Fail2ban for CentOS5.x

Posted at 2014-03-10

References

www.fail2ban.org/

Installation

shell
# yum install --enablerepo=epel fail2ban

Configuration files installed by default

Configuration files
/etc/fail2ban/
|-- fail2ban.conf # configuration file (daemon)
|-- jail.conf     # configuration file (jails)
|-- action.d      # action definitions
|   |-- complain.conf
|   |-- dshield.conf
|   |-- dummy.conf
|   |-- hostsdeny.conf
|   |-- ipfilter.conf
|   |-- ipfw.conf
|   |-- iptables-allports.conf
|   |-- iptables-multiport-log.conf
|   |-- iptables-multiport.conf
|   |-- iptables-new.conf
|   |-- iptables-xt_recent-echo.conf
|   |-- iptables.conf
|   |-- mail-buffered.conf
|   |-- mail-whois-lines.conf
|   |-- mail-whois.conf
|   |-- mail.conf
|   |-- mynetwatchman.conf
|   |-- sendmail-buffered.conf
|   |-- sendmail-whois-lines.conf
|   |-- sendmail-whois.conf
|   |-- sendmail.conf
|   `-- shorewall.conf
`-- filter.d      # filter definitions
    |-- apache-auth.conf
    |-- apache-badbots.conf
    |-- apache-nohome.conf
    |-- apache-noscript.conf
    |-- apache-overflows.conf
    |-- asterisk.conf
    |-- common.conf
    |-- courierlogin.conf
    |-- couriersmtp.conf
    |-- cyrus-imap.conf
    |-- dovecot.conf
    |-- dropbear.conf
    |-- exim.conf
    |-- gssftpd.conf
    |-- lighttpd-auth.conf
    |-- lighttpd-fastcgi.conf
    |-- named-refused.conf
    |-- pam-generic.conf
    |-- php-url-fopen.conf
    |-- postfix.conf
    |-- proftpd.conf
    |-- pure-ftpd.conf
    |-- qmail.conf
    |-- recidive.conf
    |-- sasl.conf
    |-- sieve.conf
    |-- sshd-ddos.conf
    |-- sshd.conf
    |-- vsftpd.conf
    |-- webmin-auth.conf
    |-- wuftpd.conf
    `-- xinetd-fail.conf

Left at the default

/etc/fail2ban/fail2ban.conf
[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock

Modified

/etc/fail2ban/jail.conf
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.1/24
bantime  = 600
findtime = 600
maxretry = 3
backend  = auto
usedns   = warn

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=xxx@example.jp, sender=xxx@example]
logpath  = /var/log/secure
maxretry = 5

Left at the default

/etc/fail2ban/filter.d/sshd.conf
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
ignoreregex =
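
To show how the jail and filter above fit together, here is an added example (not code from the original post or from the fail2ban project): it applies three of the sshd failregex lines to constructed /var/log/secure entries, honours the jail's ignoreip, findtime and maxretry, and returns the hosts that would be handed to actionban. The syslog prefix regex is a simplified stand-in for %(__prefix_line)s from common.conf, and the year is assumed because syslog lines carry none.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
# PREFIX is a simplified stand-in for %(__prefix_line)s in common.conf (assumption:
# syslog timestamp, hostname, "sshd[pid]: "); HOST is fail2ban's expansion of <HOST>.
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Three of the failregex lines from filter.d/sshd.conf, with the tags expanded.
FAILREGEX = [re.compile(PREFIX + body) for body in (
    r"Failed (?:password|publickey) for .* from " + HOST + r"(?: port \d*)?(?: ssh\d*)?\s*$",
    r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$",
    r"ROOT LOGIN REFUSED.* FROM " + HOST + r"\s*$",
)]
# jail.conf values: [DEFAULT] ignoreip/findtime and the [ssh-iptables] maxretry override.
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "192.168.0.1/24")]
FINDTIME, MAXRETRY, YEAR = 600, 5, 2014  # seconds, retries, assumed year (syslog has none)
def match_line(line):
    for rx in FAILREGEX:
        if m := rx.search(line):
            return datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S"), m.group("host")
    return None  # not a failure line (e.g. "Accepted publickey ...")

def is_ignored(host):
    try:  # a hostname captured by <HOST> is not an address and is never ignored here
        return any(ipaddress.ip_address(host) in net for net in IGNOREIP)
    except ValueError:
        return False

def hosts_to_ban(lines):
    """Replay log lines; return hosts reaching MAXRETRY failures inside one FINDTIME window."""
    failures, banned = defaultdict(list), []
    for line in lines:
        if (hit := match_line(line)) is None:
            continue
        ts, host = hit
        if is_ignored(host) or host in banned:
            continue
        # Drop failures older than findtime relative to this one, then count it.
        failures[host] = [t for t in failures[host] if (ts - t).total_seconds() <= FINDTIME] + [ts]
        if len(failures[host]) >= MAXRETRY:
            banned.append(host)  # this is the point where actionban would run
    return banned
# Constructed /var/log/secure lines (not captured traffic).
SAMPLE_LOG = (
    [f"Mar 10 10:00:0{i} host1 sshd[120{i}]: Failed password for root from 172.16.0.2 port 5{i}000 ssh2" for i in range(1, 6)]
    + [f"Mar 10 10:01:0{i} host1 sshd[130{i}]: Invalid user admin from 192.168.0.50" for i in range(1, 7)]
    + [f"Mar 10 10:{m:02d}:00 host1 sshd[14{m:02d}]: ROOT LOGIN REFUSED FROM 10.0.0.9" for m in (2, 3, 4, 20, 21)]
    + ["Mar 10 10:05:00 host1 sshd[1600]: Accepted publickey for deploy from 10.0.0.7 port 4000 ssh2"]
)
```

Only 172.16.0.2 is banned: 192.168.0.50 is covered by ignoreip, and 10.0.0.9's five refusals never fall inside a single 600-second window.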

Left at the default

/etc/fail2ban/action.d/iptables.conf
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
name = default
port = ssh
protocol = tcp
chain = INPUT

Because the date in the notification mails sent by the sendmail-whois action comes out wrong (the header is built with `date`, which follows the system locale),
set LC_TIME="en_US.UTF-8" as described at http://katabami.org/su-kaku/169/

/etc/sysconfig/i18n
LANG="ja_JP.UTF-8"
SYSFONT="latarcyrheb-sun16"
# for Fail2Ban
LC_TIME="en_US.UTF-8"

Start

shell
# /etc/init.d/fail2ban start
# chkconfig fail2ban on

iptables right after starting

shell
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 #■ added automatically

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)                                          #■ added automatically
target     prot opt source               destination 
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

iptables after a test attack

shell
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  172.16.0.2           0.0.0.0/0 #■← the attacker is being dropped
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
