hidekiwiki



Installation environment

CentOS release 5.11
fail2ban version to install
fail2ban-0.8.14-1.el5

Install with the yum install fail2ban command

[root@XXXXXXXXXXXX ~]# yum install fail2ban
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: ftp.nara.wide.ad.jp
 * epel: ftp.jaist.ac.jp
 * extras: ftp.nara.wide.ad.jp
 * rpmforge: ftp.riken.jp
 * updates: ftp.nara.wide.ad.jp
base                                                                                                                                                                               | 1.1 kB     00:00
epel                                                                                                                                                                               | 3.7 kB     00:00
extras                                                                                                                                                                             | 2.1 kB     00:00
pgdg92                                                                                                                                                                             | 2.1 kB     00:00
rpmforge                                                                                                                                                                           | 1.9 kB     00:00
updates                                                                                                                                                                            | 1.9 kB     00:00
295 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.14-1.el5 set to be updated
--> Processing Dependency: python-inotify for package: fail2ban
--> Running transaction check
---> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
--> Processing Dependency: python-ctypes for package: python-inotify
--> Running transaction check
---> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
 Package                                              Arch                                         Version                                               Repository                                  Size
==========================================================================================================================================================================================================
Installing:
 fail2ban                                             noarch                                       0.8.14-1.el5                                          epel                                       266 k
Installing for dependencies:
 python-ctypes                                        i386                                         1.0.2-3.el5                                           base                                       207 k
 python-inotify                                       noarch                                       0.9.1-1.el5                                           epel                                        86 k

Transaction Summary
==========================================================================================================================================================================================================
Install       3 Package(s)
Upgrade       0 Package(s)

Total download size: 560 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): python-inotify-0.9.1-1.el5.noarch.rpm                                                                                                                                       |  86 kB     00:00
(2/3): python-ctypes-1.0.2-3.el5.i386.rpm                                                                                                                                          | 207 kB     00:00
(3/3): fail2ban-0.8.14-1.el5.noarch.rpm                                                                                                                                            | 266 kB     00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                     980 kB/s | 560 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : python-ctypes                                                                                                                                                                      1/3
  Installing     : python-inotify                                                                                                                                                                     2/3
  Installing     : fail2ban                                                                                                                                                                           3/3

Installed:
  fail2ban.noarch 0:0.8.14-1.el5

Dependency Installed:
  python-ctypes.i386 0:1.0.2-3.el5                                                                   python-inotify.noarch 0:0.9.1-1.el5

Complete!

Enable automatic start at boot

chkconfig fail2ban on

Verify the automatic start setting

chkconfig --list | grep "fail2ban"
Output:
fail2ban        0:off   1:off   2:off   3:on    4:on    5:on    6:off

When a log entry matches one of the filters defined below, fail2ban blocks packets from the offending host by adding an entry to the server's routing table (the route action).

☆ Countermeasure for SSH attacks

[ssh-route]

enabled  = true
filter   = sshd
action   = route
logpath  = /var/log/secure
maxretry = 5

Filter contents

/etc/fail2ban/filter.d/sshd.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

ignoreregex =

☆ Countermeasure for unauthorized logins to the WordPress admin screen

[wplogin-route]

enabled  = true
filter   = apache-wplogin
action   = route
logpath  = /var/log/httpd/access_log
maxretry = 5
findtime = 60
bantime = 1800

Filter contents

File: /etc/fail2ban/filter.d/apache-wplogin.conf
[Definition]

failregex = ^<HOST> -.*"POST /wordpress/wp-login.php HTTP.*$
            ^<HOST> -.*"POST /blog/wp-login.php HTTP.*$
ignoreregex =

☆ Countermeasure for attacks against phpMyAdmin

[apache-phpmyadmin]

enabled  = true
filter   = apache-phpmyadmin
action   = route
logpath  = /var/log/httpd/error_log
maxretry = 5
findtime = 60
bantime = 1800

Filter contents

File: /etc/fail2ban/filter.d/apache-phpmyadmin.conf

[Definition]
failregex = [[]client <HOST>[]] File does not exist: /\S*phpmyadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*PMA*
            [[]client <HOST>[]] File does not exist: /\S*pma*
            [[]client <HOST>[]] File does not exist: /\S*admin*
            [[]client <HOST>[]] File does not exist: /\S*dbadmin*
            [[]client <HOST>[]] File does not exist: /\S*sql*
            [[]client <HOST>[]] File does not exist: /\S*mysql*
            [[]client <HOST>[]] File does not exist: /\S*myadmin*
            [[]client <HOST>[]] File does not exist: /\S*MyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmyadmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin-2*
            [[]client <HOST>[]] File does not exist: /\S*php-my-admin*
            [[]client <HOST>[]] File does not exist: /\S*sqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*mysqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*PMA2005*
            [[]client <HOST>[]] File does not exist: /\S*pma2005*
            [[]client <HOST>[]] File does not exist: /\S*phpmanager*
            [[]client <HOST>[]] File does not exist: /\S*php-myadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmy-admin*
            [[]client <HOST>[]] File does not exist: /\S*webadmin*
            [[]client <HOST>[]] File does not exist: /\S*sqlweb*
            [[]client <HOST>[]] File does not exist: /\S*websql*
            [[]client <HOST>[]] File does not exist: /\S*webdb*
            [[]client <HOST>[]] File does not exist: /\S*mysqladmin*
            [[]client <HOST>[]] File does not exist: /\S*mysql-admin*

ignoreregex =

Check with the command below whether the filters written above match the log:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-wplogin.conf
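As an added, self-contained example (not code from this page or from fail2ban itself), the Python script below applies the apache-wplogin failregex above to constructed access_log lines and approximates the [wplogin-route] jail's maxretry/findtime decision, which is roughly what fail2ban-regex followed by the jail would do. It assumes a plain `\S+` group is an adequate stand-in for fail2ban's `<HOST>` expansion and that log lines are in chronological order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# failregex lines copied from the apache-wplogin.conf filter above
FAILREGEX = [
    r'^<HOST> -.*"POST /wordpress/wp-login.php HTTP.*$',
    r'^<HOST> -.*"POST /blog/wp-login.php HTTP.*$',
]
# maxretry / findtime from the [wplogin-route] jail above
MAXRETRY, FINDTIME = 5, 60
# fail2ban replaces <HOST> with a named group; \S+ is a simplifying assumption here
COMPILED = [re.compile(r.replace('<HOST>', r'(?P<host>\S+)')) for r in FAILREGEX]
# Apache access_log timestamp, e.g. [10/Oct/2015:13:55:01 +0900]
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def match_line(line):
    """Return (host, timestamp) if a failregex matches, as fail2ban-regex would, else None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            t = TIME_RE.search(line)
            ts = datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S') if t else None
            return m.group('host'), ts
    return None

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Approximate the jail: ban a host once maxretry matches fall inside findtime seconds."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        hit = match_line(line)
        if not hit or hit[1] is None:
            continue
        host, ts = hit
        # keep only matches that are still inside the findtime window
        recent[host] = [t for t in recent[host] + [ts] if ts - t <= timedelta(seconds=findtime)]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed access_log lines (not from the page): five POSTs in 40 s from one host,
# plus a GET and a single POST from another host that must not be banned.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2015:13:55:01 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:02 +0900] "GET /wordpress/wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:55:10 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:12 +0900] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:55:20 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:55:30 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:55:40 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"
""".splitlines()
```

Note that the filter matches every POST to wp-login.php, successful logins included, so a legitimate user who logs in five times within findtime would be banned as well.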

If the following WARNING messages are output when fail2ban is restarted:

/etc/init.d/fail2ban restart
Stopping fail2ban:                                         [  OK  ]
Starting fail2ban: WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''

Adding the following inside [Definition] in the /etc/fail2ban/action.d/route.conf file stopped the WARNING messages above from being output.

actionstart =
actioncheck =
actionstop  =
