메뉴 건너뛰기

2019.06.11 09:45

Fail2Ban 설정하기

조회 수 317217 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄

0. 설치

 

$ apt install fail2ban

 

vi /etc/fail2ban/jail.conf

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/16 관리자IP주소대역/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

 

 

1. DB초기화

 

service fail2ban stop
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans;"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from jails;"

 

 

2. vi /etc/fail2ban/jail.d/defaults-debian.conf

 

[sshd]
enabled = true
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp
maxretry = 1

[vsftpd]
enabled = true
port = ftp
maxretry = 1

 

 

3. /etc/fail2ban/action.d/iptables-multiport.conf

 

필터에 걸리면 그 아이피 대역대 24bit mask 로 drop 시켜버리기

 

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            <iptables> -A INPUT -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              <iptables> -D INPUT -s <ip>/<mask> -j DROP

[Init]

mask=24

 

4. /etc/fail2ban/filter.d/sshd.conf

 

cmnfailure 에 맨마지막 두개 표현 추가

 

cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
            ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
            ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
            ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
            ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
            ^Connection closed by <HOST> port \d+ \[preauth\]$
            ^Invalid user \w+ from <HOST> port \d+$

 

 

5. /etc/fail2ban/filter.d/postfix-sasl.conf

 

정규표현 SASL PLAIN에서 안먹히는거 고치기

 

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

 

6. 재시작 및 로그확인

service fail2ban restart

# 확인
iptables -n -L 
fail2ban-client status (sshd|postfix-sasl)
tail -f /var/log/auth.log
tail -f /var/log/mail.log
tail -f /var/log/fail2ban.log
 

 

 


  1. MariaDB 외부접속시 ssl 사용법, 그리고 ssl 로 replication(동기화) 하기

  2. No Image 11Jul
    by DDART
    2020/07/11 by DDART
    Views 3602 

    터미널에서 backspace 키가 안눌러질때

  3. No Image 07Jul
    by DDART
    2020/07/07 by DDART
    Views 3715 

    서버사이 동기화하기 - rsync, mariadb replication

  4. No Image 17May
    by DDART
    2020/05/17 by DDART
    Views 4376 

    msinfo 시스템정보 wmic cmd 명령

  5. No Image 21Jan
    by DDART
    2020/01/21 by DDART
    Views 4814 

    Visual Studio Code 에서 Autohotkey 설정

  6. No Image 22Dec
    by DDART
    2019/12/22 by DDART
    Views 2621 

    우분투 19.04, 19.10, 20.04 으로 업그레이드 하기

  7. No Image 09Sep
    by DDART
    2019/09/09 by DDART
    Views 3495 

    윈도우 10에서 구글 어시스턴트 명령

  8. No Image 12Jun
    by DDART
    2019/06/12 by DDART
    Views 3730 

    해외 IP차단

  9. No Image 11Jun
    by DDART
    2019/06/11 by DDART
    Views 317217 

    Fail2Ban 설정하기

  10. No Image 01Jun
    by DDART
    2019/06/01 by DDART
    Views 8149 

    윈도우 자동화관련 툴

  11. No Image 31Oct
    by DDART
    2018/10/31 by DDART
    Views 15225 

    PHP로 WOL Magic Packet 보내기

  12. No Image 16Oct
    by DDART
    2018/10/16 by DDART
    Views 5102 

    BATCH 문법

  13. No Image 15Oct
    by DDART
    2018/10/15 by DDART
    Views 2917 

    우분투 16.04 에서 18.04 로 업그레이드하기

  14. No Image 14Oct
    by DDART
    2018/10/14 by DDART
    Views 5965 

    Windows 7, 8.1 에서 Windows 10으로 무료업그레이드하기

  15. No Image 12Dec
    by DDART
    2017/12/12 by DDART
    Views 3169 

    vsftpd 설정

  16. No Image 08Sep
    by DDART
    2017/09/08 by DDART
    Views 9336 

    crontab

  17. VBA Project 패스워드 보호 제거하기

  18. No Image 05Aug
    by DDART
    2016/08/05 by DDART
    Views 6372 

    우분투 16.04 ownCloud 9.1.0 설치

  19. No Image 31Jul
    by DDART
    2016/07/31 by DDART
    Views 12397 

    우분투 16.04 Subversion - SVN서버, SVN+SSH 클라이언트

  20. No Image 31Jul
    by DDART
    2016/07/31 by DDART
    Views 4405 

    우분투 16.04 FTP, Samba 등 가상디렉토리 추가

Board Pagination Prev 1 2 3 ... 4 Next
/ 4