Fail2Ban

    版本為 13:57, 20 Nov 2024

    到這個版本。

    返回到 版本存檔.

    查閱目前版本

    閱讀更多文章:

    系統環境

    • openSUSE 11.1/CentOS 5
    • VICIbox / Elastix
    • Asterisk 1.4.27.1-vici

    需求套件

    1. iptables
    2. Python
    3. Fail2ban

    開始安裝

    for SuSE)
    yast > Software > Software Management >

    Search Phrase = fail2ban <Enter>

    Actions = Install <項目會出現+號>

    Accept <Enter>

    for CentOS)
    # yum install fail2ban

    for CentOS 5.5)
    此版本無法從 yum 安裝,改以手動安裝如下

    檔案下載:http://sourceforge.net/projects/fail2ban/files/

    wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download
    tar xf fail2ban-0.8.4.tar.bz2
    cd fail2ban-0.8.4
    python setup.py install
    cp files/redhat-initd /etc/init.d/fail2ban 
    

    設定自動啟動

    chkconfig --add fail2ban
    chkconfig fail2ban on 
    

    設定 Fail2ban

    vi /etc/fail2ban/filter.d/asterisk.conf

    # Fail2Ban configuration file
    #
    #
    # $Revision: 250 $
    #
    
    [INCLUDES]
    
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf
    
    
    [Definition]
    
    #_daemon = asterisk
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    
    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
                NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    

    vi /etc/fail2ban/jail.conf

    # Important: exclude your local network in the ban IPs list
    ignoreip = 127.0.0.1 192.168.0.0/16

    ## This is for SSH on OpenSUSE only. ## If enable, change 'false' as 'true' [ssh-iptables] enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com] logpath = /var/log/messages maxretry = 5 ## [asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org] logpath = /var/log/asterisk/fail2ban maxretry = 5 bantime = 259200

    NOTES:

    * logpath  路徑必須與下述的 logger.conf 的設定相同。
    * 若有開啟 ssh-iptables,並且在啟動 fail2ban 服務後,檢查 fail2ban.log 若出現錯誤訊息如下,可忽略它。
         fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
         iptables -A fail2ban-SSH -j RETURN
         iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
    * 別忘了要將 LAN 的網段加入 ignoreip,免得不小心自己都無法登入。

    * 如果是 CentOS 5.x,[ssh-iptables],必須改成
    logpath = /var/log/secure

     

    設定 Asterisk

    適用: 1.6.2.x
    編輯/etc/asterisk/logger.conf

    [general]
    dateformat=%F %T
    
    [logfiles]
    console => notice,warning,error
    messages => notice,warning,error,debug,verbose
    fail2ban => notice
    

    NOTES:

    增加  dateformat 與 fail2ban logfile

    啟動 Fail2ban

    // 載入 Asterisk 的 logger 設定

    # asterisk -rx "module reload logger"
    # asterisk -rx "logger show channels"
    
    Channel                             Type     Status    Configuration
    -------                             ----     ------    -------------
    /var/log/asterisk/fail2ban          File     Enabled    - Notice
    /var/log/asterisk/messages          File     Enabled    - Debug Verbose Warning Notice Error
                                        Console  Enabled    - Warning Notice Error
    

    // 設定開機自動啟動 Fail2ban

    yast > System

    // 手動立即啟動 Fail2ban

    /etc/init.d/fail2ban start
    

    // 檢查 iptables 規則過濾狀況

    # iptables -L -nv
    
    Chain INPUT (policy ACCEPT 5561K packets, 966M bytes)
     pkts bytes target     prot opt in     out     source               destination
      216 16120 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    23182 1973K fail2ban-ASTERISK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 5091K packets, 884M bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain fail2ban-ASTERISK (1 references)
     pkts bytes target     prot opt in     out     source               destination
    23182 1973K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain fail2ban-SSH (1 references)
     pkts bytes target     prot opt in     out     source               destination
       18  1788 DROP       all  --  *      *       123.123.123.123        0.0.0.0/0
      198 14332 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    

    NOTES:

    fail2ban-SSH 的有關項目,只會在 jail.conf 啟用 SSH-iptables 後才會出現。

    增加黑/白名單功能(選用)

    說明:fail2ban 在偵測到異常 IPs 時,只能在指定時間內進行阻擋,這個時間若設定太長,有可能會影響到某些合法操作下被封鎖的情況,所以可以增加黑白名單的控制,方法如下:

    編輯 /etc/fail2ban/action.d/iptables.conf

    找到這三行

    actionstart = iptables -N fail2ban-<name>
                  iptables -A fail2ban-<name> -j RETURN
                  iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
    ...
    actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    ...
    actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP 
    

    分別取代成

    actionstart = iptables -N fail2ban-<name>
                  iptables -A fail2ban-<name> -j RETURN
                  iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
                  for IP in `cat /etc/fail2ban/ip.deny`; do iptables -I fail2ban-SSH 1 -s $IP -j DROP;done
    ...
    ...
    actionban = if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP;fi
    if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo "<ip>" >> /etc/fail2ban/ip.deny;fi
    ...
    ...
    actionunban = if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ]; then iptables -D fail2ban-<name> -s <ip> -j DROP;fi
    if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo "<ip>" >> /etc/fail2ban/ip.allow;fi 
    

    新增兩個檔案:

    1. /etc/fail2ban/ip.deny (黑名單)
    2. /etc/fail2ban/ip.allow (白名單)

     註:若有變更黑名單內容時,需重啟 fail2ban 才能被套用。

    F.A.Q

    Q:為何沒有 /var/log/fail2ban.log

    Ans: 檢查 /etc/fail2ban/fail2ban.conf

    #logtarget = SYSLOG
    logtarget = /var/log/fail2ban.log
    

    重啟 fail2ban 服務

    Q:服務啟動後的規則檢查

    Ans: 請注意:在 fail2ban 服務啟動後,只會對新的非法行為所產生的 IP 進行過濾,而對舊紀錄的非法 IP,fail2ban 不會對它們重新檢查。 

    Q:在 Elastix/CentOS 5.3 始終無法 ban IP

    使用 fail2ban-client 檢查,明明 log 內有異常連線,但卻無法 ban IP

    # fail2ban-client status
    Status
    |- Number of jail:      1
    `- Jail list:           asterisk-iptables
    
    # fail2ban-client status asterisk-iptables
    |- filter
    |  |- File list:        /var/log/asterisk/fail2ban
    |  |- Currently failed: 0
    |  `- Total failed:     0
    `- action
       |- Currently banned: 0
       |  `- IP list:       
       `- Total banned:     0
    

    解決方法:

    編輯 /etc/asterisk/logger.conf

    ;syslog keyword : This special keyword logs to syslog facility
    ;將下行註解拿掉
    syslog.local0 => notice,warning,error
    

    Reload Asterisk

    Q:如何將 IP 從阻擋清單移除
    # iptables -D fail2ban-ASTERISK -s 123.123.123.123 -j DROP
    Q:如何阻擋不會紀錄來源 IP 的 DDoS 攻擊 Received incoming SIP connection...

    CLI Log:

    Received incoming SIP connection from unknown peer to 003333002972597886748"

    NOTE:

    • 以上訊息只有在 sip_general.conf 的 allowguest=yes (by default),才會出現。
    • 此篇也適合解決 Sending fake auth rejection for device 100<sip:100@123.123.123.123> ,這類的攻擊手法。方法是先 註解 allowguest=no,然後完成下面的步驟。
      注意:比較安全的做法應該是將 allowguest=no,然後在 Asterisk 11 以後版本,Log 就可以紀錄到惡意的來源 IP,然後就可以用 Fail2ban 來將其阻擋,詳細資訊可以參考本篇其他章節。

    Ans:

    1. 編輯 /etc/asterisk/extensions.conf

    [from-sip-external]
    ; 註解原有內容,加上以下內容
    exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
    exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
    exten => _.,n,Set(foo=${SIPCHANINFO(recvip)})
    exten => _.,n,Log(NOTICE,Incoming SIP connection from unknown peer failed for ${foo} - Unknown connection from peer)
    exten => _.,n,Hangup
    exten => h,1,Hangup
    exten => i,1,Hangup
    exten => t,1,Hangup 
    

    套用新設定

    asterisk -rx "dialplan reload"
    

    2. 編輯 /etc/fail2ban/filter.d/asterisk.conf

    ...
    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
                ...
                ...
                NOTICE.* .*: Incoming SIP connection from unknown peer failed for '<HOST>' - Unknown connection from peer

    套用新設定

    service fail2ban restart
    
    Q:如何阻擋 Sending fake auth rejection ...

    Sending fake auth rejection for device 100<sip:100@123.123.123.123>;tag=99fdd5d7

    123.123.123.123 is my external IP of PBX

    Ans:不同 Asterisk 版本的解決方法

    Asterisk 11)
    此版新增一個 Security Log Level 的功能,透過啟用這個,可以記錄攻擊者的來源 IP,然後再透過 fail2ban 去阻擋。

    教學連結:http://highsecurity.blogspot.tw/2013...l2ban-088.html

    Asterisk 1.8/1.6)
    舊版的 Asterisk 要阻擋這類行為,只能修改原始檔 channels/chan_sip.c,使系統可以記錄攻擊者的來源 IP,修改後必須重新編譯 Asterisk 才能被套用,再設定 fail2abn 去阻擋。

    教學連結:https://bugs.debian.org/cgi-bin/bugr...cgi?bug=706739

    TIP:

    在舊版的 Asterisk 還有一個方法,不用修改 chan_sip.c 原始檔,詳細資訊請參閱本篇其他章節。

    Powered by MindTouch Core