
Using fail2ban to prevent brute-force attacks

Categories: Technology, Security   Comments: 1   Views: 4,378

Introduction:

fail2ban is a security tool for Linux. It monitors system logs, matches the error messages in them (with regular expressions), and then takes the corresponding blocking action (usually by calling the firewall). For example, when someone is probing your SSH, SMTP or FTP password and reaches the number of attempts you have configured, fail2ban calls the firewall to block that IP, and it can also send an e-mail to notify the system administrator. It is a very practical and powerful piece of software!

Install fail2ban:

wget --no-check-certificate https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.8.10 -O fail2ban-0.8.10.tar.gz
tar zxvf fail2ban-0.8.10.tar.gz
cd fail2ban-0.8.10
python setup.py install

fail2ban configuration notes:

There are two configuration files, fail2ban.conf and jail.conf, and two configuration directories, action.d and filter.d:

[root@localhost ~]# cd /etc/fail2ban/
[root@localhost fail2ban]# ll
总计 24
drwxr-xr-x 2 root root  4096 10-28 17:00 action.d
-rw-rw-r-- 1 root root  1537 06-13 01:21 fail2ban.conf
drwxr-xr-x 2 root root  4096 10-28 17:00 filter.d
-rw-rw-r-- 1 root root 11514 06-13 01:21 jail.conf

fail2ban.conf
Defines the location and level of fail2ban's own log. This file can be left at its defaults and is normally not modified.
By default fail2ban.conf contains just three parameters, all of them commented.

loglevel = 3     # default log level
logtarget = /var/log/fail2ban.log     # log destination
socket = /tmp/fail2ban.sock     # socket location

jail.conf
jail.conf is fail2ban's main configuration file. It has a [DEFAULT] section whose parameters are global.

ignoreip = 127.0.0.1       # IPs to ignore; addresses in this list are never banned
bantime = 600      # ban duration in seconds; this value is overridden by the bantime in [ssh-iptables]
findtime = 600      # detection window; more than the allowed number of retries within this period triggers fail2ban
maxretry = 3      # default number of attempts
backend = auto      # mechanism for detecting log file changes

[ssh-iptables] # this section is for the sshd service; settings here take precedence over the global ones

enabled = true      # enable the jail; it is disabled by default
filter = sshd       # name of the filter rule, corresponding to sshd.conf in the filter.d directory
# the actions to take; they can be found by name in the action.d directory
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=root]
logpath = /var/log/secure  # sshd log; the path differs between Linux distributions, so adjust it
maxretry = 4 # overrides the global retry count
bantime = 3600  # overrides the global ban duration

filter.d and action.d
These two directories hold the log filter rules and the actions to take, respectively.
For example, filter.d/sshd.conf can parse the sshd log /var/log/secure.

You can check whether a filter rule works with the command fail2ban-regex [logfile] [filter.conf]:

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Note: if your logs use message compression, the default filter rules cannot correctly parse lines such as "last message repeated 3 times". Adjust the findtime parameter to suit your situation.

The action.d directory holds the actions to execute based on the filter results. The default is iptables plus mail-whois. Which action is executed is defined in jail.conf.
The configuration in ssh-iptables is as follows:

action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=root]

fail2ban commands

Start fail2ban

fail2ban-client start

Stop fail2ban

fail2ban-client stop

There are three ways to observe whether fail2ban is running:
1. fail2ban-client status shows a Jail list containing ssh-iptables

[root@localhost ~]# fail2ban-client status
Status
|- Number of jail:     2
`- Jail list:          ssh-iptables, sasl-iptables

2. iptables -nL; if everything is fine you will see an extra chain named fail2ban-SSH

fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

3. The log /var/log/fail2ban.log shows whether fail2ban started correctly; banned IPs also appear there.

Set fail2ban to start at boot

cp ./redhat-initd /etc/init.d/fail2ban # redhat-initd is in the extracted source directory
chkconfig --add fail2ban
service fail2ban start

fail2ban in practice

Use fail2ban to prevent SSH and SASL brute-force attacks. A single IP that fails SSH authentication 8 times within 10 minutes is blocked with iptables; a single IP that fails SASL authentication 6 times within 10 minutes is blocked with iptables. The ban lasts 10 hours in both cases and is lifted automatically afterwards.

Edit jail.conf:

[ssh-iptables]
 
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@test.com]
logpath  = /var/log/secure
maxretry = 8
bantime = 36000
 
[sasl-iptables]
 
enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=root]
logpath  = /var/log/maillog
maxretry = 6
bantime = 36000

Start fail2ban:

fail2ban-client start

Verifying fail2ban
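The jail above bans a host after maxretry = 8 failures inside the global findtime = 600 seconds, and the filter.d section warned that compressed "last message repeated N times" lines are not parsed. As an added example (not code from the original post or from the fail2ban project), this Python script replays constructed /var/log/secure lines through that counting rule; the simplified failregex with fail2ban's <HOST> placeholder, the syslog line format and all addresses are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Simplified failregex modelled on filter.d/sshd.conf (assumption: the real file
# has several patterns); <HOST> is fail2ban's placeholder for the host group.
FAILREGEX = r"Failed (?:password|publickey) for .* from <HOST>(?: port \d+)?(?: ssh\d*)?$"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# syslog prefix in /var/log/secure; a "last message repeated N times" line has
# no sshd[pid] part, so it never reaches the failregex and is not counted.
PREFIX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

def match_failure(line, failregex=FAILREGEX, year=2013):
    """Return (timestamp, host) if the line is an sshd auth failure, else None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    f = re.compile(failregex.replace("<HOST>", HOST_GROUP)).search(m.group("msg"))
    if not f:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}", "%Y %b %d %H:%M:%S")
    return ts, f.group("host")

def simulate_jail(lines, maxretry=8, findtime=600, ignoreip=("127.0.0.1",)):
    """Ban a host once it has maxretry failures inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent, bans = {}, {}
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in ignoreip or host in bans:  # ignoreip hosts are never banned
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            bans[host] = ts  # this is where the iptables action would fire
    return bans

# Constructed sample (not real traffic): 8 failures from one host in 70 s, one
# failure plus a compressed "repeated" line from another, and one local failure.
SAMPLE_LOG = [
    f"Oct 29 12:3{i // 6}:{(i % 6) * 10:02d} localhost sshd[{2000 + i}]: "
    f"Failed password for root from 218.15.31.214 port {40000 + i} ssh2"
    for i in range(8)
] + [
    "Oct 29 12:31:20 localhost sshd[2010]: Failed password for invalid user admin from 10.0.0.5 port 50001 ssh2",
    "Oct 29 12:31:25 localhost last message repeated 3 times",
    "Oct 29 12:31:30 localhost sshd[2011]: Failed password for root from 127.0.0.1 port 50002 ssh2",
]
```

Calling simulate_jail(SAMPLE_LOG) reports a ban for 218.15.31.214 at the eighth failure (12:31:10), while 10.0.0.5 stays below maxretry because its three compressed repeats are invisible to the filter, and 127.0.0.1 is skipped by ignoreip.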

Here we use medusa to check that fail2ban is working properly.
Medusa is a brute-force tool for Linux that supports FTP, HTTP, IMAP, MS-SQL, MySQL, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (AUTH/VRFY) and other services.

Install medusa:

wget http://www.foofus.net/jmk/tools/medusa-2.1.1.tar.gz
tar zxvf medusa-2.1.1.tar.gz
cd medusa-2.1.1
./configure;make;make install

After installation, run brute-force attempts with the ssh module and the smtp-vrfy module respectively:
The host running medusa has IP 218.15.31.214; the mail server has IP 221.143.61.34

root@web: # medusa -h 221.143.61.34 -uroot -P /tmp/passwd.txt -M ssh
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 
ACCOUNT CHECK: [ssh] Host: 221.143.61.34 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1 (1 of 100 complete)
ACCOUNT CHECK: [ssh] Host: 221.143.61.34 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 2 (2 of 100 complete)
ACCOUNT CHECK: [ssh] Host: 221.143.61.34 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 3 (3 of 100 complete)
ACCOUNT CHECK: [ssh] Host: 221.143.61.34 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 4 (4 of 100 complete)
......

root@web:~# medusa -h 221.143.61.34 -utest@test.com -P /tmp/passwd.txt -M smtp
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [smtp] Host: 221.123.161.34 (1 of 1, 0 complete) User: test@test.com (1 of 1, 0 complete) Password: 1 (1 of 100 complete)
ACCOUNT CHECK: [smtp] Host: 221.123.161.34 (1 of 1, 0 complete) User: test@test.com (1 of 1, 0 complete) Password: 2 (2 of 100 complete)
ACCOUNT CHECK: [smtp] Host: 221.123.161.34 (1 of 1, 0 complete) User: test@test.com (1 of 1, 0 complete) Password: 3 (3 of 100 complete)
ACCOUNT CHECK: [smtp] Host: 221.123.161.34 (1 of 1, 0 complete) User: test@test.com (1 of 1, 0 complete) Password: 4 (4 of 100 complete)
ACCOUNT CHECK: [smtp] Host: 221.123.161.34 (1 of 1, 0 complete) User: test@test.com (1 of 1, 0 complete) Password: 5 (5 of 100 complete)
ACCOUNT CHECK: [smtp] Host: 221.123.161.34 (1 of 1, 0 complete) User: test@test.com (1 of 1, 0 complete) Password: 6 (6 of 100 complete)
......

Parameter description:
-h  IP to brute-force
-u  username
-P  password dictionary
-M ssh  use the ssh module
-M smtp  use the smtp module

Check the fail2ban log; the IP of the host running medusa has been blocked by iptables:

[root@localhost ~]# tail -f /var/log/fail2ban.log
2013-10-29 10:50:05,703 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2013-10-29 10:50:05,704 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2013-10-29 10:50:05,705 fail2ban.jail   : INFO   Initiated 'polling' backend
2013-10-29 10:50:05,706 fail2ban.filter : INFO   Added logfile = /var/log/secure
2013-10-29 10:50:05,706 fail2ban.filter : INFO   Set maxRetry = 3
2013-10-29 10:50:05,707 fail2ban.filter : INFO   Set findtime = 600
2013-10-29 10:50:05,708 fail2ban.actions: INFO   Set banTime = 600
2013-10-29 10:50:05,744 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2013-10-29 12:37:16,842 fail2ban.actions: WARNING [ssh-iptables] Ban 218.15.31.214
2013-10-29 12:37:58,262 fail2ban.actions: WARNING [sasl-iptables] Ban 218.15.31.214

As you can see, fail2ban is working properly.
After 10 hours the ban on 218.15.31.214 is lifted automatically, as the log shows:

2013-10-30 22:37:16,132 fail2ban.actions: WARNING [ssh-iptables] Unban 218.15.31.214
2013-10-30 22:37:58,242 fail2ban.actions: WARNING [sasl-iptables] Unban 218.15.31.214

Brute-force attacks can also be prevented with a shell script, but once you understand the principle and a more convenient tool exists, why not use it? After all, "laziness" is a traditional virtue of us ops people ^_^


Unless otherwise noted, articles are original work by csz; please cite this address when reposting.
Article URL: http://www.cszhi.com/20131101/fail2ban.html

2013-11-01