сервис_fail2ban [2020/02/27 15:25] val [Интеграция fail2ban и cisco log] |
сервис_fail2ban [2022/03/09 11:51] val [Блокировка через cisco acl] |
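--- a/сервис_fail2ban
+++ b/сервис_fail2ban
@@ -2,2 +2,3 @@
 * [[https://thefragens.com/2010/11/checking-fail2ban-regex/|Checking Fail2ban regex]]
+* [[https://forum.yunohost.org/t/fail2ban-high-cpu-usage/2439|Fail2ban high CPU usage]]
 ===== Установка =====
@@ -7,4 +8,4 @@
 <code>
-# apt install fail2ban
-# cd /etc/fail2ban/
+debian11# apt install iptables
+# apt install fail2ban
 </code>
@@ -15,9 +16,11 @@
 <code>
-# cat jail.conf
+# cat /etc/fail2ban/jail.conf
+
+# ls /etc/fail2ban/jail.d/
-# ls jail.d/
-# cat filter.d/sshd.conf
-# cat filter.d/asterisk.conf
+# cat /etc/fail2ban/jail.d/defaults-debian.conf
+# cat /etc/fail2ban/filter.d/sshd.conf
+# cat /etc/fail2ban/filter.d/asterisk.conf
 </code><code>
-# cat jail.local
+# cat /etc/fail2ban/jail.local
 </code><code>
 [sshd]
@@ -30,4 +33,4 @@
 [asterisk]
 enabled = true
-maxretry = 3
+maxretry = 3
 </code>
@@ -53,3 +56,6 @@
 ===== Интеграция fail2ban и cisco log =====
+
+* Резервное копирование конфигурации
+
 <code>
 # cat /etc/fail2ban/jail.d/cisco-change-config.conf
@@ -66,8 +72,6 @@
 # cat /etc/fail2ban/filter.d/cisco-change-config.conf
 </code><code>
-[INCLUDES]
-
 [Definition]
-failregex = <HOST>.*Configured from console.*
+failregex = <HOST>.*Configured from.*
 </code><code>
 # cat /etc/fail2ban/action.d/cisco-backup-config.conf
@@ -77,8 +81,6 @@
 actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config
-
-cd /srv/tftp/
-git add *
-git commit -a -m `date '+%Y-%m-%d_%H:%M:%S'`
+cd /srv/tftp/
+/usr/bin/git add *
+/usr/bin/git --no-optional-locks status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F -
 </code>
-
 ===== Интеграция fail2ban и snort =====
@@ -88,4 +90,4 @@
 <code>
-# cat jail.d/snort_jail.conf
+# cat /etc/fail2ban/jail.d/snort_jail.conf
 </code><code>
 [snort]
@@ -96,14 +98,34 @@
 maxretry = 1
 logpath = /var/log/auth.log
-#action = iptables-allports
+#action = mail-admin
+#action = iptables-allports-forward
 #action = cisco-acl
 </code><code>
-# cat filter.d/snort_filter.conf
+# cat /etc/fail2ban/filter.d/snort_filter.conf
 </code><code>
-[INCLUDES]
-
 [Definition]
 failregex = .*snort.*Priority: 1.*} <HOST>.*
 # .*snort.*Priority: 2.*} <HOST>.*
+</code>
+
+==== Уведомление по email ====
+<code>
+# cat /etc/fail2ban/action.d/mail-admin.conf
+</code><code>
+[Definition]
+
+actionban = printf %%b "Hi,\n
+Ban this <ip>
+Regards,\n
+Fail2Ban"|mail -s "[Fail2Ban] Ban <name> <ip>" <dest>
+
+actionunban = printf %%b "Hi,\n
+Unban this <ip>
+Regards,\n
+Fail2Ban"|mail -s "[Fail2Ban] Unban <name> <ip>" <dest>
+
+[Init]
+
+name = mail-admin
-ignoreregex =
+dest = student
 </code>
@@ -114,3 +136,17 @@
 <code>
-# iptables -A FORWARD -j f2b-default
+# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports-forward.conf
+
+# cat /etc/fail2ban/action.d/iptables-allports-forward.conf
+</code><code>
+...
+before = iptables-common-forward.conf
+...
+</code><code>
+# cp /etc/fail2ban/action.d/iptables-common.conf /etc/fail2ban/action.d/iptables-common-forward.conf
+
+# cat /etc/fail2ban/action.d/iptables-common-forward.conf
+</code><code>
+...
+chain = FORWARD
+...
 </code>
@@ -120,3 +156,5 @@
 <code>
+server# rsh router show access-lists
+</code><code>
 # cat /root/cisco-acl-deny.sh
 </code><code>
@@ -135,9 +173,9 @@
 permit tcp any host 192.168.X.10 eq 80
 permit tcp any host 192.168.X.10 eq 22
-permit icmp any 192.168.X.0 0.0.0.255
+permit icmp any 192.168.0.0 0.0.255.255
 permit ip any host 172.16.1.X
 permit udp any any
 permit tcp any any established
-deny ip any any log
+deny ip any any # log
 end
 </code><code>
@@ -164,2 +202,4 @@
 actionunban = /root/cisco-change-firewall.sh
+# if atack from DNS)
+#actionunban = echo /root/cisco-change-firewall.sh | at now + 1 min
 </code>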
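Review bot: The two hand-copied action files introduced in the hunk at old line 114 / new line 136 (iptables-allports-forward.conf and iptables-common-forward.conf) duplicate upstream files that package upgrades will no longer maintain, only to change `chain`. Since iptables-common.conf already declares `chain` under `[Init]`, the same result is available from the jail without copies: `action = iptables-allports[chain=FORWARD]` in snort_jail.conf, in place of the `#action = iptables-allports-forward` line added earlier on this page (worth confirming against the installed fail2ban version's iptables-common.conf). Separately, in the ACL at new line 173 the line `deny ip any any # log` assumes the IOS parser ignores `#`; if cisco-acl-deny.sh pushes these lines verbatim and the router rejects the line, only the implicit deny remains, so dropping the keyword outright (`deny ip any any`) is the safer way to turn logging off. The comment `# if atack from DNS)` in the last hunk also has a typo and a stray parenthesis (`# if attack from DNS`).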