Fail2BANを使ってみる

Last-modified: Thu, 13 Jun 2019 00:40:16 JST (1780d)
Top > Fail2BANを使ってみる

サーバのログから特定のキーワードを抽出し、該当アクセスを遮断してくれるFail2BANというソフトがあります。
似たようなことはシェルスクリプトでも出来なくはないのですが、N回連続でアクセスがあったら10分ブロック。のようなことができます。

なお、Fail2BANはiptablesにルールを動的に差し込むことで遮断しますので、iptablesが動作する環境が必要です。

  • インストール 
    apt-get install fail2ban
  • 設定
    jail.localに設定をすると、jail.confを上書きできます。jail.confはアップデート時に変更されることがあるので
    jail.localのほうへ設定をします。
  • jail.localの設定例 
    [INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf      #Ubuntuなので、こちらを読み込ます

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 # BAN対象外ネットワークを設定。

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600   # BANする秒数

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 30  # 条件に合致したとカウントする秒数

# "maxretry" is the number of failures before a host get banned.
maxretry = 1  # 条件に合致した回数


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = fail2ban@example.com

# Sender email address used solely for some actions
sender = fail2ban@example.com


#
# JAILS
#
  • 設定例
    • PHPMYADMINへのアタック防御
      まずはログから対象となるキーワードをひっかける設定を行います。参考
      • filter.d/apache-phpmyadmin.confを作成 
        [Definition]
failregex = \[client <HOST>\] File does not exist:.*(?i)admin.*
            \[client <HOST>\] File does not exist:.*(?i)manager.*
            \[client <HOST>\] File does not exist:.*(?i)setup.*
            \[client <HOST>\] File does not exist:.*(?i)mysql.*
            \[client <HOST>\] File does not exist:.*(?i)sqlweb.*
            \[client <HOST>\] File does not exist:.*(?i)webdb.*
            \[client <HOST>\] File does not exist:.*(?i)pma.*
            \[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
            ^<HOST>.*GET.*(?i)admin.*
            ^<HOST>.*GET.*(?i)manager.*
            ^<HOST>.*GET.*(?i)setup.*
            ^<HOST>.*GET.*(?i)mysql.*
            ^<HOST>.*GET.*(?i)sqlweb.*
            ^<HOST>.*GET.*(?i)webdb.*
            ^<HOST>.*GET.*(?i)pma.*
            ^<HOST>.*GET.*(?i)vtigercrm.*

            [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch

            ^<HOST> -.*"POST /wp-login.php HTTP.*$

            [[]client <HOST>[]] script '.*' not found or unable to stat$
            [[]client <HOST>[]] client denied by server configuration:
            [[]client <HOST>[]] File does not exist: .*([Aa]dmin|[Mm]anager|[Ee]ditor|[Uu]ser|login)
            [[]client <HOST>[]] File does not exist: .*/([Pp][Mm][Aa]|[Mm][Yy][Ss][Qq][Ll])
            [[]client <HOST>[]] File does not exist: .*/(db|scripts|forum|board|[vV][bB])
            [[]client <HOST>[]] File does not exist: .*/(blog|wordpress|wp)
            [[]client <HOST>[]] File does not exist: .*/(catalog|shop|oscommerce|ipb)

ignoreregex =
      • 設定がマッチするかをチェックします。 
        fail2ban-regex  /var/log/apache2/access_log /etc/fail2ban/filter.d/apache-phpmyadmin.conf
      • jail.localに以下追記します。 
        [apache-admin]
enabled  = true
filter   = apache-phpmyadmin
action  = iptables[name=admin, port=http,https protocol=tcp]
          sendmail-whois[name=admin, dest=root]
logpath  = /var/log/apache2/error.log
           /var/log/apache2/access.log
maxretry = 10
findtime = 1200
bantime = 1200
Counter: 705, today: 2, yesterday: 1

このページの参照回数は、705です。