security | Записки системного администратора

Записи с меткой ‘security’

Поиск malware/вирусов на сайте

Ноябрь 6th, 2014

Evgeniy Kamenev

Использование внешних ресурсов 1.Проверка на сайтах http://antivirus-alarm.ru/ http://online.drweb.com/?url=1 http://xseo.in/viruscan http://2ip.ru/site-virus-scaner/ Проверка Google

http://www.google.com/safebrowsing/diagnostic?site=mysite.com

1	http://www.google.com/safebrowsing/diagnostic?site=mysite.com

Проверка ссылок/редиректов

http://www.websiteplanet.com/webtools/redirected

1	http://www.websiteplanet.com/webtools/redirected

2. Проверка утилитой ai-bolit http://www.revisium.com/ai/ 3. Проверка с помощью Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/

# maldet -scan-all /home/sites/mysite.com

1	# maldet -scan-all /home/sites/mysite.com

4. WordPress-плагины Antivirus https://wordpress.org/plugins/antivirus/ Sucuri Security https://wordpress.org/plugins/sucuri-scanner/ Использование командной строки 1.Поиск файлов измененных за последнее время(например, за последние […]

Опубликовано в рубрике Security, Security, Security Tools

Метки: base64, malware, security

Комментарии отключены

Настройка Logwatch для обработки Nginx-логов

Ноябрь 6th, 2014

Evgeniy Kamenev

1.Копируем три файла с httpd в nginx

# cp /usr/share/logwatch/default.conf/services/http.conf /etc/logwatch/conf/services/nginx.conf

1	# cp /usr/share/logwatch/default.conf/services/http.conf /etc/logwatch/conf/services/nginx.conf

# cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/nginx.conf

1	# cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/nginx.conf

# cp /usr/share/logwatch/scripts/services/http /etc/logwatch/scripts/services/nginx

1	# cp /usr/share/logwatch/scripts/services/http /etc/logwatch/scripts/services/nginx

2.Редактируем /etc/logwatch/conf/services/nginx.conf

# cat /etc/logwatch/conf/services/nginx.conf | grep nginx

1	# cat /etc/logwatch/conf/services/nginx.conf \| grep nginx

Title = "nginx"
LogFile = nginx

1 2	Title = "nginx" LogFile = nginx

3.Приводим к виду файл /etc/logwatch/conf/logfiles/nginx.conf

# cat /etc/logwatch/conf/logfiles/nginx.conf | grep -v \# | grep -v ^$

1	# cat /etc/logwatch/conf/logfiles/nginx.conf \| grep -v \# \| grep -v ^$

LogFile = nginx/*access.log
Archive = nginx/*access.log-*.gz
*ExpandRepeats
*ApplyhttpDate

LogFile = nginx/*access.log

Archive = nginx/*access.log-*.gz

*ExpandRepeats

*ApplyhttpDate

4.Тестируем работоспособность, запуская logwatch

# logwatch

1	# logwatch

Источник: http://rtfm.co.ua/nginx-dobavlenie-logov-pod-monitoring-logwatch/ http://8bitpipe.com/?p=516

Опубликовано в рубрике Nginx, Security, Security

Метки: logwatch, Nginx, security

Комментарии отключены

Установка и настройка Linux Malware Detect

Август 4th, 2014

Evgeniy Kamenev

1. Загрузка,распаковка,установка

# cd /tmp

# cd /tmp

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

1	# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

# tar xvfz maldetect-current.tar.gz

1	# tar xvfz maldetect-current.tar.gz

# cd maldetect-*

1	# cd maldetect-*

# ./install.sh

1	# ./install.sh

………………………………………………
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

………………………………………………

installation completed to /usr/local/maldetect

config file: /usr/local/maldetect/conf.maldet

exec file: /usr/local/maldetect/maldet

exec link: /usr/local/sbin/maldet

exec link: /usr/local/sbin/lmd

cron.daily: /etc/cron.daily/maldet

# rm  -rf /tmp/maldetect*

1	# rm -rf /tmp/maldetect*

2. Настройкаконфигурационногофайла

# cat /usr/local/maldetect/conf.maldet | grep -v \# | grep -v ^$

1	# cat /usr/local/maldetect/conf.maldet \| grep -v \# \| grep -v ^$

# Включить отправку сообщений
email_alert=1
# Формирование темы сообщений
email_subj="maldet alert from $(hostname)"
# E-Mail, на который будет отправлено уведомление о найденных/подорительных файлах
email_addr=your@email
# Не отправлять отчет,если все подозрительные файлы были очищены/исправлены
email_ignore_clean=0
# Помещать подозрительные файлы на карантин
quar_hits=0
# попытаться очистить файл от зловредного кода(требует активации/включения опции quar_hits)
quar_clean=1
#Блокировать вход для пользователя, в файлах которого обнаружилось malware(требует активации/включения опции quar_hits)
quar_susp=0
# Минимальный универсальный идентификатор пользователя(uid) , с которого разрешается блокировать пользователя.
quar_susp_minuid=500
# Максимальная глубина вложений,на которой будут проверяться файлы
maxdepth=15
# Минимальный размер файла в байтах, включенный в сканирование
minfilesize=32
# Максимальный размер файла, включенный в сканирование
maxfilesize="768k"
hexdepth=61440
hex_fifo_scan=1
hex_fifo_depth=524288
# Если установлен Clamav, использовать его бинарник clamscan как поисковый движок
clamav_scan=1
# Разрешить запускать сканирование не от пользователя root
public_scan=0
inotify_base_watches=15360
inotify_stime=30
inotify_minuid=500
inotify_webdir=public_html
inotify_nice=10

# Включить отправку сообщений

email_alert=1

# Формирование темы сообщений

email_subj="maldet alert from $(hostname)"

# E-Mail, на который будет отправлено уведомление о найденных/подорительных файлах

email_addr=your@email

# Не отправлять отчет,если все подозрительные файлы были очищены/исправлены

email_ignore_clean=0

# Помещать подозрительные файлы на карантин

quar_hits=0

# попытаться очистить файл от зловредного кода(требует активации/включения опции quar_hits)

quar_clean=1

#Блокировать вход для пользователя, в файлах которого обнаружилось malware(требует активации/включения опции quar_hits)

quar_susp=0

# Минимальный универсальный идентификатор пользователя(uid) , с которого разрешается блокировать пользователя.

quar_susp_minuid=500

# Максимальная глубина вложений,на которой будут проверяться файлы

maxdepth=15

# Минимальный размер файла в байтах, включенный в сканирование

minfilesize=32

# Максимальный размер файла, включенный в сканирование

maxfilesize="768k"

hexdepth=61440

hex_fifo_scan=1

hex_fifo_depth=524288

# Если установлен Clamav, использовать его бинарник clamscan как поисковый движок

clamav_scan=1

# Разрешить запускать сканирование не от пользователя root

public_scan=0

inotify_base_watches=15360

inotify_stime=30

inotify_minuid=500

inotify_webdir=public_html

inotify_nice=10

3. Базовые команды для работы с утилитой maldet Принудительное обновление баз с сайта rfxn.com

# maldet --update(-u)

1	# maldet --update(-u)

Принудительно обновление версии скрипта с сайта rfxn.com

# maldet --update-ver(-d)

1	# maldet --update-ver(-d)

Проверка всех папок и фалов в каталоге /home

# maldet --scan-all  /home

1	# maldet --scan-all /home

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 073014-2238.12001
FILE HIT LIST:
{MD5}gzbase64.inject.unclassed.533 : /tmp/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 073014-2238.12001

FILE HIT LIST:

{MD5}gzbase64.inject.unclassed.533 : /tmp/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed

Поместить в карантин все подозрительные файлы при обнаружении их […]

Опубликовано в рубрике Centos, Security, Security

Метки: Linux Malware Detect, security

Комментарии отключены

Установка и настройка Rkhunter на Centos/Debian

Июль 28th, 2014

Evgeniy Kamenev

Установка и настройка Rkhunter на Centos Установка через менеджер пакетов yum 1. Установка через менеджер пакетов yum

# yum  install  rkhunter

1	# yum install rkhunter

Просмотр части файлов, которые создаются при установке rkhunter

# rpm -ql rkhunter-1.4.2-3.el6.noarch | grep "etc\|log"

1	# rpm -ql rkhunter-1.4.2-3.el6.noarch \| grep "etc\\|log"

/etc/cron.daily/rkhunter
/etc/logrotate.d/rkhunter
/etc/rkhunter.conf
/etc/sysconfig/rkhunter
/var/log/rkhunter

/etc/cron.daily/rkhunter

/etc/logrotate.d/rkhunter

/etc/rkhunter.conf

/etc/sysconfig/rkhunter

/var/log/rkhunter

2.Изменяем адрес ,на который будет приходит уведомление в случае появления Warning при проверке

# nano /etc/sysconfig/rkhunter

1	# nano /etc/sysconfig/rkhunter

MAILTO=your@email
DIAG_SCAN=no

1 2	MAILTO=your@email DIAG_SCAN=no

3.Настраиваем конфигурационный файл rkhunter.conf

# cp /etc/rkhunter.conf /etc/rkhunter.conf~

1	# cp /etc/rkhunter.conf /etc/rkhunter.conf~

# nano /etc/rkhunter.conf

1	# nano /etc/rkhunter.conf

MAIL-ON-WARNING=your@email
LOGFILE=/var/log/rkhunter/rkhunter.log
APPEND_LOG=1
ALLOW_SSH_PROT_V1=0
ALLOW_SSH_ROOT_USER=unset
SSH_CONFIG_DIR=/etc/ssh
ENABLE_TESTS=ALL
DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"
PKGMGR=RPM
SUSPSCAN_DIRS=/tmp /var/tmp
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_THRESH=200

MAIL-ON-WARNING=your@email

LOGFILE=/var/log/rkhunter/rkhunter.log

APPEND_LOG=1

ALLOW_SSH_PROT_V1=0

ALLOW_SSH_ROOT_USER=unset

SSH_CONFIG_DIR=/etc/ssh

ENABLE_TESTS=ALL

DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"

PKGMGR=RPM

SUSPSCAN_DIRS=/tmp /var/tmp

SUSPSCAN_MAXSIZE=10240000

SUSPSCAN_THRESH=200

[…]

Опубликовано в рубрике Centos, Debian/Ubuntu, Security, Security, Security Tools, System

Метки: rkhunter, security

Комментарии отключены

Настройка fail2ban для защиты ssh,proftpd,exim,postfix,dovecot на Centos.

Ноябрь 6th, 2013

Evgeniy Kamenev

Установка fail2ban

# yum install fail2ban

1	# yum install fail2ban

1.Настройка конфигурационного файла fail2ban

# grep -v -E '(\#|^$)' /etc/fail2ban/fail2ban.conf

1	# grep -v -E '(\#\|^$)' /etc/fail2ban/fail2ban.conf

[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400

[Definition]

loglevel = INFO

logtarget = /var/log/fail2ban.log

syslogsocket = auto

socket = /var/run/fail2ban/fail2ban.sock

pidfile = /var/run/fail2ban/fail2ban.pid

dbfile = /var/lib/fail2ban/fail2ban.sqlite3

dbpurgeage = 86400

2.Настройка Fail2ban для мониторинга логов

# grep -v -E '(\#|^$)' /etc/fail2ban/jail.conf

1	# grep -v -E '(\#\|^$)' /etc/fail2ban/jail.conf

[INCLUDES]
before = paths-fedora.conf
[DEFAULT]
ignoreip = 127.0.0.1/8 159.224.XXX.YYY
ignorecommand =
bantime  = 86400
findtime  = 7200
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = myuser@mydomain.com
sender = root@mydomain.com
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
action = %(action_)s

### SSH
[sshd - iptables]
port = 2200
logpath  = /var/log/secure
maxretry = 3
enabled  = true
filter   = sshd
action = %(action_mwl)s
bantime  = 86400
findtime  = 3600
maxretry = 3

### ProFTPD
[proftpd-iptables]
port     = ftp,ftp-data,ftps,ftps-data
enabled  = true
filter   = proftpd
action = %(action_mwl)s
#action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
#          sendmail-whois[name=ProFTPD, dest=myname@mydomain.com, sender=root@mydomain.com]
logpath  = /var/log/proftpd/proftpd.log
bantime  = 86400
findtime  = 3600
maxretry = 3

###  Exim
[exim-iptables]
port   = smtp,465,submission
enabled  = true
filter   = exim
action = %(action_mwl)s
# action   =  iptables-multiport[name=Exim, port="smtp,smtps,submission", protocol=tcp]
#           sendmail-whois[name=Exim, dest= myname@mydomain.com, sender=root@mydomain.com]
logpath  = /var/log/exim/mainlog
bantime  = 86400
#bantime  = -1 # блокировка навсегда
findtime  = 3600
maxretry = 3

### Dovecot
[dovecot-iptables]
port   = pop3,pop3s,imap,imaps
enabled  = true
filter   = dovecot
action = %(action_mwl)s
# Необходимо указать файл,в котором логируются попытки аутентификации для Dovecot
logpath  = /var/log/secure
#logpath  = /var/log/maillog
#logpath  = /var/log/dovecot.log
bantime  = 86400
findtime  = 3600
maxretry = 3

### Postfix
[postfix-sasl]
enabled = true
port     = smtp,465,submission
logpath  = /var/log/maillog
filter   = postfix-sasl
action = %(action_mwl)s
#action   = iptables[name=postfix-sasl, port=smtp,smtps,submission protocol=tcp]
#           sendmail-whois[name=postfix-sasl, dest=myname@mydomain.com, sender=root@mydomain.com]
bantime  = 604800
findtime  = 3600
maxretry = 3

[postfix-iptables]
enabled = true
port     = smtp,465,submission
logpath = /var/log/maillog
filter = postfix
action = %(action_mwl)s
#action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]
#        sendmail[name=Postfix-smtp, dest=myname@mydomain.com, sender=root@mydomain.com]
logpath = /var/log/maillog
bantime = 604800
maxretry = 3
findtime = 3600

100

101

102

103

104

105

106

107

108

109

[INCLUDES]

before = paths-fedora.conf

[DEFAULT]

ignoreip = 127.0.0.1/8 159.224.XXX.YYY

ignorecommand =

bantime = 86400

findtime = 7200

maxretry = 5

backend = auto

usedns = warn

logencoding = auto

enabled = false

filter = %(__name__)s

destemail = myuser@mydomain.com

sender = root@mydomain.com

mta = sendmail

protocol = tcp

chain = INPUT

port = 0:65535

banaction = iptables-multiport

action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]

action = %(action_)s

### SSH

[sshd - iptables]

port = 2200

logpath = /var/log/secure

maxretry = 3

enabled = true

filter = sshd

action = %(action_mwl)s

bantime = 86400

findtime = 3600

maxretry = 3

### ProFTPD

[proftpd-iptables]

port = ftp,ftp-data,ftps,ftps-data

enabled = true

filter = proftpd

action = %(action_mwl)s

#action = iptables[name=ProFTPD, port=ftp, protocol=tcp]

# sendmail-whois[name=ProFTPD, dest=myname@mydomain.com, sender=root@mydomain.com]

logpath = /var/log/proftpd/proftpd.log

bantime = 86400

findtime = 3600

maxretry = 3

### Exim

[exim-iptables]

port = smtp,465,submission

enabled = true

filter = exim

action = %(action_mwl)s

# action = iptables-multiport[name=Exim, port="smtp,smtps,submission", protocol=tcp]

# sendmail-whois[name=Exim, dest= myname@mydomain.com, sender=root@mydomain.com]

logpath = /var/log/exim/mainlog

bantime = 86400

#bantime = -1 # блокировка навсегда

findtime = 3600

maxretry = 3

### Dovecot

[dovecot-iptables]

port = pop3,pop3s,imap,imaps

enabled = true

filter = dovecot

action = %(action_mwl)s

# Необходимо указать файл,в котором логируются попытки аутентификации для Dovecot

logpath = /var/log/secure

#logpath = /var/log/maillog

#logpath = /var/log/dovecot.log

bantime = 86400

findtime = 3600

maxretry = 3

### Postfix

[postfix-sasl]

enabled = true

port = smtp,465,submission

logpath = /var/log/maillog

filter = postfix-sasl

action = %(action_mwl)s

#action = iptables[name=postfix-sasl, port=smtp,smtps,submission protocol=tcp]

# sendmail-whois[name=postfix-sasl, dest=myname@mydomain.com, sender=root@mydomain.com]

bantime = 604800

findtime = 3600

maxretry = 3

[postfix-iptables]

enabled = true

port = smtp,465,submission

logpath = /var/log/maillog

filter = postfix

action = %(action_mwl)s

#action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]

# sendmail[name=Postfix-smtp, dest=myname@mydomain.com, sender=root@mydomain.com]

logpath = /var/log/maillog

bantime = 604800

maxretry = 3

findtime = 3600

3.Настройка Fail2ban фильтров для мониторинга логов Будем использовать все штатные фильтры, которые поставляются в комплекте с fail2ban SSH

# nano /etc/fail2ban/filter.d/sshd.conf

1	# nano /etc/fail2ban/filter.d/sshd.conf

[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
            ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
ignoreregex =

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$

^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$

^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ $serial \d+$ CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$

^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$

^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$

^%(__prefix_line)srefused connect from \S+ $<HOST>$\s*$

^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$

^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$

^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$

^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$

^%(__prefix_line)spam_unix$sshd:auth$:\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$

ignoreregex =

ProFTPD

# nano /etc/fail2ban/filter.d/proftpd.conf

1	# nano /etc/fail2ban/filter.d/proftpd.conf

[Definition]
_daemon = proftpd
__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit ($

failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
ignoreregex =

[Definition]

_daemon = proftpd

failregex = ^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$

^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ USER .* $Login failed$: %(__suffix_failed_login)s\s*$

^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ SECURITY VIOLATION: .* login attempted\. *$

^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ Maximum login attempts $\d+$ exceeded *$

ignoreregex =

Exim

# nano /etc/fail2ban/filter.d/exim.conf

1	# nano /etc/fail2ban/filter.d/exim.conf

[Definition]
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
             ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
ignoreregex =

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$

^%(pid)s \w+ authenticator failed for (\S+ )?$\S+$ \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( $set_id=.*$|: \d+ Time\(s$

^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$

^%(pid)s SMTP protocol synchronization error $[^)]*$: rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$

^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands $last was "\S+"$\s*$

ignoreregex =

Dovecot

# nano /etc/fail2ban/filter.d/dovecot.conf

1	# nano /etc/fail2ban/filter.d/dovecot.conf

 [Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disab$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying aut$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
ignoreregex =

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(%(__pam_auth)s($dovecot:auth$)?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\$

^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disab$

^%(__prefix_line)s(Info|dovecot: auth$default$|auth-worker$\d+$): pam$\S+,<HOST>$: pam_authenticate failed: (User not known to the underlying aut$

^%(__prefix_line)s(auth|auth-worker$\d+$): (pam|passwd-file)$\S+,<HOST>$: unknown user\s*$

ignoreregex =

Postfix

# nano /etc/fail2ban/filter.d/postfix-sasl.conf

1	# nano /etc/fail2ban/filter.d/postfix-sasl.conf

[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex =

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex =

# nano /etc/fail2ban/filter.d/postfix.conf

1	# nano /etc/fail2ban/filter.d/postfix.conf

[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
ignoreregex =

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$

^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$

^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

ignoreregex =

4.Проверка работы фильтра […]

Опубликовано в рубрике Centos, Security

Метки: dovecot, Exim, fail2ban, postfix, Proftpd, security, ssh

Комментарии отключены

Записи с меткой ‘security’

Поиск malware/вирусов на сайте

Настройка Logwatch для обработки Nginx-логов

Установка и настройка Linux Malware Detect

Установка и настройка Rkhunter на Centos/Debian

Настройка fail2ban для защиты ssh,proftpd,exim,postfix,dovecot на Centos.

Страницы

Свежие записи

Архивы

Рубрики

Админ-панель