Centos Fail2ban 配置教程
时间:2014-05-04 23:22 来源:linux.it.net.cn 作者:it
系统环境:Centos 5.5
事项:在Centos上配置Fail2ban
##########################################################
一 安装 Fail2ban 服务
下载rpmforge , 里面有大量最新的rpm包.
wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
开始yum吧~~!
yum install fail2ban
fail2ban noarch 0.8.2-3.el5.rf rpmforge 125 k
Installing for dependencies:
gamin
gamin-python
安装是十分简单的拉.
fail2ban 原理
fail2ban 调用 iptables 实时阻挡外界的攻击,按照你的要求在一段时间内找出符合条件的日志,然后动作。
二 设定fail2ban服务
fail2ban 的设定档在这里
/etc/fail2ban
fail2ban.conf 日志设定文档
jail.conf 阻挡设定文档
/etc/fail2ban/filter.d 具体阻挡内容设定目录
三 为何需要安装fail2ban呢?
Extmail 本身是没有邮件系统被攻击的解决方案,黑客是会不断user unknow地试探pop3 smtp 认证得到密码或电邮地址,大家可能问得到邮地址有何作用呢?电邮地址是可以贩卖的哦!而且十分值钱的,如果垃圾邮件者购买了这些地址,你的邮件服务器就有排忙了。
你话需不需要安装个fail2ban保护呢?
四 实施保护
1. 保护 SSH 拦截
先看看fail2ban是如何拦截的?
cat /etc/fail2ban/filter.d/sshd.conf
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
fail2ban 使用了正则表达式找出:
Authentication failure/authentication failure
ROOT LOGIN REFUSED
refused connect from
POSSIBLE BREAK-IN ATTEMPT
not allowed because not listed in AllowUsers
以上的状况,可以根据你实际要求删减. 其中<HOST> 为建立连接的IP
开启 SSH 拦截
vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=收件者电邮地址, sender=寄件者电邮地址]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 86400
fail2ban 会按照你的要求去查看/var/log/secure日志文件,然后在findtime = 300 "5分钟" 之内符合条件
的记录下来,如果到达了maxretry = 3 "3次符合条件" 就阻挡这个IP连接22端口 bantime = 86400 "一天的时间".
2. POP3 保护拦截
cat /etc/fail2ban/filter.d/courierlogin.conf
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
这里表示错误地输入用户名/密码的pop3连接.
开启 pop3 保护
vi /etc/fail2ban/jail.conf
[POP3]
enabled = true
filter = courierlogin
action = iptables[name=pop3, port=110, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 15
大家应该懂得如何看了吧? 我不写拉!好累。参数可以按照你实际要求修改噢~!
3. POP3-SSL 保护拦截
cat /etc/fail2ban/filter.d/courierlogin-ssl.conf
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
这里表示错误地输入用户名/密码的pop3-ssl连接.
vi /etc/fail2ban/jail.conf
[POP3-SSL]
enabled = true
filter = courierlogin-ssl
action = iptables[name=pop3-ssl, port=995, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 15
4 SMTP 保护拦截
cat /etc/fail2ban/filter.d/couriersmtp.conf
failregex = postfix/smtpd.* warning: unknown\[<HOST>\]: SASL LOGIN authentication failed: authentication failure
这里表示错误地输入用户名/密码的smtp连接.
vi /etc/fail2ban/jail.conf
[SMTP]
enabled = true
filter = couriersmtp
action = iptables[name=smtp, port=25:366, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 15
参数可以按照你实际要求修改.
5. Extmail 登录保护
由于Extmail 的web mail 登入没有做到保护,现在加固吧!
vi /etc/fail2ban/filter.d/extmail.conf
failregex = extmail.*: user=.*, client=<HOST>, module=login, status=badlogin
这里表示错误地输入用户名/密码的web mail 登入.
vi /etc/fail2ban/jail.conf
[extmail]
enabled = true
filter = extmail
action = iptables[name=httpd, port=http, protocol=tcp]
logpath = /var/log/maillog
bantime = 300
findtime = 300
maxretry = 6
6. POSTFIX 保护User unknow 的试探.
不知道这个动作的意思先看看这篇文章。
http://hi.baidu.com/enjoyunix/blog/item/e8506058fd3c3189810a183a.html
vi /etc/fail2ban/filter.d/postfix.conf
failregex = reject: RCPT from (.*)\[<HOST>\]: 450
vi /etc/fail2ban/jail.conf
[POSTFIX]
enabled = true
filter = postfix
action = iptables[name=postfix, port=25, protocol=tcp]
logpath = /var/log/maillog
bantime = 43200
findtime = 1200
maxretry = 5
这里保护了User unknow 的试探以及垃圾邮件跳信攻击。
五 看看iptables
iptables -L -nv
pkts bytes target prot opt in out source destination
0 0 fail2ban-pop3-ssl tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
773 83329 fail2ban-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
299 12660 fail2ban-pop3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
301 12740 fail2ban-ftp tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
3354 253K fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
438 33979 fail2ban-httpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5703 packets, 829K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
3354 253K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ftp (1 references)
pkts bytes target prot opt in out source destination
301 12740 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-httpd (1 references)
pkts bytes target prot opt in out source destination
438 33979 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pop3 (1 references)
pkts bytes target prot opt in out source destination
299 12660 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pop3-ssl (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-postfix (1 references)
pkts bytes target prot opt in out source destination
773 83329 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-smtp (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
如何监察呢?
#watch -n 1 fail2ban-client status POSTFIX
Status for the jail: POSTFIX
|- filter
| |- File list: /var/log/maillog
| |- Currently failed: 2
| `- Total failed: 22
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
看看那些垃圾邮件者真是好无聊!不断地试探我的邮件服务器呢。
六 看看fail2ban的日志
# cat fail2ban.log | grep '] Ban '
2009-04-07 20:22:44,575 fail2ban.actions: WARNING [POSTFIX] Ban ip地址
就以看到过去有那些IP拦截了,以及是那个服务。
# cat fail2ban.log | grep '] Unban '
可以查看什么时候解的
(责任编辑:IT)
| 系统环境:Centos 5.5 事项:在Centos上配置Fail2ban ########################################################## 一 安装 Fail2ban 服务 下载rpmforge , 里面有大量最新的rpm包. wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm rpm -ivh rpmforge-release-0.3.6-1.el5.rf.i386.rpm 开始yum吧~~! yum install fail2ban fail2ban noarch 0.8.2-3.el5.rf rpmforge 125 k Installing for dependencies: gamin gamin-python 安装是十分简单的拉. fail2ban 原理 fail2ban 调用 iptables 实时阻挡外界的攻击,按照你的要求在一段时间内找出符合条件的日志,然后动作。 二 设定fail2ban服务 fail2ban 的设定档在这里 /etc/fail2ban fail2ban.conf 日志设定文档 jail.conf 阻挡设定文档 /etc/fail2ban/filter.d 具体阻挡内容设定目录 三 为何需要安装fail2ban呢? Extmail 本身是没有邮件系统被攻击的解决方案,黑客是会不断user unknow地试探pop3 smtp 认证得到密码或电邮地址,大家可能问得到邮地址有何作用呢?电邮地址是可以贩卖的哦!而且十分值钱的,如果垃圾邮件者购买了这些地址,你的邮件服务器就有排忙了。 你话需不需要安装个fail2ban保护呢? 四 实施保护 1. 保护 SSH 拦截 先看看fail2ban是如何拦截的? cat /etc/fail2ban/filter.d/sshd.conf failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$ fail2ban 使用了正则表达式找出: Authentication failure/authentication failure ROOT LOGIN REFUSED refused connect from POSSIBLE BREAK-IN ATTEMPT not allowed because not listed in AllowUsers 以上的状况,可以根据你实际要求删减. 其中<HOST> 为建立连接的IP 开启 SSH 拦截 vi /etc/fail2ban/jail.conf [ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=收件者电邮地址, sender=寄件者电邮地址] logpath = /var/log/secure maxretry = 3 findtime = 300 bantime = 86400 fail2ban 会按照你的要求去查看/var/log/secure日志文件,然后在findtime = 300 "5分钟" 之内符合条件 的记录下来,如果到达了maxretry = 3 "3次符合条件" 就阻挡这个IP连接22端口 bantime = 86400 "一天的时间". 2. POP3 保护拦截 cat /etc/fail2ban/filter.d/courierlogin.conf failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$ 这里表示错误地输入用户名/密码的pop3连接. 开启 pop3 保护 vi /etc/fail2ban/jail.conf [POP3] enabled = true filter = courierlogin action = iptables[name=pop3, port=110, protocol=tcp] logpath = /var/log/maillog bantime = 1800 findtime = 300 maxretry = 15 大家应该懂得如何看了吧? 我不写拉!好累。参数可以按照你实际要求修改噢~! 3. POP3-SSL 保护拦截 cat /etc/fail2ban/filter.d/courierlogin-ssl.conf failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$ 这里表示错误地输入用户名/密码的pop3-ssl连接. vi /etc/fail2ban/jail.conf [POP3-SSL] enabled = true filter = courierlogin-ssl action = iptables[name=pop3-ssl, port=995, protocol=tcp] logpath = /var/log/maillog bantime = 1800 findtime = 300 maxretry = 15 4 SMTP 保护拦截 cat /etc/fail2ban/filter.d/couriersmtp.conf failregex = postfix/smtpd.* warning: unknown\[<HOST>\]: SASL LOGIN authentication failed: authentication failure 这里表示错误地输入用户名/密码的smtp连接. vi /etc/fail2ban/jail.conf [SMTP] enabled = true filter = couriersmtp action = iptables[name=smtp, port=25:366, protocol=tcp] logpath = /var/log/maillog bantime = 1800 findtime = 300 maxretry = 15 参数可以按照你实际要求修改. 5. Extmail 登录保护 由于Extmail 的web mail 登入没有做到保护,现在加固吧! vi /etc/fail2ban/filter.d/extmail.conf failregex = extmail.*: user=.*, client=<HOST>, module=login, status=badlogin 这里表示错误地输入用户名/密码的web mail 登入. vi /etc/fail2ban/jail.conf [extmail] enabled = true filter = extmail action = iptables[name=httpd, port=http, protocol=tcp] logpath = /var/log/maillog bantime = 300 findtime = 300 maxretry = 6 6. POSTFIX 保护User unknow 的试探. 不知道这个动作的意思先看看这篇文章。 http://hi.baidu.com/enjoyunix/blog/item/e8506058fd3c3189810a183a.html vi /etc/fail2ban/filter.d/postfix.conf failregex = reject: RCPT from (.*)\[<HOST>\]: 450 vi /etc/fail2ban/jail.conf [POSTFIX] enabled = true filter = postfix action = iptables[name=postfix, port=25, protocol=tcp] logpath = /var/log/maillog bantime = 43200 findtime = 1200 maxretry = 5 这里保护了User unknow 的试探以及垃圾邮件跳信攻击。 五 看看iptables iptables -L -nv pkts bytes target prot opt in out source destination 0 0 fail2ban-pop3-ssl tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 773 83329 fail2ban-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 299 12660 fail2ban-pop3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 301 12740 fail2ban-ftp tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 3354 253K fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 438 33979 fail2ban-httpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5703 packets, 829K bytes) pkts bytes target prot opt in out source destination Chain fail2ban-SSH (1 references) pkts bytes target prot opt in out source destination 3354 253K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-ftp (1 references) pkts bytes target prot opt in out source destination 301 12740 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-httpd (1 references) pkts bytes target prot opt in out source destination 438 33979 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-pop3 (1 references) pkts bytes target prot opt in out source destination 299 12660 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-pop3-ssl (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-postfix (1 references) pkts bytes target prot opt in out source destination 773 83329 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-smtp (0 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 如何监察呢? #watch -n 1 fail2ban-client status POSTFIX Status for the jail: POSTFIX |- filter | |- File list: /var/log/maillog | |- Currently failed: 2 | `- Total failed: 22 `- action |- Currently banned: 0 | `- IP list: `- Total banned: 0 看看那些垃圾邮件者真是好无聊!不断地试探我的邮件服务器呢。 六 看看fail2ban的日志 # cat fail2ban.log | grep '] Ban ' 2009-04-07 20:22:44,575 fail2ban.actions: WARNING [POSTFIX] Ban ip地址 就以看到过去有那些IP拦截了,以及是那个服务。 # cat fail2ban.log | grep '] Unban ' 可以查看什么时候解的 (责任编辑:IT) |