Trying out Fail2BAN
Last-modified: Thu, 13 Jun 2019 00:40:16 JST (2078d)
Fail2BAN is a tool that picks particular patterns out of server logs and blocks the clients responsible for the matching requests.
Much the same can be done with a shell script, but Fail2BAN gives you rules such as "after N hits in a row, block for 10 minutes" out of the box.
Fail2BAN blocks by inserting rules into iptables dynamically, so it needs an environment where iptables works. Bans are keyed on the source address, so the addresses you administer from must be listed in ignoreip (see below) before a jail is enabled, or a rule that happens to match your own traffic will lock you out.
- Installation
 apt-get install fail2ban
- Configuration
Settings written in jail.local override those in jail.conf. jail.conf can be replaced when the package is updated, so put your own settings in jail.local (the package-shipped jail.conf documents every option and is the best reference for them).
- Example jail.local
 [INCLUDES]
 #before = paths-distro.conf
 # Ubuntu, so read the Debian paths file
 before = paths-debian.conf

 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 [DEFAULT]

 #
 # MISCELLANEOUS OPTIONS
 #

 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
 # Networks that are never banned; add your own management addresses here.
 ignoreip = 127.0.0.1/8

 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
 #
 # ignorecommand = /path/to/command <ip>
 ignorecommand =

 # "bantime" is the number of seconds that a host is banned.
 bantime = 3600

 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 # Window (in seconds) within which matches are counted.
 findtime = 30

 # "maxretry" is the number of failures before a host get banned.
 # Number of matches inside findtime that triggers a ban.
 maxretry = 1

 #
 # ACTIONS
 #

 # Some options used for actions

 # Destination email address used solely for the interpolations in
 # jail.{conf,local,d/*} configuration files.
 destemail = fail2ban@example.com

 # Sender email address used solely for some actions
 sender = fail2ban@example.com

 #
 # JAILS
 #

With maxretry = 1 and findtime = 30 in [DEFAULT], a single matching log line bans the host for an hour in every jail that does not override these values (the apache-admin jail below does). That is deliberately aggressive; check each enabled jail's filter against real traffic with fail2ban-regex before relying on it, because at maxretry = 1 one false positive is enough to lock a legitimate client out.
- Configuration examples
- Blocking attacks against phpMyAdmin
First, define the filter that picks the target keywords out of the log.
- Create filter.d/apache-phpmyadmin.conf (under /etc/fail2ban)
 [Definition]
 failregex = (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*admin.*
             (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*manager.*
             (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*setup.*
             (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*mysql.*
             (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*sqlweb.*
             (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*webdb.*
             (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*pma.*
             (?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*vtigercrm.*
             (?i)^<HOST>.*GET.*admin.*
             (?i)^<HOST>.*GET.*manager.*
             (?i)^<HOST>.*GET.*setup.*
             (?i)^<HOST>.*GET.*mysql.*
             (?i)^<HOST>.*GET.*sqlweb.*
             (?i)^<HOST>.*GET.*webdb.*
             (?i)^<HOST>.*GET.*pma.*
             (?i)^<HOST>.*GET.*vtigercrm.*
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?user .* authentication failure
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?user .* not found
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?user .* password mismatch
             ^<HOST> -.*"POST /wp-login.php HTTP.*$
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?script '.*' not found or unable to stat$
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?client denied by server configuration:
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist: .*([Aa]dmin|[Mm]anager|[Ee]ditor|[Uu]ser|login)
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist: .*/([Pp][Mm][Aa]|[Mm][Yy][Ss][Qq][Ll])
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist: .*/(db|scripts|forum|board|[vV][bB])
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist: .*/(blog|wordpress|wp)
             \[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist: .*/(catalog|shop|oscommerce|ipb)
 ignoreregex =

Notes on the patterns. Apache 2.4 writes error-log entries as "[client 203.0.113.5:51234] AH00128: File does not exist: ...", so the [client <HOST>] patterns above allow an optional port and AHnnnnn: code; written as a bare "[client <HOST>] File does not exist:" they never match on a current Ubuntu. fail2ban compiles failregex with Python's re module, which only accepts the (?i) flag at the start of a pattern (placing it mid-pattern has been an error since Python 3.11), so it leads each case-insensitive entry. The "^<HOST>.*GET.*admin.*" entries match the keyword anywhere in the access-log line, including the query string, Referer and User-Agent, and regardless of response status, and "POST /wp-login.php" matches every login submission, successful or not; a legitimate user who logs in maxretry times inside findtime is banned. Restrict these to the request path and to 403/404 responses if the server hosts such pages.
- Check that the filter matches.
 fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-phpmyadmin.conf
Run the same command against /var/log/apache2/error.log as well, since the jail below reads both files. The summary reports how many lines matched and which failregex entries fired; lines reported as missed show where a pattern, or the date format, does not fit the log.
- Add the following to jail.local.
 [apache-admin]
 enabled  = true
 filter   = apache-phpmyadmin
 action   = iptables-multiport[name=admin, port="http,https", protocol=tcp]
            sendmail-whois[name=admin, dest=root]
 logpath  = /var/log/apache2/error.log
            /var/log/apache2/access.log
 maxretry = 10
 findtime = 1200
 bantime  = 1200

The action is iptables-multiport because the plain iptables action passes port straight to a single --dport and cannot take "http,https"; the sendmail-whois line is a continuation of the action value and must be indented, as must the second logpath. maxretry, findtime and bantime here override the [DEFAULT] values: ten matches within 20 minutes earn a 20-minute ban. After editing, reload with "fail2ban-client reload" and confirm with "fail2ban-client status apache-admin", which lists the monitored files and the currently banned addresses.
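To see how maxretry, findtime, bantime and ignoreip interact, the following Python script replays constructed Apache access- and error-log lines through a condensed form of the filter above and applies the jail's counting rule, first with the [apache-admin] values (10 / 1200 / 1200) and then with the [DEFAULT] values from the jail.local example (1 / 30 / 3600). This is an added example, not code from the page or from the Fail2BAN project: the <HOST> stand-in regex, the timestamp handling, the four client addresses and every log line are assumptions, and the access-log pattern is tightened to the request line rather than the whole line.

```python
"""Replay of fail2ban's maxretry / findtime / bantime rule over sample Apache lines."""
import ipaddress
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> expansion (assumption: address or hostname token
# without port, captured into the 'host' group as fail2ban does).
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Condensed form of the filter's failregex. Differences from the page: (?i) leads each
# pattern (Python only accepts it there), the Apache 2.4 "[client IP:port] AHnnnnn:"
# prefix is allowed, and the access-log pattern only looks at the request line.
KEYWORDS = r"(admin|manager|setup|mysql|sqlweb|webdb|pma|vtigercrm)"
FAILREGEX = [
    r"(?i)\[client <HOST>(:\d{1,5})?\] (?:AH\d+: )?File does not exist:.*" + KEYWORDS,
    r'(?i)^<HOST> .*"GET [^"]*' + KEYWORDS,
    r'^<HOST> -.*"POST /wp-login\.php HTTP.*$',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Access log "[13/Jun/2019:00:40:16 +0900]" and error log "[Thu Jun 13 00:40:16.123456 2019]".
# Assumption: one local timezone for all lines, so offsets are dropped (naive datetimes).
ACCESS_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
ERROR_TS = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]")


def match_line(line):
    """Return (host, timestamp) if some failregex matches the line, else None."""
    m = next((r for r in (rx.search(line) for rx in COMPILED) if r), None)
    if m is None:
        return None
    if t := ACCESS_TS.search(line):
        ts = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")
    elif t := ERROR_TS.match(line):
        ts = datetime.strptime(t.group(1) + " " + t.group(2), "%a %b %d %H:%M:%S %Y")
    else:
        return None  # matched, but no parseable date: skip the line
    return m.group("host"), ts


def apply_jail(lines, maxretry, findtime, bantime, ignoreip=("127.0.0.1/8",)):
    """Ban a host after `maxretry` matches inside a sliding `findtime`-second window,
    for `bantime` seconds; hosts in `ignoreip` are never counted and a banned host's
    further matches are ignored until the ban expires. Returns [(host, ban_time)]."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window, banned_until, bans = {}, {}, []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        try:
            if any(ipaddress.ip_address(host) in net for net in ignored):
                continue
        except ValueError:
            pass  # hostname, cannot be inside an IP ignore list
        if host in banned_until and ts < banned_until[host]:
            continue
        recent = [t for t in window.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            window[host] = []
    return bans


# Constructed sample traffic; addresses are taken from the documentation ranges.
START = datetime(2019, 6, 13, 0, 40, 16)
PROBES = ["/phpmyadmin/", "/pma/", "/myadmin/", "/mysql/", "/PMA2019/", "/phpMyAdmin/",
          "/sqlmanager/", "/setup.php", "/webdb/", "/vtigercrm/", "/admin/", "/pma2/"]


def access_line(host, ts, path, status):
    """Constructed combined-format access log line, paired with its timestamp."""
    return ts, (f'{host} - - [{ts:%d/%b/%Y:%H:%M:%S} +0900] "GET {path} HTTP/1.1" '
                f'{status} 196 "-" "Mozilla/5.0"')


def error_line(host, port, ts, path):
    """Constructed Apache 2.4 error log line for a missing file, with its timestamp."""
    return ts, (f'[{ts:%a %b %d %H:%M:%S}.000000 {ts:%Y}] [core:info] [pid 1234] '
                f'[client {host}:{port}] AH00128: File does not exist: {path}')


def sample_log():
    """A scanner, a real admin, a local monitor (ignoreip) and a slow scanner."""
    def at(**kw):
        return START + timedelta(**kw)
    entries = [access_line("203.0.113.5", at(seconds=30 * i), p, 404) for i, p in enumerate(PROBES)]
    entries += [access_line("198.51.100.7", at(seconds=s), "/admin/", 200) for s in (100, 400)]
    entries += [access_line("127.0.0.1", at(seconds=5 * i), "/pma/", 404) for i in range(12)]
    entries += [error_line("192.0.2.9", 40000 + i, at(minutes=25 * i), "/var/www/html/pma")
                for i in range(10)]
    return [line for _, line in sorted(entries, key=lambda e: e[0])]


if __name__ == "__main__":
    for label, args in (("[apache-admin]", (10, 1200, 1200)), ("[DEFAULT]", (1, 30, 3600))):
        print(label, [(h, f"{t:%H:%M:%S}") for h, t in apply_jail(sample_log(), *args)])
```

With the jail's values only the fast scanner 203.0.113.5 is banned, on its tenth probe 270 seconds in; its two remaining probes are ignored because the ban is already in place, the admin's two hits on /admin/ stay below maxretry, 127.0.0.1 is exempt through ignoreip, and 192.0.2.9 is never banned because its hits are 25 minutes apart and so never share a 20-minute findtime window. With the [DEFAULT] values (maxretry = 1) the first matching line bans each host, including the legitimate admin, and the slow scanner is re-banned every time its hour-long ban has lapsed, which is what the caveat under the jail.local example is about.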