¡m¤À¨É¡nUbuntu¦w¸Ëfail2ban

«e°}¤l¦bYoutube¤W¬Ý¤FÀb«È¤u¨ãªºdemo¼v¤ù¡A
¹ï©óÀb«È¤u¨ã±½port¥H¤Î¯}¸Ñ±K½Xªº³t«×µÛ¹êÀ~¤F¤@¸õ¡C

§Ú·Q¡A¹ï©ó¥ô¦ó¤@­ÓIT¤H­û¡A¼É¤O¯}¸Ñ±K½XÁ`¬OÅý¤H¾á¤ßªº¡A
¤£½×¬OWindowsªºRDP©Î¬OLinuxªºSSH¡A¤@¥¹³Q¼É¤O¯}¸Ñ¤F¡A¦A¦hªº¦w¥þ¨¾Å@¡A¤]¬O§Î¦Pµê³]¡C

¨º»ò¦bUbuntu¤W¡A¦³¨S¦³¨¾¨î¼É¤O¯}¸Ñªº®M¥ó¡H
µo²{¬YIP¦b±K½X´ú¸Õ¿ù¤F´X¦¸¤§«á¡A´N±j¨î«ÊïH¸ÓIP¨Ï¥Î¦¹ªA°È¤@¬q®É¶¡¡H
¬Æ¦Ü¬O¸Ó±N´c·NIP¥Ã¤[«ÊÂê¡A¤£±o¦A¨Ï¥Î¦¹ªA°È¡H

¹³³o¼Ë­«­n¥B´¶¹Mªº»Ý¨D¡A¦ÛµM¬O¦³ªº¡C
¨º´N¬O fail2ban ®M¥ó¡C

¥H¤U¶¶¤l¥HUbuntu 14.04¬°Àô¹Ò¡A¶i¦æfail2banªº¦w¸Ë¡C

1. ¦w¸Ëfail2ban®M¥ó¡C
   
   apt-get install fail2ban
   
   
   
2. ¦w¸Ë§¹fail2ban®M¥ó«á¡A¨ä¦w¸Ë¸ô®|¬O¦b /etc/fail2ban¡C
   ¸Ó¥Ø¿ý¤U¡A¦³¨â­Ó­«­nªº³]©wÀÉ fail2ban.conf »P jail.conf¡A
   ¨ä¤¤ jail.conf ·|¦]®M¥óªº§ó·s¦Ó³QÂмg¡A©Ò¥Hfail2ban­n¨D¨Ï¥ÎªÌ¥ý«Ø¥ß¤@­Ó°Æ¥» jail.local¡A
   ©Ò¦³ªº³]©w§¡©ó jail.local ¶i¦æ½s¿è¡C
   
   cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
   
   
   ³]©wÀÉ fail2ban.conf ùØ¡A¥D­n¬O¹ïlogªº¼h¯Å¶i¦æ©w¸q¡Aºû«ù¹w³]§Y¥i¡A
   ùØ­±¦³¤@­Ó­«­n°Ñ¼Æ logtarget ©w¸q¤Ffail2banªºlogÀÉ¡A¹w³]¸ô®|¦p¤U¡A
   ·ífail2ban¦b°õ¦æ¤W¦³°ÝÃD®É¡A¥i©ólogÀɤ¤´M§ä°ÝÃD½u¯Á¡C
   
   logtarget = /var/log/fail2ban.log
   
   
   ¦Ó jail.conf ªº [DEFAULT] °Ï¬qùØ¡A«h¥i¹ï¥Õ¦W³æ¡B«ÊÂê®É¶¡¡B¤¹³\±K½X²q´ú¦¸¼Æ¡B«ÊÂê°Ê§@¡Aµ¥¶i¦æ©w¸q¡C
   ¨ä¤¤ ignoreip °Ñ¼Æ¬O¥Î¨Ó©w¸q¥Õ¦W³æ¡A¹w³]¥u¦³ 127.0.0.1/8 ¥»¾÷ºô¬q¡A¦³»Ý­n¼W¥[ºô¬q®É¡A¥HªÅ¥Õ¦r¤¸¤À¹j§Y¥i¡C
   
   ignoreip = 127.0.0.1/8 192.168.0.1/32
   
   
   bantime °Ñ¼Æ¡A«h¬O©w¸q«ÊÂê®É¶¡¡A¹w³]¬O600¬í¡A­Y·Q¥Ã¤[«ÊÂê¡A¥i§ï¬°-1¡C
   
   bantime = -1
   
   
   findtime °Ñ¼Æ¡A«h¬O©w¸q¶ZÂ÷¤W¤@¦¸¿ù»~±K½Xªº®É¶¡¡A¹w³]¬O600¬í¡C
   maxretry °Ñ¼Æ¡A«h¬O¤¹³\±K½X²q´úªº³Ì¦h¦¸¼Æ¡A¹w³]¬°3¦¸¡C
   ¥H¤W¥H¹w³]±ø¥óºî¦X°_¨Ó»¡¡A´N¬O600¬í¤º¡A­Y¸ÓIP¹Á¸Õ3¦¸¿ù»~ªº²q´ú¡A²Ä4¦¸´N·|³Qfail2ban¶i¦æ«ÊÂê¡A¹w³]«ÊÂê®É¶¡¬°600¬í¡C
   
   ±µ¤U¨Ó¤T­Ó°Ñ¼Æ destemail¡Asendername¡Amta «h¬O¸òµo°e³qª¾¶l¥ó¦³Ãöªº°Ñ¼Æ¡C
   destemail °Ñ¼Æ¡A¬O¦¬¥ó¤Hªºemail¡C
   sendername °Ñ¼Æ¡A¬O±H¥ó¤HªºÅã¥Ü¦WºÙ¡C
   mta °Ñ¼Æ¡A«hµo°e¶l¥óªºagent¡A¹w³]¬Osendmail¡C
   
   ­Y§A¸ò¶¶¤l¤@¼Ë¡A¸Ë¤Fexim4®M¥ó¡A·Q³z¹LGmail¨Óµo«H¡A¨º»ò³o¤T­Ó°Ñ¼Æ¥i¥H­×§ï¦p¤U¡C
   
   destemail = §Aªº±b¸¹@gmail.com
   sendername = Fail2Ban
   mta = mail
   
   
   ±µ¨Ó¤@­Ó­«­nªº°Ñ¼Æ¬O action¡A¦¹°Ñ¼Æ¨M©w¤F«ÊÂêIP®Éªº°µªk¡A¹w³]¦³¦p¤U¤TºØ¡C
   
   # The simplest action to take: ban only
   action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
   
   # ban & send an e-mail with whois report to the destemail.
   action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
   %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
   
   # ban & send an e-mail with whois report and relevant log lines
   # to the destemail.
   action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
   %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
   
   action ¹w³]°Ñ¼Æ¬O action_¡A¦¹¹w³]°Ñ¼Æ¨Ã¤£·|±Hµo¶l¥ó³qª¾¡F
   ­Y­n§ï¬°±Hµo¶l¥ó³qª¾¡A¥i¥H­×§ï¬° action_mw ©Î action_mwl¡C
   
   action = %(action_mw)s
   
   
   
3. jail.conf ³q¥Î°Ï¬qùتº°Ñ¼Æ³]©w¦n¤F¡A±µµÛ´N¥i¥H¦b³]©wÀɪº«á¥b¬q¨Ó¶i¦æ­Ó§OªA°Èªº³]©w¡C
   fail2ban¹w³]¥u¹ïSSH±Ò¥Î¡A©Ò¥H¦bjail.confªº [ssh] °Ï¬qùØ¡A§Ú­Ì¥i¥H¬Ý¨ì enabled °Ñ¼Æ¬O true ±Ò¥Îªº¡F
   ¦Ó¨ä¥¦ [sasl]¡B[vsftpd]¡B[postfix]¡B[dovecot]¡K°Ï¬qªº enabled °Ñ¼Æ«h¬O false¡A¹w³]ª¬ºA¤U¥¼±Ò¥Î¡C
   ³o³¡¤À½Ð¨Ì¹ê»Ú»Ý¨D¨Ó¶i¦æ±Ò¥Î¡A³o½g¤å³¹ùض¶¤l¥u´ú¸Õ¤FSSHªº«Êªý¥\¯à¡C
   
   ©Ò¦³¤ä´©ªºªA°È¡A¨ä¬ÛÃö°»´ú¹LÂo²Ó¸`¡A«h¬O©ñ¦b /etc/fail2bain/filter.d/ ¥Ø¿ý¤¤¡A
   ¥HSSH¬°¨Ò¡A¨ä³]©wÀÉ´N¬O /etc/fail2bain/filter.d/sshd.conf¡A¦³¿³½ìªºªB¤Í¥i¥H¦Û¦æ¬ã¨s¡C
   
   ­Y­n±Ò¥ÎªA°Èªº°Ñ¼Æ¤£¦P©ó [DEFAULT] ùتº³q¥Î³]©w¡A¨º»ò§Ú­Ì¥i¥H¦bªA°È°Ï¬q¤¤¡A¦A³]©w¤@¦¸°Ñ¼Æ¡F
   ªA°È°Ï¬q¤¤ªº°Ñ¼Æ¡A¨äÀu¥ýÅv¤j©ó [DEFAULT] ùتº³q¥Î³]©w¡C
   
   ³]©w¦n¡A­«±Ò¤@¤Ufail2banªA°È¡AµM«á§Ú­Ì´N¥i¥H¶i¦æ´ú¸Õ¤F¡C
   
   service fail2ban restart
   
   
   
4. ¦bSSHªº´ú¸Õ¤W¡A§Ú­Ì¥i¥H¬G·N¨Ï¥Î¿ù»~ªº±K½X¨Óµn¤JSSH¶i¦æ´ú¸Õ¡C
   ¦b¥¢±Ñ¦¸¼Æ¹F³Ì¤j­È«á¡A²z½×¤W§Ú­Ì·|³Q±j­¢½ð¥X¡A
   µM«á§Ú­Ì¥i¥H³z¹LiptablesªºÀ˵ø«ü¥O¡A¨Ó¬d¬Ý³Q«ÊÂꪺ³W«h¡C
   
   iptables -L
   
   
   
   ­Y°»´úªA°Èªº action °Ñ¼Æ¬O§t¦³mail³qª¾ªº action_mw ©Î action_mwl¡A
   ¨º»ò§Ú­Ìªºemail¤]·|¦¬¨ìFail2Ban±H¨Óªº³qª¾«H¡C
   
   
   
   
5. ¨º³Q«ÊÂꪺIP¦p¦ó¸Ñ°£«ÊÂê©O¡H
   ¥Ñ©ófail2ban¬O³z¹Liptables¨Ó¶i¦æ«ÊÂꪺ¡A
   ©Ò¥H­n¸Ñ°£«ÊÂê¡A¤]­n±qiptables¨Ó¤U¤â¡A¥ý¬d¥X¥¦¬O¹ïÀ³¨ì­þ±ø³W«h¡AµM«á¦A¥h§R°£±¼³o±ø³W«h¡C
   
   iptables -L --line-numbers
   iptables -D <chain-name> <line-number>
   
   
   
   ¥H¶¶¤lªº¨Ò¤l¬°¨Ò¡A³z¹L iptables -L --line-numbers ¬d¥Xªºchain-name¬°fail2ban-ssh¡A
   ¾D«ÊÂêIP 192.168.0.2ªºline-number¬°1¡A
   ¨º§Ú­Ì´N¥i¥H¤U¦p¤Uªº«ü¥O±N³o±ø³W«h§R°£¡A¥H¸Ñ°£192.168.0.2ªº«ÊÂê¡C
   
   iptables -D fail2ban-ssh 1
   
   
   ¥t¥~ÁÙ¦³¤@­Ófail2ban-client«ü¥O¡A¾Ú»¡¥i¥H¥Î¨Ó¸Ñ°£IPªº«ÊÂê¡H
   ¦ý¶¶¤l¸Õ¤F¤@¾ã­Ó±ß¤W¡AÁÙ¬O¸Õ¤£¥X¨Ó¡A³o³¡¤À´N¤£»~¾É¤j®a¤F...
   
   
6. root±b¸¹µLªk°»´ú«ÊÂê¡I¡H
   ³Ì«á¦b´ú¸Õ¤¤¶¶¤lµo²{¡A¥Hroot±b¸¹¶i¦æsshµn¤J´ú¸Õ¡Afail2ban¬O¤£·|¾×ªº¡C
   ºô¸ô¤W¦³¤H¸ò¶¶¤l¤@¼Ë¦³¬Û¦Pµ²ªG¡A¦ý¦³¨Ç¤Hªºª©¥»¤S¥i¥H¾×root±b¸¹¡C
   
   ¦pªG¸ò¶¶¤l¤@¼Ë¾×¤£±¼root±b¸¹¡A
   ¨º´N°Ñ¦Òºô¸ô¤Wªº¤å³¹¡A§âroot±b¸¹©óssh¤¤¡A³]©w¬°¸T¤îµn¤J¡C
   ¤Ï¥¿¹ïubuntu¦Ó¨¥¡Aroot±b¸¹¥»´N¤£´£¨Ñ¨Ï¥Î¡A
   ¦bssh¤¤³]©w¸T¤îrootµn¤J¡H¤]¬O­è¦n¦Ó¤w¡ã
   
   ­×§ï /etc/ssh/sshd_config ¤å¥ó¡A¨Ã±N PermitRootLogin °Ñ¼Æ³]©w¬° no §Y¥i¡C
   
   PermitRootLogin no
   
   
   
7. ¦pªG·Q­n§ó¬½¤@ÂI¡A¤@°»´ú¨ì±K½X²q´úªº¦æ¬°¡A´Nª½±µ«ÊÂê¸ÓIP¡A
   ºÞ¥¦¥Îªº¬OSSHÁÙ¬OFTP¡A§¹¥þ©Úµ´´£¨Ñ¸ÓIP¥ô¦óªA°È¡A¨º­n«ç»ò°µ¡H
   
   ­º¥ý¡A¥ý¦b jail.local ¤¤¬d¬Ý banaction °Ñ¼Æªº¤º®e(¹w³]¬Oiptables-multiport)¡C
   
   banaction = iptables-multiport
   
   ¥H¹w³]ªº iptables-multiport ¬°¨Ò¡A±µµÛ¨ì /etc/fail2ban/action.d/ ¥Ø¿ý¤U¡A­×§ï¹ïÀ³ªº³]©wÀÉ iptables-multiport.conf¡A
   ±N actionban »P actionunban ³o¨â­Óiptablesªº³W«h§ï¬°§¹¥þ«ÊÂꪺ³]©w¡C
   
   #actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
   actionban = iptables -I INPUT -s <ip> -j DROP
   ...
   #actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
   actionunban = iptables -D INPUT -s <ip> -j DROP
   
   
   ³Ì«á¦A­«±Òfail2banªA°È§Y¥i¡ã
   
   service fail2ban restart
   
   
   
8. ­«¶}¾÷«á¡A«ÊÂêÁÙ¦³®Ä¶Ü¡H
   «Ü¿ò¾Ñªº¡A­«¶}¾÷©Î­«±ÒªA°È«á¡A¦]iptables¤¤¹ïÀ³ªºchain­«·s¸ü¤J¡A¤§«e«ÊÂꪺIP´N¤£¨£¤F...
   ¤£¹Lºô¸ô¤W¦³¤@½g¤å³¹¥i¥H¹F¨ì¥Ã¤[«ÊÂꪺ®ÄªG - How to make fail2ban bans persistent
   
   ¥¦ªº¤u§@­ì²z¬O¦b¶i¦æIP«ÊÂê®É¡A¤]¦P®É±N«ÊÂꪺIP¼g¤J¤@­ÓÀɮסA¨Ò¦pip.blacklist¡A
   µM«á¦b±Ò°ÊªA°È®É¡A¦A±N¦¹Àɮפ¤ªºIP¸ü¤Jiptablesªºchain¡A¥H¹F«ùÄò«ÊÂꪺ®ÄªG¡C
   
   actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
       echo <ip> >> /etc/fail2ban/ip.blacklist
   
   actionstart = iptables -N fail2ban-<name>
       iptables -A fail2ban-<name> -j RETURN
       iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
       cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
   
   
   ³o­Ó°µªk¬O¥i¦æªº¡A¤£¹L³z¹Liptables -D fail2ban-XXX¨Ó¸Ñ°£IP«ÊÂê®É¡A
   ¨Ã¥¼¦P¨B§R°£ip.blacklistÀɮפ¤ªºIP¡A©Ò¥HºÞ²z­û¥²»Ý¤â°Ê§R°£¦¹ÀɪºIP¡C
   
   ¥t¥~¦b¦P®ÉºÊ±±¦h­ÓªA°Èªº±¡ªp¤U¡A¤£¦PªA°ÈªºIP¼g¤J¦P¤@­ÓÀÉ®×·|³y¦¨¤@­ÓIP¦³¦hµ§°O¿ý¡F
   ¦P®É­«±ÒªA°È®É¡A¤]·|§â¤£¦PªA°Èªº«ÊÂêIP¡AµL®t§Oªº¸ü¤J©Ò¦³iptablesªºchain¤¤¡A³y¦¨«D¹w´Áªº·N¥~ª¬ªp¡C
   
   ¦b¦P®ÉºÊ±±¦hºØªA°È®É¡A³o­ÓIP¦W³æ°O¿ýÀÉip.blacklist»Ý¹ïÀ³¤£¦PªººÊ±±ªA°È¤â°Ê«Ø¥ß¦hµ§¡A
   ¨Ò¦psshªA°Èªº¡A´N©R¦W¬°ip.ssh.blacklist¡A
   vsftpdªA°Èªº¡A´N©R¦W¬°ip.vsftpd.blacklist¡F
   µM«á¦b actionban »P actionstart ¤¤§âªA°È¦WºÙÅܼÆ<name>¥[¨ì°O¿ýÀɪºÀɦW¤§¤¤¡A³o¼Ë¤~¤£·|¥X¿ù¡C
   
   actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
       echo <ip> >> /etc/fail2ban/ip.<name>.blacklist
   
   actionstart = iptables -N fail2ban-<name>
       iptables -A fail2ban-<name> -j RETURN
       iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
       cat /etc/fail2ban/ip.<name>.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

♥¶¶¤l¦Ñ±Cªººô©ç¡A½Ð¦hÃö·Ó¡ã

If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!