fail2ban

commands

  • statusをみる
    • fail2ban-client status <name(optional)>
  • unban
    • fail2ban-client set <jail_name> unbanip <ip_addr>

fail2ban battle on ubuntu 18.04

$ sudo apt install fail2ban

$ sudo ls /etc/fail2ban
action.d       fail2ban.d  jail.conf  paths-arch.conf  paths-debian.conf
fail2ban.conf  filter.d    jail.d     paths-common.conf  paths-opensuse.conf

## fail2ban.confはdaemon自体の全般設定系.基本いじらなくてもよさそう.
## jail系はjailにいれる条件等を記載する.filterはsyslogやdarmonをベースのフィルタし,条件にマッチするか否かを判定するロジックを構成する.actionはjailに入った場合のaction等を設定する.
## つまりjailのconfigで書かれたfilter, actionがあり,filterに存在する条件に(logが)マッチし,jailに書かれたしきい値等の条件を超えたらactionを実施する.というのがが大まかな流れ.

# common-configをする
# jail.confは直接編集せず,jail.local等をjail.confからcpして編集する

$ sudo cp /etc/fail2ban/jail.conf  /etc/fail2ban/jail.local

下記は設定例

  • /etc/fail2ban/jail.local
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignorecommand =
bantime  = 10m
findtime  = 10m
maxretry = 5
backend = auto
usedns = no
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]

destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail

# Default protocol
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
  • /etc/fail2ban/fail.d/sshd.conf
# SSH servers

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry= 3
  • ちなみに /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true

もとからsshdはenabledになっているっぽい.

  • banされると(ex. 192.168.0.10のクライアントがsshのパスワード認証で3回失敗した場合)
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- File list:  /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 192.168.0.10

$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 5778 packets, 2444K bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  4892 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5814 packets, 2321K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   31  3504 REJECT     all  --  *      *       192.168.0.10          0.0.0.0/0            reject-with icmp-port-unreachable
   20  1388 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  • f2b-<name> というchainでbanされている.これは /etc/fail2ban/action.d/iptables-multiport.conf に記載されている通りだ.

再犯者への刑

  • /etc/fail2ban/filter.d/recidive.conf このようなfilterがあるので
# Fail2Ban filter for repeat bans
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = fail2ban\.actions\s*

# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname = recidive

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

# Author: Tom Hendrikx, modifications by Amir Caspi

これを適用すればよい.

# /etc/fail2ban/fail.d/recidive.local
[recidive]

enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

この場合たとえば1日5回fail2banされたら1week banが継続することになる.

unbanする

typo等でbanされてしまった場合など.

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:  /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: 192.168.0.10
$ sudo fail2ban-client unban 192.168.0.10
1
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:  /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 2
   `- Banned IP list: