메뉴 건너뛰기

2019.06.11 00:45

Fail2Ban 설정하기

조회 수 313589 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄

0. 설치

 

$ apt install fail2ban

 

vi /etc/fail2ban/jail.conf

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/16 관리자IP주소대역/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

 

 

1. DB초기화

 

service fail2ban stop
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans;"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from jails;"

 

 

2. vi /etc/fail2ban/jail.d/defaults-debian.conf

 

[sshd]
enabled = true
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp
maxretry = 1

[vsftpd]
enabled = true
port = ftp
maxretry = 1

 

 

3. /etc/fail2ban/action.d/iptables-multiport.conf

 

필터에 걸리면 그 아이피 대역대 24bit mask 로 drop 시켜버리기

 

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            <iptables> -A INPUT -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              <iptables> -D INPUT -s <ip>/<mask> -j DROP

[Init]

mask=24

 

4. /etc/fail2ban/filter.d/sshd.conf

 

cmnfailure 에 맨마지막 두개 표현 추가

 

cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
            ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
            ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
            ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
            ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
            ^Connection closed by <HOST> port \d+ \[preauth\]$
            ^Invalid user \w+ from <HOST> port \d+$

 

 

5. /etc/fail2ban/filter.d/postfix-sasl.conf

 

정규표현 SASL PLAIN에서 안먹히는거 고치기

 

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

 

6. 재시작 및 로그확인

service fail2ban restart

# 확인
iptables -n -L 
fail2ban-client status (sshd|postfix-sasl)
tail -f /var/log/auth.log
tail -f /var/log/mail.log
tail -f /var/log/fail2ban.log
 

 

 


  1. 윈도우10 아이콘이 제대로 표시 안될때

    Date2023.11.08 ByDDART Views490
    Read More
  2. 윈도우에서 우분투 22.04 MariaDB 서버 SSL접속시 SEC_E_ALGORITHM_MISMATCH 오류

    Date2024.01.20 ByDDART Views492
    Read More
  3. 윈도우용 아파치 php 버전 동시에 2개이상 띄우기

    Date2023.05.26 ByDDART Views716
    Read More
  4. 윈도우용 아파치에서 localhost 를 https로 띄우기

    Date2023.06.20 ByDDART Views849
    Read More
  5. mysql/mariadb 손상된 inno db 복구

    Date2023.05.03 ByDDART Views871
    Read More
  6. 우분투 22.04 메일서버 설정

    Date2023.06.13 ByDDART Views892
    Read More
  7. 아파치서버에서 웹소켓 특정포트 프락시설정방법

    Date2023.07.19 ByDDART Views1026
    Read More
  8. 원격데스크톱 연결후 화면 사라짐현상, 특정 IP만 접속 허용

    Date2023.05.04 ByDDART Views1154
    Read More
  9. 윈도우에서 우분투 20.04 MariaDB 서버 SSL접속시 SEC_E_ALGORITHM_MISMATCH 오류

    Date2023.05.06 ByDDART Views1155
    Read More
  10. 원격데스크톱 마이크로소프트 계정 자격증명 실패할때

    Date2023.04.28 ByDDART Views1261
    Read More
  11. 우분투 서버 자동업데이트

    Date2021.07.02 ByDDART Views1394
    Read More
  12. 우분투 19.04, 19.10, 20.04 으로 업그레이드 하기

    Date2019.12.21 ByDDART Views1577
    Read More
  13. 윈도우 10 마이크로소프트 계정 PIN 없이 자동로그인

    Date2020.09.16 ByDDART Views1722
    Read More
  14. 우분투 서버 업데이트 후 자동 전원 대기모드 방지

    Date2021.07.22 ByDDART Views1759
    Read More
  15. postfix 에서 mysql 오류

    Date2020.08.01 ByDDART Views1768
    Read More
  16. 터미널에서 backspace 키가 안눌러질때

    Date2020.07.10 ByDDART Views1912
    Read More
  17. 우분투 16.04 에서 18.04 로 업그레이드하기

    Date2018.10.15 ByDDART Views1943
    Read More
  18. svn 서버 사이 동기화

    Date2020.07.29 ByDDART Views1943
    Read More
  19. 윈도우 10에서 구글 어시스턴트 명령

    Date2019.09.08 ByDDART Views2102
    Read More
  20. vsftpd 설정

    Date2017.12.11 ByDDART Views2103
    Read More
Board Pagination Prev 1 2 3 ... 4 Next
/ 4