Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
fail2ban [31.01.2024] hochrath |
fail2ban [31.01.2024] (aktuell) hochrath [Quellen] |
||
---|---|---|---|
Zeile 90: | Zeile 90: | ||
</ | </ | ||
+ | |||
\\ | \\ | ||
==== Dateiübersicht ==== | ==== Dateiübersicht ==== | ||
Zeile 110: | Zeile 111: | ||
\\ | \\ | ||
==== Ausgangskonfiguration ==== | ==== Ausgangskonfiguration ==== | ||
- | In der Datei / | + | In der Datei /// |
[DEFAULT] | [DEFAULT] | ||
< | < | ||
Zeile 124: | Zeile 125: | ||
</ | </ | ||
+ | Die habe ich zu Testzwecken auf 2 Minuten und 2 Einträgen reduziert.\\ | ||
+ | \\ | ||
+ | \\ | ||
+ | In der Datei /// | ||
+ | < | ||
+ | # | ||
+ | # JAILS | ||
+ | # | ||
+ | </ | ||
+ | alle zu überwachenden Dienste.\\ | ||
+ | Sie werden mit dem Zusatz: enabled = true und einem Dienstneustart aktiviert.\\ | ||
+ | |||
+ | |||
+ | \\ | ||
+ | Jails anzeigen lassen: | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | Status | ||
+ | |- Number of jail: 1 | ||
+ | `- Jail list: sshd | ||
+ | </ | ||
+ | |||
+ | bzw. dann später: | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | Status | ||
+ | |- Number of jail: 2 | ||
+ | `- Jail list: | ||
+ | |||
+ | </ | ||
+ | \\ | ||
+ | genauer hingesehen: | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | Status for the jail: sshd | ||
+ | |- Filter | ||
+ | | |- Currently failed: 0 | ||
+ | | |- Total failed: | ||
+ | | `- File list: / | ||
+ | `- Actions | ||
+ | |- Currently banned: 0 | ||
+ | |- Total banned: | ||
+ | `- Banned IP list: | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | ==== Beste Vorgehensweise ==== | ||
+ | |||
+ | die Ausgangskonfiguration kopieren | ||
+ | < | ||
+ | \\ | ||
+ | Die Kopie anpassen. Also im Abschnitt //DEFAULT// die gwünschte Regel mit //enabeld = true// aktivieren bzw. eine neue hinzufügen.\\ | ||
+ | \\ | ||
+ | Im Verzeichnis /// | ||
+ | \\ | ||
+ | \\ | ||
+ | Beispiel: Apache 404-Fehler: | ||
+ | |||
+ | < | ||
+ | nano / | ||
+ | |||
+ | |||
+ | # | ||
+ | # JAILS | ||
+ | # | ||
+ | |||
+ | # neu hinzufügen | ||
+ | [apache404] | ||
+ | enabled = true | ||
+ | port = http,https | ||
+ | logpath | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | \\ | ||
+ | dann eine neue Filterdatei anlegen: | ||
+ | < | ||
+ | nano / | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | [Definition] | ||
+ | |||
+ | failregex = ^< | ||
+ | |||
+ | ignoreregex = | ||
+ | |||
+ | datepattern = ^[^\[]*\[({DATE}) | ||
+ | {^LN-BEG} | ||
+ | </ | ||
+ | |||
+ | und fail2ban neustarten: | ||
+ | < | ||
+ | service fail2ban restart | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | \\ | ||
+ | Nun kann man über die Log-Files sehr schön den Verlauf bei einem fehlerhaften Zugriff beobachten: | ||
+ | **service fail2ban status** | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | ● fail2ban.service - Fail2Ban Service | ||
+ | | ||
+ | | ||
+ | Docs: man: | ||
+ | Process: 23835 ExecStartPre=/ | ||
+ | Main PID: 23836 (fail2ban-server) | ||
+ | Tasks: 7 (limit: 1595) | ||
+ | CPU: 5.115s | ||
+ | | ||
+ | | ||
+ | |||
+ | Jan 31 15:32:26 raspberrypi3 systemd[1]: Starting Fail2Ban Service... | ||
+ | Jan 31 15:32:26 raspberrypi3 systemd[1]: Started Fail2Ban Service. | ||
+ | Jan 31 15:32:27 raspberrypi3 fail2ban-server[23836]: | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | **iptables -L** | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | Chain INPUT (policy ACCEPT) | ||
+ | target | ||
+ | f2b-apache404 | ||
+ | |||
+ | Chain FORWARD (policy ACCEPT) | ||
+ | target | ||
+ | |||
+ | Chain OUTPUT (policy ACCEPT) | ||
+ | target | ||
+ | |||
+ | Chain f2b-apache404 (1 references) | ||
+ | target | ||
+ | RETURN | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | **fail2ban-client status apache404** | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | Status for the jail: apache404 | ||
+ | |- Filter | ||
+ | | |- Currently failed: 1 | ||
+ | | |- Total failed: | ||
+ | | `- File list: / | ||
+ | `- Actions | ||
+ | |- Currently banned: 0 | ||
+ | |- Total banned: | ||
+ | `- Banned IP list: | ||
+ | |||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | \\ | ||
+ | nun die Webseite nach fehlenden Seiten abfragen: | ||
+ | \\ | ||
+ | **tail -f / | ||
+ | < | ||
+ | 2024-01-31 16: | ||
+ | 2024-01-31 16: | ||
+ | 2024-01-31 16: | ||
+ | |||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | **fail2ban-client status apache404** | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | Status for the jail: apache404 | ||
+ | |- Filter | ||
+ | | |- Currently failed: 0 | ||
+ | | |- Total failed: | ||
+ | | `- File list: / | ||
+ | `- Actions | ||
+ | |- Currently banned: 1 | ||
+ | |- Total banned: | ||
+ | `- Banned IP list: | ||
+ | |||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | **iptables -L** | ||
+ | < | ||
+ | root@raspberrypi3:/ | ||
+ | Chain INPUT (policy ACCEPT) | ||
+ | target | ||
+ | f2b-apache404 | ||
+ | |||
+ | Chain FORWARD (policy ACCEPT) | ||
+ | target | ||
+ | |||
+ | Chain OUTPUT (policy ACCEPT) | ||
+ | target | ||
+ | |||
+ | Chain f2b-apache404 (1 references) | ||
+ | target | ||
+ | REJECT | ||
+ | RETURN | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | \\ | ||
\\ | \\ | ||
==== Quellen ==== | ==== Quellen ==== |