Устанавливаем fail2ban
deathstar# cd /usr/ports/secuity/py-fail2ban && make install clean
Правим конфиг
deathstar# ee /usr/local/etc/fail2ban/jail.conf
У меня он выглядит так
[DEFAULT]
# Какие IP игнорировать
ignoreip = 127.0.0.1
# Время бана в секундах
bantime = 600
# время проверки,за которое событие успеет повторится, чтоб отловить и забанить
findtime = 600
# кол-во неверных попыток
maxretry = 1
backend = auto
[ssh-ipfw]
enabled = true
# использовать фильтр из примеров
filter = bsd-sshd
# использовать /action.d/bsd-ipfw.conf
action = ssh-ipfw[localhost=78.24.219.97]
# Уведомление в Jabber 
)
jabber-whois[name=»SSH,IPFW», [email protected]]
# Какой лог парсить
logpath = /var/log/auth.log
# Какой Ip игнорировать
ignoreip = 127.0.0.1
[exim-ipfw]
enabled = true
filter = exim
action = exim-ipfw[localhost=78.24.219.97]
jabber-whois[name=»Exim,IPFW», [email protected]]
logpath = /var/log/exim/mainlog
ignoreip = 127.0.0.1
[nginx-ipfw]
enabled = true
filter = nginx
action = nginx-ipfw[localhost=127.0.0.1]
jabber-whois[name="Nginx,IPFW", [email protected]]
logpath = /home/deathstar/www/deathstar.name.access.log
ignoreip = 127.0.0.1
Для уведомления в Jabber должен быть установлен и настроен sendxmpp ( о нем я писал в предыдущих статьях)
Создаем файл /usr/local/etc/fail2ban/action.d/jabber-whois.conf с таким содержимым
[Definition]
actionstart = printf %%b "[Fail2Ban] : started
The jail has been started successfully.\n
" | /usr/local/bin/sendxmpp ""
actionstop = printf %%b «[Fail2Ban] : stopped
The jail has been stopped.\n
» | /usr/local/bin/sendxmpp «»
actioncheck =
actionban = printf %%b «[Fail2Ban] : banned
The IP has just been banned by Fail2Ban after
attempts against .\n\n
Here are more information about :\n
`/usr/bin/whois `\n
» | /usr/local/bin/sendxmpp «»
actionunban = printf %%b «[Fail2Ban] : unbanned
The IP has just been unbanned » | /usr/local/bin/sendxmpp «»
[Init]
name = default
dest = root
sender = fail2ban
Создаем фильтры для sshd и exim,у меня они выглядят так
Файл /usr/local/etc/fail2ban/filter.d/bsd-sshd.conf
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = (?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from \s*$
Did not receive identification string from $
Failed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$
ROOT LOGIN REFUSED.* FROM \s*$
[iI](?:llegal|nvalid) user .* from \s*$
User \S+ from not allowed because not listed in AllowUsers$
authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$
refused connect from \S+ \(\)\s*$
reverse mapping checking getaddrinfo for .* \[\] .* POSSIBLE BREAK-IN ATTEMPT!$
ignoreregex =
Файл /usr/local/etc/fail2ban/filter.d/exim.conf
[Definition]
failregex = \[\] .*(?:rejected by local_scan|Unrouteable address)
ignoreregex =
Ну и в довесок к статье FreeBSD. Боремся с HTTP-флудом на NGINX средствами IPFW написал фильтр для nginx
Файл /usr/local/etc/fail2ban/filter.d/nginx.conf
[Definition]
failregex = .*(?:"-" "-")
ignoreregex =
Теперь создаем действия бана
Файл /usr/local/etc/fail2ban/action.d/bsd-ipfw.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ipfw table 1 add
actionunban = ipfw table 1 delete
[Init]
localhost = 127.0.0.1
Файл /usr/local/etc/fail2ban/action.d/exim-ipfw.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ipfw table 2 add
actionunban = ipfw table 1 delete
[Init]
localhost = 127.0.0.1
Файл /usr/local/etc/fail2ban/action.d/nginx-ipfw.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ipfw table 3 add
actionunban = ipfw table 1 delete
[Init]
localhost = 127.0.0.1
Пишем правила для ipfw,у меня они в файле /etc/firewall
#!/bin/sh
ipfw='/sbin/ipfw -q'
${ipfw} flush
${ipfw} pipe flush
${ipfw} add check-state
${ipfw} table 1 flush
${ipfw} table 2 flush
${ipfw} table 3 flush
# Ban SSH
${ipfw} add deny ip from table\(1\) to me ssh
# Ban Exim
${ipfw} add deny ip from table\(2\) to me 25,110,143
#Ban Nginx
${ipfw} add deny ip from table\(3\) to me 80,443
${ipfw} add allow all from any to any
Добавляем в /etc/rc.conf
firewall_enable="YES"
firewall_script="/etc/firewall"
fail2ban_enable="YES"
и запускаем
deathstar# sh /etc/firewall && /usr/local/etc/rc.d/fail2ban start
RSS & RSS to Email
На источник то ссылку бы могли бы и оставить!! =)
http://deathstar.name/zashhita-ot-brutforsa-ssh-sredstvami-fail2ban-na-freebsd-nemnogo-poleznostej
Все мы люди)))