Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
сервис_fail2ban [2020/11/18 14:23]
val [Интеграция fail2ban и snort] 		сервис_fail2ban [2025/10/20 12:00] (current)
val [Мониторинг и управление]
Line 6: Line 6:
  
   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]   * [[https://​help.ubuntu.com/​community/​Fail2ban|Fail2ban]]
 +  * [[https://​bugs.launchpad.net/​ubuntu/​+source/​fail2ban/​+bug/​2055114|fail2ban is broken in 24.04 Noble]]
  
 <​code>​ <​code>​
 +debian11# apt install iptables
 +debian12# apt install iptables rsyslog
 +
 # apt install fail2ban # apt install fail2ban
 +
 +ubuntu24# ###wget https://​launchpad.net/​ubuntu/​+source/​fail2ban/​1.1.0-1/​+build/​28291332/​+files/​fail2ban_1.1.0-1_all.deb
 +ubuntu24# ###dpkg -i fail2ban_1.1.0-1_all.deb ​
 </​code>​ </​code>​
  
Line 28: Line 35:
 [sshd] [sshd]
 maxretry = 6 maxretry = 6
 +#port = 2222
 +#ignoreip = 192.168.X.0/​24 192.168.100+X.0/​24
  
 [asterisk] [asterisk]
 enabled = true enabled = true
 maxretry = 3 maxretry = 3
 +#bantime = 30d
 +#action = iptables-allports[blocktype=DROP]
 +#action = route[blocktype=blackhole]
 +
 +#​https://​github.com/​fail2ban/​fail2ban/​discussions/​3836|Asterisk 20.6 on Ubuntu 24.04: Fail2Ban not working
 +#backend = auto
 +#​logpath ​ = /​var/​log/​asterisk/​messages.log
 </​code>​ </​code>​
  
Line 47: Line 63:
  
 # fail2ban-client status asterisk # fail2ban-client status asterisk
 +
 +# iptables-save
 +# nft list ruleset
  
 # fail2ban-client set asterisk unbanip 172.16.1.150 # fail2ban-client set asterisk unbanip 172.16.1.150
Line 54: Line 73:
  
 ===== Интеграция fail2ban и cisco log ===== ===== Интеграция fail2ban и cisco log =====
 +
 +  * Резервное копирование конфигурации
 +
 <​code>​ <​code>​
 # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf
Line 78: Line 100:
             cd /srv/tftp/             cd /srv/tftp/
             /​usr/​bin/​git add *             /​usr/​bin/​git add *
-            /​usr/​bin/​git status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -+            /​usr/​bin/​git ​--no-optional-locks ​status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -
 </​code>​ </​code>​
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
  
   * [[https://​github.com/​frankiejol/​snortban|frankiejol/​snortban]]   * [[https://​github.com/​frankiejol/​snortban|frankiejol/​snortban]]
 +  * Сервис SNORT [[Сервис SNORT#​Копирование alert_unified2 в syslog]]
  
 <​code>​ <​code>​
Line 91: Line 114:
 bantime ​    = 300 bantime ​    = 300
 filter ​     = snort_filter filter ​     = snort_filter
-maxretry ​   = 1+maxretry ​   = 3
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
 +#​action ​     = mail-admin
 +#​action ​     = iptables-allports
 #​action ​     = iptables-allports-forward #​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
Line 103: Line 128:
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
  
-ignoreregex ​=+#​failregex ​.*Original Client IP: <​HOST>​.*
 </​code>​ </​code>​
 +
 +==== Уведомление по email ====
 +<​code>​
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf
 +</​code><​code>​
 +[Definition]
 +
 +actionban = printf %%b "Hi,\n
 +            Ban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​
 +
 +actionunban = printf %%b "Hi,\n
 +            Unban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​
 +
 +[Init]
 +
 +name = mail-admin
 +
 +dest = student
 +</​code>​
 +
 +  * [[#​Запуск и отладка]]
  
 ==== Блокировка через iptables ==== ==== Блокировка через iptables ====
Line 126: Line 176:
 </​code>​ </​code>​
  
 +  * [[#​Запуск и отладка]]
 ==== Блокировка через cisco acl ==== ==== Блокировка через cisco acl ====
  
 <​code>​ <​code>​
 +server# rsh router show access-lists
 +</​code><​code>​
 # cat /​root/​cisco-acl-deny.sh # cat /​root/​cisco-acl-deny.sh
 </​code><​code>​ </​code><​code>​
Line 148: Line 201:
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log
 end end
 </​code><​code>​ </​code><​code>​
Line 155: Line 208:
 #!/bin/sh #!/bin/sh
  
-cat > /root/​firewall.acl <<EOF+cat > /srv/tftp/​firewall.acl <<EOF
 no ip access-list extended ACL_FIREWALL no ip access-list extended ACL_FIREWALL
 ip access-list extended ACL_FIREWALL ip access-list extended ACL_FIREWALL
 EOF EOF
  
-/​root/​cisco-acl-deny.sh >> /root/​firewall.acl+/​root/​cisco-acl-deny.sh >> /srv/tftp/​firewall.acl
  
-cat /​root/​cisco-acl-permit.txt >> /root/​firewall.acl+cat /​root/​cisco-acl-permit.txt >> /srv/tftp/​firewall.acl
  
-/​usr/​bin/​rcp /root/​firewall.acl router:​running-config+#/​usr/​bin/​rcp /srv/tftp/​firewall.acl router:​running-config 
 +#/​usr/​bin/​snmpset -c write -v2c router .1.3.6.1.4.1.9.2.1.53.192.168.X.10 string "​firewall.acl"​
 </​code><​code>​ </​code><​code>​
 # cat /​etc/​fail2ban/​action.d/​cisco-acl.conf # cat /​etc/​fail2ban/​action.d/​cisco-acl.conf
Line 173: Line 227:
  
 actionunban = /​root/​cisco-change-firewall.sh actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
 +  * [[#​Запуск и отладка]]
 ===== Отладка собственных фильтров ===== ===== Отладка собственных фильтров =====
  
сервис_fail2ban.1605698605.txt.gz · Last modified: 2020/11/18 14:23 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki