Trying out Fail2BAN

Last-modified: Thu, 18 Oct 2018 21:19:53 JST (27d)

Fail2BAN is a program that picks specific keywords out of server logs and blocks the accesses that match them.
You could do something similar with a shell script, but Fail2BAN lets you express rules such as "if there are N accesses in a row, block for 10 minutes".

Note that Fail2BAN blocks by dynamically inserting rules into iptables, so it needs an environment where iptables works.

  • Installation
    apt-get install fail2ban
  • Configuration
    Settings written in jail.local override jail.conf. Since jail.conf can be replaced on updates,
    put your settings in jail.local.
  • Example jail.local
    [INCLUDES]
    
    #before = paths-distro.conf
    # This is Ubuntu, so load the Debian paths file.
    before = paths-debian.conf
    
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    
    [DEFAULT]
    
    #
    # MISCELLANEOUS OPTIONS
    #
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8
    
    # External command that will take a tagged argument to ignore, e.g. <ip>,
    # and return true if the IP is to be ignored. False otherwise.
    #
    # ignorecommand = /path/to/command <ip>
    ignorecommand =
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 3600
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 30
    
    # "maxretry" is the number of failures before a host gets banned.
    maxretry = 1
    
    
    #
    # ACTIONS
    #
    # Some options used for actions
    
    # Destination email address used solely for the interpolations in
    # jail.{conf,local,d/*} configuration files.
    destemail = fail2ban@example.com
    
    # Sender email address used solely for some actions
    sender = fail2ban@example.com
    
    
    #
    # JAILS
    #
  • Configuration examples
    • Blocking attacks on phpMyAdmin
      First, set up the filter that picks the target keywords out of the log. (Reference)
      • Create filter.d/apache-phpmyadmin.conf
        [Definition]
        failregex = (?i)\[client <HOST>\] File does not exist:.*admin.*
                    (?i)\[client <HOST>\] File does not exist:.*manager.*
                    (?i)\[client <HOST>\] File does not exist:.*setup.*
                    (?i)\[client <HOST>\] File does not exist:.*mysql.*
                    (?i)\[client <HOST>\] File does not exist:.*sqlweb.*
                    (?i)\[client <HOST>\] File does not exist:.*webdb.*
                    (?i)\[client <HOST>\] File does not exist:.*pma.*
                    (?i)\[client <HOST>\] File does not exist:.*vtigercrm.*
                    (?i)^<HOST>.*GET.*admin.*
                    (?i)^<HOST>.*GET.*manager.*
                    (?i)^<HOST>.*GET.*setup.*
                    (?i)^<HOST>.*GET.*mysql.*
                    (?i)^<HOST>.*GET.*sqlweb.*
                    (?i)^<HOST>.*GET.*webdb.*
                    (?i)^<HOST>.*GET.*pma.*
                    (?i)^<HOST>.*GET.*vtigercrm.*
        
                    [[]client <HOST>[]] user .* authentication failure
                    [[]client <HOST>[]] user .* not found
                    [[]client <HOST>[]] user .* password mismatch
        
                    ^<HOST> -.*"POST /wp-login.php HTTP.*$
        
                    [[]client <HOST>[]] script '.*' not found or unable to stat$
                    [[]client <HOST>[]] client denied by server configuration:
                    [[]client <HOST>[]] File does not exist: .*([Aa]dmin|[Mm]anager|[Ee]ditor|[Uu]ser|login)
                    [[]client <HOST>[]] File does not exist: .*/([Pp][Mm][Aa]|[Mm][Yy][Ss][Qq][Ll])
                    [[]client <HOST>[]] File does not exist: .*/(db|scripts|forum|board|[vV][bB])
                    [[]client <HOST>[]] File does not exist: .*/(blog|wordpress|wp)
                    [[]client <HOST>[]] File does not exist: .*/(catalog|shop|oscommerce|ipb)
        
        ignoreregex =
      • Check that the filter matches the log:
        fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-phpmyadmin.conf
      • Add the following to jail.local:
        [apache-admin]
        enabled  = true
        filter   = apache-phpmyadmin
        action   = iptables-multiport[name=admin, port="http,https", protocol=tcp]
                   sendmail-whois[name=admin, dest=root]
        logpath  = /var/log/apache2/error.log
                   /var/log/apache2/access.log
        maxretry = 10
        findtime = 1200
        bantime  = 1200
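To see what the filter and the jail options above actually do to a log, here is an added Python example (not code from the page or from the Fail2ban project) that applies four of the failregex lines to constructed access.log and error.log entries and replays the maxretry/findtime rule over them. HOST, FAILREGEX, match_host, bans and the sample lines are all assumptions made here; the two error.log patterns are widened for the Apache 2.4 log format, which adds the client port and an AHnnnnn code that the page's originals do not allow for.

```python
import re
from collections import defaultdict
# Stand-in for the regex Fail2ban substitutes for <HOST> (assumption: IPv4 only;
# the real one also accepts IPv6 addresses and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Four of the filter's failregex lines. (?i) is moved to the front, where Python
# requires global flags. Apache 2.4 logs "[client 1.2.3.4:56789]" and prefixes
# messages with an AHnnnnn code, so the error.log patterns accept both (assumed 2.4).
FAILREGEX = [
    r"(?i)^<HOST>.*GET.*pma.*",
    r'^<HOST> -.*"POST /wp-login.php HTTP.*$',
    r"\[client <HOST>(?::\d+)?\] (?:AH\d+: )?File does not exist: .*/(db|scripts|forum|board|[vV][bB])",
    r"\[client <HOST>(?::\d+)?\] (?:AH\d+: )?user .* authentication failure",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

def match_host(line):
    """Return the offending host if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def bans(events, maxretry, findtime):
    """Replay (epoch, line) events and ban a host once it has maxretry matches
    within findtime seconds, the rule the jail's maxretry/findtime options express."""
    recent, banned = defaultdict(list), {}
    for ts, line in events:
        host = match_host(line)
        if host is None or host in banned:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample lines: a scanner probing phpMyAdmin paths (access.log and
# error.log), an ordinary 404 that must not count, and a slow wp-login brute-forcer.
EVENTS = [
    (1000, '203.0.113.5 - - [18/Oct/2018:21:00:00 +0900] "GET /pma/index.php HTTP/1.1" 404 488 "-" "curl"'),
    (1001, '203.0.113.5 - - [18/Oct/2018:21:00:01 +0900] "GET /PMA/ HTTP/1.1" 404 488 "-" "curl"'),
    (1002, '[Thu Oct 18 21:00:02.000000 2018] [core:info] [pid 12] [client 203.0.113.5:40001] AH00128: File does not exist: /var/www/html/forum'),
    (1003, '198.51.100.7 - - [18/Oct/2018:21:00:03 +0900] "GET /about.html HTTP/1.1" 404 210 "-" "Mozilla"'),
    (2000, '192.0.2.9 - - [18/Oct/2018:21:16:40 +0900] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests"'),
    (3300, '192.0.2.9 - - [18/Oct/2018:21:38:20 +0900] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests"'),
    (3400, '192.0.2.9 - - [18/Oct/2018:21:40:00 +0900] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests"'),
]
```

With maxretry=3 and findtime=1200 only the scanner is banned: the brute-forcer's first POST falls out of the window before the next one arrives. Note that the wp-login.php pattern counts every POST, successful logins included, so a legitimate user who logs in maxretry times within findtime is banned as well.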
