User Tools

Site Tools


сервис_fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
сервис_fail2ban [2020/06/26 14:04]
val [Блокировка через iptables]
сервис_fail2ban [2022/05/20 13:25] (current)
val [Настройка]
Line 2: Line 2:
  
   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]   * [[https://​thefragens.com/​2010/​11/​checking-fail2ban-regex/​|Checking Fail2ban regex]]
 +  * [[https://​forum.yunohost.org/​t/​fail2ban-high-cpu-usage/​2439|Fail2ban high CPU usage]]
 ===== Установка ===== ===== Установка =====
  
Line 7: Line 8:
  
 <​code>​ <​code>​
-# apt install ​fail2ban+debian11# apt install ​iptables
  
-cd /etc/fail2ban/+apt install ​fail2ban
 </​code>​ </​code>​
  
Line 15: Line 16:
  
 <​code>​ <​code>​
-# cat jail.conf+# cat /​etc/​fail2ban/​jail.conf 
 + 
 +# ls /​etc/​fail2ban/​jail.d/​
  
-ls jail.d/+cat /​etc/​fail2ban/​jail.d/defaults-debian.conf
  
-# cat filter.d/​sshd.conf+# cat /​etc/​fail2ban/​filter.d/​sshd.conf
  
-# cat filter.d/​asterisk.conf+# cat /​etc/​fail2ban/​filter.d/​asterisk.conf
 </​code><​code>​ </​code><​code>​
-# cat jail.local+# cat /​etc/​fail2ban/​jail.local
 </​code><​code>​ </​code><​code>​
 [sshd] [sshd]
Line 30: Line 33:
 [asterisk] [asterisk]
 enabled = true enabled = true
-maxretry ​   = 3+maxretry = 3 
 +#bantime = 30d 
 +#action = iptables-allports[blocktype=DROP]
 </​code>​ </​code>​
  
Line 53: Line 58:
  
 ===== Интеграция fail2ban и cisco log ===== ===== Интеграция fail2ban и cisco log =====
 +
 +  * Резервное копирование конфигурации
 +
 <​code>​ <​code>​
 # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​jail.d/​cisco-change-config.conf
Line 66: Line 74:
 # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf # cat /​etc/​fail2ban/​filter.d/​cisco-change-config.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
Line 79: Line 85:
             cd /srv/tftp/             cd /srv/tftp/
             /​usr/​bin/​git add *             /​usr/​bin/​git add *
-            /​usr/​bin/​git status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -+            /​usr/​bin/​git ​--no-optional-locks ​status | grep '​modified\|deleted\|new file' | /​usr/​bin/​git commit -a -F -
 </​code>​ </​code>​
 ===== Интеграция fail2ban и snort ===== ===== Интеграция fail2ban и snort =====
Line 92: Line 98:
 bantime ​    = 300 bantime ​    = 300
 filter ​     = snort_filter filter ​     = snort_filter
-maxretry ​   = 1+maxretry ​   = 3
 logpath ​    = /​var/​log/​auth.log logpath ​    = /​var/​log/​auth.log
 +#​action ​     = mail-admin
 #​action ​     = iptables-allports-forward #​action ​     = iptables-allports-forward
 #​action ​     = cisco-acl #​action ​     = cisco-acl
Line 99: Line 106:
 # cat /​etc/​fail2ban/​filter.d/​snort_filter.conf # cat /​etc/​fail2ban/​filter.d/​snort_filter.conf
 </​code><​code>​ </​code><​code>​
-[INCLUDES] 
- 
 [Definition] [Definition]
  
 failregex = .*snort.*Priority:​ 1.*} <​HOST>​.* failregex = .*snort.*Priority:​ 1.*} <​HOST>​.*
 #        .*snort.*Priority:​ 2.*} <​HOST>​.* #        .*snort.*Priority:​ 2.*} <​HOST>​.*
 +</​code>​
 +
 +==== Уведомление по email ====
 +<​code>​
 +# cat /​etc/​fail2ban/​action.d/​mail-admin.conf
 +</​code><​code>​
 +[Definition]
 +
 +actionban = printf %%b "Hi,\n
 +            Ban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Ban <​name>​ <​ip>"​ <​dest>​
 +
 +actionunban = printf %%b "Hi,\n
 +            Unban this <ip>
 +            Regards,\n
 +            Fail2Ban"​|mail -s "​[Fail2Ban] Unban <​name>​ <​ip>"​ <​dest>​
 +
 +[Init]
 +
 +name = mail-admin
  
-ignoreregex ​=+dest student
 </​code>​ </​code>​
  
Line 132: Line 158:
  
 <​code>​ <​code>​
 +server# rsh router show access-lists
 +</​code><​code>​
 # cat /​root/​cisco-acl-deny.sh # cat /​root/​cisco-acl-deny.sh
 </​code><​code>​ </​code><​code>​
Line 151: Line 179:
  ​permit udp any any  ​permit udp any any
  ​permit tcp any any established  ​permit tcp any any established
- ​deny ​  ip any any log+ ​deny ​  ip any any log
 end end
 </​code><​code>​ </​code><​code>​
Line 176: Line 204:
  
 actionunban = /​root/​cisco-change-firewall.sh actionunban = /​root/​cisco-change-firewall.sh
 +# if atack from DNS)
 +#​actionunban = echo /​root/​cisco-change-firewall.sh | at now + 1 min
 </​code>​ </​code>​
  
сервис_fail2ban.1593169461.txt.gz · Last modified: 2020/06/26 14:04 by val