閱讀更多文章:
系統環境
需求套件
for SuSE)
yast > Software > Software Management >
Search Phrase = fail2ban <Enter>
Actions = Install <項目會出現+號>
Accept <Enter>
for CentOS)
# yum install fail2ban
for CentOS 5.5)
此版本無法從 yum 安裝,改以手動安裝如下
檔案下載:http://sourceforge.net/projects/fail2ban/files/
wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download tar xf fail2ban-0.8.4.tar.bz2 cd fail2ban-0.8.4
vi /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file # # # $Revision: 250 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] #_daemon = asterisk # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register NOTICE.* <HOST> failed to authenticate as '.*'$ NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@<HOST>.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
vi /etc/fail2ban/jail.conf
# Important: exclude your local network in the ban IPs list
ignoreip = 127.0.0.1 192.168.0.0/16
## This is for SSH on OpenSUSE only.
## If enable, change 'false' as 'true'
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/messages
maxretry = 5
##
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 259200
NOTES:
* logpath 路徑必須與下述的 logger.conf 的設定相同。
* 若有開啟 ssh-iptables,並且在啟動 fail2ban 服務後,檢查 fail2ban.log 若出現錯誤訊息如下,可忽略它。
fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
* 別忘了要將 LAN 的網段加入 ignoreip,免得不小心自己都無法登入。
vi /etc/asterisk/logger.conf
[general] dateformat=%F %T [logfiles] console => notice,warning,error messages => notice,warning,error,debug,verbose fail2ban => notice
NOTES:
增加 dateformat 與 fail2ban logfile
// 載入 Asterisk 的 logger 設定
# asterisk -rx "module reload logger" # asterisk -rx "logger show channels" Channel Type Status Configuration ------- ---- ------ ------------- /var/log/asterisk/fail2ban File Enabled - Notice /var/log/asterisk/messages File Enabled - Debug Verbose Warning Notice Error Console Enabled - Warning Notice Error
// 設定開機自動啟動 Fail2ban
yast > System
// 手動立即啟動 Fail2ban
/etc/init.d/fail2ban start
// 檢查 iptables 規則過濾狀況
# iptables -L -nv Chain INPUT (policy ACCEPT 5561K packets, 966M bytes) pkts bytes target prot opt in out source destination 216 16120 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 23182 1973K fail2ban-ASTERISK all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5091K packets, 884M bytes) pkts bytes target prot opt in out source destination Chain fail2ban-ASTERISK (1 references) pkts bytes target prot opt in out source destination 23182 1973K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-SSH (1 references) pkts bytes target prot opt in out source destination 18 1788 DROP all -- * * 123.123.123.123 0.0.0.0/0 198 14332 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
NOTES:
fail2ban-SSH 的有關項目,只會在 jail.conf 啟用 SSH-iptables 後才會出現。
說明:fail2ban 在偵測到異常 IPs 時,只能在指定時間內進行阻擋,這個時間若設定太長,有可能會影響到某些合法操作下被封鎖的情況,所以可以增加黑白名單的控制,方法如下:
編輯 /etc/fail2ban/action.d/iptables.conf
增加最後一行
actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name> for IP in `cat /etc/fail2ban/ip.deny`; do iptables -I fail2ban-SSH 1 -s $IP -j DROP;done ... ... actionban = if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP;fi if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo "<ip>" >> /etc/fail2ban/ip.deny;fi ... ... actionunban = if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ]; then iptables -D fail2ban-<name> -s <ip> -j DROP;fi if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo "<ip>" >> /etc/fail2ban/ip.allow;fi
新增兩個檔案:
註:若有變更黑名單內容時,需重啟 fail2ban 才能被套用。
Ans: 檢查 /etc/fail2ban/fail2ban.conf
#logtarget = SYSLOG logtarget = /var/log/fail2ban.log
重啟 fail2ban 服務
Ans: 請注意:在 fail2ban 服務啟動後,只會對新的非法行為所產生的 IP 進行過濾,而對舊紀錄的非法 IP,fail2ban 不會對它們重新檢查。
使用 fail2ban-client 檢查,明明 log 內有異常連線,但卻無法 ban IP
# fail2ban-client status Status |- Number of jail: 1 `- Jail list: asterisk-iptables # fail2ban-client status asterisk-iptables |- filter | |- File list: /var/log/asterisk/fail2ban | |- Currently failed: 0 | `- Total failed: 0 `- action |- Currently banned: 0 | `- IP list: `- Total banned: 0
解決方法:
編輯 /etc/asterisk/logger.conf
;syslog keyword : This special keyword logs to syslog facility ;將下行註解拿掉 syslog.local0 => notice,warning,error
Reload Asterisk
# iptables -D fail2ban-ASTERISK -s 123.123.123.123 -j DROP
Ans: 編輯 /etc/asterisk/extensions.conf
[from-sip-external] ; 註解原有內容,加上以下內容 exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN}) exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})}) exten => _.,n,Set(foo=${SIPCHANINFO(recvip)}) exten => _.,n,NoOp(Incoming SIP connection from unknown peer failed for ${foo} - Unknown connection from peer) exten => _.,n,Hangup exten => h,1,Hangup exten => i,1,Hangup exten => t,1,Hangup
編輯 /etc/fail2ban/filter.d/asterisk.conf
... failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password ... ... NOTICE.* .*: Incoming SIP connection from unknown peer failed for '<HOST>' - Unknown connection from peer