Installing Fail2ban on CentOS

Customers often ask me how to deal with brute-force attacks on account passwords, e.g. against SSH logins, POP3 logins and so on. How can this be prevented?

This is indeed a real headache. Some people solve it with an IPS appliance, but a dedicated IPS is expensive, and buying one just for this feature is overkill. Many ordinary firewalls can handle this problem; some other time I may explain how the SOCUS Firewall deals with brute force.
If your firewall definitely does not support this and there is no budget for an IPS, you can refer to my setup notes below.
The main steps are:
1. Install the EPEL repository
2. Install the Fail2Ban package
3. Configure Fail2Ban
4. Test that Fail2Ban is working

1. Install the EPEL repository (I am using CentOS 6.3 32-bit)
CentOS does not ship fail2ban, so install the EPEL repository:

# rpm -Uvh http://mirror01.idc.hinet.net/EPEL/6/i386/epel-release-6-8.noarch.rpm

2. Install the Fail2Ban package

# yum install fail2ban

3. Configure Fail2Ban (tested with SSH & Apache)
According to the upstream documentation:
jail.conf is read first, then jail.local.
For custom services it is recommended to put the settings in jail.local.

# vi /etc/fail2ban/jail.local
[ssh-iptables]
enabled  = true
filter   = sshd
logpath  = /var/log/secure
maxretry = 3
bantime  = 3600
ignoreip = 192.168.10.180/32
action   = iptables[name=SSH, port=2222, protocol=tcp]
           sendmail-whois[name=SSH, [email protected], [email protected]]

Notes on the SSH jail:
enabled: true (on) / false (off)
filter: sshd selects /etc/fail2ban/filter.d/sshd.conf
logpath: the log file to match against
maxretry: number of login attempts allowed
bantime: ban duration in seconds (-1 bans permanently)
ignoreip: IPs to ignore
action: what to do when the threshold is hit (iptables), the port to block, and e-mail notification

# vi /etc/fail2ban/jail.conf
[apache-iptables]
enabled  = true
filter   = apache-auth
logpath  = /webmail/httpd/logs/error_log_ssl
maxretry = 5
findtime = 60
bantime  = 3600
action   = iptables[name=Apache-Auth, port=https, protocol=tcp]
           sendmail-whois[name=Apache-Auth, [email protected],[email protected]]

Notes on the Apache jail:
enabled: true (on) / false (off)
filter: apache-auth selects /etc/fail2ban/filter.d/apache-auth.conf
logpath: the log file to match against
maxretry: number of HTTP GET or POST requests allowed
findtime: the window, in seconds, within which maxretry is counted
ignoreip: IPs to ignore
action: what to do when the threshold is hit (iptables), the port to block, and e-mail notification

Looking at /etc/fail2ban/filter.d/sshd.conf

# vi /etc/fail2ban/filter.d/sshd.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sshd
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Looking at /etc/fail2ban/filter.d/apache-auth.conf

# vi /etc/fail2ban/filter.d/apache-auth.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

The log entries that get matched are the ones marked in blue above.
Start the Fail2ban service

# /etc/init.d/fail2ban start

Enable it at boot (it must start after the iptables service)

# chkconfig fail2ban on 

4. Test that Fail2Ban is working
Attempt a login from 192.168.10.168 as a test, then look at /var/log/secure:

# tail /var/log/secure

May 27 17:11:04 mail sshd[18972]: Invalid user ANGEL from 192.168.10.168
May 27 17:11:04 mail sshd[18977]: input_userauth_request: invalid user ANGEL
May 27 17:11:05 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:05 mail sshd[18972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.168
May 27 17:11:05 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:07 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:07 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:07 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:09 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:09 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:09 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:12 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
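To make the jail settings from section 3 (maxretry, findtime, bantime, ignoreip) and the failregex patterns from sshd.conf and apache-auth.conf concrete, here is a small re-implementation of the jail logic run over the /var/log/secure excerpt above. This is an added example written for this page; it is neither the post's own code nor part of the fail2ban project. It assumes simplified stand-ins for fail2ban's %(__prefix_line)s (common.conf is not shown in the post), uses only the sshd patterns this log exercises, and adds one constructed Apache 2.2 error_log line to show the apache-auth patterns; the class and function names are mine.

```python
# Added example (not from the original post or the fail2ban project): a
# minimal model of a fail2ban jail, to show which lines the failregex
# matches and when maxretry / findtime / ignoreip lead to a ban.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# What fail2ban substitutes for the <HOST> tag (see the filter comments).
HOST = r"(?P<host>[\w\-.^_]+)"

# Assumption: simplified stand-ins for %(__prefix_line)s that also capture
# the timestamp, so findtime can be applied.
FILTERS = {
    "sshd": (
        r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
        r"(?:pam_unix\(sshd:auth\):\s+)?",
        "%b %d %H:%M:%S",
        [  # subset of the sshd.conf failregex lines from the post
            r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
            r"Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
            r"ROOT LOGIN REFUSED.* FROM <HOST>\s*$",
            r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
            r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* "
            r"rhost=<HOST>(?:\s+user=.*)?\s*$",
        ],
    ),
    "apache-auth": (
        r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] \[error\] ",
        "%a %b %d %H:%M:%S %Y",
        [  # the apache-auth.conf failregex lines from the post
            r"[[]client <HOST>[]] user .* authentication failure",
            r"[[]client <HOST>[]] user .* not found",
            r"[[]client <HOST>[]] user .* password mismatch",
        ],
    ),
}
COMPILED = {
    name: (fmt, [re.compile(prefix + p.replace("<HOST>", HOST)) for p in pats])
    for name, (prefix, fmt, pats) in FILTERS.items()
}


def match_failure(filter_name, line):
    """Return (timestamp, host) if any failregex of the filter matches, else None."""
    fmt, regexes = COMPILED[filter_name]
    for rx in regexes:
        m = rx.match(line)
        if m:
            return datetime.strptime(m.group("ts"), fmt), m.group("host")
    return None


class Jail:
    """One jail: a sliding window of failures per host plus the ban list."""

    def __init__(self, filter_name, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
        self.filter_name = filter_name
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(list)  # host -> failure timestamps within findtime
        self.banned = {}                   # host -> time the ban expires

    def ignored(self, host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # fail2ban resolves hostnames; this example does not
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        found = match_failure(self.filter_name, line)
        if found is None:
            return None
        ts, host = found
        if self.ignored(host) or host in self.banned:
            return None
        # keep only failures inside the findtime window, then add this one
        window = [t for t in self.failures[host] if (ts - t).total_seconds() <= self.findtime]
        window.append(ts)
        self.failures[host] = window
        if len(window) >= self.maxretry:
            self.banned[host] = ts + timedelta(seconds=self.bantime)
            del self.failures[host]
            return host
        return None


def run_jail(lines, **cfg):
    """Feed lines through a fresh jail; return (list of (host, unban_time), jail)."""
    jail = Jail(**cfg)
    bans = [(h, jail.banned[h]) for h in (jail.feed(l) for l in lines) if h]
    return bans, jail


# The /var/log/secure excerpt from section 4 of the post.
SECURE_LOG = """\
May 27 17:11:04 mail sshd[18972]: Invalid user ANGEL from 192.168.10.168
May 27 17:11:04 mail sshd[18977]: input_userauth_request: invalid user ANGEL
May 27 17:11:05 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:05 mail sshd[18972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.168
May 27 17:11:05 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:07 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:07 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:07 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:09 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:09 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:09 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:12 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
""".splitlines()

# Constructed Apache 2.2 error_log line (not from the post).
APACHE_LOG = ["[Mon May 27 17:20:01 2013] [error] [client 192.168.10.168] user bob not found: /webmail/"]

if __name__ == "__main__":
    bans, _ = run_jail(SECURE_LOG, filter_name="sshd", maxretry=3,
                       bantime=3600, ignoreip=["192.168.10.180/32"])
    for host, until in bans:
        print(f"ban {host} until {until:%H:%M:%S}")
```

Of the twelve lines, five match the sshd filter (the "Invalid user", "authentication failure; ... rhost=" and three "Failed password" lines); with maxretry = 3 the ban fires on the third match at 17:11:07, and the later "Failed password" lines are ignored because the host is already banned. Shrinking findtime to 1 second spreads the same failures over several windows and no ban results, which is the trade-off to keep in mind when tuning findtime against maxretry.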

Confirm that the iptables rule is in place

# iptables -L -nv
Chain INPUT (policy DROP 2904 packets, 324K bytes)
...... (output in between omitted) ......
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination      
   18  3180 DROP       all  --  *      *       192.168.10.168       0.0.0.0/0        
32599  342M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

How to check fail2ban's status

# fail2ban-client status ssh-iptables 

Status for the jail: ssh-iptables
|- filter
|  |- File list: /var/log/secure
|  |- Currently failed: 1
|  `- Total failed: 7
`- action
|- Currently banned: 1
|  `- IP list: 192.168.10.168
`- Total banned: 2

So 192.168.10.168 has indeed been banned.

References:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
http://pulipuli.blogspot.tw/2011/07/centosfail2ban.html
http://cyrilwang.blogspot.tw/2012/04/fail2ban.html
