User Tools

Site Tools


сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revision Both sides next revision
сервис_fail2ban [2020/03/04 10:05]
val [Интеграция fail2ban и cisco log]
сервис_fail2ban [2022/03/09 11:39]
val [Интеграция fail2ban и cisco log]
Line 2: Line 2:
  
   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]
 +  * [[https://​forum.yunohost.org/​t/​fail2ban-high-cpu-usage/​2439|Fail2ban high CPU usage]]
 ===== Установка ===== ===== Установка =====
  
Line 7: Line 8:
  
 <​code>​ <​code>​
-# apt install ​fail2ban+debian11# apt install ​iptables
  
-cd /etc/fail2ban/+apt install ​fail2ban
 </​code>​ </​code>​
  
Line 15: Line 16:
  
 <​code>​ <​code>​
-# cat jail.conf+# cat /​etc/​fail2ban/​jail.conf 
 + 
 +# ls /​etc/​fail2ban/​jail.d/​
  
-ls jail.d/+cat /​etc/​fail2ban/​jail.d/defaults-debian.conf
  
-# cat filter.d/​sshd.conf+# cat /​etc/​fail2ban/​filter.d/​sshd.conf
  
-# cat filter.d/​asterisk.conf+# cat /​etc/​fail2ban/​filter.d/​asterisk.conf
 </​code><​code>​ </​code><​code>​
-# cat jail.local+# cat /​etc/​fail2ban/​jail.local
 </​code><​code>​ </​code><​code>​
 [sshd] [sshd]
Line 30: Line 33:
 [asterisk] [asterisk]
 enabled = true enabled = true
-maxretry ​   = 3+maxretry = 3
 </​code>​ </​code>​
  
Line 53: Line 56:
  
 ===== Интеграция fail2ban и cisco log ===== ===== Интеграция fail2ban и cisco log =====
 +
 +  * Резервное копирование конфигурации
 +
 <​code>​ <​code>​
 # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf
Line 66: Line 72:
 # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
-failregex = <​HOST>​.*Configured from console.*+failregex = <​HOST>​.*Configured from.*
 </​code><​code>​ </​code><​code>​
 # cat /​etc/​fail2ban/​action.d/​cisco-backup-config.conf # cat /​etc/​fail2ban/​action.d/​cisco-backup-config.conf
Line 79: Line 83:
             cd /srv/tftp/             cd /srv/tftp/
             /​usr/​bin/​git add *             /​usr/​bin/​git add *
-            /​usr/​bin/​git status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -+            /​usr/​bin/​git ​--no-optional-locks ​status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -
 </​code>​ </​code>​
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
Line 86: Line 90:
  
 <​code>​ <​code>​
-# cat jail.d/​snort_jail.conf+# cat /​etc/​fail2ban/​jail.d/​snort_jail.conf
 </​code><​code>​ </​code><​code>​
 [snort] [snort]
Line 94: Line 98:
 maxretry ​   = 1 maxretry ​   = 1
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
-#​action ​     = iptables-allports+#​action ​     = mail-admin 
 +#​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
 </​code><​code>​ </​code><​code>​
-# cat filter.d/​snort_filter.conf+# cat /​etc/​fail2ban/​filter.d/​snort_filter.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
 failregex = .*snort.*Priority:​ 1.*} <​HOST>​.* failregex = .*snort.*Priority:​ 1.*} <​HOST>​.*
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
 +</​code>​
  
-ignoreregex ​=+==== Уведомление по email ==== 
 +<​code>​ 
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf 
 +</​code><​code>​ 
 +[Definition] 
 + 
 +actionban = printf %%b "​Hi,​\n 
 +            Ban this <​ip>​ 
 +            Regards,​\n 
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​ 
 + 
 +actionunban = printf %%b "​Hi,​\n 
 +            Unban this <​ip>​ 
 +            Regards,​\n 
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​ 
 + 
 +[Init] 
 + 
 +name = mail-admin 
 + 
 +dest = student
 </​code>​ </​code>​
  
Line 112: Line 136:
  
 <​code>​ <​code>​
-# iptables -A FORWARD ​-j f2b-default+cp /​etc/​fail2ban/​action.d/​iptables-allports.conf /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-allports-forward.conf 
 +</​code><​code>​ 
 +... 
 +before = iptables-common-forward.conf 
 +... 
 +</​code><​code>​ 
 +# cp /​etc/​fail2ban/​action.d/​iptables-common.conf /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 + 
 +# cat /​etc/​fail2ban/​action.d/​iptables-common-forward.conf 
 +</​code><​code>​ 
 +... 
 +chain = FORWARD  
 +...
 </​code>​ </​code>​
  
Line 133: Line 171:
  ​permit tcp any host 192.168.X.10 eq 80  ​permit tcp any host 192.168.X.10 eq 80
  ​permit tcp any host 192.168.X.10 eq 22  ​permit tcp any host 192.168.X.10 eq 22
- ​permit icmp any 192.168.X.0 0.0.0.255+ ​permit icmp any 192.168.0.0 0.0.255.255
  ​permit ip any host 172.16.1.X  ​permit ip any host 172.16.1.X
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log
 end end
 </​code><​code>​ </​code><​code>​
Line 162: Line 200:
  
 actionunban = /​root/​cisco-change-firewall.sh actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
сервис_fail2ban.txt · Last modified: 2024/05/11 15:47 by val