参考
インストール
shell
# yum install --enablerepo=epel fail2ban
デフォルトでインストールされる設定ファイル
設定ファイル群
/etc/fail2ban/
|-- fail2ban.conf # デーモン本体の設定ファイル（ログ出力・ソケット）
|-- jail.conf # jail（監視対象のログ・フィルタ・アクション）の設定ファイル
|-- action.d # アクション定義群
| |-- complain.conf
| |-- dshield.conf
| |-- dummy.conf
| |-- hostsdeny.conf
| |-- ipfilter.conf
| |-- ipfw.conf
| |-- iptables-allports.conf
| |-- iptables-multiport-log.conf
| |-- iptables-multiport.conf
| |-- iptables-new.conf
| |-- iptables-xt_recent-echo.conf
| |-- iptables.conf
| |-- mail-buffered.conf
| |-- mail-whois-lines.conf
| |-- mail-whois.conf
| |-- mail.conf
| |-- mynetwatchman.conf
| |-- sendmail-buffered.conf
| |-- sendmail-whois-lines.conf
| |-- sendmail-whois.conf
| |-- sendmail.conf
| `-- shorewall.conf
`-- filter.d # フィルタ定義群
|-- apache-auth.conf
|-- apache-badbots.conf
|-- apache-nohome.conf
|-- apache-noscript.conf
|-- apache-overflows.conf
|-- asterisk.conf
|-- common.conf
|-- courierlogin.conf
|-- couriersmtp.conf
|-- cyrus-imap.conf
|-- dovecot.conf
|-- dropbear.conf
|-- exim.conf
|-- gssftpd.conf
|-- lighttpd-auth.conf
|-- lighttpd-fastcgi.conf
|-- named-refused.conf
|-- pam-generic.conf
|-- php-url-fopen.conf
|-- postfix.conf
|-- proftpd.conf
|-- pure-ftpd.conf
|-- qmail.conf
|-- recidive.conf
|-- sasl.conf
|-- sieve.conf
|-- sshd-ddos.conf
|-- sshd.conf
|-- vsftpd.conf
|-- webmin-auth.conf
|-- wuftpd.conf
`-- xinetd-fail.conf
デフォルトのまま
/etc/fail2ban/fail2ban.conf
[Definition]
# Verbosity of the fail2ban server's own log; 3 is the value shipped by the
# package (larger numbers are more verbose — confirm the mapping for this version)
loglevel = 3
# File the server logs to; this is where ban/unban activity is recorded, so it is
# the file to check (or forward) when reviewing what fail2ban actually did
logtarget = /var/log/fail2ban.log
# Unix socket the server listens on for the client/control tool
socket = /var/run/fail2ban/fail2ban.sock
修正
/etc/fail2ban/jail.conf
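[DEFAULT]
# Addresses that are never banned, space-separated, CIDR allowed.
# Everything listed here bypasses every jail, so keep it to hosts you actually trust.
# 192.168.0.1/24 is meant as the 192.168.0.0/24 network; writing the network
# address itself avoids any ambiguity.
ignoreip = 127.0.0.1/8 192.168.0.1/24
# Seconds a host stays banned. 600 s is short; filter.d/recidive.conf (in the
# shipped file list) exists for hosts that keep getting banned.
bantime = 600
# Window in seconds within which maxretry failures cause a ban
findtime = 600
# Failures within findtime before a ban; a jail may override (ssh-iptables does)
maxretry = 3
# How log files are watched; auto lets fail2ban pick the available mechanism
backend = auto
# Whether hostnames found in logs are resolved: yes / no / warn
usedns = warn

[ssh-iptables]
enabled = true
# filter.d/sshd.conf
filter = sshd
# Multi-line value: the second action line must be indented, otherwise the
# parser sees a line without '=' and rejects the file.
# The mail addresses are placeholders — set real dest/sender before enabling.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=xxx@example.jp, sender=xxx@example]
# sshd authentication messages on this system (CentOS) go to /var/log/secure
logpath = /var/log/secure
# Overrides the [DEFAULT] maxretry of 3 for this jail
maxretry = 5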
デフォルトのまま
/etc/fail2ban/filter.d/sshd.conf
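[INCLUDES]
# Read first; __prefix_line used below is expected to be defined there
before = common.conf

[Definition]
_daemon = sshd
# One pattern per line; continuation lines must be indented. <HOST> is replaced
# by fail2ban's address pattern. Because %(name)s interpolation is in effect,
# a literal percent sign would have to be written as %%.
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
# Lines matching this are not counted even if they also match failregex; empty here
ignoreregex =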
デフォルトのまま
/etc/fail2ban/action.d/iptables.conf
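[Definition]
# Run once when the jail starts: create the per-jail chain, end it with RETURN so
# unmatched traffic falls through to <chain>, then hook it into <chain> for the
# protected port. Continuation lines must be indented.
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
# Run when the jail stops: unhook, flush and delete the chain
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
# Checked before ban/unban: the jail chain must still be referenced from <chain>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Ban: insert a DROP for the offender at position 1, i.e. ahead of the RETURN
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Unban: delete that exact rule again
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]
# Defaults for the <name>/<port>/<protocol>/<chain> tags; jail.conf overrides
# name/port/protocol through iptables[name=SSH, port=ssh, protocol=tcp]
name = default
port = ssh
protocol = tcp
chain = INPUT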
送信されるメールの日付表示がおかしくなるため、
http://katabami.org/su-kaku/169/ を参考に LC_TIME="en_US.UTF-8" を設定する
/etc/sysconfig/i18n
LANG="ja_JP.UTF-8"
SYSFONT="latarcyrheb-sun16"
# for Fail2Ban
# Dates in the notification mails came out wrong under the Japanese locale;
# overriding only LC_TIME fixes that while LANG stays ja_JP for everything else
LC_TIME="en_US.UTF-8"
起動
shell
# /etc/init.d/fail2ban start
# chkconfig fail2ban on
起動直後のiptables
shell
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 #■自動で追加
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references) #■自動で追加
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
攻撃（SSH 認証失敗の繰り返し）を加えた後の iptables
shell
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
DROP all -- 172.16.0.2 0.0.0.0/0 #■←はじいてくれている
RETURN all -- 0.0.0.0/0 0.0.0.0/0