這陣子觀察系統紀錄,發現每天都有不同的IP一直不斷的測試FTP的帳號及密碼,為了安全起見在網路上找到這篇介紹文章。
安裝說明如下 (我用的系統是CertOS 5.x)
Fail2ban 用途在於偵測錯誤登入而對其IP進行封鎖
1. 安裝需求套件python(這裡使用redhat的YUM 線上安裝套件管理程式)
yum install python python-devel gamin-python
2.安裝fail2ban
這邊我使用 RPM 安裝
b.安裝指令
rpm -ivh fail2ban-0.8.1-1.el5.rf.noarch.rpm
我主要是針對Proftpd防護,SSH我是設定防火牆所IP的。
修改fail2ban的設定檔
# vim /etc/fail2ban/jail.conf
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# 不列入的 IP 範圍,如果有二組以上以空白做為間隔 192.168.250.0/24ignoreip = 127.0.0.1
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# 不列入的 IP 範圍,如果有二組以上以空白做為間隔 192.168.250.0/24ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
# 設定 IP 被封鎖的時間(秒),如果值為 -1,代表永遠封鎖
bantime = 600 (這邊是預設值)
# 設定 IP 被封鎖的時間(秒),如果值為 -1,代表永遠封鎖
bantime = 600 (這邊是預設值)
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# 設定在多少時間內達到 maxretry 的次數就封鎖
findtime = 600
# seconds.
# 設定在多少時間內達到 maxretry 的次數就封鎖
findtime = 600
# "maxretry" is the number of failures before a host get banned.
# 允許嘗試的次數
maxretry = 3
# 允許嘗試的次數
maxretry = 3
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=root]
logpath = /var/log/secure
# 如果有個別的次數設定就設在這裡
maxretry = 5
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=root]
logpath = /var/log/secure
# 如果有個別的次數設定就設在這裡
maxretry = 5
針對Proftpd防護 (我的系統是用Proftpd ,CentOS 預設是 vsftpd)
[Proftpd-iptables]
enabled = true
filter = Proftpd
action = iptables[name=PROFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=PROFTPD, dest=root]
logpath = /var/log/message (這邊請修改為你的Proftp的記錄檔)
maxretry = 3 (錯誤次數)
bantime = 1800 (鎖定時間)
filter = Proftpd
action = iptables[name=PROFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=PROFTPD, dest=root]
logpath = /var/log/message (這邊請修改為你的Proftp的記錄檔)
maxretry = 3 (錯誤次數)
bantime = 1800 (鎖定時間)
修改後請存檔離開
啟動服務: service fail2ban start
查看防火牆設定,使用 iptables -L -nv 會看到以下兩條紀錄
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
target prot opt source destination
RETURN 0 -- anywhere anywhere
Chain fail2ban-ProFTPD (1 references)
pkts bytes target prot opt in out source destination
117 5756 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
pkts bytes target prot opt in out source destination
117 5756 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
最後設定開機啟動fail2ban 指令:
# chkconfig fail2ban on
補充內容
今天上班發現流量異常,並且主機顯的很忙碌,,查詢紀錄發現郵件伺服器一直有個IP不斷的測試轉信,網路上找到解決方式,用之前就安裝fail2ban
所以就把以下功能補上!!
Using Fail2ban with Dovecot
新增郵件過濾的檔案 Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.*
ignoreregex =
將以下規則加到 /etc/fail2ban/jail.conf 設定檔中
Add the following to /etc/fail2ban/jail.conf
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
記得重新啟動 fail2ban 指令為 service fail2ban restart
沒有留言:
張貼留言