
2019.06.11 00:45

Configuring Fail2Ban


0. Installation


$ apt install fail2ban


vi /etc/fail2ban/jail.conf

[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
# ADMIN_IP_RANGE/8 is a placeholder: put the administrator's address range here.
ignoreip = ::1 ADMIN_IP_RANGE/8

# External command that will take tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400



1. Reset the database


service fail2ban stop
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans;"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from jails;"



2. vi /etc/fail2ban/jail.d/defaults-debian.conf


[sshd]
enabled = true
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp
maxretry = 1

# FTP_JAIL_NAME is a placeholder: the section name for the FTP jail was not
# preserved in the original; use the jail name of your FTP daemon.
[FTP_JAIL_NAME]
enabled = true
port = ftp
maxretry = 1



3. /etc/fail2ban/action.d/iptables-multiport.conf


When a filter matches, drop the matched IP's whole range with a 24-bit mask.


# Fail2Ban configuration file
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          The second line additionally drops the whole <ip>/<mask> range in INPUT.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            <iptables> -A INPUT -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          The range rule added by actionban must be removed here as well.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              <iptables> -D INPUT -s <ip>/<mask> -j DROP

[Init]

# <mask> is not a stock fail2ban tag, so it must be defined for the commands
# above to expand. The value assumes the 24-bit mask the note above calls for;
# the original page did not preserve this section.
mask = 24




4. /etc/fail2ban/filter.d/sshd.conf


Append the last two expressions (the final two lines below) to cmnfailre.


cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
            ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
            ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
            ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
            ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
            ^Connection closed by <HOST> port \d+ \[preauth\]$
            ^Invalid user \w+ from <HOST> port \d+$



5. /etc/fail2ban/filter.d/postfix-sasl.conf


Fix the regular expression, which does not match SASL PLAIN failures.


# Fail2Ban filter for postfix authentication failures

[INCLUDES]

before = common.conf

[Definition]

# (submission/)? also matches the submission service's smtpd log lines.
_daemon = postfix/(submission/)?smtp(d|s)

# (?i:...) scopes the case-insensitive flag to the group; the mid-pattern (?i)
# of the stock file is rejected by Python 3.11 and later.
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko
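As an added example (not part of the original post), the script below runs the two sshd expressions added in step 4 and the reworked postfix-sasl failregex from step 5 over constructed log lines, applies ignoreregex and ignoreip, and reports the /24 network that the step-3 actionban would DROP. The <HOST> tag and __prefix_line are replaced by simplified IPv4-only stand-ins, and the admin range in IGNOREIP is a constructed value; the fourth sample line is a benign preauth disconnect from that range, showing that with maxretry = 1 only ignoreip keeps the whole /24 from being dropped.

```python
import ipaddress
import re
# Simplified IPv4-only stand-ins (assumptions) for fail2ban's <HOST> tag and __prefix_line.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ "
# Step 4's two added cmnfailre lines and step 5's failregex (with the modified _daemon), tags replaced.
RULES = {
    "sshd": [
        PREFIX + r"sshd\[\d+\]: Connection closed by " + HOST + r" port \d+ \[preauth\]$",
        PREFIX + r"sshd\[\d+\]: Invalid user \w+ from " + HOST + r" port \d+$",
    ],
    "postfix-sasl": [
        PREFIX + r"postfix/(submission/)?smtp(d|s)\[\d+\]: warning: [-._\w]+\[" + HOST
        + r"\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    ],
}
IGNOREREGEX = {"postfix-sasl": [r"authentication failed: Connection lost to authentication server$"]}
IGNOREIP = ["127.0.0.1/8", "::1", "198.51.100.0/24"]  # constructed admin range in place of ADMIN_IP_RANGE
MASK = 24  # step 3: actionban drops <ip>/<mask>

def matched_host(jail, line):
    """Host captured by the first failregex of `jail` that matches, else None."""
    hits = (re.search(pat, line) for pat in RULES[jail])
    return next((m.group("host") for m in hits if m), None)

def ban_target(host):
    """Network the step-3 actionban would DROP, or None when ignoreip covers the host."""
    ip = ipaddress.ip_address(host)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in IGNOREIP):
        return None
    return str(ipaddress.ip_network(f"{host}/{MASK}", strict=False))

def evaluate(entries):
    """Apply failregex, ignoreregex and ignoreip to (jail, line) pairs -> [(jail, host, dropped_net)]."""
    out = []
    for jail, line in entries:
        host = matched_host(jail, line)
        if host is None or any(re.search(p, line) for p in IGNOREREGEX.get(jail, [])):
            continue  # no failregex hit, or whitelisted by ignoreregex
        out.append((jail, host, ban_target(host)))
    return out

SAMPLE = [  # constructed log lines, not from a real server; one per case worth checking
    ("sshd", "Jun 11 00:45:01 mail sshd[2210]: Connection closed by 203.0.113.77 port 51234 [preauth]"),
    ("sshd", "Jun 11 00:45:02 mail sshd[2211]: Invalid user admin from 203.0.113.78 port 51235"),
    ("sshd", "Jun 11 00:45:04 mail sshd[2213]: Connection closed by 198.51.100.9 port 40001 [preauth]"),
    ("postfix-sasl", "Jun 11 00:46:00 mail postfix/submission/smtpd[3301]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: UGFzc3dvcmQ6"),
    ("postfix-sasl", "Jun 11 00:46:01 mail postfix/smtpd[3302]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: Connection lost to authentication server"),
]
```

For the real filter files, fail2ban-regex (e.g. fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf) remains the authoritative check, since it expands the actual tags.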


6. Restart and check the logs

service fail2ban restart

# verify
iptables -n -L
fail2ban-client status sshd
fail2ban-client status postfix-sasl
tail -f /var/log/auth.log
tail -f /var/log/mail.log
tail -f /var/log/fail2ban.log


