Differences

This shows you the differences between two versions of the page.

--- сервис_fail2ban [2019/08/30 08:16]
val [Интеграция fail2ban и snort]
+++ сервис_fail2ban [2022/12/05 07:20]
val [Настройка]
@@ Line 2: / Line 2: @@
   * [[https://thefragens.com/2010/11/checking-fail2ban-regex/|Checking Fail2ban regex]]
+  * [[https://forum.yunohost.org/t/fail2ban-high-cpu-usage/2439|Fail2ban high CPU usage]]
 ===== Установка =====
-==== Debian/Ubuntu ====
   * [[https://help.ubuntu.com/community/Fail2ban|Fail2ban]]
 <code>
+debian11# apt install iptables
 # apt install fail2ban
-# cd /etc/fail2ban/
-</code>
-==== FreeBSD ====
-<code>
-# pkg install py27-fail2ban
-# cat /etc/rc.conf
-</code><code>
-...
-fail2ban_enable="YES"
-</code><code>
-# cd /usr/local/etc/fail2ban/
 </code>
 ===== Настройка =====
-==== Debian/Ubuntu/FreeBSD ====
 <code>
-# cat jail.conf
+# cat /etc/fail2ban/jail.conf
-# ls jail.d/
+# ls /etc/fail2ban/jail.d/
-# cat filter.d/sshd.conf
+# cat /etc/fail2ban/jail.d/defaults-debian.conf
-# cat filter.d/asterisk.conf
+# cat /etc/fail2ban/filter.d/sshd.conf
-</code>
-==== Debian/Ubuntu ====
+# cat /etc/fail2ban/filter.d/asterisk.conf
-<code>
+</code><code>
-# cat jail.local
+# cat /etc/fail2ban/jail.local
 </code><code>
 [sshd]
@@ Line 49: / Line 33: @@
 [asterisk]
 enabled = true
-maxretry    = 3
+maxretry = 3
-</code>
+#bantime = 30d
+#action = iptables-allports[blocktype=DROP]
-==== FreeBSD ====
+#action = route[blocktype=blackhole]
-  * Настройка PF ([[Сервис Firewall#Конфигурация для защиты от bruteforce]])
-<code>
-# cat jail.local
-</code><code>
-[sshd]
-enabled     = true
-filter      = sshd
-action      = pf
-maxretry    = 6
-logpath     = /var/log/auth.log
-[asterisk]
-# ignoreip    = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
-enabled     = true
-action      = pf
-maxretry    = 3
 </code>
 ===== Запуск и отладка =====
-==== Debian/Ubuntu ====
 <code>
 # service fail2ban reload
-</code>
+</code><code>
-==== FreeBSD ====
-<code>
-# service fail2ban start
-</code>
-==== Debian/Ubuntu/FreeBSD ====
-<code>
 # tail -f /var/log/fail2ban.log
 </code>
@@ Line 97: / Line 53: @@
 # fail2ban-client status asterisk
-# fail2ban-client set asterisk unbanip 172.16.1.21
+# fail2ban-client set asterisk unbanip 172.16.1.150
 # tail -f /var/log/fail2ban.log
 </code>
+===== Интеграция fail2ban и cisco log =====
+  * Резервное копирование конфигурации
+<code>
+# cat /etc/fail2ban/jail.d/cisco-change-config.conf
+</code><code>
+[cisco-change-config]
+enabled  = true
+maxretry = 1
+bantime  = 30
+filter   = cisco-change-config
+logpath  = /var/log/cisco.log
+action   = cisco-backup-config
+</code><code>
+# cat /etc/fail2ban/filter.d/cisco-change-config.conf
+</code><code>
+[Definition]
+failregex = <HOST>.*Configured from.*
+</code><code>
+# cat /etc/fail2ban/action.d/cisco-backup-config.conf
+</code><code>
+[Definition]
+actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config
+            cd /srv/tftp/
+            /usr/bin/git add *
+            /usr/bin/git --no-optional-locks status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F -
+</code>
 ===== Интеграция fail2ban и snort =====
@@ Line 107: / Line 93: @@
 <code>
-# cat jail.d/snort_jail.conf
+# cat /etc/fail2ban/jail.d/snort_jail.conf
 </code><code>
 [snort]
 enabled     = true
-bantime     = 30
+bantime     = 300
 filter      = snort_filter
 maxretry    = 3
 logpath     = /var/log/auth.log
-#action      = tmp_file_action
+#action      = mail-admin
-#action      = iptables-allports
+#action      = iptables-allports-forward
+#action      = cisco-acl
 </code><code>
-# cat filter.d/snort_filter.conf
+# cat /etc/fail2ban/filter.d/snort_filter.conf
 </code><code>
-[INCLUDES]
 [Definition]
 failregex = .*snort.*Priority: 1.*} <HOST>.*
 #        .*snort.*Priority: 2.*} <HOST>.*
+</code>
-ignoreregex =
+==== Уведомление по email ====
+<code>
+# cat /etc/fail2ban/action.d/mail-admin.conf
 </code><code>
-# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/snort_filter.conf
+[Definition]
+actionban = printf %%b "Hi,\n
+            Ban this <ip>
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] Ban <name> <ip>" <dest>
+actionunban = printf %%b "Hi,\n
+            Unban this <ip>
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] Unban <name> <ip>" <dest>
+[Init]
+name = mail-admin
+dest = student
+</code>
+==== Блокировка через iptables ====
+<code>
+# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports-forward.conf
+# cat /etc/fail2ban/action.d/iptables-allports-forward.conf
 </code><code>
-# cat action.d/tmp_file_action.conf
+...
+before = iptables-common-forward.conf
+...
 </code><code>
-[Definition]
+# cp /etc/fail2ban/action.d/iptables-common.conf /etc/fail2ban/action.d/iptables-common-forward.conf
-actionban = echo "`date` f2ban detect ip: <ip>" >> /tmp/file_action.log
+# cat /etc/fail2ban/action.d/iptables-common-forward.conf
 </code><code>
-# iptables -A FORWARD -j f2b-default
+...
+chain = FORWARD
+...
 </code>
-===== Интеграция fail2ban и cisco =====
+==== Блокировка через cisco acl ====
 <code>
-# cat /etc/fail2ban/jail.d/cisco-change-config.conf
+server# rsh router show access-lists
 </code><code>
-[cisco-change-config]
+# cat /root/cisco-acl-deny.sh
-enabled  = true
-maxretry = 1
-bantime  = 30
-filter   = cisco-change-config
-logpath  = /var/log/cisco.log
-action   = cisco-backup-config
 </code><code>
-# cat /etc/fail2ban/filter.d/cisco-change-config.conf
+#!/bin/sh
+fail2ban-client status snort | grep Banned | cut -d':' -f2 | tr -s ' ' | tr " " "\n" |
+while read ip
+do
+        test -z "$ip" && continue
+        echo " deny ip host $ip any"
+done
+</code><code>
+# cat /root/cisco-acl-permit.txt
+</code><code>
+ permit tcp any host 192.168.X.10 eq 80
+ permit tcp any host 192.168.X.10 eq 22
+ permit icmp any 192.168.0.0 0.0.255.255
+ permit ip any host 172.16.1.X
+ permit udp any any
+ permit tcp any any established
+ deny   ip any any ! log
+end
+</code><code>
+# cat /root/cisco-change-firewall.sh
 </code><code>
-[INCLUDES]
+#!/bin/sh
+cat > /root/firewall.acl <<EOF
+no ip access-list extended ACL_FIREWALL
+ip access-list extended ACL_FIREWALL
+EOF
+/root/cisco-acl-deny.sh >> /root/firewall.acl
+cat /root/cisco-acl-permit.txt >> /root/firewall.acl
+/usr/bin/rcp /root/firewall.acl router:running-config
+</code><code>
+# cat /etc/fail2ban/action.d/cisco-acl.conf
+</code><code>
 [Definition]
-failregex = <HOST>.*Configured from console.*
+actionban = /root/cisco-change-firewall.sh
+actionunban = /root/cisco-change-firewall.sh
+# if atack from DNS)
+#actionunban = echo /root/cisco-change-firewall.sh | at now + 1 min
+</code>
+===== Отладка собственных фильтров =====
+<code>
+# fail2ban-regex /var/log/tmp_file.log /etc/fail2ban/filter.d/tmp_file_filter.conf
 </code><code>
-# cat /etc/fail2ban/action.d/cisco-backup-config.conf
+# cat action.d/tmp_file_action.conf
 </code><code>
 [Definition]
-actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config
+actionban = echo "`date` f2ban detect ip: <ip>" >> /tmp/file_action.log
 </code>
 ===== Дополнительные материалы =====

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools