User Tools
сервис_fail2ban
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
сервис_fail2ban [2020/02/27 09:37] val |
сервис_fail2ban [2021/07/26 09:29] admin [Блокировка через cisco acl] |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| * [[https://thefragens.com/2010/11/checking-fail2ban-regex/|Checking Fail2ban regex]] | * [[https://thefragens.com/2010/11/checking-fail2ban-regex/|Checking Fail2ban regex]] | ||
| + | * [[https://forum.yunohost.org/t/fail2ban-high-cpu-usage/2439|Fail2ban high CPU usage]] | ||
| ===== Установка ===== | ===== Установка ===== | ||
| - | |||
| - | ==== Debian/Ubuntu ==== | ||
| * [[https://help.ubuntu.com/community/Fail2ban|Fail2ban]] | * [[https://help.ubuntu.com/community/Fail2ban|Fail2ban]] | ||
| Line 10: | Line 9: | ||
| <code> | <code> | ||
| # apt install fail2ban | # apt install fail2ban | ||
| - | |||
| - | # cd /etc/fail2ban/ | ||
| - | </code> | ||
| - | |||
| - | ==== FreeBSD ==== | ||
| - | <code> | ||
| - | # pkg install py27-fail2ban | ||
| - | |||
| - | # cat /etc/rc.conf | ||
| - | </code><code> | ||
| - | ... | ||
| - | fail2ban_enable="YES" | ||
| - | </code><code> | ||
| - | # cd /usr/local/etc/fail2ban/ | ||
| </code> | </code> | ||
| ===== Настройка ===== | ===== Настройка ===== | ||
| - | |||
| - | ==== Debian/Ubuntu/FreeBSD ==== | ||
| <code> | <code> | ||
| - | # cat jail.conf | + | # cat /etc/fail2ban/jail.conf |
| - | # ls jail.d/ | + | # ls /etc/fail2ban/jail.d/ |
| - | # cat filter.d/sshd.conf | + | # cat /etc/fail2ban/jail.d/defaults-debian.conf |
| - | # cat filter.d/asterisk.conf | + | # cat /etc/fail2ban/filter.d/sshd.conf |
| - | </code> | + | |
| - | ==== Debian/Ubuntu ==== | + | # cat /etc/fail2ban/filter.d/asterisk.conf |
| - | <code> | + | </code><code> |
| - | # cat jail.local | + | # cat /etc/fail2ban/jail.local |
| </code><code> | </code><code> | ||
| [sshd] | [sshd] | ||
| Line 49: | Line 31: | ||
| [asterisk] | [asterisk] | ||
| enabled = true | enabled = true | ||
| - | maxretry = 3 | + | maxretry = 3 |
| - | </code> | + | |
| - | + | ||
| - | ==== FreeBSD ==== | + | |
| - | + | ||
| - | * Настройка PF ([[Сервис Firewall#Конфигурация для защиты от bruteforce]]) | + | |
| - | + | ||
| - | <code> | + | |
| - | # cat jail.local | + | |
| - | </code><code> | + | |
| - | [sshd] | + | |
| - | enabled = true | + | |
| - | filter = sshd | + | |
| - | action = pf | + | |
| - | maxretry = 6 | + | |
| - | logpath = /var/log/auth.log | + | |
| - | + | ||
| - | [asterisk] | + | |
| - | # ignoreip = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 | + | |
| - | enabled = true | + | |
| - | action = pf | + | |
| - | maxretry = 3 | + | |
| </code> | </code> | ||
| ===== Запуск и отладка ===== | ===== Запуск и отладка ===== | ||
| - | |||
| - | ==== Debian/Ubuntu ==== | ||
| <code> | <code> | ||
| # service fail2ban reload | # service fail2ban reload | ||
| - | </code> | + | </code><code> |
| - | + | ||
| - | ==== FreeBSD ==== | + | |
| - | <code> | + | |
| - | # service fail2ban start | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Debian/Ubuntu/FreeBSD ==== | + | |
| - | <code> | + | |
| # tail -f /var/log/fail2ban.log | # tail -f /var/log/fail2ban.log | ||
| </code> | </code> | ||
| Line 116: | Line 67: | ||
| # cat /etc/fail2ban/filter.d/cisco-change-config.conf | # cat /etc/fail2ban/filter.d/cisco-change-config.conf | ||
| </code><code> | </code><code> | ||
| - | [INCLUDES] | ||
| - | |||
| [Definition] | [Definition] | ||
| - | failregex = <HOST>.*Configured from console.* | + | failregex = <HOST>.*Configured from.* |
| </code><code> | </code><code> | ||
| # cat /etc/fail2ban/action.d/cisco-backup-config.conf | # cat /etc/fail2ban/action.d/cisco-backup-config.conf | ||
| Line 127: | Line 76: | ||
| actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config | actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config | ||
| + | cd /srv/tftp/ | ||
| + | /usr/bin/git add * | ||
| + | /usr/bin/git --no-optional-locks status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F - | ||
| </code> | </code> | ||
| - | |||
| ===== Интеграция fail2ban и snort ===== | ===== Интеграция fail2ban и snort ===== | ||
| Line 134: | Line 85: | ||
| <code> | <code> | ||
| - | # cat jail.d/snort_jail.conf | + | # cat /etc/fail2ban/jail.d/snort_jail.conf |
| </code><code> | </code><code> | ||
| [snort] | [snort] | ||
| Line 142: | Line 93: | ||
| maxretry = 1 | maxretry = 1 | ||
| logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
| - | #action = iptables-allports | + | #action = mail-admin |
| + | #action = iptables-allports-forward | ||
| #action = cisco-acl | #action = cisco-acl | ||
| </code><code> | </code><code> | ||
| - | # cat filter.d/snort_filter.conf | + | # cat /etc/fail2ban/filter.d/snort_filter.conf |
| </code><code> | </code><code> | ||
| - | [INCLUDES] | ||
| - | |||
| [Definition] | [Definition] | ||
| failregex = .*snort.*Priority: 1.*} <HOST>.* | failregex = .*snort.*Priority: 1.*} <HOST>.* | ||
| # .*snort.*Priority: 2.*} <HOST>.* | # .*snort.*Priority: 2.*} <HOST>.* | ||
| + | </code> | ||
| + | |||
| + | ==== Уведомление по email ==== | ||
| + | <code> | ||
| + | # cat /etc/fail2ban/action.d/mail-admin.conf | ||
| + | </code><code> | ||
| + | [Definition] | ||
| + | |||
| + | actionban = printf %%b "Hi,\n | ||
| + | Ban this <ip> | ||
| + | Regards,\n | ||
| + | Fail2Ban"|mail -s "[Fail2Ban] Ban <name> <ip>" <dest> | ||
| + | |||
| + | actionunban = printf %%b "Hi,\n | ||
| + | Unban this <ip> | ||
| + | Regards,\n | ||
| + | Fail2Ban"|mail -s "[Fail2Ban] Unban <name> <ip>" <dest> | ||
| + | |||
| + | [Init] | ||
| + | |||
| + | name = mail-admin | ||
| - | ignoreregex = | + | dest = student |
| </code> | </code> | ||
| Line 160: | Line 131: | ||
| <code> | <code> | ||
| - | # iptables -A FORWARD -j f2b-default | + | # cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports-forward.conf |
| + | |||
| + | # cat /etc/fail2ban/action.d/iptables-allports-forward.conf | ||
| + | </code><code> | ||
| + | ... | ||
| + | before = iptables-common-forward.conf | ||
| + | ... | ||
| + | </code><code> | ||
| + | # cp /etc/fail2ban/action.d/iptables-common.conf /etc/fail2ban/action.d/iptables-common-forward.conf | ||
| + | |||
| + | # cat /etc/fail2ban/action.d/iptables-common-forward.conf | ||
| + | </code><code> | ||
| + | ... | ||
| + | chain = FORWARD | ||
| + | ... | ||
| </code> | </code> | ||
| Line 181: | Line 166: | ||
| permit tcp any host 192.168.X.10 eq 80 | permit tcp any host 192.168.X.10 eq 80 | ||
| permit tcp any host 192.168.X.10 eq 22 | permit tcp any host 192.168.X.10 eq 22 | ||
| - | permit icmp any 192.168.X.0 0.0.0.255 | + | permit icmp any 192.168.0.0 0.0.255.255 |
| permit ip any host 172.16.1.X | permit ip any host 172.16.1.X | ||
| permit udp any any | permit udp any any | ||
| permit tcp any any established | permit tcp any any established | ||
| - | deny ip any any log | + | deny ip any any # log |
| end | end | ||
| </code><code> | </code><code> | ||
| Line 210: | Line 195: | ||
| actionunban = /root/cisco-change-firewall.sh | actionunban = /root/cisco-change-firewall.sh | ||
| + | # if atack from DNS) | ||
| + | #actionunban = echo /root/cisco-change-firewall.sh | at now + 1 min | ||
| </code> | </code> | ||
сервис_fail2ban.txt · Last modified: 2024/06/23 16:45 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
