Preventing brute-force attacks -- fail2ban
Author: cross  Date: 2007-05-03 14:38
Following the guide at http://www.howtoforge.com/fail2ban_debian_etch: fail2ban is a program that stops brute-force attacks,
and unlike denyhosts, which only covers ssh, it can be set up for any service that writes a log, and it blocks offenders with iptables.
See also: http://cha.homeip.net/blog/archives/2007/06/_fail2ban_ip.html
Fedora Core release 6 (Zod)
[1.] Installation
yum install fail2ban
[2.] Configuration
vi /etc/fail2ban/fail2ban.conf
# log level and log file path
loglevel = 4
logtarget = /var/log/fail2ban.log
vi /etc/fail2ban/jail.conf
# addresses that are never banned
ignoreip = 127.0.0.1 10.1.1.1
# how long a ban lasts (seconds)
bantime = 600
# three failures within 600 seconds trigger a ban
findtime = 600
maxretry = 3
# SSH jail
[ssh-iptables]
# whether this jail is active
enabled = true
# the filter named sshd lives in filter.d/
filter = sshd
# iptables-ssh: chain name SSH, port 22, tcp protocol
# sendmail-whois: mail with subject SSH, sender fail2ban, recipient cross
action = iptables-ssh[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=cross, sender=fail2ban]
logpath = /var/log/secure
# a value set inside the jail overrides the global one, so this jail bans at 5, not 3
maxretry = 5
The filter.d/ directory defines how a log line is judged to be a failure worth banning.
more filter.d/sshd.conf
The file name sshd is what filter = sshd in jail.conf refers to.
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 613 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM <HOST>\s*$
            [iI](?:llegal|nvalid) user .* from <HOST>\s*$
            User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
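To check this filter without a live box, here is an added example in Python (fail2ban's own language) that is not fail2ban's code and not from the original post: it takes the failregex list above, expands <HOST> the way the comment describes, and replays constructed /var/log/secure lines through a simplified version of the findtime/maxretry/ignoreip logic using the values from jail.conf. The host name, PIDs and the 203.0.113.x addresses are made up; the counting is a stand-in for fail2ban's FailManager, not a copy of it.

```python
"""Replay of the ssh-iptables jail from this post in plain Python.

Added example, not fail2ban's own code: failregex and the jail values are
taken from the post; the counting is a simplified stand-in. Every log line,
host name, PID and 203.0.113.x address below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# The <HOST> alias, as documented in filter.d/sshd.conf.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex from filter.d/sshd.conf, one pattern per entry.
FAILREGEX = [
    r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"ROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"User .+ from <HOST> not allowed because not listed in AllowUsers\s*$",
    r"User .+ from <HOST> not allowed because none of user's groups are "
    r"listed in AllowGroups\s*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# jail.conf values from the post (the jail's maxretry = 5 wins over the global 3).
IGNOREIP = {"127.0.0.1", "10.1.1.1"}
FINDTIME = 600
MAXRETRY = 5

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
EPOCH = datetime(1970, 1, 1)


def find_failure(line):
    """Return the host named in a line that matches a failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def line_time(line, year=2007):
    """Seconds since the epoch for a syslog timestamp (year is assumed)."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp in: " + line)
    stamp = " ".join(m.group(1).split())  # "Oct  1" -> "Oct 1"
    dt = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
    return (dt - EPOCH).total_seconds()


def replay(lines, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Feed log lines through the jail; return [(host, failures_at_ban)].

    Simplifications: a sliding window per host instead of fail2ban's ticket
    expiry, and the check runs after every line, so a ban fires at exactly
    maxretry (fail2ban checks once per batch of new lines, which is why the
    post's mail reported 6). A banned host is skipped afterwards, as a DROP
    rule would do for real traffic.
    """
    window = defaultdict(deque)
    banned = []
    for line in lines:
        host = find_failure(line)
        if host is None or host in ignoreip or any(h == host for h, _ in banned):
            continue
        t = line_time(line)
        q = window[host]
        q.append(t)
        while q[0] < t - findtime:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append((host, len(q)))
            del window[host]
    return banned


# Constructed /var/log/secure excerpt. Each Enter at the password prompt
# writes two matching lines (Failed password + PAM failure), which is why
# three tries were enough in the post's test.
SAMPLE_LOG = """\
Oct 10 12:27:28 zod sshd[4020]: Failed password for root from 203.0.113.7 port 51001 ssh2
Oct 10 12:27:28 zod sshd[4020]: error: PAM: Authentication failure for root from 203.0.113.7
Oct 10 12:27:30 zod sshd[4021]: Invalid user admin from 203.0.113.9
Oct 10 12:27:35 zod sshd[4020]: Failed password for root from 203.0.113.7 port 51001 ssh2
Oct 10 12:27:35 zod sshd[4020]: error: PAM: Authentication failure for root from 203.0.113.7
Oct 10 12:27:36 zod sshd[4022]: Failed password for cross from 10.1.1.1 port 40002 ssh2
Oct 10 12:27:36 zod sshd[4022]: error: PAM: Authentication failure for cross from 10.1.1.1
Oct 10 12:27:39 zod sshd[4020]: Failed password for root from 203.0.113.7 port 51001 ssh2
Oct 10 12:27:39 zod sshd[4020]: error: PAM: Authentication failure for root from 203.0.113.7
Oct 10 12:40:00 zod sshd[4030]: Invalid user admin from 203.0.113.9
Oct 10 12:40:01 zod sshd[4030]: Invalid user admin from 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    for host, n in replay(SAMPLE_LOG):
        print("Ban %s after %d failures" % (host, n))
```

In the sample, 203.0.113.7 is banned, 10.1.1.1 fails twice but is on ignoreip, and 203.0.113.9 is never banned because its first failure falls out of the 600-second window before the later two arrive. If you edit a failregex, this is also where to confirm that the new pattern still yields a `host` group rather than silently matching nothing.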
The action.d/ directory defines what to do with a connection that has been flagged for banning.
more action.d/iptables-ssh.conf
[Definition]
# Run when fail2ban starts: create the chain and hook it into INPUT. The stock
# action uses plain "-I INPUT", which inserts at the top; if you already have
# your own rules, the number after -I INPUT (9 here) sets where in INPUT the
# jump to fail2ban-SSH lands. iptables rejects an index larger than the rule
# count plus one with "Index of insertion too big", so keep it in step with
# the rest of the ruleset.
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT 9 -p <protocol> --dport <port> -j fail2ban-<name>
# Run when fail2ban stops: unhook, flush and delete the chain
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
# Checked before every ban/unban: is the chain still hooked into INPUT?
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
# How a connection is banned
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# How the ban is removed
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]
name = default
port = ssh
protocol = tcp
[3.] Start
service fail2ban start
more /var/log/fail2ban.log
(earlier lines omitted...)
2007-10-10 12:23:20,715 fail2ban.filter : DEBUG Date 0 is smaller than 1191705426.0
2007-10-10 12:23:20,717 fail2ban.filter : DEBUG Log rotation detected for /var/log/secure
2007-10-10 12:23:20,718 fail2ban.filter : DEBUG Setting file position to 0 for /var/log/secure
2007-10-10 12:23:20,793 fail2ban.filter : DEBUG Got event: 9 for /var/log/secure
2007-10-10 12:23:20,794 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-10 12:23:20,888 fail2ban.actions.action: DEBUG echo -en "Subject: [Fail2Ban] SSH: started
From: Fail2Ban <fail2ban>
To: cross
Hi,
The jail SSH has been started successfully.
Regards,
Fail2Ban" | /usr/sbin/sendmail -f fail2ban cross returned successfully
[4.] Test
ssh to ssorc.tw and just keep pressing Enter at the password prompt; after three tries the address is jailed. Each Enter writes two matching lines to /var/log/secure (the paired "Found" entries in the log below), so three tries count as 6 failures, past this jail's maxretry = 5.
iptables -n -L
Chain fail2ban-SSH (1 references)
target prot opt source destination
DROP all -- 202.xx.xx.xx 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
more /var/log/fail2ban.log
2007-10-10 12:27:24,300 fail2ban.filter : DEBUG Got event: 1 for /var/log/secure
2007-10-10 12:27:24,301 fail2ban.filter : DEBUG File changed: /var/log/secure
2007-10-10 12:27:24,301 fail2ban.filter : DEBUG Opened /var/log/secure
2007-10-10 12:27:24,303 fail2ban.filter : DEBUG Setting file position to 21999L for /var/log/secure
2007-10-10 12:27:24,305 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-10 12:27:28,315 fail2ban.filter : DEBUG Got event: 1 for /var/log/secure
2007-10-10 12:27:28,316 fail2ban.filter : DEBUG File changed: /var/log/secure
2007-10-10 12:27:28,316 fail2ban.filter : DEBUG Opened /var/log/secure
2007-10-10 12:27:28,317 fail2ban.filter : DEBUG Setting file position to 22069L for /var/log/secure
2007-10-10 12:27:28,317 fail2ban.filter : DEBUG Found 202.xx.xx.xx
2007-10-10 12:27:28,318 fail2ban.filter : DEBUG Found 202.xx.xx.xx
2007-10-10 12:27:28,320 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-10 12:27:35,335 fail2ban.filter : DEBUG Got event: 1 for /var/log/secure
2007-10-10 12:27:35,336 fail2ban.filter : DEBUG File changed: /var/log/secure
2007-10-10 12:27:35,336 fail2ban.filter : DEBUG Opened /var/log/secure
2007-10-10 12:27:35,337 fail2ban.filter : DEBUG Setting file position to 22329L for /var/log/secure
2007-10-10 12:27:35,340 fail2ban.filter : DEBUG Found 202.xx.xx.xx
2007-10-10 12:27:35,341 fail2ban.filter : DEBUG Found 202.xx.xx.xx
2007-10-10 12:27:35,342 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-10 12:27:39,350 fail2ban.filter : DEBUG Got event: 1 for /var/log/secure
2007-10-10 12:27:39,350 fail2ban.filter : DEBUG File changed: /var/log/secure
2007-10-10 12:27:39,350 fail2ban.filter : DEBUG Opened /var/log/secure
2007-10-10 12:27:39,351 fail2ban.filter : DEBUG Setting file position to 22589L for /var/log/secure
2007-10-10 12:27:39,352 fail2ban.filter : DEBUG Found 202.xx.xx.xx
2007-10-10 12:27:39,352 fail2ban.filter : DEBUG Found 202.xx.xx.xx
2007-10-10 12:27:39,353 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-10 12:27:39,464 fail2ban.actions: WARNING [ssh-iptables] Ban 202.xx.xx.xx
2007-10-10 12:27:39,464 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-10 12:27:39,491 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-10 12:27:39,493 fail2ban.actions.action: DEBUG iptables -I fail2ban-SSH 1 -s 202.xx.xx.xx -j DROP
2007-10-10 12:27:39,505 fail2ban.actions.action: DEBUG iptables -I fail2ban-SSH 1 -s 202.xx.xx.xx -j DROP returned successfully
2007-10-10 12:27:39,506 fail2ban.actions.action: DEBUG
2007-10-10 12:27:39,514 fail2ban.actions.action: DEBUG returned successfully
2007-10-10 12:27:39,515 fail2ban.actions.action: DEBUG echo -en "Subject: [Fail2Ban] SSH: banned 202.xx.xx.xx
From: Fail2Ban <fail2ban>
To: cross
Hi,
The IP 202.xx.xx.xx has just been banned by Fail2Ban after
6 attempts against SSH.
Here are more information about 202.xx.xx.xx:
`/usr/bin/whois 202.xx.xx.xx`
Regards,
Fail2Ban" | /usr/sbin/sendmail -f fail2ban cross
2007-10-10 12:27:41,821 fail2ban.actions.action: DEBUG echo -en "Subject: [Fail2Ban] SSH: banned 202.xx.xx.xx
From: Fail2Ban <fail2ban>
To: cross
Hi,
The IP 202.xx.xx.xx has just been banned by Fail2Ban after
6 attempts against SSH.
Here are more information about 202.xx.xx.xx:
`/usr/bin/whois 202.xx.xx.xx`
Regards,
Fail2Ban" | /usr/sbin/sendmail -f fail2ban cross returned successfully
2007-10-10 12:34:01,149 fail2ban.filter : DEBUG Got event: 1 for /var/log/secure
2007-10-10 12:34:01,151 fail2ban.filter : DEBUG File changed: /var/log/secure
2007-10-10 12:34:01,152 fail2ban.filter : DEBUG Opened /var/log/secure
2007-10-10 12:34:01,157 fail2ban.filter : DEBUG Setting file position to 22849L for /var/log/secure
2007-10-10 12:34:01,160 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-10 12:35:19,333 fail2ban.filter : DEBUG Got event: 1 for /var/log/secure
2007-10-10 12:35:19,333 fail2ban.filter : DEBUG File changed: /var/log/secure
2007-10-10 12:35:19,333 fail2ban.filter : DEBUG Opened /var/log/secure
2007-10-10 12:35:19,341 fail2ban.filter : DEBUG Setting file position to 22943L for /var/log/secure
2007-10-10 12:35:19,342 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-10 12:37:40,150 fail2ban.actions: WARNING [ssh-iptables] Unban 202.xx.xx.xx
2007-10-10 12:37:40,151 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-10 12:37:40,349 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-10 12:37:40,350 fail2ban.actions.action: DEBUG iptables -D fail2ban-SSH -s 202.xx.xx.xx -j DROP
2007-10-10 12:37:40,361 fail2ban.actions.action: DEBUG iptables -D fail2ban-SSH -s 202.xx.xx.xx -j DROP returned successfully
2007-10-10 12:37:40,362 fail2ban.actions.action: DEBUG Nothing to do
A mail arrives with the subject [Fail2Ban] SSH: banned 202.xx.xx.xx
The IP 202.xx.xx.xx has just been banned by Fail2Ban after
6 attempts against SSH.
Here are more information about 202.xx.xx.xx:
[Querying whois.apnic.net]
[Redirected to whois.twnic.net]
[Querying whois.twnic.net]
[whois.twnic.net]
XX Taiwan Inc.
Netname: XX-NET
Netblock: 202.xx.xx.0/24
Administrator contact:
xx@xx.com
Technical contact:
xx@xx.com
Regards,
Fail2Ban
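A check worth keeping once the jail is in production, added here as an example that is not part of the post or of fail2ban: it reads Ban/Unban WARNING lines in the fail2ban.log format shown above and the output of `iptables -n -L fail2ban-SSH`, pairs each Ban with its Unban to confirm that bantime is honoured, and lists addresses that one view has and the other lacks (for instance after someone runs iptables -F by hand). The log lines and chain listing are constructed, with 203.0.113.x addresses.

```python
"""Cross-check fail2ban's log against the iptables chain it manages.

Added example, not part of the post or of fail2ban. Both inputs below are
constructed; addresses are from the 203.0.113.0/24 documentation range.
"""
import re
from datetime import datetime

BANTIME = 600  # jail.conf value from the post

BAN_EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s*: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<what>Ban|Unban) (?P<ip>\S+)"
)
# A "DROP  all  --  <src>  0.0.0.0/0" row of iptables -n -L <chain>.
DROP_RULE = re.compile(r"^DROP\s+\S+\s+--\s+(?P<src>\S+)\s+\S+")


def bans_from_log(lines):
    """Return (active, durations): active maps ip -> time of a Ban with no
    later Unban; durations maps ip -> seconds between Ban and Unban."""
    active, durations = {}, {}
    for line in lines:
        m = BAN_EVENT.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        if m.group("what") == "Ban":
            active[ip] = t
        elif ip in active:
            durations[ip] = (t - active.pop(ip)).total_seconds()
    return active, durations


def bans_from_chain(listing):
    """Return the set of source addresses that have a DROP rule in the chain."""
    found = set()
    for line in listing:
        m = DROP_RULE.match(line.strip())
        if m:
            found.add(m.group("src"))
    return found


def reconcile(log_lines, chain_listing):
    """log_only: fail2ban believes these are banned but the chain lacks them
    (e.g. after a manual iptables -F). chain_only: DROP rules fail2ban never
    logged a Ban for."""
    active, _ = bans_from_log(log_lines)
    in_chain = bans_from_chain(chain_listing)
    return {
        "log_only": sorted(set(active) - in_chain),
        "chain_only": sorted(in_chain - set(active)),
    }


# Constructed fail2ban.log excerpt in the format shown in the post.
SAMPLE_LOG = """\
2007-10-10 12:27:39,464 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2007-10-10 12:31:02,118 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.20
2007-10-10 12:33:15,902 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.30
2007-10-10 12:37:40,150 fail2ban.actions: WARNING [ssh-iptables] Unban 203.0.113.7
""".splitlines()

# Constructed `iptables -n -L fail2ban-SSH` output.
SAMPLE_CHAIN = """\
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.20         0.0.0.0/0
DROP       all  --  203.0.113.55         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
""".splitlines()

if __name__ == "__main__":
    active, durations = bans_from_log(SAMPLE_LOG)
    for ip, secs in durations.items():
        print("%s was banned for %.0f s (bantime %d)" % (ip, secs, BANTIME))
    print(reconcile(SAMPLE_LOG, SAMPLE_CHAIN))
```

Feed it the real files with `bans_from_log(open("/var/log/fail2ban.log"))` and the captured listing. One caveat when reading the log view: this version of fail2ban keeps no ban database, and actionstop flushes the chain, so bans logged before a restart are gone from iptables and will show up as log_only; compare only against log lines written since the last start.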