Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Last revision Both sides next revision
сервис_fail2ban [2019/08/30 15:08]
val [Блокировка через cisco acl] 		сервис_fail2ban [2022/12/05 07:20]
val [Настройка]
Line 2: Line 2:
  
   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]
 +  * [[https://​forum.yunohost.org/​t/​fail2ban-high-cpu-usage/​2439|Fail2ban high CPU usage]]
 ===== Установка ===== ===== Установка =====
- 
-==== Debian/​Ubuntu ==== 
  
   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]
  
 <​code>​ <​code>​
-# apt install ​fail2ban+debian11# apt install ​iptables
  
-cd /​etc/​fail2ban/​ +apt install fail2ban
-</​code>​ +
- +
-==== FreeBSD ==== +
-<​code>​ +
-# pkg install ​py27-fail2ban +
- +
-# cat /​etc/​rc.conf +
-</​code><​code>​ +
-... +
-fail2ban_enable="​YES"​ +
-</​code><​code>​ +
-# cd /​usr/​local/​etc/​fail2ban/+
 </​code>​ </​code>​
  
 ===== Настройка ===== ===== Настройка =====
- 
-==== Debian/​Ubuntu/​FreeBSD ==== 
  
 <​code>​ <​code>​
-# cat jail.conf+# cat /​etc/​fail2ban/​jail.conf
  
-# ls jail.d/+# ls /​etc/​fail2ban/​jail.d/
  
-# cat filter.d/sshd.conf+# cat /​etc/​fail2ban/​jail.d/defaults-debian.conf
  
-# cat filter.d/asterisk.conf +# cat /​etc/​fail2ban/​filter.d/sshd.conf
-</​code>​+
  
-==== Debian/Ubuntu ==== +# cat /etc/​fail2ban/​filter.d/​asterisk.conf 
-<​code>​ +</​code>​<​code>​ 
-# cat jail.local+# cat /​etc/​fail2ban/​jail.local
 </​code><​code>​ </​code><​code>​
 [sshd] [sshd]
Line 49: Line 33:
 [asterisk] [asterisk]
 enabled = true enabled = true
-maxretry ​   = 3 +maxretry = 3 
-</​code>​ +#​bantime ​30d 
- +#action = iptables-allports[blocktype=DROP
-==== FreeBSD ===+#action = route[blocktype=blackhole]
- +
-  * Настройка PF ([[Сервис Firewall#Конфигурация для защиты от bruteforce]]) +
- +
-<​code>​ +
-# cat jail.local +
-</​code><​code>​ +
-[sshd] +
-enabled ​    = true +
-filter ​     = sshd +
-action ​     pf +
-maxretry ​   ​+
-logpath ​    = /​var/​log/​auth.log +
- +
-[asterisk+
-ignoreip ​   = 10.0.0.0/8 172.16.0.0/​12 192.168.0.0/​16 +
-enabled ​    = true +
-action ​     pf +
-maxretry ​   ​3+
 </​code>​ </​code>​
  
 ===== Запуск и отладка ===== ===== Запуск и отладка =====
- 
-==== Debian/​Ubuntu ==== 
  
 <​code>​ <​code>​
 # service fail2ban reload # service fail2ban reload
-</​code>​ +</​code><​code>​
- +
-==== FreeBSD ==== +
-<​code>​ +
-# service fail2ban start +
-</​code>​ +
- +
-==== Debian/​Ubuntu/​FreeBSD ==== +
-<​code>​+
 # tail -f /​var/​log/​fail2ban.log # tail -f /​var/​log/​fail2ban.log
 </​code>​ </​code>​
Line 97: Line 53:
 # fail2ban-client status asterisk # fail2ban-client status asterisk
  
-# fail2ban-client set asterisk unbanip 172.16.1.21+# fail2ban-client set asterisk unbanip 172.16.1.150
  
 # tail -f /​var/​log/​fail2ban.log # tail -f /​var/​log/​fail2ban.log
 </​code>​ </​code>​
  
-===== Отладка собственных ​фильтров =====+===== Интеграция fail2ban и cisco log ===== 
 + 
 +  * Резервное ​копирование конфигурации
  
 <​code>​ <​code>​
-fail2ban-regex /​var/​log/​tmp_file.log ​/​etc/​fail2ban/​filter.d/tmp_file_filter.conf+cat /​etc/​fail2ban/​jail.d/cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
-# cat action.d/tmp_file_action.conf+[cisco-change-config] 
 +enabled ​ = true 
 +maxretry = 1 
 +bantime ​ = 30 
 +filter ​  = cisco-change-config 
 +logpath ​ = /​var/​log/​cisco.log 
 +action ​  = cisco-backup-config 
 +</​code><​code>​ 
 +# cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf 
 +</​code><​code>​ 
 +[Definition] 
 + 
 +failregex = <​HOST>​.*Configured from.* 
 +</​code><​code>​ 
 +# cat /​etc/​fail2ban/​action.d/cisco-backup-config.conf
 </​code><​code>​ </​code><​code>​
 [Definition] [Definition]
  
-actionban = echo "​`date` f2ban detect ​ip: <ip>" >> ​/tmp/file_action.log+actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <ip>:running-config /srv/tftp/<ip>-running-config 
 +            cd /​srv/​tftp/​ 
 +            /​usr/​bin/​git add * 
 +            /​usr/​bin/​git --no-optional-locks status | grep '​modified\|deleted\|new file' | /usr/bin/git commit -a -F -
 </​code>​ </​code>​
- 
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
  
Line 119: Line 93:
  
 <​code>​ <​code>​
-# cat jail.d/​snort_jail.conf+# cat /​etc/​fail2ban/​jail.d/​snort_jail.conf
 </​code><​code>​ </​code><​code>​
 [snort] [snort]
Line 125: Line 99:
 bantime ​    = 300 bantime ​    = 300
 filter ​     = snort_filter filter ​     = snort_filter
-maxretry ​   = 1+maxretry ​   = 3
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
-#​action ​     = iptables-allports+#​action ​     = mail-admin 
 +#​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
 </​code><​code>​ </​code><​code>​
-# cat filter.d/​snort_filter.conf+# cat /​etc/​fail2ban/​filter.d/​snort_filter.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
 failregex = .*snort.*Priority:​ 1.*} <​HOST>​.* failregex = .*snort.*Priority:​ 1.*} <​HOST>​.*
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
 +</​code>​
  
-ignoreregex ​=+==== Уведомление по email ==== 
 +<​code>​ 
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf 
 +</​code><​code>​ 
 +[Definition] 
 + 
 +actionban = printf %%b "​Hi,​\n 
 +            Ban this <​ip>​ 
 +            Regards,​\n 
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​ 
 + 
 +actionunban = printf %%b "​Hi,​\n 
 +            Unban this <​ip>​ 
 +            Regards,​\n 
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​ 
 + 
 +[Init] 
 + 
 +name = mail-admin 
 + 
 +dest = student
 </​code>​ </​code>​
  
Line 145: Line 139:
  
 <​code>​ <​code>​
-# iptables -A FORWARD ​-j f2b-default+cp /​etc/​fail2ban/​action.d/​iptables-allports.conf /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 +</​code><​code>​ 
 +... 
 +before = iptables-common-forward.conf 
 +... 
 +</​code><​code>​ 
 +# cp /​etc/​fail2ban/​action.d/​iptables-common.conf /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 +</​code><​code>​ 
 +... 
 +chain = FORWARD  
 +...
 </​code>​ </​code>​
  
Line 151: Line 159:
  
 <​code>​ <​code>​
 +server# rsh router show access-lists
 +</​code><​code>​
 # cat /​root/​cisco-acl-deny.sh # cat /​root/​cisco-acl-deny.sh
 </​code><​code>​ </​code><​code>​
Line 166: Line 176:
  ​permit tcp any host 192.168.X.10 eq 80  ​permit tcp any host 192.168.X.10 eq 80
  ​permit tcp any host 192.168.X.10 eq 22  ​permit tcp any host 192.168.X.10 eq 22
- ​permit icmp any 192.168.X.0 0.0.0.255+ ​permit icmp any 192.168.0.0 0.0.255.255
  ​permit ip any host 172.16.1.X  ​permit ip any host 172.16.1.X
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log 
 +end
 </​code><​code>​ </​code><​code>​
 # cat /​root/​cisco-change-firewall.sh # cat /​root/​cisco-change-firewall.sh
Line 184: Line 195:
  
 cat /​root/​cisco-acl-permit.txt >> /​root/​firewall.acl cat /​root/​cisco-acl-permit.txt >> /​root/​firewall.acl
- 
-echo end >> /​root/​firewall.acl 
  
 /​usr/​bin/​rcp /​root/​firewall.acl router:​running-config /​usr/​bin/​rcp /​root/​firewall.acl router:​running-config
Line 194: Line 203:
  
 actionban = /​root/​cisco-change-firewall.sh actionban = /​root/​cisco-change-firewall.sh
 +
 +actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
-===== Интеграция fail2ban и cisco log =====+===== Отладка собственных фильтров ​===== 
 <​code>​ <​code>​
-cat /​etc/​fail2ban/​jail.d/cisco-change-config.conf+fail2ban-regex /​var/​log/​tmp_file.log ​/​etc/​fail2ban/​filter.d/tmp_file_filter.conf
 </​code><​code>​ </​code><​code>​
-[cisco-change-config] +# cat action.d/tmp_file_action.conf
-enabled ​ = true +
-maxretry = 1 +
-bantime ​ = 30 +
-filter ​  = cisco-change-config +
-logpath ​ = /var/​log/​cisco.log +
-action ​  = cisco-backup-config+
 </​code><​code>​ </​code><​code>​
-# cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf 
-</​code><​code>​ 
-[INCLUDES] 
- 
 [Definition] [Definition]
  
-failregex ​= <HOST>.*Configured from console.* +actionban ​echo "​`date` f2ban detect ip: <ip>" ​>> /tmp/file_action.log 
-</code><code> +</​code>​
-# cat /etc/fail2ban/​action.d/​cisco-backup-config.conf +
-</​code>​<​code>​ +
-[Definition]+
  
-actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <​ip>:​running-config /​srv/​tftp/<​ip>​-running-config 
-</​code>​ 
 ===== Дополнительные материалы ===== ===== Дополнительные материалы =====
  
сервис_fail2ban.txt · Last modified: 2023/12/20 07:18 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki