메뉴 건너뛰기

2019.06.11 09:45

Fail2Ban 설정하기

조회 수 315847 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄

0. 설치

 

$ apt install fail2ban

 

vi /etc/fail2ban/jail.conf

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/16 관리자IP주소대역/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

 

 

1. DB초기화

 

service fail2ban stop
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans;"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from jails;"

 

 

2. vi /etc/fail2ban/jail.d/defaults-debian.conf

 

[sshd]
enabled = true
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp
maxretry = 1

[vsftpd]
enabled = true
port = ftp
maxretry = 1

 

 

3. /etc/fail2ban/action.d/iptables-multiport.conf

 

필터에 걸리면 그 아이피 대역대 24bit mask 로 drop 시켜버리기

 

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            <iptables> -A INPUT -s <ip>/<mask> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              <iptables> -D INPUT -s <ip>/<mask> -j DROP

[Init]

mask=24

 

4. /etc/fail2ban/filter.d/sshd.conf

 

cmnfailure 에 맨마지막 두개 표현 추가

 

cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
            ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
            ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
            ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
            ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
            ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
            ^Connection closed by <HOST> port \d+ \[preauth\]$
            ^Invalid user \w+ from <HOST> port \d+$

 

 

5. /etc/fail2ban/filter.d/postfix-sasl.conf

 

정규표현 SASL PLAIN에서 안먹히는거 고치기

 

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

 

6. 재시작 및 로그확인

service fail2ban restart

# 확인
iptables -n -L 
fail2ban-client status (sshd|postfix-sasl)
tail -f /var/log/auth.log
tail -f /var/log/mail.log
tail -f /var/log/fail2ban.log
 

 

 


List of Articles
번호 제목 글쓴이 날짜 조회 수
» Fail2Ban 설정하기 DDART 2019.06.11 315847
62 우분투 16.04 데스크탑 - CLI 모드로 전환 및 부팅하기 관리자 2016.07.21 38864
61 VBA Project 패스워드 보호 제거하기 3 DDART 2016.09.22 26025
60 usb download tool - 32bit 운영체제에서 64bit 운영체제 usb 부팅디스크 만들기 DDART 2013.08.07 25825
59 저전력 홈서버 구축 DDART 2013.10.17 23165
58 MYSQL 덤프파일 입력 DDART 2013.07.09 22899
57 KimsQ RB IIS + PM 설치문제 해결 DDART 2013.07.09 22776
56 Ubuntu 12.04 Desktop 초기 설치 DDART 2013.07.09 22730
55 갤럭시U 삭제가능한 기본어플 DDART 2013.07.09 22688
54 Ubuntu Mail Server 구축하기 DDART 2013.07.09 22658
53 Javascript reformatter DDART 2013.07.10 22333
52 설치된 package 정보보기 DDART 2013.07.09 22329
51 메일서버 설정 DDART 2013.07.09 21918
50 윈도우 메일서버구축 DDART 2013.10.17 21733
49 우분투 파일시스템 이미지파일 만들기 DDART 2013.07.09 21673
48 chrooted ubuntu 초기 설정 DDART 2013.07.09 21488
47 아파치2 rewrite mod enable DDART 2013.07.09 21485
46 hMailServer 국가별 접속허용, 차단법 DDART 2013.11.20 21384
45 작업순서 DDART 2013.07.09 21320
44 Windows 8 시작버튼 달기 DDART 2013.10.16 21041
Board Pagination Prev 1 2 3 ... 4 Next
/ 4