


I installed Fail2ban, which detects unauthorized access attempts against the server and blocks them.
The main goal is to block IP addresses that access wp-login.php from outside.
Fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page
Reference site
Attack countermeasures with fail2ban
http://kuragane.jp/fail2ban.htm
- Install Fail2ban
- Configuration file /etc/fail2ban/fail2ban.conf
- Configuration file /etc/fail2ban/jail.conf
- Start Fail2ban
- Configure automatic startup
- Operation test
As usual, I install with yum. In my environment both the dag and epel repositories carried Fail2ban, so I installed from the epel repo.
[root@host1 ~]# yum info fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: ftp.riken.jp
 * base: ftp.riken.jp
 * centosplus: ftp.riken.jp
 * epel: ftp.riken.jp
 * extras: ftp.riken.jp
 * remi: mirrors.mediatemple.net
 * updates: ftp.riken.jp
addons                                          | 1.9 kB     00:00
base                                            | 1.1 kB     00:00
centosplus                                      | 1.9 kB     00:00
dag                                             | 1.9 kB     00:00
epel                                            | 3.6 kB     00:00
extras                                          | 2.1 kB     00:00
remi                                            | 2.5 kB     00:00
updates                                         | 1.9 kB     00:00
Available Packages
Name       : fail2ban
Arch       : i386
Version    : 0.6.0
Release    : 1.el5.rf
Size       : 45 k
Repo       : dag
Summary    : Scan logfiles and ban ip addresses with too many password failures
URL        : http://fail2ban.sourceforge.net/
License    : GPL
Description: Fail2Ban monitors log files like /var/log/pwdfail or
           : /var/log/apache/error_log and bans failure-prone addresses. It updates
           : firewall rules to reject the IP address or executes user defined commands.

Name       : fail2ban
Arch       : noarch
Version    : 0.8.7.1
Release    : 1.el5.rf
Size       : 153 k
Repo       : dag
Summary    : Scan logfiles and ban ip addresses with too many password failures
URL        : http://fail2ban.sourceforge.net/
License    : GPL
Description: Fail2Ban monitors log files like /var/log/pwdfail or
           : /var/log/apache/error_log and bans failure-prone addresses. It updates
           : firewall rules to reject the IP address or executes user defined commands.

[root@host1 ~]# yum --disablerepo=dag info fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: ftp.riken.jp
 * base: ftp.riken.jp
 * centosplus: ftp.riken.jp
 * epel: ftp.riken.jp
 * extras: ftp.riken.jp
 * remi: mirrors.mediatemple.net
 * updates: ftp.riken.jp
Available Packages
Name       : fail2ban
Arch       : noarch
Version    : 0.8.4
Release    : 29.el5
Size       : 136 k
Repo       : epel
Summary    : Ban IPs that make too many password failures
URL        : http://fail2ban.sourceforge.net/
License    : GPLv2+
Description: Fail2ban scans log files like /var/log/pwdfail or
           : /var/log/apache/error_log and bans IP that makes too many password
           : failures. It updates firewall rules to reject the IP address.

[root@host1 ~]# yum --disablerepo=dag install fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: ftp.riken.jp
 * base: ftp.riken.jp
 * centosplus: ftp.riken.jp
 * epel: ftp.riken.jp
 * extras: ftp.riken.jp
 * remi: mirrors.mediatemple.net
 * updates: ftp.riken.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.4-29.el5 set to be updated
--> Processing Dependency: shorewall for package: fail2ban
--> Processing Dependency: python-inotify for package: fail2ban
--> Running transaction check
---> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
--> Processing Dependency: python-ctypes for package: python-inotify
---> Package shorewall.noarch 0:4.0.15-1.el5 set to be updated
--> Processing Dependency: shorewall-shell = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-perl = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-common = 4.0.15-1.el5 for package: shorewall
--> Running transaction check
---> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
---> Package shorewall-common.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-perl.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-shell.noarch 0:4.0.15-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================
 Package              Arch       Version              Repository       Size
=======================================================================================
Installing:
 fail2ban             noarch     0.8.4-29.el5         epel            136 k
Installing for dependencies:
 python-ctypes        i386       1.0.2-3.el5          base            207 k
 python-inotify       noarch     0.9.1-1.el5          epel             86 k
 shorewall            noarch     4.0.15-1.el5         epel            9.2 k
 shorewall-common     noarch     4.0.15-1.el5         epel            232 k
 shorewall-perl       noarch     4.0.15-1.el5         epel            137 k
 shorewall-shell      noarch     4.0.15-1.el5         epel             76 k

Transaction Summary
=======================================================================================
Install       7 Package(s)
Upgrade       0 Package(s)

Total download size: 883 k
Is this ok [y/N]: y
Downloading Packages:
(1/7): shorewall-4.0.15-1.el5.noarch.rpm                 | 9.2 kB     00:00
(2/7): shorewall-shell-4.0.15-1.el5.noarch.rpm           |  76 kB     00:00
(3/7): python-inotify-0.9.1-1.el5.noarch.rpm             |  86 kB     00:00
(4/7): fail2ban-0.8.4-29.el5.noarch.rpm                  | 136 kB     00:00
(5/7): shorewall-perl-4.0.15-1.el5.noarch.rpm            | 137 kB     00:00
(6/7): python-ctypes-1.0.2-3.el5.i386.rpm                | 207 kB     00:00
(7/7): shorewall-common-4.0.15-1.el5.noarch.rpm          | 232 kB     00:00
---------------------------------------------------------------------------------------
Total                                           536 kB/s | 883 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : shorewall-common                                       1/7
  Installing     : python-ctypes                                          2/7
  Installing     : python-inotify                                         3/7
  Installing     : shorewall-shell                                        4/7
  Installing     : shorewall-perl                                         5/7
  Installing     : shorewall                                              6/7
  Installing     : fail2ban                                               7/7

Installed:
  fail2ban.noarch 0:0.8.4-29.el5

Dependency Installed:
  python-ctypes.i386 0:1.0.2-3.el5          python-inotify.noarch 0:0.9.1-1.el5
  shorewall.noarch 0:4.0.15-1.el5           shorewall-common.noarch 0:4.0.15-1.el5
  shorewall-perl.noarch 0:4.0.15-1.el5      shorewall-shell.noarch 0:4.0.15-1.el5

Complete!
/etc/fail2ban/fail2ban.conf can be left unchanged for now.
[root@host1 ~]# cat /etc/fail2ban/fail2ban.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#

[Definition]

# Option: loglevel
# Notes.: Set the log level output.
#         1 = ERROR
#         2 = WARN
#         3 = INFO
#         4 = DEBUG
# Values: NUM  Default: 3
#
loglevel = 3

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file  Default: /var/log/fail2ban.log
#
logtarget = SYSLOG

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
/etc/fail2ban/jail.conf is changed as needed. This time I configured it to block immediately when wp-admin.php is accessed from outside.
I created the filter with reference to the following sites:
fail2ban-filters / apache-wplogin.conf
https://github.com/dword1511/fail2ban-filters/blob/master/apache-wplogin.conf
Securing WordPress using fail2ban
http://23x.net/908/securing-wordpress-using-fail2ban.html
They were a real help. Thanks!
Since httpd does not support TCP wrappers, I went with blocking via iptables, and because mail notifications to the administrator looked likely to become enormous, I turned them off for now.
[Default]
[root@host1 ~]# cat /etc/fail2ban/jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/postfix.log
bantime  = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/apache2/error_log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled  = false
port     = http,https
filter   = php-url-fopen
logpath  = /var/www/*/logs/access_log
maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
#   ALERT – tried to register forbidden variable ‘GLOBALS’
#   through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled  = false
port     = http,https
filter   = lighttpd-fastcgi
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.

# This jail blocks UDP traffic for DNS requests.

[named-refused-udp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1
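To see what a wp-login.php jail like the one described above actually decides, here is an added example (my own code, not from this post and not the linked apache-wplogin.conf) that replays fail2ban's failregex / findtime / maxretry logic in Python over constructed Apache access_log lines. The failregex and the way the <HOST> tag is expanded are assumptions modelled on fail2ban 0.8; the ignoreip handling shows why the administrator's own address should be in that list before switching a jail to maxretry = 1.

```python
import re
from datetime import datetime, timedelta

# Constructed failregex in the spirit of the apache-wplogin filter the post refers
# to (an assumption, not the upstream file): any GET/POST request for wp-login.php.
FAILREGEX = r'^<HOST> -.*"(?:GET|POST) /wp-login\.php'
# Approximation of how fail2ban 0.8 expands the <HOST> tag (assumption).
HOST_RE = r'(?P<host>[\w\-.^_]*\w)'
# Apache combined-log timestamp, e.g. [10/Oct/2013:13:55:36 +0900]
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Constructed access_log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:36 +0900] "GET /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2013:13:55:40 +0900] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2013:13:56:01 +0900] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2013:13:56:10 +0900] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "curl/7.15"',
    '198.51.100.7 - - [10/Oct/2013:13:57:00 +0900] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2013:14:20:00 +0900] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"',
]

def parse_line(line, regex):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = regex.search(line)
    if m is None:
        return None
    ts = datetime.strptime(TIME_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S')
    return m.group('host'), ts

def find_bans(lines, maxretry=3, findtime=600, ignoreip=('127.0.0.1',),
              failregex=FAILREGEX):
    """Replay the jail decision: a host is banned once it has maxretry matches
    within findtime seconds. Hosts in ignoreip are never banned, which is why the
    administrator's own address belongs there before switching to maxretry = 1."""
    regex = re.compile(failregex.replace('<HOST>', HOST_RE))
    recent = {}   # host -> timestamps of matches still inside the findtime window
    banned = []   # hosts in the order the ban action would fire
    for line in lines:
        parsed = parse_line(line, regex)
        if parsed is None:
            continue
        host, ts = parsed
        if host in ignoreip or host in banned:
            continue
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned
```

With maxretry=1 (the immediate block used in this post) both external hosts are banned on their first hit, while with the stock maxretry=3 / findtime=600 nobody is banned because the third request from 203.0.113.5 falls outside the 600-second window.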
[root@host1 fail2ban]# /etc/init.d/fail2ban start
Starting fail2ban:                                         [  OK  ]
[root@host1 fail2ban]# /etc/init.d/fail2ban status
Fail2ban (pid xxxxx) is running...
Status
|- Number of jail:      1
`- Jail list:           apache-wplogin
[root@host1 fail2ban]# chkconfig --list | grep fail2ban
fail2ban        0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@host1 fail2ban]# chkconfig fail2ban on
[root@host1 fail2ban]# chkconfig --list | grep fail2ban
fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off
After watching for a while, an IP that had accessed wp-login.php was added to iptables as a blocked address.
[root@host1 fail2ban]# iptables -L
(snip)
Chain fail2ban-WP (1 references)
target     prot opt source                                destination
DROP       all  --  xxxxx-xxx-xx-xxx-xxx.mol.net.ua       anywhere
RETURN     all  --  anywhere                              anywhere
Fail2ban is feature-rich and looks like it will become a very handy tool once I get used to it.
And I am truly grateful to the people who provide such wonderful software as open source.