Fail2ban: Difference between revisions

From wiki.frank-wulf.de

Revision as of 2 October 2017, 18:13

Fail2Ban Installation from GitHub (EN)

If an existing Fail2Ban service is running, stop it first:

sudo service fail2ban stop

Download version 0.10 from GitHub:

wget https://github.com/fail2ban/fail2ban/archive/0.10.0.tar.gz -O fail2ban-0.10.0.tar.gz

Unpack and install:
sudo tar -zxpvf fail2ban-0.10.0.tar.gz
cd fail2ban-0.10.0
sudo python setup.py install

This installs Fail2Ban into the Python library directory. The executable scripts are placed in /usr/local/bin and the configuration under /etc/fail2ban.


Enable Fail2Ban as a service that starts at boot:

sudo cp files/debian-initd /etc/init.d/fail2ban
sudo update-rc.d fail2ban defaults
sudo service fail2ban start

Using IP sets instead of iptables chains

By default Fail2Ban blocks IP addresses with one iptables rule per address in its own chain (here f2b-sshd).

Example:

root@fwserv1:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m set --match-set fail2ban-ssh src -j DROP
-A FORWARD -m set --match-set fail2ban-ssh src -j DROP
-A f2b-sshd -s 120.52.56.124/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 116.193.161.242/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 14.215.237.205/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 118.244.238.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 155.133.82.12/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 49.4.6.132/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 118.244.206.22/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.132.29.162/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 192.160.102.169/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 162.247.72.213/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 149.56.223.241/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 27.255.79.82/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 211.104.171.220/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 187.252.208.82/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 116.6.49.126/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
root@fwserv1:~#

Since Linux kernel 2.6 there has been an option to use so-called IP sets to hold a large number of IP addresses in memory. This technique uses hash tables to store and look up IP addresses and is therefore much more efficient than sequentially parsing the iptables rules, whose rule count grows with every ban.

The following shell script moves IP addresses from the iptables rules to an IP set:

#!/bin/bash
#
# Author:  Frank Wulf
# Version: 1.0 (2017-10-01)
#
# This program moves iptables entries created by fail2ban to
# an IP set in the Linux kernel. The advantage is that ipset uses
# a hash table to store/fetch IP addresses, so the IP lookup
# is much more efficient and faster than sequentially parsing
# the iptables rules.
#
# Version history:
# 1.0   2017-10-01   Initial release
#
# Note: the set is created without a timeout, so addresses moved into it
# stay blocked until removed by hand; fail2ban's bantime no longer applies.

set -u

# Temporary output file (mktemp avoids a predictable file name in /tmp)
out=$(mktemp /tmp/fwfail2ban.XXXXXX) || exit 1
trap 'rm -f "$out"' EXIT

# Build the ipset if it does not exist
ipset -exist create fail2ban-ssh hash:ip

# Build the iptables rules that use the ipset if they do not exist
for chain in INPUT FORWARD; do
  if ! iptables -C "$chain" -m set --match-set fail2ban-ssh src -j DROP >/dev/null 2>&1; then
    iptables -I "$chain" -m set --match-set fail2ban-ssh src -j DROP
  fi
done

# Get banned IP addresses from iptables. In "iptables -L -v -n" output the
# source address is column 8; the RETURN rule (source 0.0.0.0/0) is dropped.
iptables -L f2b-sshd -v -n | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $8}' | grep -v '0\.0\.0\.0' >"$out"

while read -r ipaddr; do
  # Add IP address to the ipset (-exist: already present is not an error)
  ipset -exist add fail2ban-ssh "$ipaddr" >/dev/null 2>&1
  # Remove IP address from iptables and from the fail2ban database
  fail2ban-client unban "$ipaddr" >/dev/null 2>&1
done <"$out"

# Save the IP set to enable restoring after reboot. rules.v4 references the
# set, so rules.ipset must be restored before the iptables rules at boot.
ipset save -f /etc/iptables/rules.ipset

# Save iptables to enable restoring after reboot; the entries created
# by fail2ban are filtered out because fail2ban restores them itself.
iptables-save | grep -v "^\-A.*f2b-sshd" > /etc/iptables/rules.v4

# The temporary file is removed by the trap above
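As an added example (not the wiki's script), the following reads the `iptables -S` listing shown above instead of picking column 8 of `iptables -L -v -n`, collects the `-s` addresses of the fail2ban chain and writes a batch for `ipset restore`. The function names and the shortened sample listing are constructed for the example.

```shell
#!/bin/bash
# Added example: derive an "ipset restore" batch from "iptables -S" output.
# Only rules of the form "-A <chain> -s <addr> ..." are used; the "-N" line,
# the "-j RETURN" rule and the INPUT/FORWARD jump rules are skipped.

# Constructed sample listing, shortened from the one shown on the page.
SAMPLE_RULES='-P INPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m set --match-set fail2ban-ssh src -j DROP
-A f2b-sshd -s 120.52.56.124/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 116.193.161.242/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 120.52.56.124/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# f2b_chain_sources CHAIN   (reads "iptables -S" output on stdin)
# Prints one source address per line, /32 suffix stripped, duplicates removed.
f2b_chain_sources() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $3 == "-s" {
            addr = $4
            sub(/\/32$/, "", addr)
            if (!(addr in seen)) { seen[addr] = 1; print addr }
        }'
}

# ipset_restore_batch SETNAME CHAIN   (reads "iptables -S" output on stdin)
# Emits "create" and "add" lines; feed them to "ipset -exist restore" so that
# an existing set or entry is not reported as an error.
ipset_restore_batch() {
    printf 'create %s hash:ip\n' "$1"
    f2b_chain_sources "$2" | sed "s/^/add $1 /"
}

# count_sources CHAIN: number of distinct addresses found in the sample.
count_sources() {
    printf '%s\n' "$SAMPLE_RULES" | f2b_chain_sources "$1" | wc -l | tr -d ' '
}

# Live usage:  iptables -S | ipset_restore_batch fail2ban-ssh f2b-sshd | ipset -exist restore
printf '%s\n' "$SAMPLE_RULES" | ipset_restore_batch fail2ban-ssh f2b-sshd
```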