Verified on CentOS 7
$ sudo yum install -y epel-release
$ sudo yum install -y fail2ban
Directory layout
$ tree /etc/fail2ban/
/etc/fail2ban/
├── action.d
│ ├── abuseipdb.conf
│ ├── apf.conf
│ ├── badips.conf
│ ├── badips.py
│ ├── badips.pyc
│ ├── badips.pyo
│ ├── blocklist_de.conf
│ ├── cloudflare.conf
│ ├── dshield.conf
│ ├── dummy.conf
│ ├── firewallcmd-allports.conf
│ ├── firewallcmd-common.conf
│ ├── firewallcmd-ipset.conf
│ ├── firewallcmd-multiport.conf
│ ├── firewallcmd-new.conf
│ ├── firewallcmd-rich-logging.conf
│ ├── firewallcmd-rich-rules.conf
│ ├── helpers-common.conf
│ ├── iptables-allports.conf
│ ├── iptables-common.conf
│ ├── iptables-ipset-proto4.conf
│ ├── iptables-ipset-proto6-allports.conf
│ ├── iptables-ipset-proto6.conf
│ ├── iptables-multiport-log.conf
│ ├── iptables-multiport.conf
│ ├── iptables-new.conf
│ ├── iptables-xt_recent-echo.conf
│ ├── iptables.conf
│ ├── mail-whois-common.conf
│ ├── mynetwatchman.conf
│ ├── netscaler.conf
│ ├── nftables-allports.conf
│ ├── nftables-multiport.conf
│ ├── nftables.conf
│ ├── nginx-block-map.conf
│ ├── npf.conf
│ ├── nsupdate.conf
│ ├── route.conf
│ ├── sendmail-buffered.conf
│ ├── sendmail-common.conf
│ ├── sendmail-geoip-lines.conf
│ ├── sendmail-whois-ipjailmatches.conf
│ ├── sendmail-whois-ipmatches.conf
│ ├── sendmail-whois-lines.conf
│ ├── sendmail-whois-matches.conf
│ ├── sendmail-whois.conf
│ ├── sendmail.conf
│ ├── shorewall-ipset-proto6.conf
│ ├── smtp.py
│ ├── smtp.pyc
│ ├── smtp.pyo
│ ├── symbiosis-blacklist-allports.conf
│ └── xarf-login-attack.conf
├── fail2ban.conf
├── fail2ban.d
├── filter.d
│ ├── 3proxy.conf
│ ├── apache-auth.conf
│ ├── apache-badbots.conf
│ ├── apache-botsearch.conf
│ ├── apache-common.conf
│ ├── apache-fakegooglebot.conf
│ ├── apache-modsecurity.conf
│ ├── apache-nohome.conf
│ ├── apache-noscript.conf
│ ├── apache-overflows.conf
│ ├── apache-pass.conf
│ ├── apache-shellshock.conf
│ ├── assp.conf
│ ├── asterisk.conf
│ ├── bitwarden.conf
│ ├── botsearch-common.conf
│ ├── centreon.conf
│ ├── common.conf
│ ├── counter-strike.conf
│ ├── courier-auth.conf
│ ├── courier-smtp.conf
│ ├── cyrus-imap.conf
│ ├── directadmin.conf
│ ├── domino-smtp.conf
│ ├── dovecot.conf
│ ├── dropbear.conf
│ ├── drupal-auth.conf
│ ├── ejabberd-auth.conf
│ ├── exim-common.conf
│ ├── exim-spam.conf
│ ├── exim.conf
│ ├── freeswitch.conf
│ ├── froxlor-auth.conf
│ ├── gitlab.conf
│ ├── grafana.conf
│ ├── groupoffice.conf
│ ├── gssftpd.conf
│ ├── guacamole.conf
│ ├── haproxy-http-auth.conf
│ ├── horde.conf
│ ├── ignorecommands
│ │ └── apache-fakegooglebot
│ ├── kerio.conf
│ ├── lighttpd-auth.conf
│ ├── mongodb-auth.conf
│ ├── monit.conf
│ ├── murmur.conf
│ ├── mysqld-auth.conf
│ ├── nagios.conf
│ ├── named-refused.conf
│ ├── nginx-botsearch.conf
│ ├── nginx-http-auth.conf
│ ├── nginx-limit-req.conf
│ ├── nsd.conf
│ ├── openhab.conf
│ ├── openwebmail.conf
│ ├── oracleims.conf
│ ├── pam-generic.conf
│ ├── perdition.conf
│ ├── php-url-fopen.conf
│ ├── phpmyadmin-syslog.conf
│ ├── portsentry.conf
│ ├── postfix.conf
│ ├── proftpd.conf
│ ├── pure-ftpd.conf
│ ├── qmail.conf
│ ├── recidive.conf
│ ├── roundcube-auth.conf
│ ├── screensharingd.conf
│ ├── selinux-common.conf
│ ├── selinux-ssh.conf
│ ├── sendmail-auth.conf
│ ├── sendmail-reject.conf
│ ├── sieve.conf
│ ├── slapd.conf
│ ├── softethervpn.conf
│ ├── sogo-auth.conf
│ ├── solid-pop3d.conf
│ ├── squid.conf
│ ├── squirrelmail.conf
│ ├── sshd.conf
│ ├── stunnel.conf
│ ├── suhosin.conf
│ ├── tine20.conf
│ ├── traefik-auth.conf
│ ├── uwimap-auth.conf
│ ├── vsftpd.conf
│ ├── webmin-auth.conf
│ ├── wuftpd.conf
│ ├── xinetd-fail.conf
│ ├── znc-adminlog.conf
│ └── zoneminder.conf
├── jail.conf
├── jail.d
│ └── 00-firewalld.conf
├── paths-common.conf
└── paths-fedora.conf
5 directories, 149 files
There is a lot in there, but /etc/fail2ban seems to break down like this:
- fail2ban.conf
- Main configuration file (logging and so on).
- filter.d/*.conf
- Defines the rules for what counts as an access violation.
- action.d/*.conf
- Defines what to do when a violation is detected.
- jail.conf
- Apparently defines what actually gets blocked.
Start it for now; make sure firewalld is up as well.
$ sudo systemctl start fail2ban.service
$ sudo systemctl start firewalld.service
Rather than editing the configuration files directly, put a file under /etc/fail2ban/jail.d. There is already one there called 00-firewalld.conf.
$ pwd
/etc/fail2ban/jail.d
$ ls
00-firewalld.conf
Its contents look like this.
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
Installing fail2ban pulls in several packages; the file above seems to come from fail2ban-firewalld.
Installing:
fail2ban noarch 0.11.2-3.el7 epel 16 k
Installing for dependencies:
fail2ban-firewalld noarch 0.11.2-3.el7 epel 16 k
fail2ban-sendmail noarch 0.11.2-3.el7 epel 19 k
fail2ban-server noarch 0.11.2-3.el7 epel 464 k
systemd-python x86_64 219-78.el7_9.3 updates 145 k
Updating for dependencies:
systemd x86_64 219-78.el7_9.3 updates 5.1 M
systemd-libs x86_64 219-78.el7_9.3 updates 418 k
systemd-sysv x86_64 219-78.el7_9.3 updates 97 k
The configuration looks like this.
[sshd]
enabled = true
bantime = 60
findtime = 10
maxretry = 2
If there are 2 failed attempts within findtime, the source is blocked for 60 seconds. The other settings (such as which log to watch) appear to be defined in jail.conf and paths-common.conf.
Apply
$ sudo systemctl restart fail2ban
You can also restart with the fail2ban-client command, and fail2ban-client shows the current status.
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
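As an added example (written for this post, not part of fail2ban itself), here is a small Python parser for the text that fail2ban-client status prints, so the counters and the banned-IP list can be checked from a script or fed to monitoring instead of being read by eye. The sample output embedded below is constructed to match the shape shown above, and the function names are my own.

```python
import re
import subprocess
from typing import Dict, List, Union

# Constructed sample, shaped like the `fail2ban-client status sshd` output in
# the post (the version printed after a ban has happened).
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:\t0
|  |- Total failed:\t4
|  `- Journal matches:\t_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:\t1
   |- Total banned:\t1
   `- Banned IP list:\t192.168.240.22
"""

# Matches "<tree characters>- Key: value". Section lines such as "|- Filter"
# and "`- Actions" carry no colon and are skipped.
_FIELD = re.compile(r"^[\s|`]*-\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

Status = Dict[str, Union[str, int, List[str]]]


def parse_status(text: str) -> Status:
    """Turn fail2ban-client status output into a dict with snake_case keys."""
    status: Status = {}
    for line in text.splitlines():
        if line.startswith("Status for the jail:"):
            status["jail"] = line.split(":", 1)[1].strip()
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key = m.group("key").strip().lower().replace(" ", "_")
        value = m.group("value").strip()
        if key == "banned_ip_list":
            # Empty list prints as nothing after the colon.
            status[key] = value.split()
        elif value.isdigit():
            status[key] = int(value)
        else:
            status[key] = value
    return status


def new_bans(before: Status, after: Status) -> List[str]:
    """Addresses banned in `after` that were not banned in `before` (for alerting)."""
    return sorted(set(after.get("banned_ip_list", [])) - set(before.get("banned_ip_list", [])))


def read_live_status(jail: str) -> Status:
    """Run fail2ban-client on this host (needs root) and parse what it prints."""
    out = subprocess.run(
        ["fail2ban-client", "status", jail], check=True, capture_output=True, text=True
    ).stdout
    return parse_status(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    parsed = parse_status(SAMPLE_STATUS)
    for key, value in parsed.items():
        print(f"{key}: {value}")
```

On a real host, read_live_status("sshd") replaces the sample; comparing two snapshots with new_bans is enough to raise a notification for every newly banned address.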
Let's try with just this first, from another server.
[vagrant@node-2 ~]$ ssh [email protected]
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[vagrant@node-2 ~]$ ssh [email protected]
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[vagrant@node-2 ~]$ ssh [email protected]
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Nothing changes.
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Try brute-forcing with hydra.
$ sudo yum install epel-release
$ sudo yum install hydra
With hydra it looks like this.
$ wget https://download.openwall.net/pub/wordlists/passwords/password.gz
$ gunzip password.gz
$ hydra -l vagrant -P ./password ssh://192.168.240.21:22 -t 4
Hydra (http://www.thc.org/thc-hydra) starting at 2021-10-31 14:40:26
[DATA] max 4 tasks per 1 server, overall 64 tasks, 3557 login tries (l:1/p:3557), ~13 tries per task
[DATA] attacking service ssh on port 22
[ERROR] target ssh://192.168.240.21:22/ does not support password authentication.
It seems it does not run at all unless password authentication is enabled. I changed PasswordAuthentication to yes and tried again.
It was blocked right away.
$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
$ ssh [email protected]
ssh: connect to host 192.168.240.21 port 22: Connection refused
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 4
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.240.22
Try adding a whitelist
[sshd]
enabled = true
bantime = 60
findtime = 10
maxretry = 2
ignoreip = 127.0.0.1/8 192.168.240.0/24
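The [sshd] parameters from earlier (findtime, maxretry, bantime) and the ignoreip line just added can be understood together with a small model of the jail logic. The following is an added example written for this post, not fail2ban's own code: it replays constructed sshd log lines, counts failures per source address inside a findtime window, bans a source for bantime once it reaches maxretry, and never counts an address that falls inside ignoreip. The failregex is a simplified stand-in for fail2ban's sshd filter, the log lines and their year are constructed, and the class and function names are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Jail parameters as configured in the post.
BANTIME = 60    # seconds an address stays banned
FINDTIME = 10   # window (seconds) in which failures are counted
MAXRETRY = 2    # failures inside FINDTIME that trigger a ban
IGNOREIP = ["127.0.0.1/8", "192.168.240.0/24"]

# Simplified stand-in for the sshd filter's failregex (assumption: the real
# filter in filter.d/sshd.conf covers many more message forms).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>[0-9a-fA-F.:]+) port \d+"
)

# Constructed syslog-style lines; the year is assumed to be 2021.
SAMPLE_LOG = """\
Oct 31 14:40:01 node-1 sshd[1201]: Failed password for vagrant from 10.10.0.22 port 50110 ssh2
Oct 31 14:40:03 node-1 sshd[1201]: Failed password for vagrant from 10.10.0.22 port 50110 ssh2
Oct 31 14:40:05 node-1 sshd[1205]: Failed password for vagrant from 192.168.240.22 port 50120 ssh2
Oct 31 14:40:06 node-1 sshd[1205]: Failed password for vagrant from 192.168.240.22 port 50120 ssh2
Oct 31 14:40:07 node-1 sshd[1205]: Failed password for vagrant from 192.168.240.22 port 50120 ssh2
Oct 31 14:41:30 node-1 sshd[1300]: Failed password for invalid user admin from 10.10.0.22 port 50200 ssh2
Oct 31 14:41:31 node-1 sshd[1301]: Accepted publickey for vagrant from 192.168.240.22 port 50300 ssh2
Oct 31 14:41:40 node-1 sshd[1302]: Failed password for vagrant from 10.10.0.23 port 50400 ssh2
"""


def at(text: str) -> datetime:
    """Helper for readable timestamps: at("2021-10-31 14:40:30")."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_failure(line: str, year: int = 2021) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, host) when the filter matches the line, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def is_ignored(host: str, ignoreip: List[str] = IGNOREIP) -> bool:
    """True when host lies inside any ignoreip network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; nothing to whitelist
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


class Jail:
    def __init__(self, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
        self.bantime = timedelta(seconds=bantime)
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.ignoreip = list(ignoreip)
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned_until: Dict[str, datetime] = {}
        self.total_failed = 0
        self.total_banned = 0
        self.events: List[str] = []

    def feed(self, ts: datetime, host: str) -> None:
        # Whitelisted sources are never counted, so they can never be banned.
        if is_ignored(host, self.ignoreip):
            self.events.append(f"{ts:%H:%M:%S} ignore {host}")
            return
        self.total_failed += 1
        window = self.failures[host]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        still_banned = self.banned_until.get(host)
        if len(window) >= self.maxretry and (still_banned is None or still_banned <= ts):
            self.banned_until[host] = ts + self.bantime
            self.total_banned += 1
            self.events.append(f"{ts:%H:%M:%S} ban {host} until {ts + self.bantime:%H:%M:%S}")
            window.clear()

    def currently_banned(self, now: datetime) -> List[str]:
        return sorted(h for h, until in self.banned_until.items() if until > now)


def replay(text: str, jail: Optional[Jail] = None) -> Jail:
    """Feed every matching line of a log into the jail and return it."""
    jail = jail or Jail()
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            jail.feed(*parsed)
    return jail


if __name__ == "__main__":
    j = replay(SAMPLE_LOG)
    print("\n".join(j.events))
    print(f"total failed: {j.total_failed}, total banned: {j.total_banned}")
```

In the sample, 10.10.0.22 is banned at the second failure (two inside ten seconds) and released sixty seconds later, its later single failure starts a fresh count, and the three failures from 192.168.240.22 are ignored because the address is inside 192.168.240.0/24. Note that an overly broad ignoreip silently disables the jail for that whole range, which is exactly what the next test below exercises from a second interface.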
Give the client another interface and try accessing from that one.
$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
$ ssh [email protected]
ssh: connect to host 10.10.0.21 port 22: Connection refused
The whitelist is working as intended.