (starter)

   CGroup: /system.slice/strongswan.service

           ├─25448 /usr/libexec/strongswan...

           └─25474 /usr/libexec/strongswan...

Feb 24 03:57:49 test.vorcloud.com systemd[1]: ...

Feb 24 03:57:49 test.vorcloud.com ipsec_starter[25448]: ...

Feb 24 03:57:49 test.vorcloud.com strongswan[25448]: ...

Feb 24 03:57:49 test.vorcloud.com charon[25474]: ...

Feb 24 03:57:49 test.vorcloud.com charon[25474]: ...

Feb 24 03:57:49 test.vorcloud.com charon[25474]: ...

Feb 24 03:57:49 test.vorcloud.com charon[25474]: ...

Feb 24 03:57:49 test.vorcloud.com ipsec_starter[25448]: ...

Feb 24 03:57:49 test.vorcloud.com strongswan[25448]: ...

Hint: Some lines were ellipsized, use -l to show in full.

Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.el7.x86_64, x86_64):

  uptime: 17 seconds, since Feb 24 04:46:15 2019

  malloc: sbrk 1761280, mmap 0, used 637808, free 1123472

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2

  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters

Virtual IP pools (size/online/offline):

  10.11.12.0/24: 254/1/0

Listening IP addresses:

  [서버 아이피 IPv4]

  [서버 아이피 IPv6]

Connections:

  myVPN:  %any...%any  IKEv2, dpddelay=300s

  myVPN:   local:  [test.vorcloud.com] uses public key authentication

  myVPN:    cert:  "CN=test.vorcloud.com"

  myVPN:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'

  myVPN:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear

Security Associations (1 up, 0 connecting):

  myVPN[2]: ESTABLISHED 9 seconds ago, [서버 아이피 IPv4][test.vorcloud.com]...[클라이언트 아이피 IPv4]

  myVPN[2]: Remote EAP identity: testuser2

  myVPN[2]: IKEv2 SPIs: b37056d4032b0c3f_i 45f591dd07acc655_r*, rekeying disabled

  myVPN[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

  myVPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c4a2385a_i 0cf86d1a_o

  myVPN{1}:  AES_CBC_256/HMAC_SHA2_256_128, 174 bytes_i (3 pkts, 9s ago), 502 bytes_o (3 pkts, 9s ago), rekeying disabled

  myVPN{1}:   0.0.0.0/0 === 10.11.12.1/32