저는 데비안 리눅스를 사용하고 있습니다. uname --all
보여주다:
Linux xxx.xx 2.6.32-5-686 #1 SMP Tue May 13 16:33:32 UTC 2014 i686 GNU/Linux
내가 실행 중인 포트 sshd
는 22가 아닙니다. /etc/fail2ban/jail.local
새 포트를 가리키도록 업데이트했습니다 sshd
. 좋은 결과. SSH 클라이언트를 사용하여 포트에 로그인을 시도하고 잘못된 비밀번호를 여러 번 입력하면 iptables를 통해 IP 주소가 잠길 수 있습니다.
그러나 나는 Apache 웹 서버도 실행하고 있으며 항상 다음과 같은 시도의 영향을 받습니다( /var/log/apache2/error.log
).
[Sun Nov 02 08:03:13 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/muieblackcat
[Sun Nov 02 08:03:14 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpMyAdmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpmyadmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/pma
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/myadmin
[Sun Nov 02 08:03:17 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/MyAdmin
error.log를 읽고 iptables를 통해 문제가 되는 IP 주소를 금지하도록 Fail2ban을 설정하려고 하는데 제대로 작동하지 않습니다.
내가 말했듯이 SSH에서는 잘 작동하지만 Apache에서는 작동하지 않습니다. 이곳은 내 지역 감옥입니다.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 67.159.128.0/19
# bantime = 21600 == 6 hours
bantime = 21600
#findtime, in seconds. 300 = 5 minutes, 10800 = 3 hours
findtime = 10800
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=
%(logpath)s]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in
jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
# we are banning port xxxxx instead of ssh because I use port xxxxx instead
[ssh]
enabled = true
port = xxxxx
filter = sshd
logpath = /var/log/auth.log
findtime = 300
maxretry = 4
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 3
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 3
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 4
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 2
[apache-misc]
enabled = true
port = http,https
filter = apache-misc
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 2
이것은 내 /etc/fail2ban/apache-misc 파일입니다:
[Definition]
failregex = <HOST>.*"[A-Z]* /(cms|user|muieblackcat|db|cpcommerce|wp-login|joomla| awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin| mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*"
<HOST>.*\" (502|500|417|416|415|414|413|412|404|405|403|401|400)
ignoreregex = .*\"GET \/(press|mailto|domestic|word).*
누구든지 조언을 해줄 수 있나요?
답변1
다음과 같은 권장 구문을 사용하여 정규식 조건의 작은 하위 집합으로 시작하는 것이 좋습니다.
failregex = [[]client (?P<host>\S*)[]] File does not exist: .*/(muieblackcat|phpmyadmin)
언제든지 이를 기반으로 구축하고 정규식을 쉽게 테스트할 수 있습니다. 변경 후에는 pass2ban을 다시 로드하는 것을 잊지 마세요.