fail2ban 是一個用於抵擋字典攻擊好用的小工具,而且支援許多服務,很值得花時間去熟悉它。
系統環境: debian 6 64bit
首先下指令安裝 fail2ban
aptitude install fail2ban
它最主要的設定檔就是 /etc/fail2ban/jail.conf 建議你最好先將此檔備份起來,因為設定錯誤或語法錯誤都會造成 fail2ban 無法正常啟動,而且有時還不會有任時提示訊息告訴你是哪一段錯誤了,反正就是無法啟動,讓你查老半天也查不出問題,反而只要將原始的設定檔一還原後就 ok 了。
若你不幸弄壞了此檔又忘了備份的話,可以從這裡 copy /usr/share/doc/fail2ban/examples/jail.conf.gz 範例檔回來。
原文件裡提到,最好不要修改此檔 /etc/fail2ban/jail.conf ,避免弄壞此檔,若有需要加入新規則的話,可另建立一檔名為 /etc/fail2ban/jail.local 這裡面的規則仍會被套用。
底下介紹 jail.conf 的內容
[DEFAULT] #↑預設值,也就是全域設定,底下個別的服務設定若沒有寫到的設定值,就會套用這裡的預設值 #設定不擋的 IP,可以是 CIDR mask 或域名 ignoreip = 127.0.0.1 192.168.0.0/16 #阻擋時間,單位為秒,過了設定的阻擋時間後,又會重新放行 (設數字 -1代表無限) bantime = 600 #被封鎖前的最大嘗試失敗次數 maxretry = 3 #間隔時間,單位為秒,與上面那行搭配解釋就是,60秒內輸入錯誤達3次即封鎖IP findtime = 60 # backend 指要用何種方式去偵測 log 檔案是否有異動,可用設定值有三個 gamin | polling | auto # 但目前在 debian 的版本只有 polling 能正常運作,所以沒得選,就設 polling 吧 backend = polling #阻擋發生後通知信要寄給誰 destemail = root@localhost #################### # ACTIONS # 封鎖行為 # banaction 封鎖時所要執行的動作,可執行的動作盡在此目錄內 /etc/fail2ban/action.d banaction = iptables-multiport # 寄信要用什麼程式,保留預設值即可。 mta = sendmail #通訊協定, protocol = tcp # 底下英文部份保留原始設定即可,不需修改 # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # 監獄 # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # 底下就是個別監獄的設定內容 # # [SECTION_NAME] ← 個別監獄名稱 # enabled = true # 你可以把你的個別設定,另外設定在此檔內 /etc/fail2ban/jail.local. # jail.local 此設定檔的參數可以覆蓋掉原本的預設值 # Optionally you may override any other parameter (e.g. banaction, # action, port, logpath, etc) in that section within jail.local #底下就是各位服務的個別設定 [ssh] #服務名稱 enabled = true #是否啟用此服務 port = ssh # port 可輸入數字 filter = sshd # 過濾條件,可用的過濾條件盡在此目錄內 /etc/fail2ban/filter.d # 若該目錄內沒有你要的過濾條件的話,那麼你就要自己寫 logpath = /var/log/auth.log # log 檔路徑位置 maxretry = 6 # 允許最大失敗次數之後,便開始封鎖 |
由於 ssh 服務已內建於設定檔,現在我們就要新增一個設定檔沒有的服務
新增 asterisk 服務 參考資料
1.編輯此檔 jail.local
vim /etc/fail2ban/jail.local
貼上底下內容
[asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org] logpath = /var/log/asterisk/messages maxretry = 3 #允許輸入密碼失敗次數 bantime = 600 #封鎖時間,單位為秒 |
新版的fail2ban可能需要這樣寫
[asterisk] enabled = true port = all protocol = udp banaction = iptables-allports filter = asterisk logpath = /var/log/asterisk/messages maxretry = 5 #允許輸入密碼失敗次數 bantime = -1 #封鎖時間,單位為秒 |
2.再新增過濾條件
vim /etc/fail2ban/filter.d/asterisk.conf
貼上底下內容,或是可直接下載此檔
# Fail2Ban configuration file # # # $Revision: 250 $ # http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] #_daemon = asterisk # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>:\d+' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>:\d+' - No matching peer found NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny) NOTICE.* <HOST> failed to authenticate as '.*'$ NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@<HOST>.* NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = |
這個過濾條件的最大用意就是用 正規表示法(regular expression) 去抓 log 檔內含攻擊者IP的特殊字串,變數 HOST 所抓取到的數值就會送給下一步的 action 所使用,
filter 微調說明:
NOTICE.* .*: Registration from '.*' failed for '<HOST>:\d+' - No matching peer found 上面這條規則適用底下訊息 [Sep 26 13:20:45] NOTICE[1398] chan_sip.c: Registration from '"phonea"<sip:phonea@59.125.33.108>' failed for '74.92.87.220:4430' - No matching peer found [Sep 26 13:20:45] NOTICE[1398] chan_sip.c: Registration from '"linea"<sip:linea@59.125.33.108>' failed for '74.92.87.220:4430' - No matching peer found [Sep 26 13:20:45] NOTICE[1398] chan_sip.c: Registration from '"receptiona"<sip:receptiona@59.125.33.108>' failed for '74.92.87.220:4430' - No matching peer found [Sep 26 13:20:45] NOTICE[1398] chan_sip.c: Registration from '"ab"<sip:ab@59.125.33.108>' failed for '74.92.87.220:4430' - No matching peer found [Sep 26 13:20:45] NOTICE[1398] chan_sip.c: Registration from '"bb"<sip:bb@59.125.33.108>' failed for '74.92.87.220:4430' - No matching peer found [Sep 26 13:20:45] NOTICE[1398] chan_sip.c: Registration from '"cb"<sip:cb@59.125.33.108>' failed for '74.92.87.220:4430' - No matching peer found [Sep 26 13:20:45] NOTICE[1398] chan_sip.c: Registration from '"db"<sip:db@59.125.33.108>' failed for '74.92.87.220:4430' - No matching peer found 上面這條規則適用底下訊息 [2014-03-13 10:57:20] NOTICE[2355]: chan_sip.c:25958 handle_request_register: Registration from '"422073419" <sip:422073419@ligcc.gogosip.com>' failed for '114.35.27.193:5060' - Wrong password |
3.修改log設定檔
vim /etc/asterisk/logger.conf
在[general] 這個區段加入底下這行
dateformat=%F %T
然後再下個指令
asterisk -rx “logger reload”
因為 asterisk log 預設的日期格式與 fail2ban不符,所以我們要修改一下才行
filter 寫好之後,可用底下的指令來測試語法是否正確
測試 filter 語法
fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
看運作狀態
fail2ban-client status
↑這會秀出已啟用的規則,例如
Status
|- Number of jail: 2
– Jail list: asterisk-iptables, ssh
以上就是說我們目前啟用了兩個規則
觀看阻擋狀態,後面請帶規則名稱
fail2ban-client status asterisk-iptables
action 的設定
action 設定檔示意圖 定義動作內容,可以編輯 /etc/fail2ban/action.d/*.(conf|local) 目錄下的檔案,如「iptables.conf」,後續於 jail.conf 中使用該 action 則名為 iptables。每個 action 設定檔中可分為以下幾個主要部分:
INCLUDES
可用來載入其他檔案的設定值,預設可自動引用 .local 檔案。
Init
可用來預先定義變數,供 Definition 中使用。
Definition
actionstart:定義當 Fail2ban 啟動時,所要執行的指令,如初使化設定。
actionstop:定義當 Fail2ban 停止時,所要執行的指令。
actionban:定義要阻擋某個 IP 時,所要執行的指令。
actionunban:定義要取消阻擋某個 IP 時,所要執行的指令。
actioncheck:定義於每次執行 actionban 或 actionunban 前,所要執行的指令,以判斷是否要執行 actionban 或 actionunban。
可用此指令看 iptables 的變化
iptables -S
注意: asterisk 預設的 log 等級不可修改,否則的話, fail2ban 無法正常運作。請檢查一下此檔 /etc/asterisk/logger.conf 裡的內容是否有這一行
messages => notice,warning,error
若filter正規表示法已有正確抓到IP,但就是沒有封鎖那個IP。可試著修改 jail.conf 裡面的 backend=auto 將它改為 backend=polling
補充說明:
相同功能的程式: DenyHosts 它與fail2ban的差別在於它是用 /etc/hosts.deny 這個設定檔在做的,而不是用 iptables 做的。
補充說明:
debian 原始碼安裝
apt-get build-dep fail2ban
#去官網下載 fail2ban-0.8.4.tar.bz2
tar jxvf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4.tar.bz2
python setup.py install
#下載啟動程式
wget http://note.vic.mh4u.org/setup/debian-fail2ban-initd.txt
chmod 755 debian-fail2ban-initd.txt
#設定開機啟動
cp debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban start 98 2 3 4 5 . stop 01 0 1 6 .
太感動了…寫得好詳細!!! 謝謝分享:)