Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Last revision Both sides next revision
сервис_fail2ban [2020/02/27 09:37]
val 		сервис_fail2ban [2022/12/05 07:20]
val [Настройка]
Line 2: Line 2:
  
   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]
 +  * [[https://​forum.yunohost.org/​t/​fail2ban-high-cpu-usage/​2439|Fail2ban high CPU usage]]
 ===== Установка ===== ===== Установка =====
- 
-==== Debian/​Ubuntu ==== 
  
   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]
  
 <​code>​ <​code>​
 +debian11# apt install iptables
 +
 # apt install fail2ban # apt install fail2ban
- 
-# cd /​etc/​fail2ban/​ 
-</​code>​ 
- 
-==== FreeBSD ==== 
-<​code>​ 
-# pkg install py27-fail2ban 
- 
-# cat /​etc/​rc.conf 
-</​code><​code>​ 
-... 
-fail2ban_enable="​YES"​ 
-</​code><​code>​ 
-# cd /​usr/​local/​etc/​fail2ban/​ 
 </​code>​ </​code>​
  
 ===== Настройка ===== ===== Настройка =====
- 
-==== Debian/​Ubuntu/​FreeBSD ==== 
  
 <​code>​ <​code>​
-# cat jail.conf+# cat /​etc/​fail2ban/​jail.conf
  
-# ls jail.d/+# ls /​etc/​fail2ban/​jail.d/
  
-# cat filter.d/sshd.conf+# cat /​etc/​fail2ban/​jail.d/defaults-debian.conf
  
-# cat filter.d/asterisk.conf +# cat /​etc/​fail2ban/​filter.d/sshd.conf
-</​code>​+
  
-==== Debian/Ubuntu ==== +# cat /etc/​fail2ban/​filter.d/​asterisk.conf 
-<​code>​ +</​code>​<​code>​ 
-# cat jail.local+# cat /​etc/​fail2ban/​jail.local
 </​code><​code>​ </​code><​code>​
 [sshd] [sshd]
Line 49: Line 33:
 [asterisk] [asterisk]
 enabled = true enabled = true
-maxretry ​   = 3 +maxretry = 3 
-</​code>​ +#​bantime ​30d 
- +#action = iptables-allports[blocktype=DROP
-==== FreeBSD ===+#action = route[blocktype=blackhole]
- +
-  * Настройка PF ([[Сервис Firewall#Конфигурация для защиты от bruteforce]]) +
- +
-<​code>​ +
-# cat jail.local +
-</​code><​code>​ +
-[sshd] +
-enabled ​    = true +
-filter ​     = sshd +
-action ​     pf +
-maxretry ​   ​+
-logpath ​    = /​var/​log/​auth.log +
- +
-[asterisk+
-ignoreip ​   = 10.0.0.0/8 172.16.0.0/​12 192.168.0.0/​16 +
-enabled ​    = true +
-action ​     pf +
-maxretry ​   ​3+
 </​code>​ </​code>​
  
 ===== Запуск и отладка ===== ===== Запуск и отладка =====
- 
-==== Debian/​Ubuntu ==== 
  
 <​code>​ <​code>​
 # service fail2ban reload # service fail2ban reload
-</​code>​ +</​code><​code>​
- +
-==== FreeBSD ==== +
-<​code>​ +
-# service fail2ban start +
-</​code>​ +
- +
-==== Debian/​Ubuntu/​FreeBSD ==== +
-<​code>​+
 # tail -f /​var/​log/​fail2ban.log # tail -f /​var/​log/​fail2ban.log
 </​code>​ </​code>​
Line 103: Line 59:
  
 ===== Интеграция fail2ban и cisco log ===== ===== Интеграция fail2ban и cisco log =====
 +
 +  * Резервное копирование конфигурации
 +
 <​code>​ <​code>​
 # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf
Line 116: Line 75:
 # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
-failregex = <​HOST>​.*Configured from console.*+failregex = <​HOST>​.*Configured from.*
 </​code><​code>​ </​code><​code>​
 # cat /​etc/​fail2ban/​action.d/​cisco-backup-config.conf # cat /​etc/​fail2ban/​action.d/​cisco-backup-config.conf
Line 127: Line 84:
  
 actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <​ip>:​running-config /​srv/​tftp/<​ip>​-running-config actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <​ip>:​running-config /​srv/​tftp/<​ip>​-running-config
 +            cd /srv/tftp/
 +            /​usr/​bin/​git add *
 +            /​usr/​bin/​git --no-optional-locks status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -
 </​code>​ </​code>​
- 
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
  
Line 134: Line 93:
  
 <​code>​ <​code>​
-# cat jail.d/​snort_jail.conf+# cat /​etc/​fail2ban/​jail.d/​snort_jail.conf
 </​code><​code>​ </​code><​code>​
 [snort] [snort]
Line 140: Line 99:
 bantime ​    = 300 bantime ​    = 300
 filter ​     = snort_filter filter ​     = snort_filter
-maxretry ​   = 1+maxretry ​   = 3
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
-#​action ​     = iptables-allports+#​action ​     = mail-admin 
 +#​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
 </​code><​code>​ </​code><​code>​
-# cat filter.d/​snort_filter.conf+# cat /​etc/​fail2ban/​filter.d/​snort_filter.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
 failregex = .*snort.*Priority:​ 1.*} <​HOST>​.* failregex = .*snort.*Priority:​ 1.*} <​HOST>​.*
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
 +</​code>​
  
-ignoreregex ​=+==== Уведомление по email ==== 
 +<​code>​ 
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf 
 +</​code><​code>​ 
 +[Definition] 
 + 
 +actionban = printf %%b "​Hi,​\n 
 +            Ban this <​ip>​ 
 +            Regards,​\n 
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​ 
 + 
 +actionunban = printf %%b "​Hi,​\n 
 +            Unban this <​ip>​ 
 +            Regards,​\n 
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​ 
 + 
 +[Init] 
 + 
 +name = mail-admin 
 + 
 +dest = student
 </​code>​ </​code>​
  
Line 160: Line 139:
  
 <​code>​ <​code>​
-# iptables -A FORWARD ​-j f2b-default+cp /​etc/​fail2ban/​action.d/​iptables-allports.conf /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 +</​code><​code>​ 
 +... 
 +before = iptables-common-forward.conf 
 +... 
 +</​code><​code>​ 
 +# cp /​etc/​fail2ban/​action.d/​iptables-common.conf /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 +</​code><​code>​ 
 +... 
 +chain = FORWARD  
 +...
 </​code>​ </​code>​
  
Line 166: Line 159:
  
 <​code>​ <​code>​
 +server# rsh router show access-lists
 +</​code><​code>​
 # cat /​root/​cisco-acl-deny.sh # cat /​root/​cisco-acl-deny.sh
 </​code><​code>​ </​code><​code>​
Line 181: Line 176:
  ​permit tcp any host 192.168.X.10 eq 80  ​permit tcp any host 192.168.X.10 eq 80
  ​permit tcp any host 192.168.X.10 eq 22  ​permit tcp any host 192.168.X.10 eq 22
- ​permit icmp any 192.168.X.0 0.0.0.255+ ​permit icmp any 192.168.0.0 0.0.255.255
  ​permit ip any host 172.16.1.X  ​permit ip any host 172.16.1.X
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log
 end end
 </​code><​code>​ </​code><​code>​
Line 210: Line 205:
  
 actionunban = /​root/​cisco-change-firewall.sh actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
сервис_fail2ban.txt · Last modified: 2023/12/20 07:18 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki