메뉴 건너뛰기

DDART.NET

2019.06.11 00:45

Fail2Ban 설정하기

조회 수 926 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄

0. 설치

 

$ apt install fail2ban

 

vi /etc/fail2ban/jail.conf

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/16 관리자IP주소대역/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

 

 

1. DB초기화

 

service fail2ban stop
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans;"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from jails;"

 

 

2. vi /etc/fail2ban/jail.d/defaults-debian.conf

 

[sshd]
enabled = true
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp
maxretry = 1

[vsftpd]
enabled = true
port = ftp
maxretry = 1

 

 

3. /etc/fail2ban/action.d/iptables-multiport.conf

 

필터에 걸리면 그 아이피 대역대 24bit mask 로 drop 시켜버리기

 

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            <iptables> -A INPUT -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              <iptables> -D INPUT -s <ip>/<mask> -j DROP

[Init]

mask=24

 

4. /etc/fail2ban/filter.d/sshd.conf

 

cmnfailure 에 맨마지막 두개 표현 추가

 

cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
            ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
            ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
            ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
            ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
            ^Connection closed by <HOST> port \d+ \[preauth\]$
            ^Invalid user \w+ from <HOST> port \d+$

 

 

5. /etc/fail2ban/filter.d/postfix-sasl.conf

 

정규표현 SASL PLAIN에서 안먹히는거 고치기

 

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

 

6. 재시작 및 로그확인

service fail2ban restart

# 확인
iptables -n -L 
fail2ban-client status (sshd|postfix-sasl)
tail -f /var/log/auth.log
tail -f /var/log/mail.log
tail -f /var/log/fail2ban.log
 

 

 


List of Articles
번호 제목 글쓴이 날짜 조회 수
48 갑자기 WOL 이 동작안할때 DDART 2020.11.07 240
47 svn 서버 사이 동기화 DDART 2020.07.29 274
46 postfix 에서 mysql 오류 DDART 2020.08.01 275
45 터미널에서 backspace 키가 안눌러질때 DDART 2020.07.10 277
44 윈도우 10 마이크로소프트 계정 PIN 없이 자동로그인 DDART 2020.09.16 283
43 서버사이 동기화하기 - rsync, mariadb replication DDART 2020.07.07 410
42 우분투 19.04, 19.10, 20.04 으로 업그레이드 하기 DDART 2019.12.21 484
41 msinfo 시스템정보 wmic cmd 명령 DDART 2020.05.17 484
40 윈도우 자동화관련 툴 DDART 2019.06.01 606
39 윈도우 10에서 구글 어시스턴트 명령 DDART 2019.09.08 711
38 해외 IP차단 DDART 2019.06.12 810
» Fail2Ban 설정하기 DDART 2019.06.11 926
36 우분투 16.04 에서 18.04 로 업그레이드하기 DDART 2018.10.15 979
35 MariaDB 외부접속시 ssl 사용법, 그리고 ssl 로 replication(동기화) 하기 file DDART 2020.07.11 1311
34 vsftpd 설정 DDART 2017.12.11 1396
33 Visual Studio Code 에서 Autohotkey 설정 DDART 2020.01.21 1485
32 BATCH 문법 DDART 2018.10.15 1667
31 PHP로 WOL Magic Packet 보내기 DDART 2018.10.31 1768
30 우분투 16.04 FTP, Samba 등 가상디렉토리 추가 DDART 2016.07.30 2894
29 Windows 7, 8.1 에서 Windows 10으로 무료업그레이드하기 DDART 2018.10.14 4184
Board Pagination Prev 1 2 ... 3 Next
/ 3