сервис_fail2ban [2022/03/09 11:39] val [Интеграция fail2ban и cisco log] |
сервис_fail2ban [2024/05/11 10:54] val [Интеграция fail2ban и snort] |
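--- a/сервис_fail2ban
+++ b/сервис_fail2ban
@@ -6,5 +6,10 @@
 * [[https://help.ubuntu.com/community/Fail2ban|Fail2ban]]
+* [[https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/2055114|fail2ban is broken in 24.04 Noble]]
 <code>
 debian11# apt install iptables
+debian12# apt install iptables rsyslog
 # apt install fail2ban
+
+ubuntu24# wget https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1/+build/28291332/+files/fail2ban_1.1.0-1_all.deb
+ubuntu24# dpkg -i fail2ban_1.1.0-1_all.deb
 </code>
@@ -30,6 +35,10 @@
 [sshd]
 maxretry = 6
+#ignoreip = 192.168.X.0/24 192.168.100+X.0/24
 [asterisk]
 enabled = true
 maxretry = 3
+#bantime = 30d
+#action = iptables-allports[blocktype=DROP]
+#action = route[blocktype=blackhole]
 </code>
@@ -96,7 +105,8 @@
 bantime = 300
 filter = snort_filter
-maxretry = 1
+maxretry = 3
 logpath = /var/log/auth.log
 #action = mail-admin
+#action = iptables-allports
 #action = iptables-allports-forward
 #action = cisco-acl
@@ -108,3 +118,5 @@
 failregex = .*snort.*Priority: 1.*} <HOST>.*
 # .*snort.*Priority: 2.*} <HOST>.*
+
+#failregex = .*Original Client IP: <HOST>.*
 </code>
@@ -132,3 +144,5 @@
 dest = student
 </code>
+
+* [[#Запуск и отладка]]
 ==== Блокировка через iptables ====
@@ -153,5 +167,8 @@
 </code>
+* [[#Запуск и отладка]]
 ==== Блокировка через cisco acl ====
 <code>
+server# rsh router show access-lists
+</code><code>
 # cat /root/cisco-acl-deny.sh
 </code><code>
@@ -175,5 +192,5 @@
 permit udp any any
 permit tcp any any established
-deny ip any any # log
+deny ip any any ! log
 end
 </code><code>
@@ -204,2 +221,3 @@
 </code>
+* [[#Запуск и отладка]]
 ===== Отладка собственных фильтров =====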
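Review bot: The ubuntu24 lines in the Line 6 hunk fetch a .deb with wget and install it with `dpkg -i`, which skips apt's signature verification and leaves a manually installed package that the archive's later security updates may not replace; the page says nothing about checking the file or about returning to the archive package once bug 2055114 is resolved. I would add a comment above the dpkg line, e.g. `# check the .deb (sha256sum) against the value published for this Launchpad build before installing; a manually installed package is outside apt's signature check and update path`, and prefer `ubuntu24# apt install ./fail2ban_1.1.0-1_all.deb` so apt resolves dependencies and records the install. Whether the Launchpad build page publishes a checksum for the file is something to confirm before wording that comment.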