#author("2017-01-11T01:24:09+09:00","Group2","Group2")
**Installation environment [#a95c6967]
CentOS release 5.11
fail2ban version to be installed (the EPEL package, as the yum output below shows)
fail2ban-0.8.14-1.el5
** Install with the yum install fail2ban command [#w16c56c4]
[root@XXXXXXXXXXXX ~]# yum install fail2ban
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
* base: ftp.nara.wide.ad.jp
* epel: ftp.jaist.ac.jp
* extras: ftp.nara.wide.ad.jp
* rpmforge: ftp.riken.jp
* updates: ftp.nara.wide.ad.jp
base | 1.1 kB 00:00
epel | 3.7 kB 00:00
extras | 2.1 kB 00:00
pgdg92 | 2.1 kB 00:00
rpmforge | 1.9 kB 00:00
updates | 1.9 kB 00:00
295 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.14-1.el5 set to be updated
--> Processing Dependency: python-inotify for package: fail2ban
--> Running transaction check
---> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
--> Processing Dependency: python-ctypes for package: python-inotify
--> Running transaction check
---> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================================================================================================
Package Arch Version Repository Size
==========================================================================================================================================================================================================
Installing:
fail2ban noarch 0.8.14-1.el5 epel 266 k
Installing for dependencies:
python-ctypes i386 1.0.2-3.el5 base 207 k
python-inotify noarch 0.9.1-1.el5 epel 86 k
Transaction Summary
==========================================================================================================================================================================================================
Install 3 Package(s)
Upgrade 0 Package(s)
Total download size: 560 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): python-inotify-0.9.1-1.el5.noarch.rpm | 86 kB 00:00
(2/3): python-ctypes-1.0.2-3.el5.i386.rpm | 207 kB 00:00
(3/3): fail2ban-0.8.14-1.el5.noarch.rpm | 266 kB 00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 980 kB/s | 560 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : python-ctypes 1/3
Installing : python-inotify 2/3
Installing : fail2ban 3/3
Installed:
fail2ban.noarch 0:0.8.14-1.el5
Dependency Installed:
python-ctypes.i386 0:1.0.2-3.el5 python-inotify.noarch 0:0.9.1-1.el5
Complete!
**Enable start at boot [#bff52b45]
chkconfig fail2ban on
chkconfig only registers the service for future boots (run levels 3 to 5 here); it does not start the daemon in the current session. The daemon is started by the restart shown at the end of this page.
**Confirm the start-at-boot setting [#b40399cf]
chkconfig --list | grep "fail2ban"
Result
fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off
**The route action: when a log line matches a jail's filter, the offending address is blocked by adding an entry for it to the server's routing table [#n1df08c0]
**☆Countermeasure against SSH attacks [#y0d1a610]
Jail definition (in /etc/fail2ban/jail.conf, or in jail.local, which overrides it). findtime and bantime are not set here, so the values from the [DEFAULT] section apply.
[ssh-route]
enabled = true
filter = sshd
action = route
logpath = /var/log/secure
maxretry = 5
** Filter contents [#g8708c65]
/etc/fail2ban/filter.d/sshd.conf (the filter shipped with the package, shown here for reference). Continuation lines of a multi-line failregex must be indented; %(__prefix_line)s and %(__md5hex)s are defined in common.conf, which the stock file pulls in through its [INCLUDES] section.
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
ignoreregex =
**☆Countermeasure against brute-force logins to the WordPress admin screen [#p263ec17]
[wplogin-route]
enabled = true
filter = apache-wplogin
action = route
logpath = /var/log/httpd/access_log
maxretry = 5
findtime = 60
bantime = 1800
** Filter contents [#a6397140]
/etc/fail2ban/filter.d/apache-wplogin.conf (one pattern per WordPress install, here /wordpress and /blog)
[Definition]
failregex = ^<HOST> -.*"POST /wordpress/wp-login.php HTTP.*$
            ^<HOST> -.*"POST /blog/wp-login.php HTTP.*$
ignoreregex =
Note that access_log does not record whether a login succeeded, so every POST to wp-login.php counts as a failure: with these settings a legitimate user who submits the login form five times within 60 seconds is banned for 30 minutes as well. If Apache sits behind a reverse proxy, <HOST> captures the proxy's address, and banning it blocks every client.
**☆Countermeasure against attacks on phpMyAdmin [#g6d26180]
[apache-phpmyadmin]
enabled = true
filter = apache-phpmyadmin
action = route
logpath = /var/log/httpd/error_log
maxretry = 5
findtime = 60
bantime = 1800
**Filter contents [#rc5ccd9e]
/etc/fail2ban/filter.d/apache-phpmyadmin.conf
[Definition]
failregex = [[]client <HOST>[]] File does not exist: /\S*phpmyadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*PMA*
            [[]client <HOST>[]] File does not exist: /\S*pma*
            [[]client <HOST>[]] File does not exist: /\S*admin*
            [[]client <HOST>[]] File does not exist: /\S*dbadmin*
            [[]client <HOST>[]] File does not exist: /\S*sql*
            [[]client <HOST>[]] File does not exist: /\S*mysql*
            [[]client <HOST>[]] File does not exist: /\S*myadmin*
            [[]client <HOST>[]] File does not exist: /\S*MyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmyadmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin-2*
            [[]client <HOST>[]] File does not exist: /\S*php-my-admin*
            [[]client <HOST>[]] File does not exist: /\S*sqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*mysqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*PMA2005*
            [[]client <HOST>[]] File does not exist: /\S*pma2005*
            [[]client <HOST>[]] File does not exist: /\S*phpmanager*
            [[]client <HOST>[]] File does not exist: /\S*php-myadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmy-admin*
            [[]client <HOST>[]] File does not exist: /\S*webadmin*
            [[]client <HOST>[]] File does not exist: /\S*sqlweb*
            [[]client <HOST>[]] File does not exist: /\S*websql*
            [[]client <HOST>[]] File does not exist: /\S*webdb*
            [[]client <HOST>[]] File does not exist: /\S*mysqladmin*
            [[]client <HOST>[]] File does not exist: /\S*mysql-admin*
ignoreregex =
These patterns match Apache's "File does not exist" error, that is, requests for paths that are not present on this server. The jail therefore catches scanners probing for a phpMyAdmin install rather than login attempts against a real one: a request for a path that does exist succeeds and writes nothing to error_log. Two things to keep in mind when tuning the list: the trailing * in each pattern applies only to the last character (phpmyadmin* matches "phpmyadmi" followed by any number of n), and the admin* and sql* entries are broad enough to match any missing file whose path contains "admi" or "sq", such as a missing stylesheet under /wp-admin/.
**Check with fail2ban-regex that the filters above match the log [#zc4de286]
fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-wplogin.conf
The same command with /var/log/httpd/error_log and apache-phpmyadmin.conf checks the phpMyAdmin filter. The output lists the addresses extracted and the number of lines each failregex matched, which is the quickest way to see whether a pattern is too narrow or, as with admin* above, too broad.
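The following script, added here as an example and not code from fail2ban or from the original page, replays constructed access_log and error_log lines through the two Apache filters above exactly as written, reports the matches the way fail2ban-regex does, and then goes one step further than fail2ban-regex by applying the jail's maxretry = 5, findtime = 60 and bantime = 1800 to show which address would be banned, when it would be released, and the ip route command the route action would run. The <HOST> expansion, the window rule (taken from the comment in jail.conf) and the route.conf ban command are assumptions stated in the code; the sample log lines are constructed, not captured traffic.

```python
"""Replay Apache log lines through this page's apache-wplogin and apache-phpmyadmin
failregex sets, then apply maxretry / findtime / bantime to see which client
addresses the route action would blackhole.  Added example, not fail2ban's code
or the page's.  Assumptions: HOST_RE is the <HOST> expansion of fail2ban 0.8; the
ban rule follows jail.conf's own comment ("maxretry failures during the last
findtime seconds"), not fail2ban's internal bookkeeping; the ban command is the
stock route.conf default."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the named group fail2ban 0.8 substitutes for the <HOST> tag.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines exactly as written on this page
WPLOGIN_FAILREGEX = [
    r'^<HOST> -.*"POST /wordpress/wp-login.php HTTP.*$',
    r'^<HOST> -.*"POST /blog/wp-login.php HTTP.*$',
]
PHPMYADMIN_FAILREGEX = [
    r"[[]client <HOST>[]] File does not exist: /\S*" + suffix for suffix in (
        "phpmyadmin*", "phpMyAdmin*", "PMA*", "pma*", "admin*", "dbadmin*", "sql*", "mysql*",
        "myadmin*", "MyAdmin*", "phpmyadmin2*", "phpMyAdmin2*", "phpMyAdmin-2*", "php-my-admin*",
        "sqlmanager*", "mysqlmanager*", "PMA2005*", "pma2005*", "phpmanager*", "php-myadmin*",
        "phpmy-admin*", "webadmin*", "sqlweb*", "websql*", "webdb*", "mysqladmin*", "mysql-admin*")
]
# access_log: CLF "[11/Jan/2017:01:24:09 +0900]"; Apache 2.2 error_log: "[Wed Jan 11 01:24:09 2017]"
TIMESTAMPS = [
    (re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]"), "%d/%b/%Y:%H:%M:%S"),
    (re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"), "%a %b %d %H:%M:%S %Y"),
]

def log_time(line):
    """Parse the timestamp of an access_log or error_log line (zone ignored)."""
    for rx, fmt in TIMESTAMPS:
        m = rx.search(line)
        if m:
            return datetime.strptime(m.group(1), fmt)
    raise ValueError("no recognised timestamp in: " + line)

def failures(lines, failregex):
    """(time, host) for every line matching any failregex: what fail2ban-regex counts."""
    compiled = [re.compile(pat.replace("<HOST>", HOST_RE)) for pat in failregex]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((log_time(line), m.group("host")))
                break  # one failure per line, whichever pattern matches first
    return hits

def run_jail(lines, failregex, maxretry, findtime, bantime):
    """{host: (ban_time, unban_time)} for hosts that reach maxretry failures
    within findtime seconds; lines from an already banned host are ignored."""
    window, bans, recent = timedelta(seconds=findtime), {}, defaultdict(deque)
    for t, host in failures(lines, failregex):
        if host in bans:
            continue  # the route action has already blackholed this address
        q = recent[host]
        q.append(t)
        while t - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = (t, t + timedelta(seconds=bantime))
    return bans

def route_commands(bans):
    """Assumption: stock route.conf (actionban = ip route add <blocktype> <ip>, blocktype = unreachable)."""
    return ["ip route add unreachable %s" % host for host in sorted(bans)]

# Constructed sample lines, not real traffic.  203.0.113.7 POSTs to wp-login.php five
# times in 50 s; 192.0.2.20 logs in successfully twice (HTTP 302) and is counted as
# well, because access_log cannot tell a failed login from a successful one.
ACCESS_LOG = [
    '203.0.113.7 - - [11/Jan/2017:01:24:00 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"',
    '192.0.2.20 - - [11/Jan/2017:01:24:05 +0900] "GET /wordpress/wp-login.php HTTP/1.1" 200 2867 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jan/2017:01:24:12 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"',
    '192.0.2.20 - - [11/Jan/2017:01:24:20 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jan/2017:01:24:25 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"',
    '203.0.113.7 - - [11/Jan/2017:01:24:37 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"',
    '192.0.2.20 - - [11/Jan/2017:01:24:40 +0900] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jan/2017:01:24:50 +0900] "POST /wordpress/wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"',
]
# 198.51.100.9 probes five phpMyAdmin paths in 6 s; 192.0.2.20's missing stylesheet
# under /wp-admin/ is caught by the broad "admin*" pattern (one failure, no ban).
ERROR_LOG = [
    "[Wed Jan 11 01:30:00 2017] [error] [client 198.51.100.9] File does not exist: /var/www/html/phpmyadmin",
    "[Wed Jan 11 01:30:01 2017] [error] [client 198.51.100.9] File does not exist: /var/www/html/phpMyAdmin",
    "[Wed Jan 11 01:30:02 2017] [error] [client 198.51.100.9] File does not exist: /var/www/html/pma",
    "[Wed Jan 11 01:30:03 2017] [error] [client 192.0.2.20] File does not exist: /var/www/html/wp-admin/css/missing.css",
    "[Wed Jan 11 01:30:05 2017] [error] [client 198.51.100.9] File does not exist: /var/www/html/mysql",
    "[Wed Jan 11 01:30:06 2017] [error] [client 198.51.100.9] File does not exist: /var/www/html/myadmin",
]

if __name__ == "__main__":
    for jail, log, rxs in (("wplogin-route", ACCESS_LOG, WPLOGIN_FAILREGEX),
                           ("apache-phpmyadmin", ERROR_LOG, PHPMYADMIN_FAILREGEX)):
        bans = run_jail(log, rxs, maxretry=5, findtime=60, bantime=1800)
        print(jail, "matches:", len(failures(log, rxs)), "bans:", bans)
        print("  " + "\n  ".join(route_commands(bans)))
```

Running it shows 203.0.113.7 banned at 01:24:50 (released at 01:54:50) and 198.51.100.9 at 01:30:06, while 192.0.2.20, which only logged in successfully twice and tripped the broad admin* pattern once, stays below maxretry. Calling run_jail with findtime=30 lets the same five POSTs through because they never fall within one 30 second window, which is the knob to turn first if the jail starts banning legitimate users.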
**If the following WARNING messages appear when fail2ban is restarted [#nb2db48e]
/etc/init.d/fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
The three warnings are printed once per jail that uses the route action (three jails above, hence nine lines). They mean that the stock route.conf carries no actionstart, actionstop or actioncheck entries and that fail2ban substitutes an empty command for each, so banning and unbanning still work; the warnings are noise, not a failure.
**Adding the following inside [Definition] in /etc/fail2ban/action.d/route.conf stopped the WARNING messages above [#z104b781]
actionstart =
actioncheck =
actionstop =