





Сервис Fail2ban

Установка

Debian/Ubuntu

# Debian/Ubuntu: install from the distribution repository; all configuration
# discussed below lives under /etc/fail2ban.
# apt install fail2ban

# cd /etc/fail2ban/

FreeBSD

# FreeBSD: the py27- prefix selects the Python 2.7 build of the port; Python 2
# is end-of-life, so check the ports tree for the current Python 3 flavour.
# pkg install py27-fail2ban

# enable the rc service; the daemon is not started until this line exists
# cat /etc/rc.conf
...
fail2ban_enable="YES"
# configuration root on FreeBSD (not /etc/fail2ban)
# cd /usr/local/etc/fail2ban/

Настройка

Debian/Ubuntu/FreeBSD

# jail.conf, jail.d/ and filter.d/ hold the shipped defaults: read them for the
# available options, but put overrides in jail.local or under jail.d/ so that
# package upgrades do not overwrite them.
# cat jail.conf

# ls jail.d/

# the filters referenced by the jails below (what each regex matches)
# cat filter.d/sshd.conf

# cat filter.d/asterisk.conf

Debian/Ubuntu

# cat jail.local
# Debian/Ubuntu overrides; jail.conf itself is left untouched.
# The sshd jail is presumably already enabled by the distribution's jail.d
# defaults, so only the retry threshold is changed here -- confirm on the target.
[sshd]
maxretry = 6

# Bans after three failed Asterisk registrations. No bantime, action or
# logpath is given, so the [DEFAULT] values from jail.conf apply.
[asterisk]
enabled = true
maxretry    = 3

FreeBSD

# cat jail.local
# FreeBSD: upstream jail.conf ships with enabled = false, so each jail is
# spelled out in full here.
# action = pf bans through a pf table; the anchor created by the action has to
# be referenced from /etc/pf.conf -- see action.d/pf.conf for the exact line.
[sshd]
enabled     = true
filter      = sshd
action      = pf
maxretry    = 6
# sshd authentication failures are syslogged to auth.log on FreeBSD -- confirm
logpath     = /var/log/auth.log

[asterisk]
# Kept disabled on purpose: whitelisting the RFC 1918 ranges would exempt every
# internal host from banning. Enable only if those networks are trusted.
# ignoreip    = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
enabled     = true
action      = pf
maxretry    = 3
# no logpath: falls back to the asterisk log path from jail.conf -- confirm it
# matches the FreeBSD install location

Запуск и отладка

Debian/Ubuntu

# re-reads jail and filter configuration; whether existing bans survive a
# reload depends on the installed version -- confirm before relying on it
# service fail2ban reload

FreeBSD

# requires fail2ban_enable="YES" in /etc/rc.conf
# service fail2ban start

Debian/Ubuntu/FreeBSD

# watch jail start-up, filter matches and Ban/Unban events live
# tail -f /var/log/fail2ban.log

Мониторинг и управление

# list of active jails
# fail2ban-client status

# per-jail view: filter counters and the currently banned addresses
# fail2ban-client status asterisk

# manual unban; the address is removed from the jail's firewall entry at once
# fail2ban-client set asterisk unbanip 172.16.1.21

# fail2ban-client status and the log are the places to verify that a ban or
# unban actually reached the firewall
# tail -f /var/log/fail2ban.log

Отладка собственных фильтров

# fail2ban-regex runs a filter against a log file and reports which lines and
# hosts matched -- the way to validate a new failregex before enabling a jail
# fail2ban-regex /var/log/tmp_file.log /etc/fail2ban/filter.d/tmp_file_filter.conf
# cat action.d/tmp_file_action.conf
# Test action: only records the matched address instead of touching the firewall.
[Definition]

# <ip> is substituted by fail2ban with the already-parsed address. The target is
# a fixed name under world-writable /tmp, so keep this for throwaway testing only.
actionban = echo "`date` f2ban detect ip: <ip>" >> /tmp/file_action.log

Интеграция fail2ban и snort

# cat jail.d/snort_jail.conf
# Bans the source of any Priority 1 Snort alert after a single hit
# (maxretry = 1) for 300 seconds. One false positive therefore blocks a host;
# tune the filter with fail2ban-regex before enabling this on a production link.
[snort]
enabled     = true
bantime     = 300
filter      = snort_filter
maxretry    = 1
# assumes Snort alerts are syslogged into auth.log -- confirm against snort's
# output configuration
logpath     = /var/log/auth.log
# Both actions are commented out, so the jail uses the action/banaction
# defaults from jail.conf. Uncomment exactly one to pick local iptables or the
# Cisco ACL rebuild.
#action      = iptables-allports
#action      = cisco-acl
# cat filter.d/snort_filter.conf
[INCLUDES]

[Definition]

# Matches Priority 1 alerts and takes the token after "} " as the host. In
# Snort's alert line that token is typically "src:port", so if <HOST> expands
# to \S+ (as older fail2ban versions do) the port is captured as well and the
# address fails to parse -- verify with fail2ban-regex against a real alert.
# The leading .* is unanchored and costly on a busy log; a more specific prefix
# is preferable. The Priority 2 variant below is intentionally disabled.
failregex = .*snort.*Priority: 1.*} <HOST>.*
#        .*snort.*Priority: 2.*} <HOST>.*

ignoreregex =

Блокировка через iptables

# fail2ban's iptables actions hook the f2b-<name> chain into INPUT; on a router
# the banned sources must also be checked on the FORWARD path, which this jump
# adds. The chain name follows the action's "name" parameter (presumably
# "default" here -- confirm). The rule is not persisted across reboots, and a
# FORWARD reference may stop fail2ban from deleting the chain on shutdown.
# iptables -A FORWARD -j f2b-default

Блокировка через cisco acl

# cat /root/cisco-acl-deny.sh
#!/bin/sh
# Emits one "deny ip host <addr> any" line for every address currently banned
# in the snort jail. cisco-change-firewall.sh appends this output to the router
# ACL, so every line printed here becomes router configuration.

# Parses the human-readable "Banned IP list:" line of fail2ban-client; that
# layout is not a stable interface and differs between versions -- confirm.
fail2ban-client status snort | grep Banned | cut -d':' -f2 | tr -s ' ' | tr " " "\n" |
while read ip
do
        # skip the empty field produced by the leading whitespace
        test -z "$ip" && continue
        # $ip is unquoted and spliced into router config; this is only safe
        # because fail2ban has already parsed it as an address.
        echo deny ip host $ip any
done
# cat /root/cisco-acl-permit.txt
 permit tcp any host 192.168.X.10 eq 80
 permit tcp any host 192.168.X.10 eq 22
 permit icmp any 192.168.X.0 0.0.0.255
 permit ip any host 172.16.1.X
 permit udp any any
 permit tcp any any established
 deny   ip any any log
# cat /root/cisco-change-firewall.sh
#!/bin/sh
# Rebuilds ACL_FIREWALL on the router: deny entries for the currently banned
# addresses first, then the static permit list, then the closing deny.

# The list is deleted and recreated in one push. On IOS an interface bound to
# a nonexistent ACL passes all traffic, so the router may be briefly fail-open
# while the new list is applied -- confirm on the platform in use.
cat > /root/firewall.acl <<EOF
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
EOF

# deny lines for the banned hosts
/root/cisco-acl-deny.sh >> /root/firewall.acl

# static rules; the file ends with "deny ip any any log"
cat /root/cisco-acl-permit.txt >> /root/firewall.acl

echo end >> /root/firewall.acl

# rcp is cleartext and authenticates by host trust (rcmd) on the router; scp
# over ssh is the safer transport. The copy merges into running-config only --
# nothing here saves it to startup-config.
/usr/bin/rcp /root/firewall.acl router:running-config
# cat /etc/fail2ban/action.d/cisco-acl.conf
# Pushes a full ACL rebuild whenever a ban fires. Only actionban is defined:
# when a ban expires or is lifted with unbanip nothing runs, so the deny line
# stays on the router until the next ban triggers another rebuild. Adding
# "actionunban = /root/cisco-change-firewall.sh" closes that gap.
[Definition]

actionban = /root/cisco-change-firewall.sh

Интеграция fail2ban и cisco log

# cat /etc/fail2ban/jail.d/cisco-change-config.conf
# Not a real ban: the jail is used as a trigger. Every "Configured from console"
# message from a router (maxretry = 1) runs the backup action; the 30 s bantime
# only lets the same device fire again shortly afterwards.
[cisco-change-config]
enabled  = true
maxretry = 1
bantime  = 30
filter   = cisco-change-config
# syslog destination for the routers' messages -- confirm the syslog rule
logpath  = /var/log/cisco.log
action   = cisco-backup-config
# cat /etc/fail2ban/filter.d/cisco-change-config.conf
[INCLUDES]

[Definition]

# <HOST> is the first token after the stripped timestamp, i.e. the router that
# sent the syslog message, not the operator who made the change. The action
# therefore receives the router's address as <ip>.
failregex = <HOST>.*Configured from console.*
# cat /etc/fail2ban/action.d/cisco-backup-config.conf
[Definition]

# Pulls the running-config of the router that logged the change.
# The password is stored in clear text here and "sshpass -p" also exposes it
# on the command line of every run (visible in the process list to any local
# user); key-based authentication, or at least sshpass -f with a root-only
# file, avoids that. /srv/tftp looks like a TFTP root: if it is served, the
# saved configs and the secrets inside them are reachable over the network -- confirm.
actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config

Дополнительные материалы

Asterisk logs only the local IP

Asterisk failregex от Владимира Блинова

# less filter.d/asterisk.conf
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Covers chan_sip NOTICE lines (registration, MD5 and fake-auth failures) and
# one VERBOSE line for unknown peers. Continuation lines must stay indented;
# the mixed 8/12-space indent below is accepted as long as it is deeper than
# the key. Several patterns are listed twice (No matching peer found, Device
# does not match ACL, fake auth rejection) -- harmless, but each duplicate is
# one more regex evaluated per log line.
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
        NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\)
        NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
        NOTICE.* .*: Failed to authenticate device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device .*\;tag=.* \(<HOST>:.*\)


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Asterisk failregex от Стрельникова Романа

# Variant for Asterisk's security log (the SECURITY channel enabled in
# logger.conf): matches failed-ACL, unknown-account, challenge and password
# failures. RemoteAddress presumably has the form "IPV4/UDP/<addr>/<port>",
# hence the two lazy fields before <HOST>. The jail's logpath must point at
# that security log rather than the messages log -- confirm.
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*