2019.06.11 00:45

Setting up Fail2Ban


0. Installation

$ apt install fail2ban

vi /etc/fail2ban/jail.conf

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = ::1 관리자IP주소대역/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

Here 관리자IP주소대역 stands for the administrator's own address range. Keep ignoreip as narrow as you can: a /8 exempts about 16 million addresses from banning, while every host not listed here is banned for a full day (86400 s) after a single failure once maxretry = 1 is set in step 2. Note also that jail.conf is replaced on package upgrades; the same settings can be kept in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf.



1. Reset the ban database

Fail2ban stores its bans in an SQLite database so that they survive a restart; clearing it before changing the configuration removes any bans made under the old rules.

service fail2ban stop
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans;"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from jails;"



2. vi /etc/fail2ban/jail.d/defaults-debian.conf

The jail section headers did not survive this post's rendering; [sshd] and [postfix-sasl] are the jails checked in step 6, while the name of the FTP jail is not given in the post. With maxretry = 1 a host is banned after a single failure, so make sure your own range is in ignoreip (step 0) before enabling these.

[sshd]
enabled = true
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp
maxretry = 1

[<ftp-jail-name, not given in the post>]
enabled = true
port = ftp
maxretry = 1



3. /etc/fail2ban/action.d/iptables-multiport.conf

When an IP trips a filter, drop not just that address but its whole range with a 24-bit mask. Caveat: a single failure then blocks 256 addresses for the full bantime, including any legitimate hosts that share the /24 with the offender, and the same <mask> applied to an IPv6 address covers a far larger prefix. ignoreip only stops fail2ban from banning a listed host; it does not keep a listed range out of the DROP rule generated for another host's /24.

# Fail2Ban configuration file
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            <iptables> -A INPUT -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              <iptables> -D INPUT -s <ip>/<mask> -j DROP

[Init]

# <mask> is used above but the post does not show where it is defined; the value
# 24 follows the "24-bit mask" description and is an assumption.
mask = 24
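To see exactly what the actionban above does once fail2ban has filled in the tags, here is an added example (it is not part of the original post and not fail2ban's own code). It substitutes the tags the way fail2ban does, reports the network a `-s <ip>/<mask>` rule really covers, and checks the result against an ignoreip list. The tag values (`iptables`/`ip6tables`, `REJECT`, jail name `sshd`) are simplified stand-ins for what iptables-common.conf and the jail supply, mask 24 follows the post's wording, ignoreip entries are assumed to be literal addresses or CIDRs (not DNS names), and all addresses are constructed documentation ranges.

```python
import ipaddress
import re

# actionban / actionunban from the post, one command per line (fail2ban tag syntax).
ACTIONBAN = """<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
<iptables> -A INPUT -s <ip>/<mask> -j DROP"""
ACTIONUNBAN = """<iptables> -D f2b-<name> -s <ip> -j <blocktype>
<iptables> -D INPUT -s <ip>/<mask> -j DROP"""

TAG = re.compile(r"<(\w+)>")


def default_tags(ip, name="sshd", mask=24):
    """Simplified stand-in for the tag values fail2ban derives from the jail and
    iptables-common.conf (which picks iptables or ip6tables by address family).
    mask=24 is assumed from the post's "24-bit mask" wording."""
    family = ipaddress.ip_address(ip).version
    return {
        "iptables": "ip6tables" if family == 6 else "iptables",
        "name": name,
        "ip": ip,
        "mask": str(mask),
        "blocktype": "REJECT",
    }


def render(template, tags):
    """Substitute <tag> placeholders line by line. Unknown tags are left in place so
    that a missing definition (e.g. no <mask>) is visible instead of silently wrong."""
    return [TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), line)
            for line in template.splitlines()]


def unresolved_tags(commands):
    """Tags still present after rendering; a non-empty list means the action cannot run."""
    return sorted({t for c in commands for t in TAG.findall(c)})


def ban_scope(ip, mask):
    """Network and address count that '-s <ip>/<mask>' actually blocks."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net), net.num_addresses


def collateral(ip, mask, ignoreip):
    """ignoreip entries (step 0) that fall inside the blocked network. ignoreip only
    stops fail2ban from banning a listed host; it does not keep a listed range out
    of the DROP rule generated for a different host's /<mask>."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    hits = []
    for entry in ignoreip:  # assumed to be literal addresses or CIDR masks
        n = ipaddress.ip_network(entry, strict=False)
        if n.version == net.version and n.overlaps(net):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    # Constructed offenders (documentation ranges), not real bans.
    for offender in ("203.0.113.7", "2001:db8::1"):
        tags = default_tags(offender)
        print("\n".join(render(ACTIONBAN, tags)))
        print("  covers", *ban_scope(offender, 24))
    # An admin range sharing a /24 with an offender is caught by the DROP rule
    # even though the admin hosts themselves are listed in ignoreip.
    print(collateral("198.51.100.200", 24, ["::1", "198.51.100.0/25"]))
    # Without a definition for <mask> the second command cannot be executed.
    partial = {k: v for k, v in default_tags("203.0.113.7").items() if k != "mask"}
    print(unresolved_tags(render(ACTIONBAN, partial)))
```

Run it before enabling the action: the IPv6 case shows that the same `<mask>` value blocks a /24 of the IPv6 space (2^104 addresses) and the collateral check shows why a narrow ignoreip is not a protection against this particular rule.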




4. /etc/fail2ban/filter.d/sshd.conf

Add the last two expressions to cmnfailre. Caveat: "Connection closed by <HOST> port N [preauth]" is logged for any client that disconnects before authenticating, which includes scanners but also monitoring probes and ssh-keyscan style checks, so with maxretry = 1 a single TCP connection that never attempts a login is enough to trigger the ban.


cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
            ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
            ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
            ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
            ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
            ^Connection closed by <HOST> port \d+ \[preauth\]$
            ^Invalid user \w+ from <HOST> port \d+$



5. /etc/fail2ban/filter.d/postfix-sasl.conf

Fix the regex so that SASL PLAIN failures, which it did not match before, are caught as well. Note that Python 3.11 and later reject an inline (?i) in the middle of a pattern; on those versions write the group as (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5).

# Fail2Ban filter for postfix authentication failures

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko
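Before restarting, it is worth seeing which log lines the new rules from step 4 (the two cmnfailre additions) and step 5 (failregex plus ignoreregex) actually count. The following is an added example, not part of the original post and not fail2ban's code: it re-implements only the pieces needed to run offline, with a simplified <HOST> tag and a simplified syslog prefix standing in for common.conf's %(__prefix_line)s, the post's mid-pattern (?i) rewritten as a scoped (?i:...) group, and constructed auth.log and mail.log lines using documentation addresses. Against the real files, the equivalent check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` (and likewise for mail.log and postfix-sasl.conf).

```python
import re

# Simplified stand-ins for two things fail2ban's common.conf provides: the <HOST>
# tag (IPv4/IPv6 literal or hostname) and the syslog prefix that %(__prefix_line)s
# consumes, "Mon DD hh:mm:ss host daemon[pid]: ".
HOST = r"(?P<host>[0-9a-fA-F:.]+|[\w.-]+)"
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<daemon>\S+)\[\d+\]: ")

# Filter rules from the post, in fail2ban syntax, keyed by jail name.
FILTERS = {
    # step 4: the two lines appended to cmnfailre
    "sshd": {
        "daemon": r"^sshd$",
        "failregex": [
            r"^Connection closed by <HOST> port \d+ \[preauth\]$",
            r"^Invalid user \w+ from <HOST> port \d+$",
        ],
        "ignoreregex": [],
    },
    # step 5: %(__prefix_line)s is handled by PREFIX; the post's mid-pattern (?i)
    # is written as a scoped (?i:...) group, which Python 3.11+ requires
    "postfix-sasl": {
        "daemon": r"^postfix/(submission/)?smtp(d|s)$",
        "failregex": [
            r"^warning: [-._\w]+\[<HOST>\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
        ],
        "ignoreregex": [r"authentication failed: Connection lost to authentication server$"],
    },
}


def compile_filter(jail):
    f = FILTERS[jail]
    return (re.compile(f["daemon"]),
            [re.compile(p.replace("<HOST>", HOST)) for p in f["failregex"]],
            [re.compile(p) for p in f["ignoreregex"]])


def match_log(jail, log_lines):
    """Return [(host, failregex_index)] for each line the jail's filter would count:
    daemon match first, then ignoreregex, then the failregex list in order."""
    daemon_rx, fail_rxs, ignore_rxs = compile_filter(jail)
    hits = []
    for line in log_lines:
        m = PREFIX.match(line)
        if not m or not daemon_rx.match(m.group("daemon")):
            continue                      # not this jail's daemon
        msg = line[m.end():].rstrip("\n")
        if any(rx.search(msg) for rx in ignore_rxs):
            continue                      # explicitly ignored
        for i, rx in enumerate(fail_rxs):
            hit = rx.search(msg)
            if hit:
                hits.append((hit.group("host"), i))
                break
    return hits


def failures_per_host(hits):
    """Failure count per host; with maxretry = 1 (step 2) one entry is enough for a ban."""
    counts = {}
    for host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed log lines (documentation addresses), not captured from a real server.
AUTH_LOG = [
    "Jun 11 00:45:01 mail sshd[2101]: Invalid user admin from 203.0.113.7 port 51234",
    "Jun 11 00:45:02 mail sshd[2101]: Connection closed by 203.0.113.7 port 51234 [preauth]",
    # a monitoring probe that opened a TCP connection and closed it before authenticating
    "Jun 11 00:46:10 mail sshd[2150]: Connection closed by 198.51.100.20 port 40001 [preauth]",
    "Jun 11 00:47:00 mail sshd[2180]: Accepted publickey for deploy from 192.0.2.5 port 4022 ssh2",
]
MAIL_LOG = [
    "Jun 11 00:48:00 mail postfix/smtpd[3300]: connect from unknown[203.0.113.9]",
    "Jun 11 00:48:01 mail postfix/smtpd[3300]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure",
    "Jun 11 00:48:02 mail postfix/submission/smtpd[3310]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun 11 00:49:00 mail postfix/smtpd[3300]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: Connection lost to authentication server",
]

if __name__ == "__main__":
    for jail, log in (("sshd", AUTH_LOG), ("postfix-sasl", MAIL_LOG)):
        print(jail, failures_per_host(match_log(jail, log)))
```

The sshd result is the point of the caveat in step 4: the constructed probe from 198.51.100.20 never tried to log in, yet its "[preauth]" disconnect is counted, and with maxretry = 1 plus the /24 action from step 3 that single connection would drop 198.51.100.0/24 for a day. On the postfix side the PLAIN and LOGIN failures are counted while the "Connection lost to authentication server" line is dropped by ignoreregex, as intended.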


6. Restart and check the logs

service fail2ban restart

# check
iptables -n -L
fail2ban-client status sshd
fail2ban-client status postfix-sasl
tail -f /var/log/auth.log
tail -f /var/log/mail.log
tail -f /var/log/fail2ban.log


