for Asterisk 1.6.x)
/etc/fail2ban/filter.d/asterisk.conf
```ini
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
for Asterisk 1.8.x)
/etc/fail2ban/filter.d/asterisk.conf
```ini
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 appends the source port to the address ('1.2.3.4:5060'), hence
# the optional (:[0-9]{1,5})? group after <HOST> in the registration patterns.
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*@<HOST>.*
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
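Before deploying either filter it is worth checking what the `host` group actually captures, the way `fail2ban-regex` would. The following harness is an added example, not code from the page or from either filter file: it expands `<HOST>` with the alias quoted in both files' comments, runs one 1.6.x pattern and the matching 1.8.x pattern over constructed Asterisk 1.6-style and 1.8-style lines (sample text, not real log data), and reports the captured host. It shows why the 1.8.x file adds the optional `(:[0-9]{1,5})?` port group, and also that with the `\S+` alias the group is ineffective, because the greedy `\S+` swallows the port first; the port group only does its job when the host alias excludes the colon. `HOST_NOCOLON` is an assumed, illustrative form of such an alias (later fail2ban releases substitute a colon-free class; check the `filter.py` of the installed version rather than relying on this constant).

```python
import re

# Host alias quoted in the filter files' own comments (older fail2ban releases).
HOST_SPACE = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Assumed colon-free alias for illustration; verify against your fail2ban's filter.py.
HOST_NOCOLON = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# One pattern from each filter on the page: the 1.6.x form and the 1.8.x form
# (which adds an optional ':port' group after <HOST>).
FAILREGEX_16 = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password"
FAILREGEX_18 = r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password"

# Constructed sample lines (documentation addresses, not real log data).
# Asterisk 1.8 appends the source port to the address; 1.6 does not.
LOG_16 = ("[2014-10-30 12:00:01] NOTICE[1234] chan_sip.c: Registration from "
          "'\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.7' - Wrong password")
LOG_18 = ("[2014-10-30 12:00:01] NOTICE[1234] chan_sip.c: Registration from "
          "'\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password")


def expand_host(failregex, host_alias):
    """Substitute the <HOST> tag with the alias, as fail2ban does before compiling."""
    return re.compile(failregex.replace("<HOST>", host_alias))


def extract_host(failregex, host_alias, line):
    """Return the value fail2ban would ban for this line, or None if it does not match."""
    m = expand_host(failregex, host_alias).search(line)
    return m.group("host") if m else None


def compare_aliases():
    """Run every pattern/alias/line combination and collect the captured hosts."""
    cases = {
        "1.6 pattern, \\S+ alias, 1.6 line": (FAILREGEX_16, HOST_SPACE, LOG_16),
        "1.6 pattern, \\S+ alias, 1.8 line": (FAILREGEX_16, HOST_SPACE, LOG_18),
        "1.8 pattern, \\S+ alias, 1.8 line": (FAILREGEX_18, HOST_SPACE, LOG_18),
        "1.8 pattern, colon-free alias, 1.8 line": (FAILREGEX_18, HOST_NOCOLON, LOG_18),
        "1.8 pattern, colon-free alias, 1.6 line": (FAILREGEX_18, HOST_NOCOLON, LOG_16),
    }
    return {name: extract_host(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, host in compare_aliases().items():
        print(f"{name:45s} -> {host!r}")
```

A banned value of `198.51.100.7:5060` is not an address iptables can use, so a filter whose host group includes the port silently fails to block anything; running the installed filter through `fail2ban-regex` against a real line from `/var/log/asterisk/messages` is the quickest way to confirm which alias your version substitutes.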
Updated 2012-3-14:
fail2ban will not work properly on CentOS 6.x; for details and the fix, see:
List recent malicious IPs with their attack (ban) counts, sorted.
```
# awk '$(NF-1) ~ /Ban/ {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
      1 61.234.104.167
      1 70.38.71.19
      2 111.73.46.74
      2 122.225.97.123
      2 122.225.97.82
      2 222.186.34.241
      2 61.174.51.217
      3 91.220.131.33
      4 183.110.253.233
      5 222.136.71.19
      9 37.48.81.34
```
Top ten malicious IPs by attack count, searching the current fail2ban log and all rotated logs.
```
# zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c | sort -n | tail -10
      4 218.2.0.135
      4 61.174.51.217
      6 134.213.134.172
      7 192.198.92.242
      7 93.174.95.41
      9 37.48.81.34
     11 183.110.253.233
     17 37.59.31.66
     18 222.136.71.19
     42 192.126.120.81
```
Top ten malicious IP ranges (first two octets) by attack count, searching the current fail2ban log and all rotated logs.
```
# zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail -10
      9 37.48.
     11 117.27.
     11 183.110.
     15 222.186.
     16 218.2.
     17 37.59.
     18 222.136.
     26 61.174.
     42 192.126.
    105 122.225.
```
Search the current log and each rotated log file for the number of attacks from the 122.225 range in each period.
```
# zgrep -c 122.225. /var/log/fail2ban.log*
/var/log/fail2ban.log:50
/var/log/fail2ban.log-20141017:37
/var/log/fail2ban.log-20141020:14
/var/log/fail2ban.log-20141023:44
/var/log/fail2ban.log-20141028:66
```
List attacking IP, attack count and the targeted service
```
# grep "Ban " /var/log/fail2ban.log | awk -F[\ \:] '{print $10,$8}' | sort | uniq -c | sort -n
      2 111.73.46.74 [ssh-iptables]
      2 122.225.97.123 [ssh-iptables]
      2 122.225.97.82 [ssh-iptables]
      2 222.186.34.241 [ssh-iptables]
      2 61.174.51.217 [ssh-iptables]
      3 91.220.131.33 [ssh-iptables]
      4 183.110.253.233 [ssh-iptables]
      5 222.136.71.19 [ssh-iptables]
      9 37.48.81.34 [asterisk-iptables]
```
Today's latest attack report
```
# grep "Ban " /var/log/fail2ban.log | grep $(date +%Y-%m-%d) | awk '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
      1 106.120.170.71 (106.120.170.71)
      1 122.225.97.123 (122.225.97.123)
      1 221.194.44.197 (221.194.44.197)
      1 222.186.34.241 (222.186.34.241)
      1 222.60.95.243 (222.60.95.243)
      1 hn.kd.ny.adsl (222.136.71.19)
      1 usloft1168.serverprofi24.com (209.239.114.179)
```
Attack counts per day, by service type
```
# zgrep "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
      1 [asterisk-iptables] /var/log/fail2ban.log-20141028:2014-10-26
      2 [asterisk-iptables] /var/log/fail2ban.log-20141028:2014-10-27
      3 [asterisk-iptables] /var/log/fail2ban.log:2014-10-29
      6 [asterisk-iptables] /var/log/fail2ban.log:2014-10-30
     23 [ssh-iptables] /var/log/fail2ban.log-20141017:2014-10-15
     33 [ssh-iptables] /var/log/fail2ban.log-20141017:2014-10-16
     16 [ssh-iptables] /var/log/fail2ban.log-20141017:2014-10-17
     35 [ssh-iptables] /var/log/fail2ban.log-20141020:2014-10-17
     22 [ssh-iptables] /var/log/fail2ban.log-20141020:2014-10-18
```
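The pipelines above all split the same `fail2ban.actions` log line by field position, which breaks silently if the log format shifts and, for the `grep 122.225.` case, also counts Unban lines. The script below is an added example, not code from the page: it parses the line with a regex that names the date, jail, action and IP, keeps only `Ban` events, and produces the same reports (per IP, per prefix of any length, per jail and day, per IP and jail, and a single-day report) from a constructed sample log. `read_log_files` reads rotated `.gz` files the way `zgrep` does; the sample log is constructed documentation data, not real traffic.

```python
import gzip
import re
from collections import Counter

# fail2ban 0.8.x actions line, e.g.
# "2014-10-30 01:30:00,104 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7"
BAN_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) .*?\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)\s*$"
)

# Constructed sample log (not real data); Ban, Unban and Found lines are mixed
# so that the filter's behaviour on each kind is visible.
SAMPLE_LOG = """\
2014-10-29 03:12:44,101 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7
2014-10-29 03:22:44,102 fail2ban.actions: WARNING [ssh-iptables] Unban 198.51.100.7
2014-10-29 09:01:02,103 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.9
2014-10-30 01:30:00,104 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7
2014-10-30 02:45:10,105 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.22
2014-10-30 11:00:00,106 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.9
2014-10-30 12:00:00,107 fail2ban.filter: INFO [ssh-iptables] Found 192.0.2.1
"""


def read_log_files(paths):
    """Yield lines from current and rotated logs; '.gz' files are decompressed like zgrep."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt") as fh:
            yield from fh


def parse_bans(lines):
    """Return [(date, jail, ip), ...] for Ban lines only; Unban and Found lines are dropped."""
    bans = []
    for line in lines:
        m = BAN_RE.match(line)
        if m and m.group("action") == "Ban":
            bans.append((m.group("date"), m.group("jail"), m.group("ip")))
    return bans


def bans_by_ip(bans):
    """Equivalent of: grep "Ban " | awk '{print $NF}' | sort | uniq -c."""
    return Counter(ip for _, _, ip in bans)


def bans_by_prefix(bans, octets=2):
    """Equivalent of the awk -F. '{print $1"."$2"."}' pipeline, for any prefix length."""
    return Counter(".".join(ip.split(".")[:octets]) + "." for _, _, ip in bans)


def bans_by_jail_and_day(bans):
    """Equivalent of: awk '{print $5,$1}' | sort | uniq -c, keyed by (jail, date)."""
    return Counter((jail, date) for date, jail, _ in bans)


def bans_by_ip_and_jail(bans):
    """Equivalent of the awk -F'[ :]' '{print $10,$8}' pipeline: (ip, jail) counts."""
    return Counter((ip, jail) for _, jail, ip in bans)


def bans_on(bans, day):
    """Single-day report: per-IP ban counts restricted to one YYYY-MM-DD date."""
    return bans_by_ip(b for b in bans if b[0] == day)


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG.splitlines())
    for ip, n in bans_by_ip(bans).most_common(10):
        print(f"{n:7d} {ip}")
    for (jail, day), n in sorted(bans_by_jail_and_day(bans).items()):
        print(f"{n:7d} [{jail}] {day}")
```

To run it over real files, replace `SAMPLE_LOG.splitlines()` with `read_log_files(sorted(glob.glob("/var/log/fail2ban.log*")))`; because the parser keys on the named fields rather than on `$5` or `$10`, a change in the timestamp or logger name does not shift the columns and produce wrong counts.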