메뉴 건너뛰기

2019.06.11 00:45

Fail2Ban 설정하기

조회 수 313591 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄

0. 설치

 

$ apt install fail2ban

 

vi /etc/fail2ban/jail.conf

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/16 관리자IP주소대역/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

 

 

1. DB초기화

 

service fail2ban stop
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans;"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from jails;"

 

 

2. vi /etc/fail2ban/jail.d/defaults-debian.conf

 

[sshd]
enabled = true
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp
maxretry = 1

[vsftpd]
enabled = true
port = ftp
maxretry = 1

 

 

3. /etc/fail2ban/action.d/iptables-multiport.conf

 

필터에 걸리면 그 아이피 대역대 24bit mask 로 drop 시켜버리기

 

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            <iptables> -A INPUT -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              <iptables> -D INPUT -s <ip>/<mask> -j DROP

[Init]

mask=24

 

4. /etc/fail2ban/filter.d/sshd.conf

 

cmnfailure 에 맨마지막 두개 표현 추가

 

cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
            ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
            ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
            ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
            ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
            ^Connection closed by <HOST> port \d+ \[preauth\]$
            ^Invalid user \w+ from <HOST> port \d+$

 

 

5. /etc/fail2ban/filter.d/postfix-sasl.conf

 

정규표현 SASL PLAIN에서 안먹히는거 고치기

 

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

 

6. 재시작 및 로그확인

service fail2ban restart

# 확인
iptables -n -L 
fail2ban-client status (sshd|postfix-sasl)
tail -f /var/log/auth.log
tail -f /var/log/mail.log
tail -f /var/log/fail2ban.log
 

 

 


  1. No Image 20Jan
    by DDART
    2024/01/20 by DDART
    Views 493 

    윈도우에서 우분투 22.04 MariaDB 서버 SSL접속시 SEC_E_ALGORITHM_MISMATCH 오류

  2. No Image 08Nov
    by DDART
    2023/11/08 by DDART
    Views 490 

    윈도우10 아이콘이 제대로 표시 안될때

  3. No Image 19Jul
    by DDART
    2023/07/19 by DDART
    Views 1026 

    아파치서버에서 웹소켓 특정포트 프락시설정방법

  4. 윈도우용 아파치에서 localhost 를 https로 띄우기

  5. No Image 13Jun
    by DDART
    2023/06/13 by DDART
    Views 892 

    우분투 22.04 메일서버 설정

  6. No Image 26May
    by DDART
    2023/05/26 by DDART
    Views 716 

    윈도우용 아파치 php 버전 동시에 2개이상 띄우기

  7. No Image 06May
    by DDART
    2023/05/06 by DDART
    Views 1155 

    윈도우에서 우분투 20.04 MariaDB 서버 SSL접속시 SEC_E_ALGORITHM_MISMATCH 오류

  8. No Image 04May
    by DDART
    2023/05/04 by DDART
    Views 1155 

    원격데스크톱 연결후 화면 사라짐현상, 특정 IP만 접속 허용

  9. No Image 03May
    by DDART
    2023/05/03 by DDART
    Views 871 

    mysql/mariadb 손상된 inno db 복구

  10. No Image 28Apr
    by DDART
    2023/04/28 by DDART
    Views 1263 

    원격데스크톱 마이크로소프트 계정 자격증명 실패할때

  11. No Image 04Nov
    by DDART
    2021/11/04 by DDART
    Views 2718 

    로그지우기

  12. No Image 14Sep
    by DDART
    2021/09/14 by DDART
    Views 6224 

    윈도우에서 우분투 MariaDB 10.5 로 SSL접속시 SEC_E_ALGORITHM_MISMATCH 오류

  13. No Image 22Jul
    by DDART
    2021/07/22 by DDART
    Views 1759 

    우분투 서버 업데이트 후 자동 전원 대기모드 방지

  14. No Image 02Jul
    by DDART
    2021/07/02 by DDART
    Views 1394 

    우분투 서버 자동업데이트

  15. No Image 07Nov
    by DDART
    2020/11/07 by DDART
    Views 3058 

    갑자기 WOL 이 동작안할때

  16. No Image 16Sep
    by DDART
    2020/09/16 by DDART
    Views 1722 

    윈도우 10 마이크로소프트 계정 PIN 없이 자동로그인

  17. No Image 01Aug
    by DDART
    2020/08/01 by DDART
    Views 1768 

    postfix 에서 mysql 오류

  18. No Image 29Jul
    by DDART
    2020/07/29 by DDART
    Views 1943 

    svn 서버 사이 동기화

  19. MariaDB 외부접속시 ssl 사용법, 그리고 ssl 로 replication(동기화) 하기

  20. No Image 10Jul
    by DDART
    2020/07/10 by DDART
    Views 1912 

    터미널에서 backspace 키가 안눌러질때

Board Pagination Prev 1 2 3 ... 4 Next
/ 4