Mainos / Advertisement:

Fail2ban

Kohteesta Taisto
Versio hetkellä 20. heinäkuuta 2015 kello 11.41 – tehnyt Frans (keskustelu | muokkaukset) (Ak: Uusi sivu: This configuration excludes the IP-addresses 192.168.1.1 and 172.0.0.1 (=localhost) from the ban list. Maximum 3 login attempts allowed until address is placed on a 600 second ban...)
Siirry navigaatioon Siirry hakuun
Muut kielet:
English • ‎suomi

Fail2ban helps you to protect yourself from brute force attacks coming from a single IP-address by monitoring the log files on your server. Fail2ban can be used - for example - to prevent logging in after a set amount of failed login attempts.

You can get different kinds of filters for Fail2ban which work for instance with Apache, Dovecot, Postfix and SSH.

The problem with Fail2ban is that it does not support IPv6 addresses and does not protect well against distributed brute force attacks.


Installation

Debian / Ubuntu

 aptitude install fail2ban

OR 

 apt-get install fail2ban

Red Hat / CentOS / Fedora

Download installation package

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install with the command 

 yum install fail2ban

Configuration

Open /etc/fail2ban/jail.conf 

 nano /etc/fail2ban/jail.conf

Default settings:

ignoreip = IP-addresses which bypass the filters

bantime = Determines how long an address is kept on the ban list, default is 600 seconds

findtime = Blocks an IP-address if it has failed to login three times consecutively within the set time, findtime

maxretry = How many attempts an address is allowed until it is blocked


Example configuration:

[DEFAULT] 

 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = 127.0.0.1 192.168.1.1
 bantime  = 600
 maxretry = 3
 
 # "backend" specifies the backend used to get files modification. Available
 # options are "gamin", "polling" and "auto


This configuration excludes the IP-addresses 192.168.1.1 and 172.0.0.1 (=localhost) from the ban list. Maximum 3 login attempts allowed until address is placed on a 600 second ban list.

Ja lisäksi SSH:n konfiguraatiot: 

[ssh]                                      # fail2ban-ssh = Suodattimen nimi
 
enabled  = true                            # Onko siis suodatin käytössä? Vaihtoehtona true ja false.
port     = ssh                             # Portti missä on, voi olla siis ssh tai portti numero  esim. 22 
filter   = sshd                            # Suodattimen tyyppi. Suodattimet löytyy /etc/fail2ban/filter.d/ hakemistosta.
logpath  = /var/log/auth.log               # Lokien sijainti
maxretry = 6                               # Kuinka monta yritystä sallitaan

Seuraavassa esimerkit konfiguraatiosta:

Apache

 [apache]
 
 enabled  = true
 port     = http,https
 filter   = apache-auth
 logpath  = /var/log/apache*/*error.log
 maxretry = 6

 # default action is now multiport, so apache-multiport jail was left
 # for compatibility with previous (<0.7.6-2) releases
 [apache-multiport]
 
 enabled   = true
 port      = http,https
 filter    = apache-auth
 logpath   = /var/log/apache*/*error.log
 maxretry  = 6

 [apache-noscript]
 
 enabled  = true
 port     = http,https
 filter   = apache-noscript
 logpath  = /var/log/apache*/*error.log
 maxretry = 6

 [apache-overflows]
 
 enabled  = true
 port     = http,https
 filter   = apache-overflows
 logpath  = /var/log/apache*/*error.log
 maxretry = 2


SSH

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Oletuksena SSH sallii 6 yritystä muodostaessa yhteyttä, suositus on 3 yritystä.

port = ssh pitää muuttaa jos olet muuttanut SSH:n oletusporttia /etc/ssh/sshd.config tiedostosta.

Proftpd

 [proftpd]

 enabled  = true
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = proftpd
 logpath  = /var/log/proftpd/proftpd.log
 maxretry = 3

Postfix

 [postfix]
 
 enabled  = true
 port     = smtp,ssmtp
 filter   = postfix
 logpath  = /var/log/mail.log

 [sasl]
 
 enabled  = true
 port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter   = sasl
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
 logpath  = /var/log/mail.log

 [dovecot]
 
 enabled = true
 port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter  = dovecot
 logpath = /var/log/mail.log

Lokitiedosto

Fail2ban tarkistaa estolistan fail2ban lokista, joka on polussa /var/log/fail2ban.log 

 nano /var/log/fail2ban.log


Tiedostossa näkyy kaikki lokit ja yritykset muodostaessa yhteyttä palvelimeen.


Esimerkkiloki: 


 2014-05-13 15:52:30,388 fail2ban.actions: WARNING [sendmail] Ban XXX.66.82.116
 2014-05-13 15:59:29,295 fail2ban.actions: WARNING [sendmail] Ban XXX.27.118.100
 2014-05-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban XXX.66.82.116
 2014-05-13 16:14:29,530 fail2ban.actions: WARNING [sendmail] Unban XXX.27.118.100
 2014-05-13 16:56:27,086 fail2ban.actions: WARNING [ssh] Ban XXX.136.60.164
 2014-05-13 17:11:27,833 fail2ban.actions: WARNING [ssh] Unban XXX.136.60.164

Aiheeseen liittyvää

Iptables

Lisätietoa

https://www.omaserveri.info/suojaa-ssh-yhteytesi-brute-force-hyokkayksilta/

Lähteet

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6

Noudettu kohteesta ”https://taisto.org/index.php?title=Fail2ban/en&oldid=7864
Mainos / Advertisement: