安裝前先弄好epel-release
yum -y install fail2ban
主要設定檔:
vim /etc/fail2ban/fail2ban.conf
日誌級別
# fail2ban's own log verbosity; kept numeric as the author set it
# NOTE(review): newer fail2ban releases also accept level names (e.g. INFO) — confirm
# which form the installed version expects
loglevel = 3
確認log輸出檔
# destination of fail2ban's own log (a file here); the jails below read service logs, not this one
logtarget = /var/log/fail2ban.log
socket 與 pid 的設定維持預設即可,不需改動
再把以下設定補上
# let fail2ban locate the syslog socket itself
syslogsocket = auto
# persistent ban database, used to restore bans after a restart
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# seconds after which old ban records are purged from the database (86400 = 24 h)
# NOTE(review): several jails below set bantime far above this (up to 30000000 s);
# whether such bans are still restored after a restart once their record is purged
# depends on the fail2ban version — confirm before relying on the long bans
dbpurgeage = 86400
設定jail檔: vim /etc/fail2ban/jail.conf (關掉EMAIL通知功能)
設定某些特殊ip不用管制
# illustration of the exemption line; the effective copy is the one under [DEFAULT] below
ignoreip = 127.0.0.1/8 192.168.0.0/24
[DEFAULT]
# fallbacks inherited by every jail that does not override them
# failures allowed within findtime before the source is banned
maxretry = 3
# window, in seconds, over which maxretry failures are counted
findtime = 600
# ban length in seconds (600 = 10 min); the jails below raise this
bantime = 600
# sources that are never banned: loopback and the 192.168.0.0/24 LAN
# (an address in these ranges is exempt from every jail, so widen with care)
ignoreip = 127.0.0.1/8 192.168.0.0/24
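[ssh-iptables]
# brute-force protection for sshd
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# log scanned for sshd authentication failures on this host
logpath = /var/log/secure
# overrides the [DEFAULT] value of 3
maxretry = 5
# seconds; 14400 = 4 hours
# (comment kept on its own line: a trailing "# ..." is read as part of the value
# by fail2ban's INI parser, which left bantime unparsable as an integer)
bantime = 14400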
防止email主機被試探帳號
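[dovecot]
# password-guessing protection for the mail access ports listed in the action
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,smtp,smtps,submission,sieve", protocol=tcp]
# same exemptions as [DEFAULT], repeated so this jail keeps them even if the default changes
ignoreip = 127.0.0.1/8 192.168.0.0/24
# log scanned for dovecot authentication failures on this host
logpath = /var/log/secure
# a single failure bans: trusted ranges are already exempt via ignoreip, so this can be strict
maxretry = 1
# seconds; 36000 = 10 hours
# (comment kept on its own line: a trailing "# ..." is read as part of the value
# by fail2ban's INI parser, which left maxretry and bantime unparsable as integers)
bantime = 36000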
防止webmail被試探帳號(roundcube那邊 $config['log_logins'] = true;)
[roundcube-iptables]
# webmail login protection; needs roundcube's log_logins enabled so attempts reach userlogins.log
enabled = true
filter = roundcube-auth
action = iptables-multiport[name=RoundCube, port="http,https"]
# log written by roundcube for login attempts
logpath = /var/log/roundcubemail/userlogins.log
# same value as [DEFAULT]
maxretry = 3
# seconds; 36000 = 10 hours
bantime = 36000
# same exemptions as [DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/24
防止網頁被試探路徑與script
[apache-noscript]
# bans clients probing for scripts/paths that show up in the Apache error log
enabled = true
filter = apache-noscript
# jail-level port; the action below names the same ports explicitly
port = http,https
action = iptables-multiport[name=apache-noscript, port="http,https"]
logpath = /var/log/httpd/error_log
# one hit is enough; trusted ranges are exempt via ignoreip
maxretry = 1
# seconds; 36000 = 10 hours
bantime = 36000
# same exemptions as [DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/24
防止mail主機被嘗試登入
[postfix-sasl]
# SMTP AUTH brute-force protection for postfix
enabled = true
# the postfix filter in SASL-auth mode
filter = postfix[mode=auth]
# NOTE(review): the submission port (587) is not covered here — add it if this host
# accepts authenticated submission there
action = iptables-multiport[name=Postfix-sasl, port="smtp,465"]
# fail2ban interpolates this from the postfix_backend key of the shipped jail.conf — confirm it exists
backend = %(postfix_backend)s
logpath = /var/log/maillog
# one failure bans; trusted ranges are exempt via ignoreip
maxretry = 1
# seconds; 360000 = 100 hours
bantime = 360000
有關DNS攻擊的部份,需搭配named log設定輸出,在DNS設定那篇會提到(若造成CPU負載過重,請勿使用)
[named-refused-udp]
# bans sources whose queries named refuses (UDP side); needs named's security log enabled
# UDP source addresses can be forged, so a forged query can get a legitimate
# resolver banned for the whole bantime — keep this jail off unless the risk and
# the extra CPU load are acceptable
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath = /var/log/named/named_security.log
# seconds; 30000000 is roughly 347 days
bantime = 30000000
[named-refused-tcp]
# TCP counterpart of named-refused-udp; same filter and log, different protocol in the action
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/named/named_security.log
# seconds; 30000000 is roughly 347 days
bantime = 30000000
systemctl start fail2ban 開始執行
開機設定執行
systemctl enable fail2ban
fail2ban-client status 查看全部有幾組設定檔
Status
|- Number of jail: 6
`- Jail list: dovecot, dovecot-auth, named-refused-tcp, named-refused-udp, ssh-iptables, vsftpd-iptables
fail2ban-client status dovecot 查看dovecot規則的狀態
查看目前防火牆阻擋的情況
iptables -L -n
iptables -S
錯誤排除:
若出現「/var/run/fail2ban/fail2ban.sock. Is fail2ban running?」的錯誤訊息
代表jail.conf設定檔內有錯誤
使用systemctl -l status fail2ban來除錯
誤判清除與開放:
若是某些原因造成誤鎖,可用iptables打開它
先查看規則鏈 iptables -n -L
Chain f2b-dovecot (1 references)
target prot opt source destination
REJECT all -- 123.456.789.123 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
iptables -D f2b-dovecot -s 123.456.789.123 -j REJECT
這樣就移掉了
跑過防火牆異動後,通常都會一併清空CHAIN規則,連帶fail2ban的規則都被清掉
可以在防火牆批次檔最後面加上 fail2ban-client reload 即可避免
fail2ban安裝文件有提到,hacker可以偽造來源位址,惡意讓主機封鎖正常的IP,造成DNS無法解析,所以named-refused-udp必須小心使用,並注意CPU loading的問題
# unban one IP from the sshd jail (replace the placeholder with the address)
# NOTE(review): the jail configured above is named [ssh-iptables]; these commands
# target a jail called "sshd", so use the name that actually exists on this host
fail2ban-client set sshd unbanip XXX.XXX.XXX.XXX
# unban every IP currently banned by the sshd jail
fail2ban-client set sshd unbanip --all
# manually ban an IP in the sshd jail
fail2ban-client set sshd banip XXX.XXX.XXX.XXX
# reload the configuration and unban every currently banned IP in all jails
# NOTE(review): this is not a wipe of the persistent database — old records are
# removed by dbpurgeage (fail2ban.conf above); confirm against the installed version
fail2ban-client reload --unban
