Fail2ban: automatically ban brute-force login attempts
Posted: 2013-09-15, 22:18
CentOS users: first add the ATrpms repository, then use yum to install a newer Fail2ban than the base repositories ship. (EPEL also packages fail2ban; whichever third-party repository you use, keep gpgcheck=1 so that packages are signature-checked before installation.)
# vi /etc/yum.repos.d/atrpms.repo
[atrpms]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$bas ... pms/stable
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=1
# yum install fail2ban
Notes:
jail.conf defines the jails, i.e. which filter is paired with which action(s).
filter.d/ holds the filters (the regexes that recognise a failed attempt in a log line); many are shipped ready-made.
action.d/ holds the actions; many are shipped ready-made, such as notifying by mail with sendmail, blocking the source address with iptables, looking up the source's domain with whois, or automatically notifying the abuse contact for the source IP.
Configuration (keep comments on their own lines: fail2ban reads jail.conf with Python's ConfigParser, which only strips a trailing comment that begins with " ;", so "bantime = 600 # ..." makes the value "600 # ..." and the jail fails to parse it as a number):
# vi /etc/fail2ban/jail.conf
[DEFAULT]
# IPs, hostnames or CIDR ranges that are never banned. Add your own
# management address so that a mistyped password cannot lock you out.
ignoreip = 127.0.0.1
# how long, in seconds, a banned host stays blocked
bantime = 600
# the window, in seconds, within which failures are counted
findtime = 600
# number of failures within findtime that triggers a ban
maxretry = 3
# how log files are watched for new lines: pyinotify, gamin or polling;
# auto picks the first one that is available on the system
backend = auto
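To make the interaction of findtime, maxretry, bantime and ignoreip concrete, here is an added simulation of a jail's counting logic (example code written for this page, not fail2ban's own implementation). It assumes exact-string matching for ignoreip (real fail2ban also accepts CIDR ranges and hostnames) and events already in time order; the failure events are constructed, and the second run uses the [dovecot-check] values from further down the post.

```python
# Added example (not from the original post and not fail2ban's own code): a
# small simulation of how findtime, maxretry, bantime and ignoreip interact
# when a jail counts failures. Failure events below are constructed.
from collections import defaultdict, deque


def decide_bans(events, findtime=600, maxretry=3, bantime=600, ignoreip=()):
    """Replay (timestamp_seconds, ip) failure events in time order and return
    the list of (ban_timestamp, ip) bans a jail with these settings would issue.

    Rules mirrored from fail2ban:
      * an IP listed in ignoreip is never counted (exact match here; real
        fail2ban also understands CIDR ranges and hostnames);
      * a ban is issued once maxretry failures fall inside a findtime-second
        sliding window;
      * failures seen while the IP is banned are not counted (the firewall
        rule drops the connection, so normally none are logged anyway);
      * after bantime seconds the ban expires and counting restarts from zero.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned_until = {}            # ip -> timestamp at which its ban expires
    bans = []
    for ts, ip in events:
        if ip in ignoreip:
            continue
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue                   # still banned: not counted
            del banned_until[ip]           # ban expired: clean slate
            recent[ip].clear()
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()               # drop failures older than findtime
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans


# Constructed failure events (seconds since an arbitrary start, source IP),
# already sorted by time as a log tail would be.
SAMPLE_EVENTS = [
    (0, "203.0.113.5"), (0, "127.0.0.1"), (0, "198.51.100.7"),
    (5, "203.0.113.5"), (5, "127.0.0.1"),
    (10, "203.0.113.5"), (10, "127.0.0.1"),
    (15, "203.0.113.5"), (15, "127.0.0.1"),
    (20, "203.0.113.5"), (20, "127.0.0.1"),        # 5 fast failures from 203.0.113.5
    (25, "203.0.113.5"),                           # arrives while 203.0.113.5 is banned
    (100, "198.51.100.7"), (200, "198.51.100.7"),
    (300, "198.51.100.7"), (400, "198.51.100.7"),  # slow guesser, 100 s between tries
    (3700, "203.0.113.5"), (3705, "203.0.113.5"), (3710, "203.0.113.5"),
    (3715, "203.0.113.5"), (3720, "203.0.113.5"),  # a second burst an hour later
]

LOCALHOST = ("127.0.0.1",)


def bans_with_page_defaults():
    """The [DEFAULT] values from the post: findtime=600, maxretry=3, bantime=600."""
    return decide_bans(SAMPLE_EVENTS, findtime=600, maxretry=3, bantime=600,
                       ignoreip=LOCALHOST)


def bans_with_dovecot_jail():
    """The [dovecot-check] values from the post: findtime=60, maxretry=5, bantime=3600."""
    return decide_bans(SAMPLE_EVENTS, findtime=60, maxretry=5, bantime=3600,
                       ignoreip=LOCALHOST)


if __name__ == "__main__":
    print("DEFAULT :", bans_with_page_defaults())
    print("dovecot :", bans_with_dovecot_jail())
```

With the [DEFAULT] values the slow guesser at 198.51.100.7 is banned after its third try because 600 seconds is a wide window; with the 60-second window of the Dovecot jail it is never banned, which is the trade-off to keep in mind when shortening findtime. 127.0.0.1 is never banned in either run.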
Checking Fail2ban's status:
Which jails are currently running
# fail2ban-client status
Details of one jail (its filter's file and match counters, and the currently banned IPs)
# fail2ban-client status dovecot-check
Dovecot brute-force detection settings:
# vi /etc/dovecot.conf
auth_debug = yes
(auth_debug is the most verbose option; auth_verbose = yes is normally enough to get the "Authentication failure" / "Aborted login" lines that the filter below matches, with far less noise in maillog.)
# vi /etc/fail2ban/jail.conf
[dovecot-check]
enabled = true
filter = dovecot-check
backend = polling
action = iptables-multiport[name=dovecot-check, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-check, dest=[email protected]]
logpath = /var/log/maillog
ignoreip = 127.0.0.1
bantime = 3600
findtime = 60
maxretry = 5
# vi /etc/fail2ban/filter.d/dovecot-check.conf
[Definition]
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*
This filter captures the address with its own (?P<host>...) group instead of the <HOST> tag; the (?:::f{4,6}:)? prefix strips the ::ffff: of IPv4-mapped IPv6 addresses so that the banned address is a plain IPv4 one. The backslash in \S must be present: with a bare S* the regex only matches literal S characters and never extracts a host. Note that the "Disconnected" alternative also catches clients that connect and drop without authenticating (Dovecot's "Disconnected (no auth attempts)"), so scanners are banned as well as password guessers. sendmail-whois sends one mail per ban, which on an exposed server can be a lot of mail.
SASL (SMTP) brute-force detection settings:
# vi /etc/fail2ban/jail.conf
[sasl-iptables]
enabled = true
# the stock "sasl" filter matches Postfix's "SASL ... authentication failed" lines;
# the custom smtp-auth filter below is written for sendmail- and Cyrus-style log lines
#filter = sasl
filter = smtp-auth
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=[email protected]]
logpath = /var/log/maillog
bantime = 3600
findtime = 60
maxretry = 5
# vi /etc/fail2ban/filter.d/smtp-auth.conf
[Definition]
failregex = \[<HOST>\] .*to MTA
#           \[<HOST>\] \(may be forged\)
            \[<HOST>\], reject.*\.\.\. Relaying denied
            \(User unknown\)\n* \[<HOST>\]
            badlogin: .* \[<HOST>\] plaintext .* SASL
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
The square brackets and parentheses must be escaped as shown: an unescaped [<HOST>] is a character class, the expanded regex does not compile, and the jail refuses to start. Only the last pattern ("badlogin: ... SASL") is an actual authentication failure; the first matches sendmail's "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA", i.e. connect-and-drop probes, and the others match relaying and unknown-user rejects, so this jail bans probing and spam hosts as well as password guessers.
OpenWebMail brute-force detection settings:
# vi /etc/fail2ban/jail.conf
[webmail-iptables]
enabled = true
filter = openwebmail-auth
# add https as well if the webmail is served over TLS;
# bantime and findtime are inherited from [DEFAULT] here
action = iptables[name=openwebmail-auth, port=http, protocol=tcp]
         sendmail-whois[name=openwebmail, dest=[email protected]]
logpath = /var/log/openwebmail.log
maxretry = 3
# vi /etc/fail2ban/filter.d/openwebmail-auth.conf
[Definition]
failregex = \(<HOST>\) .* username/password incorrect?
            \(<HOST>\) .* no such user
ignoreregex =
OpenWebMail writes the client address in parentheses, so the parentheses around <HOST> must be escaped. Unescaped, (<HOST>) is just a capture group and the regex still compiles, but it then matches the first word of the log line (the weekday of the timestamp) as the "host", so nothing useful is ever banned.
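Before enabling any of the three jails above, the filters should be run over real log lines. The following added example (written for this page; it is not fail2ban's code, whose fail2ban-regex tool does the same job) expands <HOST> the way fail2ban 0.8 does (an assumption for other versions, which use a slightly different expansion), applies ignoreregex before failregex as fail2ban does, and returns the hosts extracted from a set of constructed maillog and openwebmail.log lines. It also shows that the unescaped [<HOST>] from the SASL filter does not even compile.

```python
# Added example (not from the original post and not fail2ban's own code): run a
# jail's failregex / ignoreregex over log lines the way fail2ban does, so a
# filter can be checked before it is enabled. The <HOST> expansion copies the
# one used by fail2ban 0.8 (an assumption for other versions); all log lines
# below are constructed for this example.
import re
import warnings

# What fail2ban 0.8 substitutes for the <HOST> tag: an optional IPv4-mapped
# IPv6 prefix (::ffff:) followed by the address in a group named "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def filter_compiles(pattern):
    """True if a failregex line is a valid regex once <HOST> is expanded."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")   # only re.error matters here
            re.compile(pattern.replace("<HOST>", HOST_TAG))
        return True
    except re.error:
        return False


def find_failures(failregex, lines, ignoreregex=()):
    """Return the host extracted from every line matching a failregex entry,
    after skipping lines matched by ignoreregex (fail2ban checks ignore first)."""
    fail = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in failregex]
    ignore = [re.compile(p) for p in ignoreregex]
    hosts = []
    for line in lines:
        if any(r.search(line) for r in ignore):
            continue
        for r in fail:
            m = r.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


# --- dovecot-check: uses its own (?P<host>...) group instead of <HOST> ---
DOVECOT_FAIL = [r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"]
DOVECOT_IGNORE = [r"(?: Disconnected: Logged out).*"]
DOVECOT_LINES = [  # constructed
    "Sep 15 22:18:01 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10",
    "Sep 15 22:18:02 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<root>, method=PLAIN, rip=::ffff:198.51.100.7, lip=::ffff:192.0.2.10",
    "Sep 15 22:18:05 mail dovecot: imap-login: Disconnected: Logged out: user=<alice>, rip=192.0.2.44, lip=192.0.2.10",
    "Sep 15 22:18:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10",
]

# --- smtp-auth, with the bracket/parenthesis escapes the filter needs ---
SMTP_FAIL = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"\(User unknown\)\n* \[<HOST>\]",
    r"badlogin: .* \[<HOST>\] plaintext .* SASL",
]
SMTP_LINES = [  # constructed, sendmail- and Cyrus-style
    "Sep 15 22:19:01 mail sendmail[1201]: r8FEJ1xx001201: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Sep 15 22:19:10 mail sendmail[1202]: r8FEJAxx001202: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[198.51.100.7], reject=550 5.7.1 <victim@example.net>... Relaying denied",
    "Sep 15 22:19:20 mail imap[1203]: badlogin: scanner.example.org [203.0.113.5] plaintext bob SASL(-13): authentication failure: checkpass failed",
    "Sep 15 22:19:30 mail sendmail[1204]: r8FEJUxx001204: from=<alice@example.com>, size=1024, class=0, nrcpts=1, relay=[192.0.2.44]",
]

# --- openwebmail-auth ---
OWM_FAIL = [
    r"\(<HOST>\) .* username/password incorrect?",
    r"\(<HOST>\) .* no such user",
]
OWM_LINES = [  # constructed
    "Sun Sep 15 22:20:01 2013 - [2201] (203.0.113.5) bob - login error: username/password incorrect",
    "Sun Sep 15 22:20:02 2013 - [2202] (198.51.100.7) nosuchname - login error: no such user",
    "Sun Sep 15 22:20:10 2013 - [2203] (192.0.2.44) alice - login - success",
]


def dovecot_hosts():
    return find_failures(DOVECOT_FAIL, DOVECOT_LINES, DOVECOT_IGNORE)


def smtp_hosts():
    return find_failures(SMTP_FAIL, SMTP_LINES)


def openwebmail_hosts():
    return find_failures(OWM_FAIL, OWM_LINES)


if __name__ == "__main__":
    print("unescaped [<HOST>] compiles:", filter_compiles(r"[<HOST>] .*to MTA"))
    print("escaped \\[<HOST>\\] compiles: ", filter_compiles(r"\[<HOST>\] .*to MTA"))
    print("dovecot:", dovecot_hosts())
    print("smtp:   ", smtp_hosts())
    print("owm:    ", openwebmail_hosts())
```

The Dovecot run shows the ::ffff: prefix being stripped (198.51.100.7, not ::ffff:198.51.100.7, is what reaches iptables) and the "Logged out" line being discarded by ignoreregex before failregex is tried; the successful logins in each set extract nothing. On a real system, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-check.conf` is the equivalent check.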