fail2ban

Настройка блокировки /etc/fail2ban/jail.conf

[sshd]
mode = extra

Использовать extra фильтры поиск из /etc/fail2ban/filter.d

Команды

Показать заблокированные ip в iptables:

sudo iptables-save | grep f2b

Показать статус jail правила (sshd):

sudo fail2ban-client status sshd

Разблокировать IP:

sudo fail2ban-client unban IP

Инкрементальная блокировка

Раскомментировать в /etc/fail2ban/jail.conf:

bantime.increment = true
bantime.rndtime = 10m

sudo sed '/bantime.increment =/s/.*/bantime.increment = true/' -i /etc/fail2ban/jail.conf
sudo sed '/bantime.rndtime =/s/.*/bantime.rndtime = 10m/' -i /etc/fail2ban/jail.conf

Прогрессивная блокировка

Добавить /etc/fail2ban/jail.d/recidive.conf:

recidive.conf

[recidive1]
enabled = true
filter = recidive
bantime = 10800 ; 3 hours
findtime = 86400 ; 1 day
logpath = /var/log/fail2ban.log
maxretry = 4
 
[recidive2]
enabled = true
filter = recidive
bantime = 86400 ;1 day
findtime = 604800 ;1 week
logpath = /var/log/fail2ban.log
maxretry = 7
 
[recidive3]
enabled = true
filter = recidive
bantime = 604800 ;1 week
findtime = 2592000 ;1 month
logpath = /var/log/fail2ban.log
maxretry = 10
 
[recidive4]
enabled = true
filter =recidive
bantime = 2592000 ;1 month
findtime = 15552000 ;6 months
logpath = /var/log/fail2ban.log
maxretry = 20

и для исключения «конфликтов» между правилами изменить в /etc/fail2ban/filter.d/recidive.conf:

ignoreregex =

на

ignoreregex = \[recidive.*\]\s+Ban\s+<HOST>

https://www.burlutsky.su/ru/security-ru/fail2ban-%D0%BF%D0%BE%D0%B2%D1%82%D0%BE%D1%80%D0%BD%D1%8B%D0%B9-%D0%B1%D0%B0%D0%BD/

Логирование

Перенаправляем логирование через rsyslog:

sudo sed -i 's/logtarget = .*/logtarget = SYSLOG/' /etc/fail2ban/fail2ban.conf
echo :syslogtag, contains, \"fail2ban\" /var/log/fail2ban.log | sudo tee /etc/rsyslog.d/49-fail2ban.conf
echo "& stop" | sudo tee -a /etc/rsyslog.d/49-fail2ban.conf
sudo service rsyslog restart
sudo service fail2ban restart

FreePBX

Создаём свой фильтр /etc/fail2ban/filter.d/freepbx.conf:

/etc/fail2ban/filter.d/freepbx.conf

# Fail2Ban filter for freepbx/asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (\[?[\d\s\-\:]+\]?\s+)?(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '.*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =

Добавляем правило /etc/fail2ban/jail.d/freepbx.conf:

/etc/fail2ban/jail.d/freepbx.conf

[freepbx]

port     = 5060,5061,5160
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/full
maxretry = 5