Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Last revision Both sides next revision
сервис_fail2ban [2019/08/30 16:52]
val [Блокировка через cisco acl] 		сервис_fail2ban [2024/05/11 15:47]
val [Интеграция fail2ban и snort]
Line 2: Line 2:
  
   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]
 +  * [[https://​forum.yunohost.org/​t/​fail2ban-high-cpu-usage/​2439|Fail2ban high CPU usage]]
 ===== Установка ===== ===== Установка =====
- 
-==== Debian/​Ubuntu ==== 
  
   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]
 +  * [[https://​bugs.launchpad.net/​ubuntu/​+source/​fail2ban/​+bug/​2055114|fail2ban is broken in 24.04 Noble]]
  
 <​code>​ <​code>​
 +debian11# apt install iptables
 +debian12# apt install iptables rsyslog
 +
 # apt install fail2ban # apt install fail2ban
  
-cd /etc/fail2ban/ +ubuntu24wget https://launchpad.net/ubuntu/​+source/fail2ban/1.1.0-1/​+build/​28291332/+files/​fail2ban_1.1.0-1_all.deb 
-</code> +ubuntu24dpkg -i fail2ban_1.1.0-1_all.deb ​
- +
-==== FreeBSD ==== +
-<​code>​ +
-# pkg install py27-fail2ban +
- +
-# cat /etc/rc.conf +
-</code><​code>​ +
-... +
-fail2ban_enable="​YES"​ +
-</​code><​code>​ +
-cd /​usr/​local/​etc/​fail2ban/​+
 </​code>​ </​code>​
  
 ===== Настройка ===== ===== Настройка =====
- 
-==== Debian/​Ubuntu/​FreeBSD ==== 
  
 <​code>​ <​code>​
-# cat jail.conf+# cat /​etc/​fail2ban/​jail.conf
  
-# ls jail.d/+# ls /​etc/​fail2ban/​jail.d/
  
-# cat filter.d/sshd.conf+# cat /​etc/​fail2ban/​jail.d/defaults-debian.conf
  
-# cat filter.d/asterisk.conf +# cat /​etc/​fail2ban/​filter.d/sshd.conf
-</​code>​+
  
-==== Debian/Ubuntu ==== +# cat /etc/​fail2ban/​filter.d/​asterisk.conf 
-<​code>​ +</​code>​<​code>​ 
-# cat jail.local+# cat /​etc/​fail2ban/​jail.local
 </​code><​code>​ </​code><​code>​
 [sshd] [sshd]
 maxretry = 6 maxretry = 6
 +#ignoreip = 192.168.X.0/​24 192.168.100+X.0/​24
  
 [asterisk] [asterisk]
 enabled = true enabled = true
-maxretry ​   = 3 +maxretry = 3 
-</​code>​ +#​bantime ​30d 
- +#action = iptables-allports[blocktype=DROP
-==== FreeBSD ===+#action = route[blocktype=blackhole]
- +
-  * Настройка PF ([[Сервис Firewall#Конфигурация для защиты от bruteforce]]) +
- +
-<​code>​ +
-# cat jail.local +
-</​code><​code>​ +
-[sshd] +
-enabled ​    = true +
-filter ​     = sshd +
-action ​     pf +
-maxretry ​   ​+
-logpath ​    = /​var/​log/​auth.log +
- +
-[asterisk+
-ignoreip ​   = 10.0.0.0/8 172.16.0.0/​12 192.168.0.0/​16 +
-enabled ​    = true +
-action ​     pf +
-maxretry ​   ​3+
 </​code>​ </​code>​
  
 ===== Запуск и отладка ===== ===== Запуск и отладка =====
- 
-==== Debian/​Ubuntu ==== 
  
 <​code>​ <​code>​
 # service fail2ban reload # service fail2ban reload
-</​code>​ +</​code><​code>​
- +
-==== FreeBSD ==== +
-<​code>​ +
-# service fail2ban start +
-</​code>​ +
- +
-==== Debian/​Ubuntu/​FreeBSD ==== +
-<​code>​+
 # tail -f /​var/​log/​fail2ban.log # tail -f /​var/​log/​fail2ban.log
 </​code>​ </​code>​
Line 97: Line 59:
 # fail2ban-client status asterisk # fail2ban-client status asterisk
  
-# fail2ban-client set asterisk unbanip 172.16.1.21+# fail2ban-client set asterisk unbanip 172.16.1.150
  
 # tail -f /​var/​log/​fail2ban.log # tail -f /​var/​log/​fail2ban.log
 </​code>​ </​code>​
  
-===== Отладка собственных ​фильтров =====+===== Интеграция fail2ban и cisco log ===== 
 + 
 +  * Резервное ​копирование конфигурации
  
 <​code>​ <​code>​
-fail2ban-regex /​var/​log/​tmp_file.log ​/​etc/​fail2ban/​filter.d/tmp_file_filter.conf+cat /​etc/​fail2ban/​jail.d/cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
-# cat action.d/tmp_file_action.conf+[cisco-change-config] 
 +enabled ​ = true 
 +maxretry = 1 
 +bantime ​ = 30 
 +filter ​  = cisco-change-config 
 +logpath ​ = /​var/​log/​cisco.log 
 +action ​  = cisco-backup-config 
 +</​code><​code>​ 
 +# cat /​etc/​fail2ban/​filter.d/cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
 [Definition] [Definition]
  
-actionban = echo "​`date` f2ban detect ​ip: <ip>" >> ​/tmp/file_action.log+failregex = <​HOST>​.*Configured from.* 
 +</​code><​code>​ 
 +# cat /​etc/​fail2ban/​action.d/​cisco-backup-config.conf 
 +</​code><​code>​ 
 +[Definition] 
 + 
 +actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <ip>:running-config /srv/tftp/<ip>-running-config 
 +            cd /srv/tftp/ 
 +            /​usr/​bin/​git add * 
 +            /​usr/​bin/​git --no-optional-locks status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -
 </​code>​ </​code>​
- 
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
  
   * [[https://​github.com/​frankiejol/​snortban|frankiejol/​snortban]]   * [[https://​github.com/​frankiejol/​snortban|frankiejol/​snortban]]
 +  * Сервис SNORT [[Сервис SNORT#​Копирование alert_unified2 в syslog]]
  
 <​code>​ <​code>​
-# cat jail.d/​snort_jail.conf+# cat /​etc/​fail2ban/​jail.d/​snort_jail.conf
 </​code><​code>​ </​code><​code>​
 [snort] [snort]
Line 125: Line 106:
 bantime ​    = 300 bantime ​    = 300
 filter ​     = snort_filter filter ​     = snort_filter
-maxretry ​   = 1+maxretry ​   = 3
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
 +#​action ​     = mail-admin
 #​action ​     = iptables-allports #​action ​     = iptables-allports
 +#​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
 </​code><​code>​ </​code><​code>​
-# cat filter.d/​snort_filter.conf+# cat /​etc/​fail2ban/​filter.d/​snort_filter.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
Line 139: Line 120:
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
  
-ignoreregex ​=+#​failregex ​.*Original Client IP: <​HOST>​.*
 </​code>​ </​code>​
 +
 +==== Уведомление по email ====
 +<​code>​
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf
 +</​code><​code>​
 +[Definition]
 +
 +actionban = printf %%b "Hi,\n
 +            Ban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​
 +
 +actionunban = printf %%b "Hi,\n
 +            Unban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​
 +
 +[Init]
 +
 +name = mail-admin
 +
 +dest = student
 +</​code>​
 +
 +  * [[#​Запуск и отладка]]
  
 ==== Блокировка через iptables ==== ==== Блокировка через iptables ====
  
 <​code>​ <​code>​
-# iptables -A FORWARD ​-j f2b-default+cp /​etc/​fail2ban/​action.d/​iptables-allports.conf /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 +</​code><​code>​ 
 +... 
 +before = iptables-common-forward.conf 
 +... 
 +</​code><​code>​ 
 +# cp /​etc/​fail2ban/​action.d/​iptables-common.conf /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 +</​code><​code>​ 
 +... 
 +chain = FORWARD  
 +...
 </​code>​ </​code>​
  
 +  * [[#​Запуск и отладка]]
 ==== Блокировка через cisco acl ==== ==== Блокировка через cisco acl ====
  
 <​code>​ <​code>​
 +server# rsh router show access-lists
 +</​code><​code>​
 # cat /​root/​cisco-acl-deny.sh # cat /​root/​cisco-acl-deny.sh
 </​code><​code>​ </​code><​code>​
Line 166: Line 189:
  ​permit tcp any host 192.168.X.10 eq 80  ​permit tcp any host 192.168.X.10 eq 80
  ​permit tcp any host 192.168.X.10 eq 22  ​permit tcp any host 192.168.X.10 eq 22
- ​permit icmp any 192.168.X.0 0.0.0.255+ ​permit icmp any 192.168.0.0 0.0.255.255
  ​permit ip any host 172.16.1.X  ​permit ip any host 172.16.1.X
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log
 end end
 </​code><​code>​ </​code><​code>​
Line 195: Line 218:
  
 actionunban = /​root/​cisco-change-firewall.sh actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
-===== Интеграция fail2ban и cisco log =====+  * [[#​Запуск и отладка]] 
 +===== Отладка собственных фильтров ​===== 
 <​code>​ <​code>​
-cat /​etc/​fail2ban/​jail.d/cisco-change-config.conf+fail2ban-regex /​var/​log/​tmp_file.log ​/​etc/​fail2ban/​filter.d/tmp_file_filter.conf
 </​code><​code>​ </​code><​code>​
-[cisco-change-config] +# cat action.d/tmp_file_action.conf
-enabled ​ = true +
-maxretry = 1 +
-bantime ​ = 30 +
-filter ​  = cisco-change-config +
-logpath ​ = /var/​log/​cisco.log +
-action ​  = cisco-backup-config+
 </​code><​code>​ </​code><​code>​
-# cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf 
-</​code><​code>​ 
-[INCLUDES] 
- 
 [Definition] [Definition]
  
-failregex ​= <HOST>.*Configured from console.* +actionban ​echo "​`date` f2ban detect ip: <ip>" ​>> /tmp/file_action.log 
-</code><code> +</​code>​
-# cat /etc/fail2ban/​action.d/​cisco-backup-config.conf +
-</​code>​<​code>​ +
-[Definition]+
  
-actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <​ip>:​running-config /​srv/​tftp/<​ip>​-running-config 
-</​code>​ 
 ===== Дополнительные материалы ===== ===== Дополнительные материалы =====
  
сервис_fail2ban.txt · Last modified: 2024/06/23 16:45 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki