Differences

This shows you the differences between two versions of the page.

--- сервис_fail2ban [2020/03/04 10:05]
val [Интеграция fail2ban и cisco log]
+++ сервис_fail2ban [2021/07/26 09:29]
admin [Блокировка через cisco acl]
@@ Line 2: / Line 2: @@
   * [[https://thefragens.com/2010/11/checking-fail2ban-regex/|Checking Fail2ban regex]]
+  * [[https://forum.yunohost.org/t/fail2ban-high-cpu-usage/2439|Fail2ban high CPU usage]]
 ===== Установка =====
@@ Line 8: / Line 9: @@
 <code>
 # apt install fail2ban
-# cd /etc/fail2ban/
 </code>
@@ Line 15: / Line 14: @@
 <code>
-# cat jail.conf
+# cat /etc/fail2ban/jail.conf
+# ls /etc/fail2ban/jail.d/
-# ls jail.d/
+# cat /etc/fail2ban/jail.d/defaults-debian.conf
-# cat filter.d/sshd.conf
+# cat /etc/fail2ban/filter.d/sshd.conf
-# cat filter.d/asterisk.conf
+# cat /etc/fail2ban/filter.d/asterisk.conf
 </code><code>
-# cat jail.local
+# cat /etc/fail2ban/jail.local
 </code><code>
 [sshd]
@@ Line 30: / Line 31: @@
 [asterisk]
 enabled = true
-maxretry    = 3
+maxretry = 3
 </code>
@@ Line 66: / Line 67: @@
 # cat /etc/fail2ban/filter.d/cisco-change-config.conf
 </code><code>
-[INCLUDES]
 [Definition]
-failregex = <HOST>.*Configured from console.*
+failregex = <HOST>.*Configured from.*
 </code><code>
 # cat /etc/fail2ban/action.d/cisco-backup-config.conf
@@ Line 79: / Line 78: @@
             cd /srv/tftp/
             /usr/bin/git add *
-            /usr/bin/git status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F -
+            /usr/bin/git --no-optional-locks status | grep 'modified\|deleted\|new file' | /usr/bin/git commit -a -F -
 </code>
 ===== Интеграция fail2ban и snort =====
@@ Line 86: / Line 85: @@
 <code>
-# cat jail.d/snort_jail.conf
+# cat /etc/fail2ban/jail.d/snort_jail.conf
 </code><code>
 [snort]
@@ Line 94: / Line 93: @@
 maxretry    = 1
 logpath     = /var/log/auth.log
-#action      = iptables-allports
+#action      = mail-admin
+#action      = iptables-allports-forward
 #action      = cisco-acl
 </code><code>
-# cat filter.d/snort_filter.conf
+# cat /etc/fail2ban/filter.d/snort_filter.conf
 </code><code>
-[INCLUDES]
 [Definition]
 failregex = .*snort.*Priority: 1.*} <HOST>.*
 #        .*snort.*Priority: 2.*} <HOST>.*
+</code>
-ignoreregex =
+==== Уведомление по email ====
+<code>
+# cat /etc/fail2ban/action.d/mail-admin.conf
+</code><code>
+[Definition]
+actionban = printf %%b "Hi,\n
+            Ban this <ip>
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] Ban <name> <ip>" <dest>
+actionunban = printf %%b "Hi,\n
+            Unban this <ip>
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] Unban <name> <ip>" <dest>
+[Init]
+name = mail-admin
+dest = student
 </code>
@@ Line 112: / Line 131: @@
 <code>
-# iptables -A FORWARD -j f2b-default
+# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports-forward.conf
+# cat /etc/fail2ban/action.d/iptables-allports-forward.conf
+</code><code>
+...
+before = iptables-common-forward.conf
+...
+</code><code>
+# cp /etc/fail2ban/action.d/iptables-common.conf /etc/fail2ban/action.d/iptables-common-forward.conf
+# cat /etc/fail2ban/action.d/iptables-common-forward.conf
+</code><code>
+...
+chain = FORWARD
+...
 </code>
@@ Line 133: / Line 166: @@
  permit tcp any host 192.168.X.10 eq 80
  permit tcp any host 192.168.X.10 eq 22
- permit icmp any 192.168.X.0 0.0.0.255
+ permit icmp any 192.168.0.0 0.0.255.255
  permit ip any host 172.16.1.X
  permit udp any any
  permit tcp any any established
- deny   ip any any log
+ deny   ip any any # log
 end
 </code><code>
@@ Line 162: / Line 195: @@
 actionunban = /root/cisco-change-firewall.sh
+# if atack from DNS)
+#actionunban = echo /root/cisco-change-firewall.sh | at now + 1 min
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools