сервис_fail2ban [2020/09/16 13:07] val [Сервис Fail2ban] |
сервис_fail2ban [2022/05/20 13:25] val [Настройка] |
Line 8: | Line 8: | ||
<code> | <code> | ||
+ | debian11# apt install iptables | ||
+ | |||
# apt install fail2ban | # apt install fail2ban | ||
</code> | </code> | ||
Line 32: | Line 34: | ||
enabled = true | enabled = true | ||
maxretry = 3 | maxretry = 3 | ||
+ | #bantime = 30d | ||
+ | #action = iptables-allports[blocktype=DROP] | ||
</code> | </code> | ||
Line 54: | Line 58: | ||
===== Интеграция fail2ban и cisco log ===== | ===== Интеграция fail2ban и cisco log ===== | ||
+ | |||
+ | * Резервное копирование конфигурации | ||
+ | |||
<code> | <code> | ||
# cat /etc/fail2ban/jail.d/cisco-change-config.conf | # cat /etc/fail2ban/jail.d/cisco-change-config.conf | ||
Line 67: | Line 74: | ||
# cat /etc/fail2ban/filter.d/cisco-change-config.conf | # cat /etc/fail2ban/filter.d/cisco-change-config.conf | ||
</code><code> | </code><code> | ||
- | [INCLUDES] | ||
- | |||
[Definition] | [Definition] | ||
Line 80: | Line 85: | ||
cd /srv/tftp/ | cd /srv/tftp/ | ||
/usr/bin/git add * | /usr/bin/git add * | ||
- | /usr/bin/git status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F - | + | /usr/bin/git --no-optional-locks status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F - |
</code> | </code> | ||
===== Интеграция fail2ban и snort ===== | ===== Интеграция fail2ban и snort ===== | ||
Line 93: | Line 98: | ||
bantime = 300 | bantime = 300 | ||
filter = snort_filter | filter = snort_filter | ||
- | maxretry = 1 | + | maxretry = 3 |
logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
+ | #action = mail-admin | ||
#action = iptables-allports-forward | #action = iptables-allports-forward | ||
#action = cisco-acl | #action = cisco-acl | ||
Line 100: | Line 106: | ||
# cat /etc/fail2ban/filter.d/snort_filter.conf | # cat /etc/fail2ban/filter.d/snort_filter.conf | ||
</code><code> | </code><code> | ||
- | [INCLUDES] | ||
- | |||
[Definition] | [Definition] | ||
failregex = .*snort.*Priority: 1.*} <HOST>.* | failregex = .*snort.*Priority: 1.*} <HOST>.* | ||
# .*snort.*Priority: 2.*} <HOST>.* | # .*snort.*Priority: 2.*} <HOST>.* | ||
+ | </code> | ||
+ | |||
+ | ==== Уведомление по email ==== | ||
+ | <code> | ||
+ | # cat /etc/fail2ban/action.d/mail-admin.conf | ||
+ | </code><code> | ||
+ | [Definition] | ||
+ | |||
+ | actionban = printf %%b "Hi,\n | ||
+ | Ban this <ip> | ||
+ | Regards,\n | ||
+ | Fail2Ban"|mail -s "[Fail2Ban] Ban <name> <ip>" <dest> | ||
+ | |||
+ | actionunban = printf %%b "Hi,\n | ||
+ | Unban this <ip> | ||
+ | Regards,\n | ||
+ | Fail2Ban"|mail -s "[Fail2Ban] Unban <name> <ip>" <dest> | ||
+ | |||
+ | [Init] | ||
+ | |||
+ | name = mail-admin | ||
- | ignoreregex = | + | dest = student |
</code> | </code> | ||
Line 133: | Line 158: | ||
<code> | <code> | ||
+ | server# rsh router show access-lists | ||
+ | </code><code> | ||
# cat /root/cisco-acl-deny.sh | # cat /root/cisco-acl-deny.sh | ||
</code><code> | </code><code> | ||
Line 152: | Line 179: | ||
permit udp any any | permit udp any any | ||
permit tcp any any established | permit tcp any any established | ||
- | deny ip any any log | + | deny ip any any ! log |
end | end | ||
</code><code> | </code><code> | ||
Line 177: | Line 204: | ||
actionunban = /root/cisco-change-firewall.sh | actionunban = /root/cisco-change-firewall.sh | ||
+ | # if atack from DNS) | ||
+ | #actionunban = echo /root/cisco-change-firewall.sh | at now + 1 min | ||
</code> | </code> | ||
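Review bot: The new mail-admin action (the stanza after `# cat /etc/fail2ban/action.d/mail-admin.conf`) splices `<ip>` and `<name>` straight into a shell pipeline, so it relies on fail2ban only ever substituting address-shaped values from the `<HOST>` capture; the snort failregex `.*snort.*Priority: 1.*} <HOST>.*` (unchanged context) is unanchored, so it is worth confirming what `<HOST>` can actually match on that log line. Because the message body is piped into `mail`, consider the upstream fail2ban convention `mail -E 'set escape' -s "[Fail2Ban] Ban <name> <ip>" <dest>` so tilde escape sequences in the body are never interpreted — confirm the installed mail client accepts that option. The snort jail still carries `#action = mail-admin` commented out, so the new action is defined but not yet wired to any jail; a one-line comment above the `[Definition]` header noting which jail is meant to reference it would make that explicit. The new comment `# if atack from DNS)` has a typo and an unbalanced parenthesis; `# if attack from DNS` reads better.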