Сервис Fail2ban
Установка
# Install fail2ban plus the backend it bans with (iptables), per distro.
# Debian 12 also gets rsyslog — presumably so that the plain-text log files the
# jails below read (auth.log, cisco.log) are actually written; confirm.
debian11# apt install iptables
debian12# apt install iptables rsyslog
# apt install fail2ban
# Ubuntu 24.04: a newer fail2ban build is fetched straight from Launchpad.
# Check the downloaded .deb against the checksum published on that Launchpad
# build page before installing; dpkg -i does no signature verification itself.
ubuntu24# wget https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1/+build/28291332/+files/fail2ban_1.1.0-1_all.deb
ubuntu24# dpkg -i fail2ban_1.1.0-1_all.deb
Настройка
# Read the stock configuration first. jail.conf and filter.d/*.conf are owned
# by the package and replaced on upgrade; site settings belong in jail.local
# or jail.d/*.conf, which are read afterwards and override jail.conf.
# cat /etc/fail2ban/jail.conf
# ls /etc/fail2ban/jail.d/
# cat /etc/fail2ban/jail.d/defaults-debian.conf
# cat /etc/fail2ban/filter.d/sshd.conf
# cat /etc/fail2ban/filter.d/asterisk.conf
# cat /etc/fail2ban/jail.local
# sshd: no "enabled" here — presumably switched on by defaults-debian.conf
# shown above; only the retry threshold is raised.
[sshd]
maxretry = 6
# ignoreip whitelists the management networks so that a mistake in a filter
# cannot lock out the admin hosts. X is the lab-number placeholder.
#ignoreip = 192.168.X.0/24 192.168.100+X.0/24
# Jails are disabled by default in jail.conf, so asterisk must be enabled here.
[asterisk]
enabled = true
maxretry = 3
# Alternatives kept for the exercise: a long ban, or a harder blocking action.
# iptables-allports[blocktype=DROP] discards packets instead of rejecting them;
# route[blocktype=blackhole] blocks via the routing table rather than netfilter.
#bantime = 30d
#action = iptables-allports[blocktype=DROP]
#action = route[blocktype=blackhole]
Запуск и отладка
# Re-read the configuration (fail2ban-client reload does the same; existing
# bans are normally kept), then watch the log for filter or jail errors.
# service fail2ban reload
# tail -f /var/log/fail2ban.log
Мониторинг и управление
# List of jails, then per-jail counters and the currently banned addresses.
# fail2ban-client status
# fail2ban-client status asterisk
# Manual unban of a single address, e.g. a lab host banned by mistake.
# fail2ban-client set asterisk unbanip 172.16.1.150
# tail -f /var/log/fail2ban.log
Интеграция fail2ban и cisco log
# cat /etc/fail2ban/jail.d/cisco-change-config.conf
# Not a blocking jail: fail2ban's match/ban machinery is reused so that a
# "Configured from" syslog message from a router triggers a backup of its
# running-config (action.d/cisco-backup-config.conf) instead of a block.
[cisco-change-config]
enabled = true
# A single matching line is enough — a config change is not a failed attempt.
maxretry = 1
# Seconds. Kept short on purpose: while "banned" the same router presumably
# cannot trigger another backup, so this only rate-limits the action.
bantime = 30
filter = cisco-change-config
# The routers' syslog must be forwarded to this host (rsyslog) and written here.
logpath = /var/log/cisco.log
action = cisco-backup-config
# cat /etc/fail2ban/filter.d/cisco-change-config.conf
[Definition]
# <HOST> at the very start means the router's address or name is expected to
# be the first token after the timestamp fail2ban strips — this depends on the
# rsyslog line format of cisco.log; verify with fail2ban-regex (used below).
# NOTE(review): ".*Configured from.*" is deliberately loose and matches any
# line that merely contains that text.
failregex = <HOST>.*Configured from.*
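# cat /etc/fail2ban/action.d/cisco-backup-config.conf
[Definition]
# Fetch the router's running-config over scp and commit it to the git repo in
# /srv/tftp. <ip> is filled in by fail2ban with the host the filter matched.
# The lines after the first belong to the same multi-line value and must be
# indented; unindented, configparser would read them as separate broken keys.
# NOTE(review): the scp password is stored in clear text here and handed to
# sshpass on the command line, where it is visible in the process list;
# key-based SSH authentication for the backup user avoids both exposures.
# The commit message is built from the paths git status reports as changed;
# with nothing changed the message is empty and git presumably makes no commit.
actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config
            cd /srv/tftp/
            /usr/bin/git add *
            /usr/bin/git --no-optional-locks status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F -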
Интеграция fail2ban и snort
# cat /etc/fail2ban/jail.d/snort_jail.conf
# Ban the address reported in Snort priority-1 alerts. The alerts are expected
# to reach auth.log through syslog — confirm on the sensor.
[snort]
enabled = true
# Seconds.
bantime = 300
filter = snort_filter
maxretry = 3
logpath = /var/log/auth.log
# Responses built later on this page: e-mail the admin, block in the INPUT or
# FORWARD chain with iptables, or push an ACL to the Cisco router. With all of
# them commented out the default action from jail.conf applies.
#action = mail-admin
#action = iptables-allports
#action = iptables-allports-forward
#action = cisco-acl
# cat /etc/fail2ban/filter.d/snort_filter.conf
[Definition]
# Matches Snort syslog alerts with "Priority: 1" and takes the first address
# after the "{proto}" field — presumably the alert's source — as <HOST>.
# Priority-2 alerts are a commented-out second pattern; the last line is an
# earlier, unrelated variant kept for reference.
failregex = .*snort.*Priority: 1.*} <HOST>.*
# .*snort.*Priority: 2.*} <HOST>.*
#failregex = .*Original Client IP: <HOST>.*
Уведомление по email
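# cat /etc/fail2ban/action.d/mail-admin.conf
# Notification-only action: nothing is blocked, an e-mail goes out on ban and
# on unban. Under fail2ban's configparser interpolation a literal % has to be
# written %% (hence "printf %%b"). The continuation lines of each command are
# one multi-line value and must be indented, otherwise they are parsed as
# separate keys; configparser strips the indent, so the mail body is unchanged.
[Definition]
actionban = printf %%b "Hi,\n
            Ban this <ip>
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] Ban <name> <ip>" <dest>
actionunban = printf %%b "Hi,\n
              Unban this <ip>
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] Unban <name> <ip>" <dest>
# Defaults for the tags used above. fail2ban sets <name> to the jail name;
# <dest> is a local mailbox in this lab, a full address works as well.
[Init]
name = mail-admin
dest = student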
Блокировка через iptables
# Variant of the stock iptables-allports action that bans in the FORWARD
# chain, i.e. for traffic this host routes for other machines rather than
# traffic addressed to it. Both files are copies of the stock ones with a
# single line changed; the unchanged rest is elided.
# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports-forward.conf
# cat /etc/fail2ban/action.d/iptables-allports-forward.conf
...
# include the forwarding variant of the common rules instead of iptables-common.conf
before = iptables-common-forward.conf
...
# cp /etc/fail2ban/action.d/iptables-common.conf /etc/fail2ban/action.d/iptables-common-forward.conf
# cat /etc/fail2ban/action.d/iptables-common-forward.conf
...
# the jump rule and the per-jail fail2ban chain hang off FORWARD instead of INPUT
chain = FORWARD
...
Блокировка через cisco acl
# Show the ACLs currently on the router. NOTE(review): rsh sends everything in
# clear text and authenticates by source host only; SSH is the usual
# replacement outside an isolated lab network.
server# rsh router show access-lists
# cat /root/cisco-acl-deny.sh
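#!/bin/sh
# Print one " deny ip host <addr> any" line per IPv4 address currently banned
# in the fail2ban "snort" jail, ready to be appended to an IOS extended ACL.
# Reads the "Banned IP list:" line of `fail2ban-client status snort`; the
# leading space indents the entries the way IOS shows them under
# "ip access-list extended ...".
fail2ban-client status snort | sed -n 's/^.*Banned IP list:[[:space:]]*//p' | tr -s ' ' '\n' |
while read ip
do
    test -z "$ip" && continue
    # "deny ip host" takes a dotted-quad IPv4 address only. fail2ban may also
    # list IPv6 addresses, which contain ':' (the former cut -d: parsing
    # truncated them); skip anything that is not digits and dots rather than
    # emitting a broken ACL line.
    case "$ip" in
        *[!0-9.]*) continue ;;
    esac
    echo " deny ip host $ip any"
done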
# cat /root/cisco-acl-permit.txt
permit tcp any host 192.168.X.10 eq 80
permit tcp any host 192.168.X.10 eq 22
permit icmp any 192.168.0.0 0.0.255.255
permit ip any host 172.16.1.X
permit udp any any
permit tcp any any established
deny ip any any ! log
end
# cat /root/cisco-change-firewall.sh
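#!/bin/sh
# Regenerate /srv/tftp/firewall.acl: an IOS extended ACL whose deny entries are
# the addresses currently banned by the fail2ban "snort" jail (produced by
# cisco-acl-deny.sh), followed by the static permit rules from
# cisco-acl-permit.txt. Called from action.d/cisco-acl.conf on ban and unban;
# how the ACL reaches the router is left to the commented lines at the end.
out=/srv/tftp/firewall.acl
tmp="$out.tmp.$$"
# Assemble in a temporary file and rename it into place, so a router fetching
# the ACL over TFTP can never read a half-written file.
cat > "$tmp" <<EOF
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
EOF
/root/cisco-acl-deny.sh >> "$tmp"
cat /root/cisco-acl-permit.txt >> "$tmp"
mv -f "$tmp" "$out"
# Delivery options from the exercise, left disabled. rcp copies in clear text
# with host-based trust; snmpset relies on an SNMPv2c community ("write") that
# is itself transmitted in clear text — lab-only transports.
# X is the lab-number placeholder.
#/usr/bin/rcp /srv/tftp/firewall.acl router:running-config
#/usr/bin/snmpset -c write -v2c router .1.3.6.1.4.1.9.2.1.53.192.168.X.10 string "firewall.acl"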
# cat /etc/fail2ban/action.d/cisco-acl.conf
# Rebuild the whole ACL file on every ban and unban. The script reads the
# complete current ban list itself, so <ip> is not needed here.
[Definition]
actionban = /root/cisco-change-firewall.sh
actionunban = /root/cisco-change-firewall.sh
# Variant: postpone the rewrite on unban by one minute via at(1).
# if attack from DNS
#actionunban = echo /root/cisco-change-firewall.sh | at now + 1 min
Отладка собственных фильтров
# Test a filter against a sample log before enabling it: reports which lines
# matched and which did not.
# fail2ban-regex /var/log/tmp_file.log /etc/fail2ban/filter.d/tmp_file_filter.conf
# cat action.d/tmp_file_action.conf
# Debug action that only records the detected address. NOTE(review): /tmp is
# world-writable, so keep this for the exercise; a real log belongs under
# /var/log.
[Definition]
actionban = echo "`date` f2ban detect ip: <ip>" >> /tmp/file_action.log
Дополнительные материалы
Asterisk logs only the local IP
Asterisk failregex от Владимира Блинова
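# less filter.d/asterisk.conf
# Pattern list for Asterisk's classic NOTICE/VERBOSE log messages, one regex
# per failure message. The failregex continuation lines are one multi-line
# value and must be indented. Three patterns that appeared twice in the
# original have been dropped; an identical regex matches the same lines, so
# nothing changes.
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
            NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
            NOTICE.* .*: Failed to authenticate device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device .*\;tag=.* \(<HOST>:.*\)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =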
Asterisk failregex от Стрельникова Романа
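# Fragment for the [Definition] section of an Asterisk filter: matches the
# Asterisk security log (SecurityEvent=...) instead of chan_sip NOTICE lines.
# RemoteAddress is logged as IPV4/UDP/<addr>/<port>, so the third
# slash-separated field is taken as <HOST>. Continuation lines of the
# multi-line value must be indented.
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*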