■Installing fail2ban on Squeeze
$ apt-cache show fail2ban | grep -A 12 ^Desc
Description: bans IPs that cause multiple authentication errors
Monitors log files (e.g. /var/log/auth.log,
/var/log/apache/access.log) and temporarily or persistently bans
failure-prone addresses by updating existing firewall rules. The
software was completely rewritten at version 0.7.0 and now allows
easy specification of different actions to be taken such as to ban an
IP using iptables or hostsdeny rules, or simply to send a
notification email. Currently, by default, supports ssh/apache/vsftpd
but configuration can be easily extended for monitoring any other ASCII
file. All filters and actions are given in the config files, thus
fail2ban can be adopted to be used with a variety of files and
firewalls.
Homepage: http://www.fail2ban.org
■When ssh does not listen on port 22
By default, fail2ban watches port 22.
$ sudo iptables -L -v -n | grep fail2ban
0 0 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain fail2ban-ssh (1 references)
■To change that, edit either /etc/services or the "port" entry in jail.conf.
$ sudo grep -A 6 "\[ssh" /etc/fail2ban/jail.conf
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
--
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
■Edit jail.conf. While at it, enable "ssh-ddos" as well.
$ sudo grep -A 6 "\[ssh" /etc/fail2ban/jail.conf
[ssh]
enabled = true
port = 8022
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
--
[ssh-ddos]
enabled = true
port = 8022
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
■Apply the settings and verify them.
$ sudo /etc/init.d/fail2ban restart
Restarting authentication failure monitor: fail2ban.
$ sudo iptables -L -v -n | grep ssh
68 5120 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8022
68 5120 fail2ban-ssh-ddos tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8022
Chain fail2ban-ssh (1 references)
Chain fail2ban-ssh-ddos (1 references)
■List of rules fail2ban can monitor that are currently disabled.
$ sudo grep -B 2 false /etc/fail2ban/jail.conf | grep "^\["
[pam-generic]
[xinetd-fail]
[apache]
[apache-multiport]
[apache-noscript]
[apache-overflows]
[vsftpd]
[proftpd]
[wuftpd]
[postfix]
[couriersmtp]
[courierauth]
[sasl]
[named-refused-tcp]
■List of rules fail2ban can monitor that are currently enabled.
$ sudo grep -B 2 true /etc/fail2ban/jail.conf | grep "^\["
[ssh]
[ssh-ddos]
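The two checks above (does the jail's port match where sshd really listens, and which jails are enabled) are worth doing from the file's keys rather than from line positions, since "grep -B 2 true" silently breaks if "enabled" is not exactly two lines below the header. This is an added example, not part of the original post or of fail2ban; the embedded jail.conf and the SERVICES table are constructed stand-ins for /etc/fail2ban/jail.conf and /etc/services.

```python
import configparser

# Constructed sample in the shape of Squeeze's /etc/fail2ban/jail.conf (not the real file).
SAMPLE_JAIL_CONF = """\
[DEFAULT]
bantime = 600

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log

[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
"""
SERVICES = {"ssh": 22, "http": 80, "https": 443}  # constructed stand-in for /etc/services

def load_jails(text):
    """Parse jail.conf; keys in [DEFAULT] are inherited by every jail, as in fail2ban."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def jails_by_state(cp):
    """(enabled, disabled) jail names, read from the 'enabled' key itself rather than
    from its position under the header, which the 'grep -B 2 true' trick assumes."""
    enabled = [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]
    return enabled, [s for s in cp.sections() if s not in enabled]

def resolve_ports(port_value, services=SERVICES):
    """Expand a jail 'port' value ('ssh', '8022', 'http,https') to numeric ports."""
    items = [p.strip() for p in port_value.split(",")]
    return [int(p) if p.isdigit() else services[p] for p in items]

def check_jail_ports(cp, actual_port, jail_names, services=SERVICES):
    """Enabled jails among jail_names whose ports miss the port the daemon really listens
    on: the post's case of sshd moved to 8022 while the jail still bans port 22."""
    enabled, _ = jails_by_state(cp)
    bad = {}
    for name in jail_names:
        ports = resolve_ports(cp.get(name, "port"), services)
        if name in enabled and actual_port not in ports:
            bad[name] = ports
    return bad
```

On a real host, read the file with cp.read("/etc/fail2ban/jail.conf") and replace the SERVICES lookup with socket.getservbyname().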
■I doubt anyone relies on fail2ban alone to protect ssh-server, but if you also
control it through xinetd, for example, a filter for that is provided too.
$ sudo ls /etc/fail2ban/filter.d/
apache-auth.conf exim.conf qmail.conf
apache-badbots.conf gssftpd.conf sasl.conf
apache-nohome.conf lighttpd-fastcgi.conf sieve.conf
apache-noscript.conf named-refused.conf sshd-ddos.conf
apache-overflows.conf pam-generic.conf sshd.conf
common.conf php-url-fopen.conf vsftpd.conf
courierlogin.conf postfix.conf webmin-auth.conf
couriersmtp.conf proftpd.conf wuftpd.conf
cyrus-imap.conf pure-ftpd.conf xinetd-fail.conf