Installing Fail2ban on CentOS

A question customers often ask me: their accounts are being brute-forced (SSH logins, POP3 logins, and so on). How can this be prevented?

This really is a headache. Some people solve it with an IPS appliance, but a dedicated IPS is expensive, and buying one only for this is overkill. Many ordinary firewalls can deal with the problem as well; I may write up how the SOCUS Firewall handles brute force another day.
If your firewall definitely does not support this and there is no budget for an IPS, the setup notes below may help.
The main steps:
1. Install the EPEL repository
2. Install the Fail2Ban package
3. Configure Fail2Ban
4. Test that Fail2Ban is working

1. Install the EPEL repository (I am using CentOS 6.3 32-bit)
CentOS does not ship fail2ban in its base repositories, so install the EPEL repository first:

# rpm -Uvh http://mirror01.idc.hinet.net/EPEL/6/i386/epel-release-6-8.noarch.rpm

2. Install the Fail2Ban package

# yum install fail2ban

3. Configure Fail2Ban (tested with SSH and Apache)
According to the upstream documentation:
jail.conf is read first, then jail.local, and values in jail.local override the ones in jail.conf.
For your own jails, put the settings in jail.local; jail.conf is replaced on a package upgrade, jail.local is not.

# vi /etc/fail2ban/jail.local
[ssh-iptables]
enabled  = true
filter   = sshd
logpath  = /var/log/secure
maxretry = 3
bantime  = 3600
ignoreip = 192.168.10.180/32
action   = iptables[name=SSH, port=2222, protocol=tcp]
           sendmail-whois[name=SSH, [email protected], [email protected]]

Notes on the SSH jail:
enabled: true (on) / false (off)
filter: sshd selects /etc/fail2ban/filter.d/sshd.conf
logpath: the log file whose lines are matched against the filter
maxretry: number of matching failures from one host (within findtime, which defaults to 600 seconds in 0.8) before that host is banned
bantime: ban duration in seconds (a negative value such as -1 means a permanent ban)
ignoreip: addresses that are never banned; put your own management host here so a typo in your password cannot lock you out
action: what to do when the threshold is reached. iptables[name=SSH, port=2222, protocol=tcp] creates a chain fail2ban-SSH, references it from INPUT for TCP destination port 2222, and inserts a DROP rule for each banned source address; sendmail-whois mails a notice that includes whois output for the address. The port must be the one sshd actually listens on (2222 here). Only that port is blocked for the banned host; to block several ports or all traffic use the iptables-multiport or iptables-allports action instead.

The Apache jail was added to jail.conf here; it can equally go in jail.local, which is the safer place for the reason given above.

# vi /etc/fail2ban/jail.conf
[apache-iptables]
enabled  = true
filter   = apache-auth
logpath  = /webmail/httpd/logs/error_log_ssl
maxretry = 5
findtime = 60
bantime  = 3600
action   = iptables[name=Apache-Auth, port=https, protocol=tcp]
           sendmail-whois[name=Apache-Auth, [email protected],[email protected]]

Notes on the Apache jail:
enabled: true (on) / false (off)
filter: apache-auth selects /etc/fail2ban/filter.d/apache-auth.conf
logpath: the log file whose lines are matched (here a custom error log of the webmail SSL virtual host)
maxretry: number of HTTP authentication failures from one host (lines matched by the filter, not every GET or POST request) before the ban
findtime: the window in seconds within which maxretry failures must occur; failures older than this no longer count
ignoreip: addresses that are never banned (not set in this jail, so the [DEFAULT] value applies)
action: as for SSH, but the chain is named fail2ban-Apache-Auth and the DROP rules apply to TCP port 443 (https)

Looking at /etc/fail2ban/filter.d/sshd.conf

# vi /etc/fail2ban/filter.d/sshd.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sshd
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Looking at /etc/fail2ban/filter.d/apache-auth.conf

# vi /etc/fail2ban/filter.d/apache-auth.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

The log lines that count are the ones matching one of the failregex patterns above (they were highlighted in blue on the original page). In the /var/log/secure excerpt of step 4 these are the "Invalid user ... from <HOST>" line and the "Failed password for ... from <HOST> port ... ssh2" lines. Before starting the service you can check which lines of a log a filter matches, and how many, with the fail2ban-regex tool (fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf).
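To make the matching and the jail arithmetic concrete, here is a small model of the ssh-iptables and apache-iptables jails above, written as an added example for this page (it is not fail2ban's own code). It expands the <HOST> tag the way the filter comments describe, applies the failregex lines of sshd.conf and apache-auth.conf to constructed log lines modelled on the step 4 excerpt, and applies maxretry, findtime, bantime and ignoreip as configured. Assumptions: PREFIX_SSHD is a simplified stand-in for common.conf's __prefix_line, the syslog lines are given the year 2013, and findtime=600 is the 0.8 default that the ssh-iptables jail inherits because it sets none.

```python
# Added example, not fail2ban's own code: a model of the two jails above that
# applies the failregex lines of filter.d/sshd.conf and filter.d/apache-auth.conf
# to constructed log lines and shows how maxretry, findtime, bantime and ignoreip
# decide a ban. Assumptions: PREFIX_SSHD stands in for common.conf's __prefix_line,
# and findtime=600 is the 0.8 default that the ssh-iptables jail above inherits.
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"   # what the <HOST> tag expands to
PREFIX_SSHD = r"^\s*\S+\s+sshd\[\d+\]:\s+"         # syslog host name, then "sshd[pid]:"
SSHD_FAILREGEX = [  # from filter.d/sshd.conf, with %(__prefix_line)s expanded
    PREFIX_SSHD + r"Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    PREFIX_SSHD + r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]
APACHE_AUTH_FAILREGEX = [  # from filter.d/apache-auth.conf
    r"[[]client <HOST>[]] user .* authentication failure",
    r"[[]client <HOST>[]] user .* not found",
    r"[[]client <HOST>[]] user .* password mismatch",
]
TIMESTAMPS = [  # (regex splitting off the timestamp, strptime format), per log format
    (re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (.*)$"), "%b %d %H:%M:%S"),
    (re.compile(r"^\[(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\](.*)$"), "%a %b %d %H:%M:%S %Y"),
]

def parse(line, year=2013):
    """(datetime, text to match) for a syslog or Apache error_log line, else None."""
    for rx, fmt in TIMESTAMPS:
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group(1), fmt)   # syslog carries no year: assume one
            return (ts if "%Y" in fmt else ts.replace(year=year)), m.group(2)
    return None

class Jail:
    """One jail: a filter (failregex list) plus the ban policy from jail.local."""
    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip=()):
        self.regex = [re.compile(r.replace("<HOST>", HOST_RE)) for r in failregex]
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(list)  # host -> failure times inside findtime
        self.banned = {}                   # host -> ban expiry (datetime.max = permanent)
    def is_ignored(self, host):
        try:
            return any(ipaddress.ip_address(host) in n for n in self.ignore)
        except ValueError:                 # a hostname, not an address: never whitelisted
            return False
    def feed(self, line):
        """Process one log line; return the host if this line triggered a ban."""
        parsed = parse(line)
        if parsed is None:
            return None
        ts, text = parsed
        m = next(filter(None, (rx.search(text) for rx in self.regex)), None)
        if m is None:
            return None                    # no failregex matched: not a failure
        host = m.group("host")
        if self.is_ignored(host) or self.banned.get(host, datetime.min) > ts:
            return None                    # whitelisted, or already banned at this time
        # only failures inside the findtime window count towards maxretry
        window = [t for t in self.failures[host] if (ts - t).total_seconds() <= self.findtime]
        window.append(ts)
        self.failures[host] = window
        if len(window) < self.maxretry:
            return None
        self.banned[host] = datetime.max if self.bantime < 0 else ts + timedelta(seconds=self.bantime)
        self.failures[host] = []           # a ban resets the counter, as fail2ban does
        return host
    def currently_banned(self, now):
        """Hosts still banned at `now`: the 'IP list' of fail2ban-client status."""
        return sorted(h for h, exp in self.banned.items() if exp > now)

# Constructed sample logs, modelled on the /var/log/secure excerpt in step 4.
SSH_LOG = """\
May 27 17:11:04 mail sshd[18972]: Invalid user ANGEL from 192.168.10.168
May 27 17:11:04 mail sshd[18977]: input_userauth_request: invalid user ANGEL
May 27 17:11:07 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:09 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:30 mail sshd[19001]: Failed password for root from 192.168.10.180 port 40111 ssh2
May 27 17:11:31 mail sshd[19001]: Failed password for root from 192.168.10.180 port 40111 ssh2
May 27 17:11:32 mail sshd[19001]: Failed password for root from 192.168.10.180 port 40111 ssh2
"""
APACHE_LOG = """\
[Mon May 27 17:30:01 2013] [error] [client 203.0.113.9] user bob not found: /webmail/
[Mon May 27 17:30:02 2013] [error] [client 203.0.113.9] user bob not found: /webmail/
[Mon May 27 17:30:03 2013] [error] [client 203.0.113.9] user admin: authentication failure for "/webmail/": Password Mismatch
[Mon May 27 17:30:04 2013] [error] [client 203.0.113.9] user admin: authentication failure for "/webmail/": Password Mismatch
[Mon May 27 17:32:00 2013] [error] [client 203.0.113.9] user admin: authentication failure for "/webmail/": Password Mismatch
[Mon May 27 17:33:00 2013] [error] [client 198.51.100.4] user admin: authentication failure for "/webmail/": Password Mismatch
[Mon May 27 17:33:01 2013] [error] [client 198.51.100.4] user admin: authentication failure for "/webmail/": Password Mismatch
[Mon May 27 17:33:02 2013] [error] [client 198.51.100.4] user admin: authentication failure for "/webmail/": Password Mismatch
[Mon May 27 17:33:03 2013] [error] [client 198.51.100.4] user admin: authentication failure for "/webmail/": Password Mismatch
[Mon May 27 17:33:04 2013] [error] [client 198.51.100.4] user admin: authentication failure for "/webmail/": Password Mismatch
"""

def demo():
    """Both jails configured as in jail.local above, run over the sample logs."""
    ssh = Jail(SSHD_FAILREGEX, maxretry=3, findtime=600, bantime=3600, ignoreip=["192.168.10.180/32"])
    apache = Jail(APACHE_AUTH_FAILREGEX, maxretry=5, findtime=60, bantime=3600)
    ssh_bans = [h for h in map(ssh.feed, SSH_LOG.splitlines()) if h]
    apache_bans = [h for h in map(apache.feed, APACHE_LOG.splitlines()) if h]
    return ssh, ssh_bans, apache, apache_bans
```

Calling demo() bans 192.168.10.168 on its third matching line (the "Invalid user" line plus two "Failed password" lines; the input_userauth_request line matches nothing) with the ban expiring at 18:11:09, leaves 192.168.10.180 alone despite three failures because of ignoreip, and bans 198.51.100.4 but not 203.0.113.9, which also produced five failures but never five inside the 60-second findtime. Note that Apache's "Password Mismatch" lines are caught by the "authentication failure" pattern, not the lower-case "password mismatch" one.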
Start the Fail2ban service

# /etc/init.d/fail2ban start

Enable it at boot (it must start after the iptables service, because the action inserts rules into the running firewall)

# chkconfig fail2ban on 

4. Test that Fail2Ban is working
Attempt SSH logins from 192.168.10.168 with a wrong password, then look at /var/log/secure:

# tail /var/log/secure

May 27 17:11:04 mail sshd[18972]: Invalid user ANGEL from 192.168.10.168
May 27 17:11:04 mail sshd[18977]: input_userauth_request: invalid user ANGEL
May 27 17:11:05 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:05 mail sshd[18972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.168
May 27 17:11:05 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:07 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:07 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:07 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:09 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2
May 27 17:11:09 mail sshd[18972]: pam_unix(sshd:auth): check pass; user unknown
May 27 17:11:09 mail sshd[18972]: pam_succeed_if(sshd:auth): error retrieving information about user ANGEL
May 27 17:11:12 mail sshd[18972]: Failed password for invalid user ANGEL from 192.168.10.168 port 53265 ssh2

Confirm that the iptables rule is in place

# iptables -L -nv
Chain INPUT (policy DROP 2904 packets, 324K bytes)
...... (rules in between omitted) ......
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination      
   18  3180 DROP       all  --  *      *       192.168.10.168       0.0.0.0/0        
32599  342M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

How to check fail2ban's status

# fail2ban-client status ssh-iptables 

Status for the jail: ssh-iptables
|- filter
|  |- File list: /var/log/secure
|  |- Currently failed: 1
|  `- Total failed: 7
`- action
   |- Currently banned: 1
   |  `- IP list: 192.168.10.168
   `- Total banned: 2

So 192.168.10.168 has indeed been banned. The ban is lifted automatically after bantime (3600 seconds here); to lift it by hand, fail2ban 0.8.8 and later accept fail2ban-client set ssh-iptables unbanip 192.168.10.168, while older releases need the DROP rule deleted from the fail2ban-SSH chain with iptables.

References:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
http://pulipuli.blogspot.tw/2011/07/centosfail2ban.html
http://cyrilwang.blogspot.tw/2012/04/fail2ban.html
