User Tools

Site Tools


сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
сервис_fail2ban [2020/02/27 15:25]
val [Интеграция fail2ban и cisco log]
сервис_fail2ban [2023/12/20 07:18] (current)
val [Настройка]
Line 2: Line 2:
  
   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]
 +  * [[https://​forum.yunohost.org/​t/​fail2ban-high-cpu-usage/​2439|Fail2ban high CPU usage]]
 ===== Установка ===== ===== Установка =====
  
Line 7: Line 8:
  
 <​code>​ <​code>​
-# apt install ​fail2ban+debian11# apt install ​iptables
  
-cd /etc/fail2ban/+apt install ​fail2ban
 </​code>​ </​code>​
  
Line 15: Line 16:
  
 <​code>​ <​code>​
-# cat jail.conf+# cat /​etc/​fail2ban/​jail.conf 
 + 
 +# ls /​etc/​fail2ban/​jail.d/​
  
-ls jail.d/+cat /​etc/​fail2ban/​jail.d/defaults-debian.conf
  
-# cat filter.d/​sshd.conf+# cat /​etc/​fail2ban/​filter.d/​sshd.conf
  
-# cat filter.d/​asterisk.conf+# cat /​etc/​fail2ban/​filter.d/​asterisk.conf
 </​code><​code>​ </​code><​code>​
-# cat jail.local+# cat /​etc/​fail2ban/​jail.local
 </​code><​code>​ </​code><​code>​
 [sshd] [sshd]
 maxretry = 6 maxretry = 6
 +#ignoreip = 192.168.X.0/​24 192.168.100+X.0/​24
  
 [asterisk] [asterisk]
 enabled = true enabled = true
-maxretry ​   = 3+maxretry = 3 
 +#bantime = 30d 
 +#action = iptables-allports[blocktype=DROP] 
 +#action = route[blocktype=blackhole]
 </​code>​ </​code>​
  
Line 53: Line 60:
  
 ===== Интеграция fail2ban и cisco log ===== ===== Интеграция fail2ban и cisco log =====
 +
 +  * Резервное копирование конфигурации
 +
 <​code>​ <​code>​
 # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf
Line 66: Line 76:
 # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
-failregex = <​HOST>​.*Configured from console.*+failregex = <​HOST>​.*Configured from.*
 </​code><​code>​ </​code><​code>​
 # cat /​etc/​fail2ban/​action.d/​cisco-backup-config.conf # cat /​etc/​fail2ban/​action.d/​cisco-backup-config.conf
Line 77: Line 85:
  
 actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <​ip>:​running-config /​srv/​tftp/<​ip>​-running-config actionban = /​usr/​bin/​sshpass -p cisco /​usr/​bin/​scp <​ip>:​running-config /​srv/​tftp/<​ip>​-running-config
- +            ​cd /​srv/​tftp/​ 
-cd /​srv/​tftp/​ +            /​usr/​bin/​git add * 
-git add * +            /​usr/​bin/​git --no-optional-locks status | grep 'modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -
-git commit ​--m `date '+%Y-%m-%d_%H:%M:%S'`+
 </​code>​ </​code>​
- 
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
  
Line 88: Line 94:
  
 <​code>​ <​code>​
-# cat jail.d/​snort_jail.conf+# cat /​etc/​fail2ban/​jail.d/​snort_jail.conf
 </​code><​code>​ </​code><​code>​
 [snort] [snort]
Line 94: Line 100:
 bantime ​    = 300 bantime ​    = 300
 filter ​     = snort_filter filter ​     = snort_filter
-maxretry ​   = 1+maxretry ​   = 3
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
-#​action ​     = iptables-allports+#​action ​     = mail-admin 
 +#​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
 </​code><​code>​ </​code><​code>​
-# cat filter.d/​snort_filter.conf+# cat /​etc/​fail2ban/​filter.d/​snort_filter.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
 failregex = .*snort.*Priority:​ 1.*} <​HOST>​.* failregex = .*snort.*Priority:​ 1.*} <​HOST>​.*
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
 +</​code>​
 +
 +==== Уведомление по email ====
 +<​code>​
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf
 +</​code><​code>​
 +[Definition]
 +
 +actionban = printf %%b "Hi,\n
 +            Ban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​
 +
 +actionunban = printf %%b "Hi,\n
 +            Unban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​
 +
 +[Init]
 +
 +name = mail-admin
  
-ignoreregex ​=+dest student
 </​code>​ </​code>​
  
Line 114: Line 140:
  
 <​code>​ <​code>​
-# iptables -A FORWARD ​-j f2b-default+cp /​etc/​fail2ban/​action.d/​iptables-allports.conf /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 +</​code><​code>​ 
 +... 
 +before = iptables-common-forward.conf 
 +... 
 +</​code><​code>​ 
 +# cp /​etc/​fail2ban/​action.d/​iptables-common.conf /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 +</​code><​code>​ 
 +... 
 +chain = FORWARD  
 +...
 </​code>​ </​code>​
  
Line 120: Line 160:
  
 <​code>​ <​code>​
 +server# rsh router show access-lists
 +</​code><​code>​
 # cat /​root/​cisco-acl-deny.sh # cat /​root/​cisco-acl-deny.sh
 </​code><​code>​ </​code><​code>​
Line 135: Line 177:
  ​permit tcp any host 192.168.X.10 eq 80  ​permit tcp any host 192.168.X.10 eq 80
  ​permit tcp any host 192.168.X.10 eq 22  ​permit tcp any host 192.168.X.10 eq 22
- ​permit icmp any 192.168.X.0 0.0.0.255+ ​permit icmp any 192.168.0.0 0.0.255.255
  ​permit ip any host 172.16.1.X  ​permit ip any host 172.16.1.X
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log
 end end
 </​code><​code>​ </​code><​code>​
Line 164: Line 206:
  
 actionunban = /​root/​cisco-change-firewall.sh actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
сервис_fail2ban.1582806306.txt.gz · Last modified: 2020/02/27 15:25 by val