Fail2ban does not start actionban even though the filter works.

I am trying to filter malicious requests to a website on an AWS instance by adding and removing IPs in a WAF IP set. To do this I am trying to set up Fail2ban.

Here are the files -

jail.local

[my-jail]
enabled = true
filter = my-filter
action = my-action
  sendmail-whois[name=Fail2Ban Test, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/apache2/frontend-app-my-org-com-access.log
maxretry = 4
findtime = 60
bantime = 300
journalmatch = _SYSTEMD_UNIT=httpd.service

myactions.conf

[Definition]

actionstart = touch /var/log/fail2ban_debug.log
actionstop = rm -f /var/log/fail2ban_debug.log

actionban = /opt/scripts/ban.sh Ban <ip>
actionunban = /opt/scripts/ban.sh Unban <ip>


Note: /opt/scripts/ban.sh is executable, and when I test it manually with /opt/scripts/ban.sh Ban 10.10.10.10 I get the expected result. All files are owned and managed by user root. The Fail2ban service is also started by the root user.

myfilter.conf

[Definition]
failregex = ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]

Regex check

When I check the filter manually against the log, it works.

[root@ip-172-31-89-74 action.d]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log /etc/fail2ban/filter.d/my-filter.conf | grep matched
Lines: 2325 lines, 0 ignored, 2325 matched, 0 missed

Logs

2023-10-16 15:03:08,737 fail2ban.server         [9162]: INFO    --------------------------------------------------
2023-10-16 15:03:08,737 fail2ban.server         [9162]: INFO    Starting Fail2ban v0.11.2
2023-10-16 15:03:08,737 fail2ban.server         [9162]: DEBUG   Creating PID file /var/run/fail2ban/fail2ban.pid
2023-10-16 15:03:08,738 fail2ban.observer       [9162]: INFO    Observer start...
2023-10-16 15:03:08,738 fail2ban.server         [9162]: DEBUG   Starting communication
2023-10-16 15:03:08,742 fail2ban.database       [9162]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-10-16 15:03:08,742 fail2ban.jail           [9162]: INFO    Creating new jail 'my-jail'
2023-10-16 15:03:08,748 fail2ban.jail           [9162]: INFO    Jail 'my-jail' uses systemd {}
2023-10-16 15:03:08,748 fail2ban.filter         [9162]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,748 fail2ban.filter         [9162]: DEBUG   Created FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.filtersystemd  [9162]: DEBUG   Created FilterSystemd
2023-10-16 15:03:08,749 fail2ban.jail           [9162]: INFO    Initiated 'systemd' backend
2023-10-16 15:03:08,749 fail2ban.filter         [9162]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.server         [9162]: DEBUG     failregex: '^<HOST> - - \\[.*\\] \\".*.my-org.*\\" \\".*\\" [4-5][0-9][0-9]'
2023-10-16 15:03:08,750 fail2ban.filtersystemd  [9162]: INFO    [my-jail] Added journal match for: '_SYSTEMD_UNIT=httpd.service'
2023-10-16 15:03:08,750 fail2ban.filter         [9162]: INFO      maxRetry: 4
2023-10-16 15:03:08,750 fail2ban.filter         [9162]: INFO      encoding: UTF-8
2023-10-16 15:03:08,750 fail2ban.filter         [9162]: INFO      findtime: 60
2023-10-16 15:03:08,750 fail2ban.actions        [9162]: INFO      banTime: 300
2023-10-16 15:03:08,750 fail2ban.CommandAction  [9162]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2023-10-16 15:03:08,750 fail2ban.CommandAction  [9162]: DEBUG     Set actionunban = '/opt/scripts/ban.sh Unban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction  [9162]: DEBUG     Set actionstop = 'rm -f /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,750 fail2ban.CommandAction  [9162]: DEBUG     Set actionban = '/opt/scripts/ban.sh Ban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction  [9162]: DEBUG     Set actionstart = 'touch /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,751 fail2ban.CommandAction  [9162]: DEBUG     Set actname = 'my-action'
2023-10-16 15:03:08,751 fail2ban.CommandAction  [9162]: DEBUG     Set name = 'my-jail'
2023-10-16 15:03:08,751 fail2ban.jail           [9162]: DEBUG   Starting jail 'my-jail'
2023-10-16 15:03:08,753 fail2ban.jail           [9162]: INFO    Jail 'my-jail' started
2023-10-16 15:03:08,754 fail2ban.transmitter    [9162]: DEBUG   Status: ready
2023-10-16 15:03:08,756 fail2ban.utils          [9162]: DEBUG   7f36b00f7490 -- returned successfully 0
[root@ip-172-31-89-74 action.d]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-10-16 15:03:08 CEST; 35min ago
     Docs: man:fail2ban(1)
  Process: 8983 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 9160 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 9162 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─9162 /usr/bin/python2 -s /usr/bin/fail2ban-server -xf start

Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd[1]: Starting Fail2Ban Service...
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd[1]: Started Fail2Ban Service.
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal fail2ban-server[9162]: Server ready

Testing from bash from a specific IP address

i=0; while true; do echo -e "\n---------------------------------$i-----------------------------\n"; curl -s -L testing.my-org.de/tests; i=$(($i+1)); done

This produces lines in the log that jail.local expects.

Since the log file exists, I have confirmed that actionstart works. I also receive an email every time the service is restarted. Have I missed something, or am I doing something wrong?

More data:

222.222.222.222 - - [16/Oct/2023:22:10:51 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61680 "-" "curl/7.88.1" "" "ea4uh580h9dl7tat34q2d5cjo7" 
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61976 "-" "curl/7.88.1" "" "uou7bo5pj4tgp2m9t5kulkmvn2" 
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 68577 "-" "curl/7.88.1" "" "m3u0g2s41fa6igphsfecrdbg41"


[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf

Running tests
=============

Use   failregex filter file : my-filter, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use         encoding : UTF-8


Results
=======

Failregex: 2480 total
|-  #) [# of hits] regular expression
|   1) [2480] ^<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2480] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.17 sec]

[root@ip-172-31-89-74 apache2]# vim /etc/fail2ban/filter.d/my-filter.conf
[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf

Running tests
=============

Use   failregex filter file : my-filter, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use         encoding : UTF-8


Results
=======

Failregex: 2480 total
|-  #) [# of hits] regular expression
|   1) [2480] ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2480] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.18 sec]

Answer 1

As already answered at https://superuser.com/a/1813168/1131979:

  1. fail2ban-regex tests only the filter/failregex. Nothing else.

  2. Jail 'my-jail' uses systemd means that fail2ban monitors the systemd journal (probably the default backend), not the log file /var/log/...-access.log. To monitor the jail's logpath you have to switch to some file-related backend such as pyinotify or polling, or simply specify backend = auto.

Also note that the regex is a bit vulnerable because of several catch-alls.

Last but not least - see fail2ban :: wiki :: Best practice (reducing parasitic log traffic).
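As an added, self-contained illustration of the two points in the answer (the backend mismatch and the catch-all regex), not code from the question, the answer or the fail2ban project: it parses a constructed copy of the question's jail, reports that a systemd backend never reads logpath, and runs the question's failregex next to a tightened variant over constructed access-log lines in the same format. The `[DEFAULT] backend = systemd` line, the `(?P<host>\S+)` stand-in for fail2ban's real `<HOST>` expansion, the `lint_jail` and `matching_hosts` helpers and the sample lines are all assumptions of this example.

```python
import configparser
import re

# Constructed copy of the question's jail.local. The [DEFAULT] backend line is an
# assumption: the question's log says the jail "uses systemd", so whatever the
# host's jail.conf defaults to must resolve to systemd.
JAIL_LOCAL = """\
[DEFAULT]
backend = systemd

[my-jail]
enabled = true
filter = my-filter
action = my-action
logpath = /var/log/apache2/frontend-app-my-org-com-access.log
maxretry = 4
findtime = 60
bantime = 300
journalmatch = _SYSTEMD_UNIT=httpd.service
"""

# Backends that read logpath ("auto" picks one of the other three at runtime).
FILE_BACKENDS = ("auto", "pyinotify", "gamin", "polling")


def load_jails(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def effective_backend(cfg, jail):
    # configparser already falls back to [DEFAULT]; fail2ban's own fallback is "auto".
    return cfg.get(jail, "backend", fallback="auto").strip()


def lint_jail(cfg, jail):
    """Findings about where the jail really gets its events from (hypothetical helper)."""
    findings = []
    backend = effective_backend(cfg, jail)
    has_logpath = cfg.has_option(jail, "logpath")
    if backend == "systemd" and has_logpath:
        findings.append(f"{jail}: backend=systemd reads the journal and ignores logpath; "
                        "use backend = auto, pyinotify or polling to read the file")
    if backend in FILE_BACKENDS and cfg.has_option(jail, "journalmatch"):
        findings.append(f"{jail}: journalmatch is only used by the systemd backend")
    if backend in FILE_BACKENDS and not has_logpath:
        findings.append(f"{jail}: backend={backend} needs a logpath")
    return findings


# Simplified stand-in for fail2ban's <HOST> expansion (the real one also accepts
# IPv6 and DNS forms); enough to exercise the patterns on these access-log lines.
HOST_RE = r"(?P<host>\S+)"

ORIGINAL_FAILREGEX = r'^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]'
# Tightened variant: every field is bounded by its own delimiters, so the
# [45]xx can only be matched in the status-code position.
TIGHT_FAILREGEX = r'^<HOST> - - \[[^\]]+\] "[^"]*\.my-org\.[^"]*" "[^"]*" [45]\d\d\b'


def compile_failregex(pattern):
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matching_hosts(pattern, lines):
    """Hosts that the failregex would count as a failure, one entry per hit."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in (rx.match(line) for line in lines) if m]


# Constructed access-log lines in the question's format: two real 404s, one
# ordinary 200, and one 200 whose client-supplied User-Agent carries a stray `" 404`.
SAMPLE_LINES = [
    '222.222.222.222 - - [16/Oct/2023:22:10:51 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61680 "-" "curl/7.88.1" "" "ea4uh580h9dl7tat34q2d5cjo7"',
    '222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61976 "-" "curl/7.88.1" "" "uou7bo5pj4tgp2m9t5kulkmvn2"',
    '10.0.0.5 - - [16/Oct/2023:22:11:00 +0200] "testing.my-org.com" "GET /index.html HTTP/1.1" 200 512 100 "-" "Mozilla/5.0" "" "s1"',
    '10.0.0.6 - - [16/Oct/2023:22:11:01 +0200] "testing.my-org.com" "GET /index.html HTTP/1.1" 200 512 100 "-" "Mozilla/5.0" 404" "" "s2"',
]


if __name__ == "__main__":
    for finding in lint_jail(load_jails(JAIL_LOCAL), "my-jail"):
        print("lint:", finding)
    print("original failregex hits:", matching_hosts(ORIGINAL_FAILREGEX, SAMPLE_LINES))
    print("tightened failregex hits:", matching_hosts(TIGHT_FAILREGEX, SAMPLE_LINES))
```

Run as is, the lint line explains the question's symptom: with a systemd backend fail2ban never opens the access log, so the lines that fail2ban-regex matches are never seen by the running jail and actionban has nothing to fire on. The regex comparison shows why the answer calls the catch-alls fragile: the original pattern counts the 200 response from 10.0.0.6 as a failure because its unbounded `.*` fields let a `" 404` inside the User-Agent stand in for the status code, whereas the bounded variant only ever reads the real status position.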
