User Tools

Site Tools


сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
сервис_fail2ban [2020/07/22 20:20]
val
сервис_fail2ban [2023/12/20 07:18] (current)
val [Настройка]
Line 2: Line 2:
  
   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]
 +  * [[https://​forum.yunohost.org/​t/​fail2ban-high-cpu-usage/​2439|Fail2ban high CPU usage]]
 ===== Установка ===== ===== Установка =====
  
Line 7: Line 8:
  
 <​code>​ <​code>​
 +debian11# apt install iptables
 +
 # apt install fail2ban # apt install fail2ban
 </​code>​ </​code>​
Line 16: Line 19:
  
 # ls /​etc/​fail2ban/​jail.d/​ # ls /​etc/​fail2ban/​jail.d/​
 +
 +# cat /​etc/​fail2ban/​jail.d/​defaults-debian.conf
  
 # cat /​etc/​fail2ban/​filter.d/​sshd.conf # cat /​etc/​fail2ban/​filter.d/​sshd.conf
Line 25: Line 30:
 [sshd] [sshd]
 maxretry = 6 maxretry = 6
 +#ignoreip = 192.168.X.0/​24 192.168.100+X.0/​24
  
 [asterisk] [asterisk]
 enabled = true enabled = true
 maxretry = 3 maxretry = 3
 +#bantime = 30d
 +#action = iptables-allports[blocktype=DROP]
 +#action = route[blocktype=blackhole]
 </​code>​ </​code>​
  
Line 51: Line 60:
  
 ===== Интеграция fail2ban и cisco log ===== ===== Интеграция fail2ban и cisco log =====
 +
 +  * Резервное копирование конфигурации
 +
 <​code>​ <​code>​
 # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf
Line 64: Line 76:
 # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
Line 77: Line 87:
             cd /srv/tftp/             cd /srv/tftp/
             /​usr/​bin/​git add *             /​usr/​bin/​git add *
-            /​usr/​bin/​git status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -+            /​usr/​bin/​git ​--no-optional-locks ​status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -
 </​code>​ </​code>​
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
Line 90: Line 100:
 bantime ​    = 300 bantime ​    = 300
 filter ​     = snort_filter filter ​     = snort_filter
-maxretry ​   = 1+maxretry ​   = 3
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
 +#​action ​     = mail-admin
 #​action ​     = iptables-allports-forward #​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
Line 97: Line 108:
 # cat /​etc/​fail2ban/​filter.d/​snort_filter.conf # cat /​etc/​fail2ban/​filter.d/​snort_filter.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
 failregex = .*snort.*Priority:​ 1.*} <​HOST>​.* failregex = .*snort.*Priority:​ 1.*} <​HOST>​.*
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
 +</​code>​
 +
 +==== Уведомление по email ====
 +<​code>​
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf
 +</​code><​code>​
 +[Definition]
 +
 +actionban = printf %%b "Hi,\n
 +            Ban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​
 +
 +actionunban = printf %%b "Hi,\n
 +            Unban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​
 +
 +[Init]
 +
 +name = mail-admin
  
-ignoreregex ​=+dest student
 </​code>​ </​code>​
  
Line 130: Line 160:
  
 <​code>​ <​code>​
 +server# rsh router show access-lists
 +</​code><​code>​
 # cat /​root/​cisco-acl-deny.sh # cat /​root/​cisco-acl-deny.sh
 </​code><​code>​ </​code><​code>​
Line 149: Line 181:
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log
 end end
 </​code><​code>​ </​code><​code>​
Line 174: Line 206:
  
 actionunban = /​root/​cisco-change-firewall.sh actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
сервис_fail2ban.1595438402.txt.gz · Last modified: 2020/07/22 20:20 by val