
In Detail: A Fail2ban Case Study on Blocking Brute-Force Attacks

 6 years ago
source link: https://www.linuxprobe.com/fail2ban-prevent-violence.html
Introduction: Fail2ban monitors system logs, matches error entries in them (using regular expressions) and runs the corresponding blocking action (several kinds are supported; the usual one calls iptables). It is a very practical and powerful tool.

Attackers keep trying to brute-force SSH, SMTP, FTP and other passwords. Once the failure count reaches the preset threshold, fail2ban calls the firewall to block that IP, and it can also notify the system administrator by email.

Functions and features:

1. Supports a large number of services: sshd, apache, qmail, etc.

2. Supports multiple actions: iptables, tcp-wrapper, shorewall, mail notifications, etc.

3. The logpath option supports wildcards

4. Requires Gamin (Gamin is used to monitor files and directories for changes)

5. If email notification is wanted, the system must already be able to send mail

Installing fail2ban
shell > yum -y install epel-release

shell > yum -y install fail2ban
fail2ban layout
/etc/fail2ban                  ## fail2ban service configuration directory
/etc/fail2ban/action.d         ## action files: iptables, mail, etc.
/etc/fail2ban/filter.d         ## filter files: the regexes that match the relevant log entries
/etc/fail2ban/jail.conf        ## fail2ban protection (jail) configuration
/etc/fail2ban/fail2ban.conf    ## fail2ban daemon configuration: log level, log file, socket location, etc.
fail2ban.conf configuration
shell > grep -v ^# /etc/fail2ban/fail2ban.conf

[Definition]
loglevel = 3 ## log level, default
logtarget = /var/log/fail2ban.log ## fail2ban's own log file
socket = /var/run/fail2ban/fail2ban.sock ## socket file location, default
pidfile = /var/run/fail2ban/fail2ban.pid ## pid file location, default
jail.conf protection configuration
shell > grep -v ^# /etc/fail2ban/jail.conf

[DEFAULT] ## global settings, lowest priority
ignoreip = 127.0.0.1/8 ## IPs that are never banned; separate multiple entries with spaces
bantime = 600 ## how long (seconds) an offending IP stays blocked; -1 means banned permanently
findtime = 600 ## the time window (seconds) within which exceeding maxretry failures triggers a ban
maxretry = 3 ## maximum number of attempts
backend = auto ## log change detection mechanism (gamin, polling or auto)
usedns = warn

[ssh-iptables] ## per-service settings (protection for the SSHD service)
enabled = true ## whether this jail is enabled; false turns it off
filter = sshd ## name of the filter to use, corresponding to sshd.conf in filter.d
action = iptables[name=SSH, port=ssh, protocol=tcp] ## action parameters
         sendmail-whois[name=SSH, dest=RECIPIENT_ADDRESS, sender=SENDER_ADDRESS, sendername="Fail2Ban"] ## mail notification parameters: dest = recipient address, sender = sender address (placeholders; the addresses are obfuscated in the source)
logpath = /var/log/secure ## system login log file to watch
maxretry = 5 ## maximum number of attempts

## By default this file also contains protection configurations for many other services, but they are all disabled (false) and can be ignored.

Starting fail2ban and testing SSHD protection
shell > service fail2ban start ## if iptables is restarted, fail2ban must be restarted as well

shell > fail2ban-client status ## one jail can be seen monitoring
Status
|- Number of jail: 1
`- Jail list: ssh-iptables

shell > iptables -nL ## iptables has gained a rule as well

fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

## At the same time, the administrator mailbox receives an email:

[Fail2Ban] SSH: started on localhost.localdomain

From: Fail2Ban

To: 1355*******

Time: 2015-06-05 23:58:5

Hi,

The jail SSH has been started successfully.

Regards,

Fail2Ban

## Now a client tries to log in to this machine and deliberately enters a wrong password five times; the following log entry appears:

shell > tail -1 /var/log/fail2ban.log

2015-06-05 17:39:19,647 fail2ban.actions[1313]: WARNING [ssh-iptables] Ban 192.168.214.1
## As shown: 192.168.214.1 has been banned.

shell > cat /var/log/secure ## system login log

Jun 5 17:39:01 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:06 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:11 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:14 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:18 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:41:39 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)

## The email notification received

[Fail2Ban] SSH: banned 192.168.214.1 from localhost.localdomain

From: Fail2Ban
To: 1355*******
Time: 2015-06-06 00:05:45

Hi,

The IP 192.168.214.1 has just been banned by Fail2Ban after
5 attempts against SSH.

Here is more information about 192.168.214.1:

missing whois program

Regards,

Fail2Ban

## Test successful!

Adding Nginx protection (httpd is used in its place here)

## The goal is to block an IP that reaches the configured number of requests within the set time (for example, several hundred requests in one minute)

shell > vim /etc/fail2ban/jail.conf

[nginx] ## nginx protection
enabled = true
filter = nginx  ## access rule definition file, located at /etc/fail2ban/filter.d/nginx.conf
action = iptables[name=nginx, port=http, protocol=tcp]
         sendmail-whois[name=nginx, dest=1355*******@139.com, sender=SENDER_ADDRESS, sendername="Fail2Ban"] ## sender = sender address (placeholder; obfuscated in the source)
logpath = /var/log/httpd/access_log ## nginx access log
bantime = 86400 ## matching IPs are blocked for one day; where a jail value conflicts with the global setting, the jail value takes precedence
findtime = 600  ## block an IP that exceeds maxretry requests within 10 minutes
maxretry = 1000 ## maximum number of attempts

shell > vim /etc/fail2ban/filter.d/nginx.conf

[Definition]
failregex = <HOST> -.*-.*$ ## <HOST> stands for the client IP; the rest is the simplest possible match, since no exact URL needs to be matched here and only the request count is being limited
ignoreregex =

shell > fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/nginx.conf ## tests whether the filter rule works
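To show how the jail parameters from jail.conf (findtime, maxretry) and a failregex carrying the <HOST> tag combine into a ban decision, here is an added Python example that is not part of the original article or of fail2ban itself: it replays the page's five failed sshd logins and a constructed nginx access log through a simplified sliding-window counter. The IPv4-only <HOST> expansion, the simplified sshd failregex and the year 2015 for the year-less syslog timestamps are assumptions of this example.

```python
import re
from datetime import datetime

# fail2ban expands <HOST> in a failregex to a host pattern; this IPv4-only version is an assumption
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def syslog_time(line):
    # /var/log/secure lines carry no year; the page's entries date from 2015 (assumed here)
    stamp = re.match(r"\w{3}\s+\d+ \d\d:\d\d:\d\d", line).group()
    return datetime.strptime("2015 " + stamp, "%Y %b %d %H:%M:%S")

def clf_time(line):
    # Common/combined log format timestamp, e.g. [05/Jun/2015:19:04:00 +0800]
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def evaluate_jail(lines, failregex, parse_time, findtime, maxretry):
    """Replay log lines through one jail; return {ip: time_of_ban} for each address
    whose failregex hits reach maxretry within a sliding findtime-second window."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits, banned = {}, {}
    for line in lines:
        m = pattern.search(line)
        if not m or m.group("host") in banned:
            continue
        ip, now = m.group("host"), parse_time(line)
        # drop hits that have aged out of the window, then count this one
        window = [t for t in hits.get(ip, []) if (now - t).total_seconds() <= findtime]
        window.append(now)
        hits[ip] = window
        if len(window) >= maxretry:
            banned[ip] = now
    return banned

# The five failed logins from the page's /var/log/secure, plus the console login the sshd filter must not count
SECURE_LOG = [f"Jun 5 17:39:{s:02d} localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2"
              for s in (1, 6, 11, 14, 18)]
SECURE_LOG.append("Jun 5 17:41:39 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)")
# Simplified sshd failregex (assumption; the stock filter.d/sshd.conf is far more thorough)
SSHD_FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2$"
# Constructed access log: 12 requests from one client within 22 seconds and one from another client
ACCESS_LOG = [f'192.168.214.1 - - [05/Jun/2015:19:04:{s:02d} +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"'
              for s in range(0, 24, 2)]
ACCESS_LOG.append('10.0.0.5 - - [05/Jun/2015:19:04:05 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"')
NGINX_FAILREGEX = r"<HOST> -.*-.*$"  # the page's nginx filter: every request is a hit

def ssh_bans():      # jail.conf ssh-iptables: findtime=600, maxretry=5
    return evaluate_jail(SECURE_LOG, SSHD_FAILREGEX, syslog_time, findtime=600, maxretry=5)
def nginx_bans():    # nginx jail with maxretry lowered to 10 for testing, as the page suggests
    return evaluate_jail(ACCESS_LOG, NGINX_FAILREGEX, clf_time, findtime=600, maxretry=10)
```

Lowering findtime below the spacing of the attempts (for example to 10 seconds on the sshd lines) makes the window never fill and no ban is issued, which is exactly why findtime and maxretry must be tuned together.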

shell > service fail2ban restart ## restart the service

shell > fail2ban-client status ## two jails can now be seen monitoring
Status
|- Number of jail: 2
`- Jail list: nginx, ssh-iptables

## Start testing: use a script or simply keep refreshing the page to exercise the Nginx protection (to make testing easier, maxretry can be lowered to 10)

shell > fail2ban-client status nginx ## the banned IP can be seen
Status for the jail: nginx
|- filter
| |- File list: /var/log/httpd/access_log
| |- Currently failed: 1
| `- Total failed: 39
`- action
|- Currently banned: 1
| `- IP list: 192.168.214.1
`- Total banned: 1

## The corresponding email notification also arrives

[Fail2Ban] nginx: banned 192.168.214.1 from localhost.localdomain

From: Fail2Ban
To: 1355*******
Time: 2015-06-06 01:04:11

Hi,

The IP 192.168.214.1 has just been banned by Fail2Ban after
20 attempts against nginx.

Here is more information about 192.168.214.1:

missing whois program

Regards,

Fail2Ban

shell > tail -1 /var/log/fail2ban.log ## fail2ban's log entry

2015-06-05 19:04:11,705 fail2ban.actions[2592]: WARNING [nginx] Ban 192.168.214.1

## OK, that is fail2ban. Very powerful!!!

