


  • インストール
    apt-get install fail2ban
  • 設定
  • jail.localの設定例
    #before = paths-distro.conf
    before = paths-debian.conf      #Ubuntuなので、こちらを読み込ませる
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = # BAN対象外のIPアドレス／ネットワークを空白区切りで設定（管理に使う接続元はここに入れておく）。
    # External command that will take an tagged arguments to ignore, e.g. <ip>,
    # and return true if the IP is to be ignored. False otherwise.
    # ignorecommand = /path/to/command <ip>
    ignorecommand =
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 3600   # BANする秒数
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 30  # 失敗回数をカウントする期間（この秒数の間に maxretry 回失敗するとBAN）
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 1  # findtime 内にこの回数失敗するとBAN
    # Some options used for actions
    # Destination email address used solely for the interpolations in
    # jail.{conf,local,d/*} configuration files.
    destemail =
    # Sender email address used solely for some actions
    sender =
    # JAILS
  • 設定例
      • phpMyAdminなど管理画面へのアタック防御
      • filter.d/apache-phpmyadmin.confを作成（`^<HOST> -.*"POST /wp-login.php ...` の行はaccess_log形式なので、error.logを読むjailでは一致しないと思われます）
        failregex = \[client <HOST>\] File does not exist:.*(?i)admin.*
                    \[client <HOST>\] File does not exist:.*(?i)manager.*
                    \[client <HOST>\] File does not exist:.*(?i)setup.*
                    \[client <HOST>\] File does not exist:.*(?i)mysql.*
                    \[client <HOST>\] File does not exist:.*(?i)sqlweb.*
                    \[client <HOST>\] File does not exist:.*(?i)webdb.*
                    \[client <HOST>\] File does not exist:.*(?i)pma.*
                    \[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
                    [[]client <HOST>[]] user .* authentication failure
                    [[]client <HOST>[]] user .* not found
                    [[]client <HOST>[]] user .* password mismatch
                    ^<HOST> -.*"POST /wp-login.php HTTP.*$
                    [[]client <HOST>[]] script '.*' not found or unable to stat$
                    [[]client <HOST>[]] client denied by server configuration:
                    [[]client <HOST>[]] File does not exist: .*([Aa]dmin|[Mm]anager|[Ee]ditor|[Uu]ser|login)
                    [[]client <HOST>[]] File does not exist: .*/([Pp][Mm][Aa]|[Mm][Yy][Ss][Qq][Ll])
                    [[]client <HOST>[]] File does not exist: .*/(db|scripts|forum|board|[vV][bB])
                    [[]client <HOST>[]] File does not exist: .*/(blog|wordpress|wp)
                    [[]client <HOST>[]] File does not exist: .*/(catalog|shop|oscommerce|ipb)
        ignoreregex =
      • 設定がマッチするかをチェックします（下記ではaccess_logを指定していますが、後述のjail.localのlogpathはerror.logなので、実際にjailが読むログでも確認してください）。
        fail2ban-regex  /var/log/apache2/access_log /etc/fail2ban/filter.d/apache-phpmyadmin.conf
      • jail.localに、このjail用のセクション見出し（例: [apache-phpmyadmin]）を付けて以下を追記します。なお action の port に http,https のように複数ポートを書く場合は、値を引用符で囲み iptables-multiport を使う必要があると思われます。
        enabled  = true
        filter   = apache-phpmyadmin
        action  = iptables[name=admin, port=http,https protocol=tcp]
                  sendmail-whois[name=admin, dest=root]
        logpath  = /var/log/apache2/error.log
        maxretry = 10
        findtime = 1200
        bantime = 1200
