Инструменты пользователя

Инструменты сайта


сервис_fail2ban

Сервис Fail2ban

Установка

Debian/Ubuntu

# apt install fail2ban

# cd /etc/fail2ban/

FreeBSD

# pkg install py27-fail2ban

# cat /etc/rc.conf
...
fail2ban_enable="YES"
# cd /usr/local/etc/fail2ban/

Настройка

Debian/Ubuntu/FreeBSD

# cat jail.conf

# ls jail.d/

# cat filter.d/sshd.conf

# cat filter.d/asterisk.conf

Debian/Ubuntu

# cat jail.local
[sshd]
maxretry = 6

[asterisk]
enabled = true
maxretry    = 3

FreeBSD

# cat jail.local
[sshd]
enabled     = true
filter      = sshd
action      = pf
maxretry    = 6
logpath     = /var/log/auth.log

[asterisk]
# ignoreip    = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
enabled     = true
action      = pf
maxretry    = 3

Запуск и отладка

Debian/Ubuntu

# service fail2ban reload

FreeBSD

# service fail2ban start

Debian/Ubuntu/FreeBSD

# tail -f /var/log/fail2ban.log

Мониторинг и управление

# fail2ban-client status

# fail2ban-client status asterisk

# fail2ban-client set asterisk unbanip 172.16.1.21

# tail -f /var/log/fail2ban.log

Интеграция fail2ban и snort

# cat jail.d/snort_jail.conf
[snort]
enabled     = true
bantime     = 30
filter      = snort_filter
maxretry    = 3
logpath     = /var/log/auth.log
#action      = tmp_file_action
#action      = iptables-allports
# cat filter.d/snort_filter.conf
[INCLUDES]

[Definition]

failregex = .*Directory traversal attempt.*} <HOST>.*
        .*WEB-IIS CodeRed v2 root.exe access.*} <HOST>.*

ignoreregex =
# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/snort_filter.conf
# cat action.d/tmp_file_action.conf
[Definition]

actionban = printf %%b "`date` f2ban detect ip: <ip>\n" >> /tmp/file_action.log
# iptables -A FORWARD -j f2b-default

Дополнительные материалы

Asterisk logs only the local IP

Аsterisk failregex от Владимира Блинова

# less filter.d/asterisk.conf
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
        NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\)
        NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
        NOTICE.* .*: Failed to authenticate device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device .*\;tag=.* \(<HOST>:.*\)


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Аsterisk failregex от Стрельникова Романа

failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
сервис_fail2ban.txt · Последние изменения: 2019/03/07 13:25 — val