■導入がまだなら。。。
Squeezeにfail2banを導入する
http://d.hatena.ne.jp/labunix/20130323
■fail2banの各jailの有効/無効（jail.confのenabled設定）を一覧する。※これは設定ファイル上の値であり、jail.localで上書きしている場合はそちらも読む必要がある。実際に稼働しているjailは「fail2ban-client status」で確認する。
$ sudo grep "^\[\|= false\|= true" /etc/fail2ban/jail.conf | \
grep -v "^#\|DEFAULT" | \
xargs echo -n | \
sed s/"enabled = "//g | \
sed s/" "/","/g | \
sed s/",\["/"\n\["/g | \
sed s/"\[\|\]"//g | \
awk -F\, '{printf "%20s %20s\n",$1,$2}'
ssh true
pam-generic true
xinetd-fail true
ssh-ddos true
apache false
apache-multiport false
apache-noscript false
apache-overflows false
vsftpd false
proftpd false
wuftpd false
postfix true
couriersmtp false
courierauth false
sasl false
named-refused-tcp false
■え?左寄せがいい?
$ sudo grep "^\[\|= false\|= true" /etc/fail2ban/jail.conf | \
grep -v "^#\|DEFAULT" | xargs echo -n | \
sed s/"enabled = "//g | sed s/" "/","/g | sed s/",\["/"\n\["/g | sed s/"\[\|\]"//g | \
awk -F\, '{printf "%-20s %-20s\n",$1,$2}'
ssh true
pam-generic true
xinetd-fail true
ssh-ddos true
apache false
apache-multiport false
apache-noscript false
apache-overflows false
vsftpd false
proftpd false
wuftpd false
postfix true
couriersmtp false
courierauth false
sasl false
named-refused-tcp false
■スクリプト化。
$ cat fail2ban-status.sh
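#!/bin/sh
# fail2ban-status.sh -- list every fail2ban jail with its enabled flag,
# one "<jail> <true|false>" pair per line (columns padded to 20 chars).
#
# Reads /etc/fail2ban/jail.conf and, when present, /etc/fail2ban/jail.local.
# A value in jail.local overrides the same jail's value from jail.conf,
# mirroring fail2ban's own precedence, so the listing reflects the
# effective configuration rather than only the packaged defaults.
#
# NOTE: this reports what is *configured*, not what is *running*. A jail
# can be enabled here yet not actually be filtering anything (e.g. its
# iptables chain may exist with 0 references). Confirm the live state
# with `fail2ban-client status` and `iptables -L -n`.
#
# Exit status: 1 when not run as root (message on stderr), 0 otherwise.

# Root check kept from the original; jail.conf is typically world-readable,
# so this is a policy choice rather than a technical requirement.
if [ "$(id -u)" -ne 0 ]; then
  echo "Sorry,Not Permit User!" >&2
  exit 1
fi

# Build the file list in the positional parameters so the paths are passed
# to awk as separate, properly quoted arguments. jail.local is optional and
# must come last so that its settings win.
set -- /etc/fail2ban/jail.conf
if [ -r /etc/fail2ban/jail.local ]; then
  set -- "$@" /etc/fail2ban/jail.local
fi

# A single awk pass replaces the original grep|xargs|sed chain, which
# depended on every section being followed by exactly one "enabled" line
# and on xargs' quote handling. Here each "enabled = ..." line is attributed
# to the section it appears in; [DEFAULT] is skipped; first-seen order is kept.
awk '
  # Section header: remember the jail name.
  /^\[/ {
    name = $0
    sub(/^\[/, "", name)
    sub(/\].*$/, "", name)
    if (name == "DEFAULT") { jail = ""; next }
    jail = name
    if (!(jail in seen)) { seen[jail] = 1; order[++n] = jail }
    next
  }
  # "enabled = true|false" inside a jail; later files override earlier ones.
  jail != "" && /^[ \t]*enabled[ \t]*=[ \t]*(true|false)[ \t]*$/ {
    val = $0
    sub(/^[ \t]*enabled[ \t]*=[ \t]*/, "", val)
    sub(/[ \t]*$/, "", val)
    state[jail] = val
  }
  END {
    for (i = 1; i <= n; i++) {
      if (order[i] in state) {
        printf "%-20s %-20s\n", order[i], state[order[i]]
      }
    }
  }
' "$@"
exit 0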
$ chmod +x fail2ban-status.sh
■有効なルールは。。。
$ sudo ./fail2ban-status.sh | grep true
ssh true
pam-generic true
xinetd-fail true
ssh-ddos true
postfix true
$ sudo iptables -L -n | grep "^Chain fail2ban"
Chain fail2ban-pam-generic (1 references)
Chain fail2ban-postfix (1 references)
Chain fail2ban-ssh (1 references)
Chain fail2ban-ssh-ddos (1 references)
Chain fail2ban-xinetd-fail (0 references)
Chain fail2ban-xinetd-fail-log (0 references)
■細かい事は良いとして。。。ただし fail2ban-xinetd-fail / fail2ban-xinetd-fail-log チェーンが「0 references」なのは要注意。INPUTから参照されていない（下のジャンプルール一覧にもxinetd-failが無い）ので、enabled=trueでも実際には何もブロックしていない。原因はここからは断定できないが、確認しておきたい。
$ sudo iptables -L -n | grep "fail2ban" | sed s/" *"/"_"/g | awk -F\_ '{printf "%-20s %-20s %-5s %-5s %10s %10s %50s\n",$1,$2,$3,$4,$5,$6,$7 }'
fail2ban-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-ssh-ddos tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-pam-generic tcp -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pam-generic (1 references)
Chain fail2ban-postfix (1 references)
Chain fail2ban-ssh (1 references)
Chain fail2ban-ssh-ddos (1 references)
Chain fail2ban-xinetd-fail (0 references)
Chain fail2ban-xinetd-fail-log (0 references)
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 6/min burst 2 LOG flags 0 level 4 prefix 'fail2ban-xinetd-fail:DROP '
■無効なルールは。。。
$ sudo ./fail2ban-status.sh | grep false
apache false
apache-multiport false
apache-noscript false
apache-overflows false
vsftpd false
proftpd false
wuftpd false
couriersmtp false
courierauth false
sasl false
named-refused-tcp false
■確認（自ホスト宛のスキャンなので、外部から見える姿とは異なる場合がある。可能なら別ホストから実行して突き合わせる）
$ sudo nmap -sT `hostname -s` 2>&1 | grep ^[P0-9]
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
6000/tcp open X11
$ sudo nmap -sU `hostname -s` 2>&1 | grep ^[P0-9]
PORT STATE SERVICE
68/udp open|filtered dhcpc
177/udp open|filtered xdmcp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
■IPsec(500/UDP)は止めよう。gdmは良しとする。
$ sudo /etc/init.d/ipsec stop
$ sudo chkconfig ipsec off
$ sudo chkconfig --list ipsec
ipsec 0:off 1:off 2:off 3:off 4:off 5:off 6:off
$ sudo nmap -sU `hostname -s` 2>&1 | grep ^[P0-9]
PORT STATE SERVICE
177/udp open|filtered xdmcp
■X11(6000/TCP)というかXDMCPをどうしようか。。。
$ sudo grep "600[0-9]/" /etc/services
x11 6000/tcp x11-0
x11 6000/udp x11-0
x11-1 6001/tcp
x11-1 6001/udp
x11-2 6002/tcp
x11-2 6002/udp
x11-3 6003/tcp
x11-3 6003/udp
x11-4 6004/tcp
x11-4 6004/udp
x11-5 6005/tcp
x11-5 6005/udp
x11-6 6006/tcp
x11-6 6006/udp
x11-7 6007/tcp
x11-7 6007/udp
■multiportなので。
$ sudo grep -A 5 "^\[ssh" /etc/fail2ban/jail.conf | grep "^\[\|^port"
[ssh]
port = ssh,6000:6007
[ssh-ddos]
port = ssh,6000:6007
$ sudo iptables -L -n | grep "^fail2ban-ssh" | sed s/".*multiport dports "//g
22,6000:6007
22,6000:6007
■ssh/ssh-ddosはリトライが6（maxretryを持たないpam-genericはDEFAULTの3を継承）、停止時間はDEFAULTのbantime=600、つまり10分。
$ sudo grep -A 10 "\[ssh" /etc/fail2ban/jail.conf | grep "^\[\|retry"
[ssh]
maxretry = 6
[pam-generic]
[ssh-ddos]
maxretry = 6
$ sudo grep -A 10 "^\[DEFAULT" /etc/fail2ban/jail.conf | grep -v "^#\|^\$"
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
■以下だけでbanされる。ignoreipは127.0.0.1だけなので自分の接続元も例外ではない。管理用ホストからの締め出しを避けるなら、そのIPをignoreipに追加しておく。
$ ssh labunix@192.168.0.1
labunix@192.168.0.1's password:
Access denied
labunix@192.168.0.1's password:
Access denied
labunix@192.168.0.1's password:
Access denied
labunix@192.168.0.1's password:
Access denied
labunix@192.168.0.1's password:
Access denied
labunix@192.168.0.1's password:
■もちろんログに載る。Banからちょうど600秒後（bantime=600）にUnbanされているのが確認できる。
$ sudo grep -v INFO /var/log/fail2ban.log
2013-04-04 00:07:38,104 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-04-04 00:17:38,846 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1