Installing fail2ban on CentOS 6
To protect SSH, we install fail2ban on CentOS 6.
1. The fail2ban package is not in the CentOS repositories, so we add the EPEL installation source:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
2. Install the package:
yum install fail2ban
3. Copy the settings (the .local file overrides jail.conf and survives package upgrades):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
4. Change the default settings:
Edit the [DEFAULT] section to something like this:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
5. (Additional, optional): we can configure it so that we receive an e-mail notification (in the same file, /etc/fail2ban/jail.local):
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, [email protected]]
logpath = /var/log/secure
maxretry = 5
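To make the interplay of findtime, maxretry, bantime and ignoreip concrete, here is a small Python script added to this post as an illustration; it is not part of the original post and not fail2ban's own code. It replays a handful of constructed /var/log/secure lines through the same counting rule fail2ban applies, using the values from the [DEFAULT] and [ssh-iptables] fragments above (the jail's maxretry = 5 overrides the default 3). The sshd regex is a simplified stand-in for one pattern in /etc/fail2ban/filter.d/sshd.conf, and the function names (parse_line, ban_decisions) and the sample log are my own.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Settings copied from the jail.local fragments in the post. The [ssh-iptables]
# jail inherits everything from [DEFAULT] and overrides only maxretry (5 vs 3).
DEFAULT = {"ignoreip": "127.0.0.1", "bantime": 3600, "findtime": 600, "maxretry": 3}
SSH_JAIL = {**DEFAULT, "maxretry": 5}

# Simplified stand-in for one pattern of /etc/fail2ban/filter.d/sshd.conf
# (the real filter has several; <HOST> is fail2ban's placeholder for the IP).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)


def parse_line(line):
    """Return (timestamp, host) for a line matching the failregex, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = FAILREGEX.search(m.group("msg"))
    if not f:
        return None
    # /var/log/secure timestamps carry no year; strptime defaults to 1900,
    # which is fine because only the differences between timestamps matter here.
    ts = datetime.strptime(m.group("ts").replace("  ", " "), "%b %d %H:%M:%S")
    return ts, f.group("host")


def ban_decisions(lines, jail):
    """Replay log lines through fail2ban's counting rule and return the list of
    (time, host) ban events: a host is banned when it reaches `maxretry`
    failures inside a sliding `findtime` window, stays banned for `bantime`
    seconds, and hosts matching `ignoreip` are never counted."""
    ignore = [ipaddress.ip_network(n) for n in jail["ignoreip"].split()]
    findtime = timedelta(seconds=jail["findtime"])
    bantime = timedelta(seconds=jail["bantime"])
    failures = {}      # host -> timestamps of failures still inside findtime
    banned_until = {}  # host -> when the current ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if any(ipaddress.ip_address(host) in net for net in ignore):
            continue
        if host in banned_until and ts < banned_until[host]:
            continue  # traffic from a banned host never reaches sshd
        window = [t for t in failures.get(host, []) if ts - t <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= jail["maxretry"]:
            banned_until[host] = ts + bantime
            bans.append((ts, host))
            failures[host] = []
    return bans


# Constructed sample of /var/log/secure (not real traffic): a burst of failures
# from 203.0.113.7, three slow failures 11 minutes apart from 198.51.100.9,
# and failures from localhost, which ignoreip exempts.
SAMPLE_LOG = """\
Mar 10 12:00:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 4123 ssh2
Mar 10 12:00:12 vps sshd[2101]: Failed password for root from 203.0.113.7 port 4123 ssh2
Mar 10 12:00:20 vps sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 4130 ssh2
Mar 10 12:00:31 vps sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 4130 ssh2
Mar 10 12:00:45 vps sshd[2109]: Failed password for root from 203.0.113.7 port 4140 ssh2
Mar 10 12:01:02 vps sshd[2111]: Failed password for root from 203.0.113.7 port 4150 ssh2
Mar 10 12:05:00 vps sshd[2120]: Failed password for root from 198.51.100.9 port 5000 ssh2
Mar 10 12:16:00 vps sshd[2131]: Failed password for root from 198.51.100.9 port 5001 ssh2
Mar 10 12:27:00 vps sshd[2142]: Failed password for root from 198.51.100.9 port 5002 ssh2
Mar 10 12:30:00 vps sshd[2150]: Accepted publickey for deploy from 198.51.100.9 port 5003 ssh2
Mar 10 12:31:00 vps sshd[2160]: Failed password for root from 127.0.0.1 port 6000 ssh2
Mar 10 12:31:05 vps sshd[2160]: Failed password for root from 127.0.0.1 port 6000 ssh2
Mar 10 12:31:10 vps sshd[2160]: Failed password for root from 127.0.0.1 port 6000 ssh2
Mar 10 12:31:15 vps sshd[2160]: Failed password for root from 127.0.0.1 port 6000 ssh2
"""

if __name__ == "__main__":
    for name, jail in (("DEFAULT", DEFAULT), ("ssh-iptables", SSH_JAIL)):
        for ts, host in ban_decisions(SAMPLE_LOG.splitlines(), jail):
            print(f"[{name}] ban {host} at {ts:%H:%M:%S}")
```

With the [ssh-iptables] values the burst host is banned on its fifth failure (12:00:45); with the plain [DEFAULT] values it would already be banned on the third (12:00:20). The slow host never reaches maxretry inside a 600-second window, so it is never banned, and localhost is skipped entirely because of ignoreip. This is why the post suggests checking the filter with fail2ban-regex before relying on it: if the regex does not match your log format, the counter never moves at all.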
Explanations in English:
„Enabled simply refers to the fact that SSH protection is on. You can turn it off with the word „false“.
The filter, set by default to sshd, refers to the config file containing the rules that fail2ban uses to find matches. The name is a shortened version of the file extension. For example, sshd refers to the /etc/fail2ban/filter.d/sshd.conf.
Action describes the steps that fail2ban will take to ban a matching IP address. Just like the filter entry, each action refers to a file within the action.d directory. The default ban action, „iptables“ can be found at /etc/fail2ban/action.d/iptables.conf .
In the „iptables“ details, you can customize fail2ban further. For example, if you are using a non-standard port, you can change the port number within the brackets to match, making the line look more like this:
e.g. iptables[name=SSH, port=30000, protocol=tcp]
You can change the protocol from TCP to UDP in this line as well, depending on which one you want fail2ban to monitor.
If you have a mail server set up on your virtual private server, Fail2Ban can email you when it bans an IP address. In the default case, the sendmail-whois refers to the actions located at /etc/fail2ban/action.d/sendmail-whois.conf.
log path refers to the log location that fail2ban will track.
The max retry line within the SSH section has the same definition as the default option. However, if you have enabled multiple services and want to have specific values for each one, you can set the new max retry amount for SSH here.“
We check whether matches are found with the described filter, e.g.:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
6. Finally, restart the service and enable it at boot:
sudo service fail2ban restart
chkconfig fail2ban on
We can view what has been blocked with: