fail2ban

Differences

This view shows the differences between two versions of the page.

fail2ban [31.01.2024]
hochrath
fail2ban [31.01.2024] (current)
hochrath [Sources]
Zeile 48: Zeile 48:
 Jan 31 13:19:50 raspberrypi3 systemd[1]: Started Fail2Ban Service. Jan 31 13:19:50 raspberrypi3 systemd[1]: Started Fail2Ban Service.
 Jan 31 13:19:52 raspberrypi3 fail2ban-server[20878]: Server ready Jan 31 13:19:52 raspberrypi3 fail2ban-server[20878]: Server ready
 +
 +</code>
 +
 +\\
 +==== Log-File ====
 +
 +
 +<code>
 +tail- f /var/log/fail2ban.log
 +bash: tail-: command not found
 +root@raspberrypi3:/home/pi# tail -f /var/log/fail2ban.log
 +2024-01-31 13:19:52,130 fail2ban.jail           [20878]: INFO    Creating new jail 'sshd'
 +2024-01-31 13:19:52,318 fail2ban.jail           [20878]: INFO    Jail 'sshd' uses pyinotify {}
 +2024-01-31 13:19:52,341 fail2ban.jail           [20878]: INFO    Initiated 'pyinotify' backend
 +2024-01-31 13:19:52,360 fail2ban.filter         [20878]: INFO      maxLines: 1
 +2024-01-31 13:19:52,643 fail2ban.filter         [20878]: INFO      maxRetry: 5
 +2024-01-31 13:19:52,645 fail2ban.filter         [20878]: INFO      findtime: 600
 +2024-01-31 13:19:52,646 fail2ban.actions        [20878]: INFO      banTime: 600
 +2024-01-31 13:19:52,647 fail2ban.filter         [20878]: INFO      encoding: UTF-8
 +2024-01-31 13:19:52,651 fail2ban.filter         [20878]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = 6ab07ffed84cb62c8dcb4600d0b0630ab9c821f5)
 +2024-01-31 13:19:52,671 fail2ban.jail           [20878]: INFO    Jail 'sshd' started
 +
 +</code>
 +
 +\\
 +Wird 6x hintereinander versucht eine ssh-Verbindung herzustellen, sperrt fail2ban den Zugang:
 +<code>
 +2024-01-31 13:41:52,082 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:41:52
 +2024-01-31 13:41:59,197 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:41:58
 +2024-01-31 13:42:02,555 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:02
 +2024-01-31 13:42:07,367 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:07
 +2024-01-31 13:42:11,476 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:11
 +2024-01-31 13:42:12,249 fail2ban.actions        [20878]: NOTICE  [sshd] Ban 192.168.178.36
 +
 +</code>
 +
 +\\
 +Nach 10 Minuten ist er wieder freigegeben:
 +<code>
 +2024-01-31 13:52:11,321 fail2ban.actions        [20878]: NOTICE  [sshd] Unban 192.168.178.36
  
 </code> </code>
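Review bot: the first two lines of the new Log-File block, `tail- f /var/log/fail2ban.log` and `bash: tail-: command not found`, are a mistyped command and the shell's error message rather than anything the reader should run; drop them and start the block at `root@raspberrypi3:/home/pi# tail -f /var/log/fail2ban.log`. The sentence "Wird 6x hintereinander versucht eine ssh-Verbindung herzustellen" speaks of six attempts, but the log below shows exactly five `[sshd] Found 192.168.178.36` lines before the `Ban`, which is what `maxRetry: 5` from the startup output predicts; either say five or explain why the extra attempt does not appear in the log. The "Nach 10 Minuten" unban is consistent with `banTime: 600`, so that part reads correctly.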
Zeile 68: Zeile 108:
  
 </code> </code>
 +
 +\\
 +==== Ausgangskonfiguration ====
 +In der Datei ///etc/fail2ban/jail.conf// steht im Abschnitt\\
 +[DEFAULT]
 +<code>
 +# "bantime" is the number of seconds that a host is banned.
 +bantime  = 10m
 +
 +# A host is banned if it has generated "maxretry" during the last "findtime"
 +# seconds.
 +findtime  = 10m
 +
 +# "maxretry" is the number of failures before a host get banned.
 +maxretry = 5
 +
 +</code>
 +Die habe ich zu Testzwecken auf 2 Minuten und 2 Einträgen reduziert.\\
 +\\
 +\\
 +In der Datei  ///etc/fail2ban/jail.conf// stehen im Abschnitt\\
 +<code>
 +#
 +# JAILS
 +#
 +
 +</code>
 +alle zu überwachenden Dienste.\\
 +Sie werden mit dem Zusatz: enabled = true und einem Dienstneustart aktiviert.\\
 +
 +
 +
 +\\
 +Jails anzeigen lassen:
 +<code>
 +root@raspberrypi3:/home/pi# fail2ban-client status
 +Status
 +|- Number of jail:      1
 +`- Jail list:   sshd
 +</code>
 +
 +bzw. dann später:
 +<code>
 +root@raspberrypi3:/home/pi# fail2ban-client status
 +Status
 +|- Number of jail:      2
 +`- Jail list:   apache-auth, sshd
 +
 +</code>
 +\\
 +genauer hingesehen:
 +<code>
 +root@raspberrypi3:/home/pi# fail2ban-client status sshd
 +Status for the jail: sshd
 +|- Filter
 +|  |- Currently failed: 0
 +|  |- Total failed:     5
 +|  `- File list:        /var/log/auth.log
 +`- Actions
 +   |- Currently banned: 0
 +   |- Total banned:     1
 +   `- Banned IP list:
 +
 +
 +</code>
 +
 +\\
 +==== Beste Vorgehensweise ====
 +
 +die Ausgangskonfiguration kopieren
 +<code>cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</code>
 +\\
 +Die Kopie anpassen. Also im Abschnitt //DEFAULT// die gwünschte Regel mit //enabeld = true// aktivieren bzw. eine neue hinzufügen.\\
 +\\
 +Im Verzeichnis ///etc/fail2ban/filter.d/// dann die *.conf verändern oder falls noch nicht vorhanden, anlegen und anpassen.\\
 +\\
 +\\
 +Beispiel: Apache 404-Fehler:\\
 +
 +<code>
 +nano  /etc/fail2ban/jail.local
 +
 +
 +#
 +# JAILS
 +#
 +
 +# neu hinzufügen
 +[apache404]
 +enabled = true
 +port     = http,https
 +logpath  = /var/log/apache2/access.log
 +
 +</code>
 +
 +
 +\\
 +dann eine neue Filterdatei anlegen:
 +<code>
 +nano /etc/fail2ban/filter.d/apache404.conf
 +</code>
 +
 +<code>
 +[Definition]
 +
 +failregex = ^<HOST> -.*"(GET|POST).*404*.*$
 +
 +ignoreregex =
 +
 +datepattern = ^[^\[]*\[({DATE})
 +              {^LN-BEG}
 +</code>
 +
 +und fail2ban neustarten:
 +<code>
 +service fail2ban restart
 +</code>
 +
 +\\
 +\\
 +Nun kann man über die Log-Files sehr schön den Verlauf bei einem fehlerhaften Zugriff beobachten:\\
 +**service fail2ban status**
 +<code>
 +root@raspberrypi3:/home/pi# service fail2ban status
 +● fail2ban.service - Fail2Ban Service
 +     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
 +     Active: active (running) since Wed 2024-01-31 15:32:26 CET; 1h 1min ago
 +       Docs: man:fail2ban(1)
 +    Process: 23835 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 +   Main PID: 23836 (fail2ban-server)
 +      Tasks: 7 (limit: 1595)
 +        CPU: 5.115s
 +     CGroup: /system.slice/fail2ban.service
 +             └─23836 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
 +
 +Jan 31 15:32:26 raspberrypi3 systemd[1]: Starting Fail2Ban Service...
 +Jan 31 15:32:26 raspberrypi3 systemd[1]: Started Fail2Ban Service.
 +Jan 31 15:32:27 raspberrypi3 fail2ban-server[23836]: Server ready
 +</code>
 +
 +\\
 +**iptables -L**
 +<code>
 +root@raspberrypi3:/home/pi# iptables -L
 +Chain INPUT (policy ACCEPT)
 +target     prot opt source               destination
 +f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https
 +
 +Chain FORWARD (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain OUTPUT (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain f2b-apache404 (1 references)
 +target     prot opt source               destination
 +RETURN     all  --  anywhere             anywhere
 +</code>
 +
 +\\
 +**fail2ban-client status apache404**
 +<code>
 +root@raspberrypi3:/home/pi# fail2ban-client status apache404
 +Status for the jail: apache404
 +|- Filter
 +|  |- Currently failed: 1
 +|  |- Total failed:     3
 +|  `- File list:        /var/log/apache2/access.log
 +`- Actions
 +   |- Currently banned: 0
 +   |- Total banned:     1
 +   `- Banned IP list:
 +
 +</code>
 +
 +\\
 +\\
 +nun die Webseite nach fehlenden Seiten abfragen:
 +\\
 +**tail -f /var/log/fail2ban.log**
 +<code>
 +2024-01-31 16:36:58,105 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:36:58
 +2024-01-31 16:38:13,892 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:38:13
 +2024-01-31 16:38:14,032 fail2ban.actions        [23836]: NOTICE  [apache404] Ban 192.168.178.36**Fetter Text**
 +
 +</code>
 +
 +\\
 +**fail2ban-client status apache404**
 +<code>
 +root@raspberrypi3:/home/pi# fail2ban-client status apache404
 +Status for the jail: apache404
 +|- Filter
 +|  |- Currently failed: 0
 +|  |- Total failed:     5
 +|  `- File list:        /var/log/apache2/access.log
 +`- Actions
 +   |- Currently banned: 1
 +   |- Total banned:     2
 +   `- Banned IP list:   192.168.178.36
 +
 +</code>
 +
 +\\
 +**iptables -L**
 +<code>
 +root@raspberrypi3:/home/pi# iptables -L
 +Chain INPUT (policy ACCEPT)
 +target     prot opt source               destination
 +f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https
 +
 +Chain FORWARD (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain OUTPUT (policy ACCEPT)
 +target     prot opt source               destination
 +
 +Chain f2b-apache404 (1 references)
 +target     prot opt source               destination
 +REJECT     all  --  DESKTOP-PQ44AIL.fritz.box  anywhere             reject-with icmp-port-unreachable
 +RETURN     all  --  anywhere             anywhere
 +
 +</code>
 +
 +
  
  
  
 + 
  
 +\\
 \\ \\
 ==== Quellen ==== ==== Quellen ====
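Review bot: the filter line `failregex = ^<HOST> -.*"(GET|POST).*404*.*$` does not restrict the match to 404 responses: `404*` is `40` followed by zero or more `4`, and with `.*` on both sides any access-log line that contains `40` anywhere after the method (a 400 or 403 status, a path such as `/img/40.png`, a byte count) is counted as a failure, so legitimate clients can be banned. Anchor on the status field instead, for example `failregex = ^<HOST> -.*"(GET|POST) [^"]*" 404 .*$`, and test it with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache404.conf` before enabling the jail. In "Die Kopie anpassen. Also im Abschnitt //DEFAULT// die gwünschte Regel mit //enabeld = true// aktivieren" the section is wrong: a jail is switched on in its own `[name]` block under `# JAILS`, exactly as the `[apache404]` example further down shows, whereas `enabled = true` placed in `[DEFAULT]` turns on every jail in the file; also "gwünschte" and "enabeld" should read "gewünschte" and "enabled". Finally, the `**Fetter Text**` appended to the `[apache404] Ban 192.168.178.36` log line is editor residue and does not belong in the pasted log.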
fail2ban.1706704124.txt.gz · Last modified: 31.01.2024 by hochrath