Fail2ban
Fail2ban helps you to protect yourself from brute force attacks coming from a single IP-address by monitoring the log files on your server. Fail2ban can be used - for example - to prevent logging in after a set amount of failed login attempts.
You can get different kinds of filters for Fail2ban which work for instance with Apache, Dovecot, Postfix and SSH.
The problem with Fail2ban is that it does not support IPv6 addresses and does not protect well against distributed brute force attacks.
Sisällysluettelo
Installation
Debian / Ubuntu
aptitude install fail2ban
OR
apt-get install fail2ban
Red Hat / CentOS / Fedora
Download installation package
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install with the command
yum install fail2ban
Configuration
Open /etc/fail2ban/jail.conf
nano /etc/fail2ban/jail.conf
Default settings:
ignoreip = IP-addresses which bypass the filters
bantime = Determines how long an address is kept on the ban list, default is 600 seconds
findtime = Blocks an IP-address if it has failed to login three times consecutively within the set time, findtime
maxretry = Kuinka monta yritystä, ennen kuin osoite estetään
Esimerkki konfiguroinnista:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 192.168.1.1 bantime = 600 maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto
Eli jätetään estolistan ulkopuolelle IP-osoitteet 192.168.1.1 ja 172.0.0.1 (=localhost). Enintään 3 yritystä sallitaan ja jos ylittyy niin pistetään 600 sekunniksi estolistalle.
Ja lisäksi SSH:n konfiguraatiot:
[ssh] # fail2ban-ssh = Suodattimen nimi enabled = true # Onko siis suodatin käytössä? Vaihtoehtona true ja false. port = ssh # Portti missä on, voi olla siis ssh tai portti numero esim. 22 filter = sshd # Suodattimen tyyppi. Suodattimet löytyy /etc/fail2ban/filter.d/ hakemistosta. logpath = /var/log/auth.log # Lokien sijainti maxretry = 6 # Kuinka monta yritystä sallitaan
Seuraavassa esimerkit konfiguraatiosta:
Apache
[apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6
# default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6
[apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6
[apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2
SSH
[ssh]
enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6
Oletuksena SSH sallii 6 yritystä muodostaessa yhteyttä, suositus on 3 yritystä.
port = ssh pitää muuttaa jos olet muuttanut SSH:n oletusporttia /etc/ssh/sshd.config tiedostosta.
Proftpd
[proftpd]
enabled = true port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 3
Postfix
[postfix] enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log
[sasl] enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log
[dovecot] enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log
Lokitiedosto
Fail2ban tarkistaa estolistan fail2ban lokista, joka on polussa /var/log/fail2ban.log
nano /var/log/fail2ban.log
Tiedostossa näkyy kaikki lokit ja yritykset muodostaessa yhteyttä palvelimeen.
Esimerkkiloki:
2014-05-13 15:52:30,388 fail2ban.actions: WARNING [sendmail] Ban XXX.66.82.116 2014-05-13 15:59:29,295 fail2ban.actions: WARNING [sendmail] Ban XXX.27.118.100 2014-05-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban XXX.66.82.116 2014-05-13 16:14:29,530 fail2ban.actions: WARNING [sendmail] Unban XXX.27.118.100 2014-05-13 16:56:27,086 fail2ban.actions: WARNING [ssh] Ban XXX.136.60.164 2014-05-13 17:11:27,833 fail2ban.actions: WARNING [ssh] Unban XXX.136.60.164
Aiheeseen liittyvää
Lisätietoa
https://www.omaserveri.info/suojaa-ssh-yhteytesi-brute-force-hyokkayksilta/
Lähteet
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6