Установка fail2ban
1 |
# yum install fail2ban |
1.Настройка конфигурационного файла fail2ban
1 |
# grep -v -E '(\#|^$)' /etc/fail2ban/fail2ban.conf |
1 2 3 4 5 6 7 8 |
[Definition] loglevel = INFO logtarget = /var/log/fail2ban.log syslogsocket = auto socket = /var/run/fail2ban/fail2ban.sock pidfile = /var/run/fail2ban/fail2ban.pid dbfile = /var/lib/fail2ban/fail2ban.sqlite3 dbpurgeage = 86400 |
2.Настройка Fail2ban для мониторинга логов
1 |
# grep -v -E '(\#|^$)' /etc/fail2ban/jail.conf |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
[INCLUDES] before = paths-fedora.conf [DEFAULT] ignoreip = 127.0.0.1/8 159.224.XXX.YYY ignorecommand = bantime = 86400 findtime = 7200 maxretry = 5 backend = auto usedns = warn logencoding = auto enabled = false filter = %(__name__)s destemail = myuser@mydomain.com sender = root@mydomain.com mta = sendmail protocol = tcp chain = INPUT port = 0:65535 banaction = iptables-multiport action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] action = %(action_)s ### SSH [sshd - iptables] port = 2200 logpath = /var/log/secure maxretry = 3 enabled = true filter = sshd action = %(action_mwl)s bantime = 86400 findtime = 3600 maxretry = 3 ### ProFTPD [proftpd-iptables] port = ftp,ftp-data,ftps,ftps-data enabled = true filter = proftpd action = %(action_mwl)s #action = iptables[name=ProFTPD, port=ftp, protocol=tcp] # sendmail-whois[name=ProFTPD, dest=myname@mydomain.com, sender=root@mydomain.com] logpath = /var/log/proftpd/proftpd.log bantime = 86400 findtime = 3600 maxretry = 3 ### Exim [exim-iptables] port = smtp,465,submission enabled = true filter = exim action = %(action_mwl)s # action = iptables-multiport[name=Exim, port="smtp,smtps,submission", protocol=tcp] # sendmail-whois[name=Exim, dest= myname@mydomain.com, sender=root@mydomain.com] logpath = /var/log/exim/mainlog bantime = 86400 #bantime = -1 # блокировка навсегда findtime = 3600 maxretry = 3 ### Dovecot [dovecot-iptables] port = pop3,pop3s,imap,imaps enabled = true filter = dovecot action = %(action_mwl)s # Необходимо указать файл,в котором логируются попытки аутентификации для Dovecot logpath = /var/log/secure #logpath = /var/log/maillog #logpath = /var/log/dovecot.log bantime = 86400 findtime = 3600 maxretry = 3 ### Postfix [postfix-sasl] enabled = true port = smtp,465,submission logpath = /var/log/maillog filter = postfix-sasl action = %(action_mwl)s #action = iptables[name=postfix-sasl, port=smtp,smtps,submission protocol=tcp] # sendmail-whois[name=postfix-sasl, dest=myname@mydomain.com, sender=root@mydomain.com] bantime = 604800 findtime = 3600 maxretry = 3 [postfix-iptables] enabled = true port = smtp,465,submission logpath = /var/log/maillog filter = postfix action = %(action_mwl)s #action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp] # sendmail[name=Postfix-smtp, dest=myname@mydomain.com, sender=root@mydomain.com] logpath = /var/log/maillog bantime = 604800 maxretry = 3 findtime = 3600 |
3.Настройка Fail2ban фильтров для мониторинга логов
Будем использовать все штатные фильтры, которые поставляются в комплекте с fail2ban
SSH
1 |
# nano /etc/fail2ban/filter.d/sshd.conf |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
[Definition] _daemon = sshd failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$ ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$ ignoreregex = |
ProFTPD
1 |
# nano /etc/fail2ban/filter.d/proftpd.conf |
1 2 3 4 5 6 7 8 9 |
[Definition] _daemon = proftpd __suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit ($ failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$ ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$ ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$ ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ ignoreregex = |
Exim
1 |
# nano /etc/fail2ban/filter.d/exim.conf |
1 2 3 4 5 6 7 |
[Definition] failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$ ignoreregex = |
Dovecot
1 |
# nano /etc/fail2ban/filter.d/dovecot.conf |
1 2 3 4 5 6 7 |
[Definition] _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disab$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying aut$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ignoreregex = |
Postfix
1 |
# nano /etc/fail2ban/filter.d/postfix-sasl.conf |
1 2 3 4 |
[Definition] _daemon = postfix/(submission/)?smtp(d|s) failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$ ignoreregex = |
1 |
# nano /etc/fail2ban/filter.d/postfix.conf |
1 2 3 4 5 6 7 8 |
[Definition] _daemon = postfix/(submission/)?smtp(d|s) failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$ ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$ ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$ ignoreregex = |
4.Проверка работы фильтра
1 |
# fail2ban-regex --print-all-match /var/log/secure /etc/fail2ban/filter.d/sshd.conf |
1 |
# fail2ban-regex --print-all-match /var/log/proftpd/proftpd.log /etc/fail2ban/filter.d/proftpd.conf |
1 |
# fail2ban-regex --print-all-match /var/log/exim/mainlog /etc/fail2ban/filter.d/exim.conf |
1 |
# fail2ban-regex --print-all-match /var/log/secure /etc/fail2ban/filter.d/dovecot.conf |
1 |
# fail2ban-regex --print-all-match /var/log/maillog /etc/fail2ban/filter.d/postfix.conf |
5.Запуск,проверка запуска, добавление в автозагрузку
1 |
# /etc/init.d/fail2ban start |
1 |
# ps ax | grep [f]ail2ban |
1 |
# chkconfig --level 2345 fail2ban on |
Просмотр лога
1 |
# tail -f /var/log/fail2ban.log |
6.Просмотр существующих Jail
1 |
# fail2ban-client status |
7.Детальный просмотр конкретного Jail, например proftpd-iptables
1 |
# fail2ban-client status proftpd-iptables |
8.Разблокировка требуемого IP-адреса в указанном Jail,например в proftpd-iptables
1 |
# fail2ban-client set proftpd-iptables unbanip <IP-address> |
Проверка отсутствия адреса в iptables
1 |
# iptables -S | grep <IP-address> |
9. Блокировка требуемого IP-адреса в указанном Jail
1 |
# fail2ban-client set proftpd-iptables banip <IP-address> |
Проверка наличия адреса в iptables
1 |
# iptables -S | grep <IP-address> |
10.Настройка ротации файла /var/log/fail2ban.log
1 |
# nano /etc/logrotate.d/fail2ban |
1 2 3 4 5 6 7 8 9 10 11 |
/var/log/fail2ban.log { rotate 7 daily dateext missingok notifempty compress postrotate /usr/bin/fail2ban-client flushlogs 1>/dev/null || true endscript } |