danny 2009-2-25 17:24
以 Fail2ban 封鎖嘗試侵入的 IP
基本運作原理: [url=http://www.fail2ban.org/wiki/index.php/Main_Page][color=#0000ff]fail2ban[/color][/url] (daemon) → 監視 log file → 連續出現多次錯誤訊息 → 封鎖來源 IP
以下是分別在 Fedora Core 3 (python-2.3 & fail2ban 0.6.1) 與 Fedora 7 (python-2.5 & fail2ban 0.8) 針對 sshd 與 proftpd 的防護設置
[color=#ffff00]環境[/color]
[list][*]Fedora Core 3[*]python-2.3.4[*]fail2ban 0.6.1 (required: python >= 2.3)[/list][color=#ffff00]安裝 fail2ban 0.6.1[/color]
[indent][url=http://fail2ban.sourceforge.net/rpms/][color=#0000ff]download page[/color][/url]
[color=#00ffff]wget[/color] [url=http://fail2ban.sourceforge.net/rpms/fail2ban-0.6.1-2jik.noarch.rpm][color=#0000ff]http://fail2ban.sourceforge.net/rpms/fail2ban-0.6.1-2jik.noarch.rpm[/color][/url]
[color=#00ffff]rpm -ivh fail2ban-0.6.1-2jik.noarch.rpm[/color]
[/indent][color=#ffff00]啟用 fail2ban[/color]
[indent][color=#00ffff]vi /etc/fail2ban.conf[/color]
[indent][color=#808080]#以 daemon 方式啟動 fail2ban[/color]
background = [color=#ff00ff]true[/color]
[color=#808080]#允許嘗試次數[/color]
maxfailures = [color=#ff00ff]3[/color]
[color=#808080]#觸發 maxfailures 之後的封鎖時間(秒); 設為 -1 表示永遠封鎖[/color]
bantime = [color=#ff00ff]600[/color]
[color=#808080]#以 findtime (秒) 時間內的錯誤記錄作為 maxfailures 的計數基準[/color]
findtime = [color=#ff00ff]600[/color]
[color=#808080]#排除 IP 範圍, 以空白隔開[/color]
ignoreip = [color=#ff00ff]127.0.0.1 192.168.0.0/24[/color]
[color=#808080]#不啟用 mail 通知[/color]
[MAIL]
enabled = [color=#ff00ff]false[/color]
[color=#808080]#修改自 VSFTPD, 未提及的部份保持原設定[/color]
[[color=#ff00ff]PROFTPD[/color]]
enabled = [color=#ff00ff]true[/color]
logfile = [color=#ff00ff]/var/log/proftpd/proftpd.log[/color]
failregex =[color=#ff00ff] no such user|Incorrect password[/color]
[color=#808080]#未提及的部份保持原設定[/color]
[SSH]
enabled = [color=#ff00ff]true[/color]
logfile = [color=#ff00ff]/var/log/secure[/color]
[/indent][color=#00ffff]service fail2ban start[/color]
[/indent][color=#ffff00]環境[/color]
[list][*]Fedora 7[*]python-2.5[*]fail2ban 0.8 (required: python >= 2.4)[/list][color=#ffff00]安裝 fail2ban 0.8[/color]
[indent][url=http://sourceforge.net/project/showfiles.php?group_id=121032][color=#0000ff]download page[/color][/url]
[color=#00ffff]yum install python-devel[/color]
[color=#00ffff]wget[/color] [url=http://nchc.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.0.tar.bz2][color=#0000ff]http://nchc.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.0.tar.bz2[/color][/url]
[color=#00ffff]tar jxf fail2ban-0.8.0.tar.bz2[/color]
[color=#00ffff]cd fail2ban-0.8.0[/color]
[color=#00ffff]python setup.py install[/color]
[/indent][color=#ffff00]啟用 fail2ban[/color]
[indent][color=#00ffff]cd /etc/fail2ban[/color]
[color=#00ffff]vi jail.conf[/color]
[indent][color=#808080]#全域設置[/color]
[DEFAULT]
[color=#808080]#排除 IP 範圍, 以空白隔開[/color]
ignoreip = [color=#ff00ff]127.0.0.1 192.168.0.0/24[/color]
[color=#808080]#觸發 maxretry 之後的封鎖時間(秒); 設為 -1 表示永遠封鎖[/color]
bantime = [color=#ff00ff]600[/color]
[color=#808080]#以 findtime (秒) 時間內的錯誤記錄作為 maxretry 的計數基準[/color]
findtime = [color=#ff00ff]600[/color]
[color=#808080]#允許嘗試次數[/color]
maxretry = [color=#ff00ff]3[/color]
[color=#808080]#以 iptables 阻擋嘗試登入 sshd 的來源 ip[/color]
[ssh-iptables]
enabled = [color=#ff00ff]true[/color]
[color=#808080]#對應 /etc/fail2ban/filter.d[/color]
filter = [color=#ff00ff]sshd[/color]
[color=#808080]#對應 /etc/fail2ban/action.d[/color]
action = [color=#ff00ff]iptables[name=SSH, port=ssh, protocol=tcp][/color]
[color=#808080]#這是 Fedora 的 sshd log file[/color]
logpath = [color=#ff00ff]/var/log/secure[/color]
[color=#808080]#取代全域設定值 (maxretry = 3)[/color]
maxretry = [color=#ff00ff]5[/color]
[proftpd-iptables]
enabled = [color=#ff00ff]true[/color]
filter = [color=#ff00ff]proftpd[/color]
action = [color=#ff00ff]iptables[name=ProFTPD, port=ftp, protocol=tcp][/color]
logpath = [color=#ff00ff]/var/log/proftpd/proftpd.log[/color]
maxretry = [color=#ff00ff]6[/color]
[/indent][color=#00ffff]fail2ban-client start[/color]
[/indent]
[color=#ffff00]ProFTPD 補充[/color]
[list][*]產生 log 檔:[list][*]編輯 proftpd.conf[*]加入: [color=#ff00ff]SystemLog /var/log/proftpd/proftpd.log[/color][/list][*]若要連密碼錯誤也一併計入 "maxretry":[list][*]編輯 /etc/fail2ban/filter.d/proftpd.conf[*]於 failregex 加入一行: [color=#ff00ff]Incorrect password[/color][/list][/list]
參考資料
[list][*][url=http://www.fail2ban.org/wiki/index.php/Main_Page][color=#0000ff]Fail2ban 官方網頁[/color][/url][*][url=http://www.enterprisenetworkingplanet.com/netsecur/article.php/3681281][color=#0000ff]"Armor SSH and Block Brute Force Attacks" by Carla Schroder[/color][/url][/list]