#author("2017-01-11T01:24:09+09:00","Group2","Group2")
#author("2019-04-15T03:25:02+00:00","Group2","Group2")
**Installation environment [#a95c6967]
CentOS release 5.11

fail2ban version to install: fail2ban-0.8.14-1.el5

**Install with the yum install fail2ban command [#w16c56c4]
 [root@XXXXXXXXXXXX ~]# yum install fail2ban
 Loaded plugins: downloadonly, fastestmirror, priorities
 Loading mirror speeds from cached hostfile
  * base: ftp.nara.wide.ad.jp
  * epel: ftp.jaist.ac.jp
  * extras: ftp.nara.wide.ad.jp
  * rpmforge: ftp.riken.jp
  * updates: ftp.nara.wide.ad.jp
 base                                                     | 1.1 kB     00:00
 epel                                                     | 3.7 kB     00:00
 extras                                                   | 2.1 kB     00:00
 pgdg92                                                   | 2.1 kB     00:00
 rpmforge                                                 | 1.9 kB     00:00
 updates                                                  | 1.9 kB     00:00
 295 packages excluded due to repository priority protections
 Setting up Install Process
 Resolving Dependencies
 --> Running transaction check
 ---> Package fail2ban.noarch 0:0.8.14-1.el5 set to be updated
 --> Processing Dependency: python-inotify for package: fail2ban
 --> Running transaction check
 ---> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
 --> Processing Dependency: python-ctypes for package: python-inotify
 --> Running transaction check
 ---> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
 --> Finished Dependency Resolution
 
 Dependencies Resolved
 
 ================================================================================
  Package              Arch       Version              Repository       Size
 ================================================================================
 Installing:
  fail2ban             noarch     0.8.14-1.el5         epel            266 k
 Installing for dependencies:
  python-ctypes        i386       1.0.2-3.el5          base            207 k
  python-inotify       noarch     0.9.1-1.el5          epel             86 k
 
 Transaction Summary
 ================================================================================
 Install       3 Package(s)
 Upgrade       0 Package(s)
 
 Total download size: 560 k
 Is this ok [y/N]: y
 Downloading Packages:
 (1/3): python-inotify-0.9.1-1.el5.noarch.rpm             |  86 kB     00:00
 (2/3): python-ctypes-1.0.2-3.el5.i386.rpm                | 207 kB     00:00
 (3/3): fail2ban-0.8.14-1.el5.noarch.rpm                  | 266 kB     00:00
 --------------------------------------------------------------------------------
 Total                                           980 kB/s | 560 kB     00:00
 Running rpm_check_debug
 Running Transaction Test
 Finished Transaction Test
 Transaction Test Succeeded
 Running Transaction
   Installing     : python-ctypes                                          1/3
   Installing     : python-inotify                                         2/3
   Installing     : fail2ban                                               3/3
 
 Installed:
   fail2ban.noarch 0:0.8.14-1.el5
 
 Dependency Installed:
   python-ctypes.i386 0:1.0.2-3.el5          python-inotify.noarch 0:0.9.1-1.el5
 
 Complete!

**Enable start at boot [#bff52b45]
 chkconfig fail2ban on

**Verify the start-at-boot setting [#b40399cf]
 chkconfig --list | grep "fail2ban"
Result:
 fail2ban        0:off   1:off   2:off   3:on    4:on    5:on    6:off

**When a defined filter matches, the packets are blocked through the server's routing table [#n1df08c0]

**☆Countermeasure for SSH attacks [#y0d1a610]
 [ssh-route]
 enabled  = true
 filter   = sshd
 action   = route
 logpath  = /var/log/secure
 maxretry = 5

**Filter contents [#g8708c65]
/etc/fail2ban/filter.d/sshd.conf
 [INCLUDES]
 # stock header of this file: common.conf defines __prefix_line and __md5hex used below
 before = common.conf
 
 [Definition]
 _daemon = sshd
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
             ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
             ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
 ignoreregex =

**☆Countermeasure against unauthorized logins to the WordPress admin page [#p263ec17]
 [wplogin-route]
 enabled  = true
 filter   = apache-wplogin
 action   = route
 logpath  = /var/log/httpd/access_log
 maxretry = 5
 findtime = 60
 bantime  = 1800
**Filter contents [#a6397140]
/etc/fail2ban/filter.d/apache-wplogin.conf file
 [Definition]
 failregex = ^<HOST> -.*"POST /wordpress/wp-login.php HTTP.*$
             ^<HOST> -.*"POST /blog/wp-login.php HTTP.*$
 ignoreregex =

**☆Countermeasure against attacks on phpMyAdmin [#g6d26180]
 [apache-phpmyadmin]
 enabled  = true
 filter   = apache-phpmyadmin
 action   = route
 logpath  = /var/log/httpd/error_log
 maxretry = 5
 findtime = 60
 bantime  = 1800

**Filter contents [#rc5ccd9e]
/etc/fail2ban/filter.d/apache-phpmyadmin.conf file
 [Definition]
 failregex = [[]client <HOST>[]] File does not exist: /\S*phpmyadmin*
             [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin*
             [[]client <HOST>[]] File does not exist: /\S*PMA*
             [[]client <HOST>[]] File does not exist: /\S*pma*
             [[]client <HOST>[]] File does not exist: /\S*admin*
             [[]client <HOST>[]] File does not exist: /\S*dbadmin*
             [[]client <HOST>[]] File does not exist: /\S*sql*
             [[]client <HOST>[]] File does not exist: /\S*mysql*
             [[]client <HOST>[]] File does not exist: /\S*myadmin*
             [[]client <HOST>[]] File does not exist: /\S*MyAdmin*
             [[]client <HOST>[]] File does not exist: /\S*phpmyadmin2*
             [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin2*
             [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin-2*
             [[]client <HOST>[]] File does not exist: /\S*php-my-admin*
             [[]client <HOST>[]] File does not exist: /\S*sqlmanager*
             [[]client <HOST>[]] File does not exist: /\S*mysqlmanager*
             [[]client <HOST>[]] File does not exist: /\S*PMA2005*
             [[]client <HOST>[]] File does not exist: /\S*pma2005*
             [[]client <HOST>[]] File does not exist: /\S*phpmanager*
             [[]client <HOST>[]] File does not exist: /\S*php-myadmin*
             [[]client <HOST>[]] File does not exist: /\S*phpmy-admin*
             [[]client <HOST>[]] File does not exist: /\S*webadmin*
             [[]client <HOST>[]] File does not exist: /\S*sqlweb*
             [[]client <HOST>[]] File does not exist: /\S*websql*
             [[]client <HOST>[]] File does not exist: /\S*webdb*
             [[]client <HOST>[]] File does not exist: /\S*mysqladmin*
             [[]client <HOST>[]] File does not exist: /\S*mysql-admin*
 ignoreregex =
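As an added example (not code from the original page), the Python below replays constructed access_log lines through the [wplogin-route] parameters above (maxretry = 5, findtime = 60, bantime = 1800) using the apache-wplogin failregex lines, expanding <HOST> the way fail2ban 0.8 does before compiling. The sliding-window ban logic is a simplified model of the jail's behaviour, and the sample log lines and IP addresses are constructed.

```python
import re
from datetime import datetime, timedelta
# fail2ban 0.8 expands the <HOST> tag to this named group before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The two failregex lines of apache-wplogin.conf shown above.
WPLOGIN_FAILREGEX = [
    r'^<HOST> -.*"POST /wordpress/wp-login.php HTTP.*$',
    r'^<HOST> -.*"POST /blog/wp-login.php HTTP.*$',
]

def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def parse_apache_time(line):
    """Request time of an Apache access_log line, e.g. [10/Jan/2017:23:10:00 +0900]."""
    return datetime.strptime(re.search(r"\[([^\]]+)\]", line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def simulate_jail(lines, patterns, maxretry=5, findtime=60, bantime=1800):
    """Replay log lines through the jail rule: maxretry failures from one host inside a
    sliding findtime-second window ban it for bantime seconds. Returns {host: ban time}."""
    regexes, failures, banned = compile_failregex(patterns), {}, {}
    for line in sorted(lines, key=parse_apache_time):
        m = next(filter(None, (r.search(line) for r in regexes)), None)
        if m is None:
            continue                                   # not a login POST, ignored
        host, when = m.group("host"), parse_apache_time(line)
        if host in banned and when < banned[host] + timedelta(seconds=bantime):
            continue                                   # requests during a ban are not counted
        hits = [t for t in failures.get(host, []) if (when - t).total_seconds() <= findtime]
        hits.append(when)
        failures[host] = hits
        if len(hits) >= maxretry:
            banned[host], failures[host] = when, []    # ban and start counting afresh
    return banned

def _line(host, minute, second, request):
    return '%s - - [10/Jan/2017:23:%02d:%02d +0900] "%s HTTP/1.1" 200 3512' % (host, minute, second, request)

# Constructed sample access_log (not from the page): 192.0.2.10 posts 5 times in 20 s,
# 198.51.100.7 posts 5 times but a minute apart, 203.0.113.5 only GETs the login page.
SAMPLE_LOG = (
    [_line("192.0.2.10", 10, 5 * i, "POST /wordpress/wp-login.php") for i in range(5)]
    + [_line("198.51.100.7", 10 + i, 30, "POST /blog/wp-login.php") for i in range(5)]
    + [_line("203.0.113.5", 10, 30, "GET /wordpress/wp-login.php")]
)

def wplogin_bans():  # run the page's [wplogin-route] parameters over the sample log
    return simulate_jail(SAMPLE_LOG, WPLOGIN_FAILREGEX, maxretry=5, findtime=60, bantime=1800)
```

Only 192.0.2.10 is banned: 198.51.100.7 never reaches five failures inside one 60-second window, and a GET of the login page does not match the POST-only failregex.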
**Check with a command that the filter written above matches the log [#zc4de286]
 fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-wplogin.conf

**If the following WARNING messages are printed when fail2ban is restarted [#nb2db48e]
 /etc/init.d/fail2ban restart
 Stopping fail2ban:                                         [ OK ]
 Starting fail2ban: WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
 WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
 WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
 WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
 WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
 WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
 WARNING 'actionstart' not defined in 'Definition'. Using default one: ''
 WARNING 'actionstop' not defined in 'Definition'. Using default one: ''
 WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
The three warnings repeat once for each of the three jails that use the route action.

**Adding the following inside [Definition] in /etc/fail2ban/action.d/route.conf stopped the WARNING messages above [#z104b781]
 actionstart =
 actioncheck =
 actionstop =