gentoo fail2ban


The fail2ban service scans log files for patterns of specific repeated attempts (for example, failed SSH authentication attempts, or a flood of GET/POST requests on a web server) and, when such a pattern is detected, automatically creates a firewall or TCP wrappers deny rule.

Although the service supports many services out of the box, its configuration is very generic and can be extended easily.

Features

Jails

The main purpose of fail2ban is to "jail" services. When a service, say SSHd, is jailed, fail2ban continuously watches that service's log for repeated attempts. When a given number of them (maxretry) is detected within a specific time window, a blocking rule is set up automatically (for example, through iptables).

These jails are configured through /etc/fail2ban/jail.conf. fail2ban already provides a good jail.conf file by default, but every jail in it is disabled, so that the service does not accidentally filter out valid requests the moment the administrator starts it.

File /etc/fail2ban/jail.conf: SSH jail example
[DEFAULT]
# ignoreip is a space-separated list; 192.168.100.24 is the management network
ignoreip = 127.0.0.1 192.168.100.24
# 1 day (in seconds)
bantime = 86400
# 5 minutes (in seconds)
findtime = 300
# default repeat count
maxretry = 3

# Jail entry for SSH, using iptables for the firewall
[ssh-iptables]
# Note that it is disabled by default
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
# Override the default of 3
maxretry = 5

jail.d

Jails can be split into separate jail files, which makes individual jails easier to sort, disable or enable. fail2ban reads jail.d/*.conf, so moving sshd.conf to sshd.conf.backup disables that jail.

File /etc/fail2ban/jail.d/sshd.conf: syslog & ufw example
[ssh-iptables]
enabled = true
filter = sshd
action = ufw[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
# Override the default of 3
maxretry = 5

Filter expressions

Inside /etc/fail2ban/filter.d, various filter definitions can be created. These files usually contain regular expressions that match an attempt. Whenever a regular expression matches a line in the log file, the counter for that jail and the offending host is incremented.
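To make the filter and jail mechanics concrete, here is an added Python example (not fail2ban's own code) that applies a simplified sshd failregex, with fail2ban's <HOST> placeholder expanded to an IPv4 group, to constructed auth.log lines and then applies the maxretry, findtime and ignoreip logic from the jail.conf example above. The log lines, hostnames and PIDs are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified sshd failregex in filter.d style. <HOST> is fail2ban's placeholder
# for the offending address; here it is expanded to an IPv4 named group.
FAILREGEX = r"^\S+ +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed (?:password|publickey) for .* from <HOST>"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"))

# Jail settings taken from the jail.conf example (times in seconds)
IGNOREIP = {"127.0.0.1", "192.168.100.24"}
FINDTIME = 300
MAXRETRY = 3

# Constructed sample auth.log lines (not from a real system)
SAMPLE_LOG = """\
Dec 28 12:46:56 gentoo sshd[2101]: Failed password for root from 192.168.100.50 port 51022 ssh2
Dec 28 12:47:00 gentoo sshd[2101]: Failed password for root from 192.168.100.50 port 51022 ssh2
Dec 28 12:47:03 gentoo sshd[2102]: Failed password for invalid user admin from 192.168.100.50 port 51030 ssh2
Dec 28 12:47:10 gentoo sshd[2105]: Accepted publickey for alice from 192.168.100.7 port 40000 ssh2
Dec 28 12:50:00 gentoo sshd[2110]: Failed password for bob from 192.168.100.24 port 40010 ssh2
Dec 28 12:50:01 gentoo sshd[2110]: Failed password for bob from 192.168.100.24 port 40010 ssh2
Dec 28 12:50:02 gentoo sshd[2110]: Failed password for bob from 192.168.100.24 port 40010 ssh2
Dec 28 13:00:00 gentoo sshd[2120]: Failed password for carol from 10.0.0.9 port 40020 ssh2
Dec 28 14:00:00 gentoo sshd[2121]: Failed password for carol from 10.0.0.9 port 40021 ssh2
Dec 28 15:00:00 gentoo sshd[2122]: Failed password for carol from 10.0.0.9 port 40022 ssh2
"""

def parse_time(line):
    # Syslog stamps carry no year; 2011 is assumed to match the page's sample output
    return datetime.strptime("2011 " + line[:15], "%Y %b %d %H:%M:%S").timestamp()

def evaluate_jail(log_text):
    """Return {host: failure count} for hosts reaching MAXRETRY within FINDTIME."""
    recent = defaultdict(list)  # host -> timestamps of matches still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # no failregex matched, so the line is not counted
        host = m.group("host")
        if host in IGNOREIP or host in banned:
            continue  # whitelisted hosts are never counted; banned ones are done
        ts = parse_time(line)
        recent[host] = [t for t in recent[host] if ts - t <= FINDTIME] + [ts]
        if len(recent[host]) >= MAXRETRY:
            banned[host] = len(recent[host])  # the action (iptables etc.) fires here
    return banned
```

Only 192.168.100.50 is banned: the management host is whitelisted by ignoreip, the "Accepted" line matches no failregex, and 10.0.0.9 never accumulates three failures inside one findtime window.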

Actions

Inside /etc/fail2ban/action.d, various action definitions can be created. These files contain the commands to execute against the offending host. Definitions for iptables, nftables, tcpwrappers, shorewall and more are provided by default.

Log scanning

The fail2ban service supports file polling or the more efficient file modification notifications. If dev-python/pyinotify or app-admin/gamin is installed and the user has not changed the backend directive, pyinotify or gamin is used; otherwise fail2ban falls back to polling. This can of course be configured in /etc/fail2ban/jail.conf.

Using fail2ban

Installation

Installing net-analyzer/fail2ban is straightforward:

root # emerge --ask net-analyzer/fail2ban

At the time of writing, there are no USE flags to set (the selinux USE flag is not optional and is meant for SELinux-enabled systems). If you want to use gamin, also install app-admin/gamin:

root # emerge --ask app-admin/gamin

Configuration

To configure fail2ban, go to /etc/fail2ban. Read jail.conf, as it contains the rules you want to use (and the services to control), then override only the appropriate settings and enable the rules in jail.d/*.conf. If needed, create your own filters or actions.

For example, to enable the default SSH filter for rsyslog users:

File /etc/fail2ban/jail.d/sshd.conf (rsyslog)
[sshd]
enabled = true

Or for syslog-ng users:

File /etc/fail2ban/jail.d/sshd.conf (syslog-ng)
[sshd]
enabled = true
logpath = /var/log/messages


Once done, start the fail2ban service. You will probably also want to add it to the default runlevel.

root # rc-service fail2ban start
root # rc-update add fail2ban default

Interaction

As part of the fail2ban service, a fail2ban-client application is also available. With it you can query the running fail2ban service.

For example, to see the running jails:

root # fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

You can get specific information about each jail, such as the list of currently banned addresses, the filter being applied, and so on.

root # fail2ban-client status sshd
Status for the jail: sshd
|- filter
| |- File list: /var/log/auth.log 
| |- Currently failed:  1
| `- Total failed:      12
`- action
 |- Currently banned:   1
 | `- IP list:  192.168.100.50 
 `- Total banned:       2

Troubleshooting

When you suspect a filter is not working correctly, you can try it out with fail2ban-regex: pass it the log file to check and the filter to apply, and inspect what it reports back.

root # fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file  : /var/log/auth.log
Results
=======
Failregex
|- Regular expressions:
| [1] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
| [2] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| [3] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
| [4] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
| [5] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
| [6] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User \S+ from <HOST> not allowed because not listed in AllowUsers$
| [7] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
| [8] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
| [9] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*reverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT!\s*
| [10] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
|
`- Number of matches:
 [1] 30 match(es)
 [2] 0 match(es)
 [3] 0 match(es)
 [4] 0 match(es)
 [5] 0 match(es)
 [6] 0 match(es)
 [7] 0 match(es)
 [8] 0 match(es)
 [9] 0 match(es)
 [10] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
 192.168.100.50 (Wed Dec 28 12:46:56 2011)
 192.168.100.50 (Wed Dec 28 12:47:00 2011)
 192.168.100.50 (Wed Dec 28 12:47:03 2011)
 192.168.100.50 (Wed Dec 28 12:47:15 2011)
 192.168.100.50 (Wed Dec 28 12:47:18 2011)
 192.168.100.50 (Wed Dec 28 12:47:21 2011)
 192.168.100.50 (Wed Dec 28 14:23:08 2011)
 192.168.100.50 (Wed Dec 28 14:23:12 2011)
 192.168.100.50 (Wed Dec 28 14:23:23 2011)
 192.168.100.50 (Wed Dec 28 14:23:28 2011)
 192.168.100.50 (Wed Dec 28 14:23:31 2011)
 192.168.100.50 (Wed Dec 28 14:23:35 2011)
 192.168.100.50 (Wed Dec 28 15:15:09 2011)
 192.168.100.50 (Wed Dec 28 15:15:12 2011)
 192.168.100.50 (Wed Dec 28 15:15:14 2011)
 192.168.100.50 (Wed Dec 28 15:15:17 2011)
 192.168.100.50 (Wed Dec 28 15:15:20 2011)
 192.168.100.50 (Wed Dec 28 15:15:23 2011)
 192.168.100.50 (Wed Dec 28 15:21:29 2011)
 192.168.100.50 (Wed Dec 28 15:21:32 2011)
 192.168.100.50 (Wed Dec 28 15:21:34 2011)
 192.168.100.50 (Wed Dec 28 15:21:38 2011)
 192.168.100.50 (Wed Dec 28 15:21:41 2011)
 192.168.100.50 (Wed Dec 28 15:21:43 2011)
 192.168.100.50 (Wed Dec 28 17:36:00 2011)
 192.168.100.50 (Wed Dec 28 17:36:03 2011)
 192.168.100.50 (Wed Dec 28 17:36:05 2011)
 192.168.100.50 (Wed Dec 28 17:36:10 2011)
 192.168.100.50 (Wed Dec 28 17:36:13 2011)
 192.168.100.50 (Wed Dec 28 17:36:16 2011)
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
Date template hits:
2120 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): 
Success, the total number of match is 30
However, look at the above section 'Running tests' which could contain important
information.