сервис_fail2ban [2019/08/30 15:08] val [Блокировка через cisco acl] |
сервис_fail2ban [2024/06/23 16:45] val [Блокировка через cisco acl] |
Line 2: | Line 2: | ||
* [[https://thefragens.com/2010/11/checking-fail2ban-regex/|Checking Fail2ban regex]] | * [[https://thefragens.com/2010/11/checking-fail2ban-regex/|Checking Fail2ban regex]] | ||
+ | * [[https://forum.yunohost.org/t/fail2ban-high-cpu-usage/2439|Fail2ban high CPU usage]] | ||
===== Установка ===== | ===== Установка ===== | ||
- | |||
- | ==== Debian/Ubuntu ==== | ||
* [[https://help.ubuntu.com/community/Fail2ban|Fail2ban]] | * [[https://help.ubuntu.com/community/Fail2ban|Fail2ban]] | ||
+ | * [[https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/2055114|fail2ban is broken in 24.04 Noble]] | ||
<code> | <code> | ||
+ | debian11# apt install iptables | ||
+ | debian12# apt install iptables rsyslog | ||
+ | |||
# apt install fail2ban | # apt install fail2ban | ||
- | # cd /etc/fail2ban/ | + | ubuntu24# wget https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1/+build/28291332/+files/fail2ban_1.1.0-1_all.deb |
- | </code> | + | ubuntu24# dpkg -i fail2ban_1.1.0-1_all.deb |
- | + | ||
- | ==== FreeBSD ==== | + | |
- | <code> | + | |
- | # pkg install py27-fail2ban | + | |
- | + | ||
- | # cat /etc/rc.conf | + | |
- | </code><code> | + | |
- | ... | + | |
- | fail2ban_enable="YES" | + | |
- | </code><code> | + | |
- | # cd /usr/local/etc/fail2ban/ | + | |
</code> | </code> | ||
===== Настройка ===== | ===== Настройка ===== | ||
- | |||
- | ==== Debian/Ubuntu/FreeBSD ==== | ||
<code> | <code> | ||
- | # cat jail.conf | + | # cat /etc/fail2ban/jail.conf |
- | # ls jail.d/ | + | # ls /etc/fail2ban/jail.d/ |
- | # cat filter.d/sshd.conf | + | # cat /etc/fail2ban/jail.d/defaults-debian.conf |
- | # cat filter.d/asterisk.conf | + | # cat /etc/fail2ban/filter.d/sshd.conf |
- | </code> | + | |
- | ==== Debian/Ubuntu ==== | + | # cat /etc/fail2ban/filter.d/asterisk.conf |
- | <code> | + | </code><code> |
- | # cat jail.local | + | # cat /etc/fail2ban/jail.local |
</code><code> | </code><code> | ||
[sshd] | [sshd] | ||
maxretry = 6 | maxretry = 6 | ||
+ | #ignoreip = 192.168.X.0/24 192.168.100+X.0/24 | ||
[asterisk] | [asterisk] | ||
enabled = true | enabled = true | ||
- | maxretry = 3 | + | maxretry = 3 |
- | </code> | + | #bantime = 30d |
- | + | #action = iptables-allports[blocktype=DROP] | |
- | ==== FreeBSD ==== | + | #action = route[blocktype=blackhole] |
- | + | ||
- | * Настройка PF ([[Сервис Firewall#Конфигурация для защиты от bruteforce]]) | + | |
- | + | ||
- | <code> | + | |
- | # cat jail.local | + | |
- | </code><code> | + | |
- | [sshd] | + | |
- | enabled = true | + | |
- | filter = sshd | + | |
- | action = pf | + | |
- | maxretry = 6 | + | |
- | logpath = /var/log/auth.log | + | |
- | + | ||
- | [asterisk] | + | |
- | # ignoreip = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 | + | |
- | enabled = true | + | |
- | action = pf | + | |
- | maxretry = 3 | + | |
</code> | </code> | ||
===== Запуск и отладка ===== | ===== Запуск и отладка ===== | ||
- | |||
- | ==== Debian/Ubuntu ==== | ||
<code> | <code> | ||
# service fail2ban reload | # service fail2ban reload | ||
- | </code> | + | </code><code> |
- | + | ||
- | ==== FreeBSD ==== | + | |
- | <code> | + | |
- | # service fail2ban start | + | |
- | </code> | + | |
- | + | ||
- | ==== Debian/Ubuntu/FreeBSD ==== | + | |
- | <code> | + | |
# tail -f /var/log/fail2ban.log | # tail -f /var/log/fail2ban.log | ||
</code> | </code> | ||
Line 97: | Line 59: | ||
# fail2ban-client status asterisk | # fail2ban-client status asterisk | ||
- | # fail2ban-client set asterisk unbanip 172.16.1.21 | + | # fail2ban-client set asterisk unbanip 172.16.1.150 |
# tail -f /var/log/fail2ban.log | # tail -f /var/log/fail2ban.log | ||
</code> | </code> | ||
- | ===== Отладка собственных фильтров ===== | + | ===== Интеграция fail2ban и cisco log ===== |
+ | |||
+ | * Резервное копирование конфигурации | ||
<code> | <code> | ||
- | # fail2ban-regex /var/log/tmp_file.log /etc/fail2ban/filter.d/tmp_file_filter.conf | + | # cat /etc/fail2ban/jail.d/cisco-change-config.conf |
</code><code> | </code><code> | ||
- | # cat action.d/tmp_file_action.conf | + | [cisco-change-config] |
+ | enabled = true | ||
+ | maxretry = 1 | ||
+ | bantime = 30 | ||
+ | filter = cisco-change-config | ||
+ | logpath = /var/log/cisco.log | ||
+ | action = cisco-backup-config | ||
+ | </code><code> | ||
+ | # cat /etc/fail2ban/filter.d/cisco-change-config.conf | ||
</code><code> | </code><code> | ||
[Definition] | [Definition] | ||
- | actionban = echo "`date` f2ban detect ip: <ip>" >> /tmp/file_action.log | + | failregex = <HOST>.*Configured from.* |
- | </code> | + | </code><code> |
+ | # cat /etc/fail2ban/action.d/cisco-backup-config.conf | ||
+ | </code><code> | ||
+ | [Definition] | ||
+ | actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config | ||
+ | cd /srv/tftp/ | ||
+ | /usr/bin/git add * | ||
+ | /usr/bin/git --no-optional-locks status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F - | ||
+ | </code> | ||
===== Интеграция fail2ban и snort ===== | ===== Интеграция fail2ban и snort ===== | ||
* [[https://github.com/frankiejol/snortban|frankiejol/snortban]] | * [[https://github.com/frankiejol/snortban|frankiejol/snortban]] | ||
+ | * Сервис SNORT [[Сервис SNORT#Копирование alert_unified2 в syslog]] | ||
<code> | <code> | ||
- | # cat jail.d/snort_jail.conf | + | # cat /etc/fail2ban/jail.d/snort_jail.conf |
</code><code> | </code><code> | ||
[snort] | [snort] | ||
Line 125: | Line 106: | ||
bantime = 300 | bantime = 300 | ||
filter = snort_filter | filter = snort_filter | ||
- | maxretry = 1 | + | maxretry = 3 |
logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
+ | #action = mail-admin | ||
#action = iptables-allports | #action = iptables-allports | ||
+ | #action = iptables-allports-forward | ||
#action = cisco-acl | #action = cisco-acl | ||
</code><code> | </code><code> | ||
- | # cat filter.d/snort_filter.conf | + | # cat /etc/fail2ban/filter.d/snort_filter.conf |
</code><code> | </code><code> | ||
- | [INCLUDES] | ||
- | |||
[Definition] | [Definition] | ||
Line 139: | Line 120: | ||
# .*snort.*Priority: 2.*} <HOST>.* | # .*snort.*Priority: 2.*} <HOST>.* | ||
- | ignoreregex = | + | #failregex = .*Original Client IP: <HOST>.* |
</code> | </code> | ||
+ | |||
+ | ==== Уведомление по email ==== | ||
+ | <code> | ||
+ | # cat /etc/fail2ban/action.d/mail-admin.conf | ||
+ | </code><code> | ||
+ | [Definition] | ||
+ | |||
+ | actionban = printf %%b "Hi,\n | ||
+ | Ban this <ip> | ||
+ | Regards,\n | ||
+ | Fail2Ban"|mail -s "[Fail2Ban] Ban <name> <ip>" <dest> | ||
+ | |||
+ | actionunban = printf %%b "Hi,\n | ||
+ | Unban this <ip> | ||
+ | Regards,\n | ||
+ | Fail2Ban"|mail -s "[Fail2Ban] Unban <name> <ip>" <dest> | ||
+ | |||
+ | [Init] | ||
+ | |||
+ | name = mail-admin | ||
+ | |||
+ | dest = student | ||
+ | </code> | ||
+ | |||
+ | * [[#Запуск и отладка]] | ||
==== Блокировка через iptables ==== | ==== Блокировка через iptables ==== | ||
<code> | <code> | ||
- | # iptables -A FORWARD -j f2b-default | + | # cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports-forward.conf |
+ | |||
+ | # cat /etc/fail2ban/action.d/iptables-allports-forward.conf | ||
+ | </code><code> | ||
+ | ... | ||
+ | before = iptables-common-forward.conf | ||
+ | ... | ||
+ | </code><code> | ||
+ | # cp /etc/fail2ban/action.d/iptables-common.conf /etc/fail2ban/action.d/iptables-common-forward.conf | ||
+ | |||
+ | # cat /etc/fail2ban/action.d/iptables-common-forward.conf | ||
+ | </code><code> | ||
+ | ... | ||
+ | chain = FORWARD | ||
+ | ... | ||
</code> | </code> | ||
+ | * [[#Запуск и отладка]] | ||
==== Блокировка через cisco acl ==== | ==== Блокировка через cisco acl ==== | ||
<code> | <code> | ||
+ | server# rsh router show access-lists | ||
+ | </code><code> | ||
# cat /root/cisco-acl-deny.sh | # cat /root/cisco-acl-deny.sh | ||
</code><code> | </code><code> | ||
Line 166: | Line 189: | ||
permit tcp any host 192.168.X.10 eq 80 | permit tcp any host 192.168.X.10 eq 80 | ||
permit tcp any host 192.168.X.10 eq 22 | permit tcp any host 192.168.X.10 eq 22 | ||
- | permit icmp any 192.168.X.0 0.0.0.255 | + | permit icmp any 192.168.0.0 0.0.255.255 |
permit ip any host 172.16.1.X | permit ip any host 172.16.1.X | ||
permit udp any any | permit udp any any | ||
permit tcp any any established | permit tcp any any established | ||
- | deny ip any any log | + | deny ip any any ! log |
+ | end | ||
</code><code> | </code><code> | ||
# cat /root/cisco-change-firewall.sh | # cat /root/cisco-change-firewall.sh | ||
Line 176: | Line 200: | ||
#!/bin/sh | #!/bin/sh | ||
- | cat > /root/firewall.acl <<EOF | + | cat > /srv/tftp/firewall.acl <<EOF |
no ip access-list extended ACL_FIREWALL | no ip access-list extended ACL_FIREWALL | ||
ip access-list extended ACL_FIREWALL | ip access-list extended ACL_FIREWALL | ||
EOF | EOF | ||
- | /root/cisco-acl-deny.sh >> /root/firewall.acl | + | /root/cisco-acl-deny.sh >> /srv/tftp/firewall.acl |
- | cat /root/cisco-acl-permit.txt >> /root/firewall.acl | + | cat /root/cisco-acl-permit.txt >> /srv/tftp/firewall.acl |
- | echo end >> /root/firewall.acl | + | #/usr/bin/rcp /srv/tftp/firewall.acl router:running-config |
- | + | #/usr/bin/snmpset -c write -v2c router .1.3.6.1.4.1.9.2.1.53.192.168.X.10 string "firewall.acl" | |
- | /usr/bin/rcp /root/firewall.acl router:running-config | + | |
</code><code> | </code><code> | ||
# cat /etc/fail2ban/action.d/cisco-acl.conf | # cat /etc/fail2ban/action.d/cisco-acl.conf | ||
Line 194: | Line 217: | ||
actionban = /root/cisco-change-firewall.sh | actionban = /root/cisco-change-firewall.sh | ||
+ | |||
+ | actionunban = /root/cisco-change-firewall.sh | ||
+ | # if atack from DNS) | ||
+ | #actionunban = echo /root/cisco-change-firewall.sh | at now + 1 min | ||
</code> | </code> | ||
- | ===== Интеграция fail2ban и cisco log ===== | + | * [[#Запуск и отладка]] |
+ | ===== Отладка собственных фильтров ===== | ||
<code> | <code> | ||
- | # cat /etc/fail2ban/jail.d/cisco-change-config.conf | + | # fail2ban-regex /var/log/tmp_file.log /etc/fail2ban/filter.d/tmp_file_filter.conf |
</code><code> | </code><code> | ||
- | [cisco-change-config] | + | # cat action.d/tmp_file_action.conf |
- | enabled = true | + | |
- | maxretry = 1 | + | |
- | bantime = 30 | + | |
- | filter = cisco-change-config | + | |
- | logpath = /var/log/cisco.log | + | |
- | action = cisco-backup-config | + | |
</code><code> | </code><code> | ||
- | # cat /etc/fail2ban/filter.d/cisco-change-config.conf | ||
- | </code><code> | ||
- | [INCLUDES] | ||
- | |||
[Definition] | [Definition] | ||
- | failregex = <HOST>.*Configured from console.* | + | actionban = echo "`date` f2ban detect ip: <ip>" >> /tmp/file_action.log |
- | </code><code> | + | </code> |
- | # cat /etc/fail2ban/action.d/cisco-backup-config.conf | + | |
- | </code><code> | + | |
- | [Definition] | + | |
- | actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config | ||
- | </code> | ||
===== Дополнительные материалы ===== | ===== Дополнительные материалы ===== | ||
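Review bot: The new cisco-backup-config action in the «Интеграция fail2ban и cisco log» block (Line 97 hunk) places the router password on the command line, `actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config`, so it is readable by anyone who can read the action file and by every local user through the process list while scp runs. Prefer key-based SSH for the scp, or at least `sshpass -f <PATH-TO-0600-PASSWORD-FILE>` so the credential is kept out of the fail2ban configuration. The backup is also written under /srv/tftp/, the same directory the later cisco-change-firewall.sh uses for firewall.acl and that the commented `snmpset ... "firewall.acl"` line implies the router fetches from; if that directory is exported by a TFTP server (the page does not show its configuration), each saved running-config, with whatever secrets it carries, becomes retrievable without authentication, so a separate directory with restrictive permissions outside the TFTP root would be safer. A one-line comment in the action file stating where the credential and the backups are expected to live, e.g. `# auth: ssh key or 0600 password file; backups: restricted dir, not the TFTP root`, would keep the next reader from copying the inline-password pattern.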