Detecting FTP connection attacks with fail2ban: ProFTPD

Edit /etc/proftpd.conf so the ProFTPD FTP server writes its own separate log files
# vim /etc/proftpd.conf
# write the log files
SystemLog                       /var/log/proftpd/proftpd.log
TransferLog                     /var/log/proftpd/xferlog

Restart the ProFTPD server
# service proftpd restart
Shutting down proftpd:                                     [  OK  ]
Starting proftpd:                                          [  OK  ]

The log file can now be seen under /var/log/proftpd
# ls -l /var/log/proftpd/proftpd.log
-rw-r-----. 1 root root 129 Jan  1 14:24 /var/log/proftpd/proftpd.log

Edit the /etc/fail2ban/jail.conf configuration file
# vim /etc/fail2ban/jail.conf
[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
#           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 3
bantime  = 86400

Restart fail2ban
# service fail2ban restart
Stopping fail2ban:                                         [  OK  ]
Starting fail2ban:                                         [  OK  ]

# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:           proftpd-iptables, ssh-iptables

After a few failed login attempts
# fail2ban-client status proftpd-iptables
Status for the jail: proftpd-iptables
|- filter
|  |- File list:        /var/log/proftpd/proftpd.log
|  |- Currently failed: 0
|  `- Total failed:     3
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1

The resulting rule in the firewall
# iptables -t filter -L fail2ban-ProFTPD -n
Chain fail2ban-ProFTPD (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.1          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Detecting FTP connection attacks with fail2ban: vsFTPd

Edit the vsFTPd FTP server configuration
# vim /etc/vsftpd/vsftpd.conf
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
#xferlog_std_format=YES

Restart the vsFTPd FTP server
# service vsftpd restart

Edit the fail2ban configuration
# vim /etc/fail2ban/jail.conf
[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
#           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 86400

Restart fail2ban
# service fail2ban restart

There are now two blocking jails: ssh-iptables and vsftpd-iptables
# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:           ssh-iptables, vsftpd-iptables

Make several failed login attempts from client IP 192.168.1.1 against server IP 192.168.1.9

The detected connection attacks can then be listed for vsftpd-iptables
# fail2ban-client status vsftpd-iptables
Status for the jail: vsftpd-iptables
|- filter
|  |- File list:        /var/log/vsftpd.log
|  |- Currently failed: 0
|  `- Total failed:     5
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1

The resulting rule in the firewall
# iptables -t filter -L fail2ban-VSFTPD -n
Chain fail2ban-VSFTPD (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.1          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Using fail2ban to block SSH connection attacks from the network

Failed root login records in /var/log/secure
# grep Failed /var/log/secure | grep -v invalid | tail -5
Jan  1 01:39:54  sshd[6417]: Failed password for root from 192.168.1.1 port 53355 ssh2
Jan  1 01:39:57  sshd[6417]: Failed password for root from 192.168.1.1 port 53355 ssh2
Jan  1 12:18:38  sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2
Jan  1 12:18:41  sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2
Jan  1 12:18:44  sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2

Configuration:
# vim /etc/fail2ban/jail.conf
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 3
bantime  = 86400

Enable ssh-iptables
enabled = true

filter means the sshd filter is used to check whether the log file contains lines matching the detection patterns (the filters live under /etc/fail2ban/filter.d)
filter   = sshd

action is what to do once a match is detected. Two kinds are listed here: iptables blocks the source with iptables, and sendmail-whois mails the administrator. The definitions of both actions are under /etc/fail2ban/action.d
action   = iptables[name=SSH, port=ssh, protocol=tcp]
Only iptables blocking is used here; no mail is sent to the administrator

The log file where the SSH server records login failures
logpath  = /var/log/secure

maxretry means the source is blocked after 3 failed attempts; bantime = 86400 is how long it stays blocked, in seconds, so 1 day
maxretry = 3
bantime  = 86400
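
As an added illustration (not code from the original post or from fail2ban itself), the jail logic above replayed in Python over constructed /var/log/secure lines: a simplified stand-in for the sshd filter pattern, maxretry = 3, bantime = 86400, and a 600-second findtime, which is fail2ban's default when jail.conf leaves it unset as the config above does. The hostname "server" in the sample lines is a placeholder.

```python
import calendar, re, time
from collections import defaultdict, deque

# Constructed sample in the /var/log/secure format shown above ("server" is a
# stand-in hostname): 192.168.1.1 fails three times within seconds, while
# 66.197.211.18 also fails three times but spread over hours.
SAMPLE_LOG = """\
Jan  1 01:39:54 server sshd[6417]: Failed password for invalid user cacti from 66.197.211.18 port 39463 ssh2
Jan  1 01:39:57 server sshd[6417]: Failed password for invalid user test1 from 66.197.211.18 port 40185 ssh2
Jan  1 12:18:38 server sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2
Jan  1 12:18:41 server sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2
Jan  1 12:18:44 server sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2
Jan  1 12:19:02 server sshd[7939]: Failed password for root from 66.197.211.18 port 40773 ssh2
Jan  1 12:19:05 server sshd[1601]: Accepted password for alice from 10.0.0.5 port 50000 ssh2
"""
# Simplified stand-in for the sshd filter in /etc/fail2ban/filter.d: one
# failed-password pattern, with or without "invalid user", capturing the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_ts(line):
    """Syslog timestamp (no year) -> seconds, enough for relative arithmetic."""
    m = re.match(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)", line)
    if not m:
        return None
    return calendar.timegm(time.strptime(m.group(1), "%b %d %H:%M:%S"))

def scan(log_text, maxretry=3, findtime=600, bantime=86400):
    """Ban a host once it reaches maxretry failures inside a sliding findtime
    window (600 s is fail2ban's default when jail.conf leaves it unset)."""
    recent = defaultdict(deque)   # host -> failure times still inside findtime
    total_failed = defaultdict(int)
    banned = {}                   # host -> time the ban expires
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        ts = parse_ts(line)
        if not m or ts is None:
            continue
        host = m.group("host")
        total_failed[host] += 1
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned[host] = ts + bantime
    return {"banned": banned, "total_failed": dict(total_failed)}
```

Running scan(SAMPLE_LOG) bans only 192.168.1.1, matching the "Total failed" and "IP list" lines of the fail2ban-client status output below, while 66.197.211.18 is counted three times but never banned because its failures fall outside one findtime window.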

Restart the fail2ban service
# service fail2ban restart

Check fail2ban's status
# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           ssh-iptables

List the current firewall rules
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-VSFTPD  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

After client IP 192.168.1.1 has made several failed connection attempts against server IP 192.168.1.9,
list the SSH attacks fail2ban detected
# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 0
|  `- Total failed:     4
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1

List the rules in the fail2ban-SSH chain
# iptables -t filter -L fail2ban-SSH -n
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.1          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

To unban the address manually:
# iptables -D fail2ban-SSH  -s 192.168.1.1 -j DROP

Installing fail2ban to block attack attempts from the network

Once a server is installed and offering services to the outside world, unless a firewall is configured or connection sources are restricted, it is exposed around the clock to all kinds of attack attempts from the network, so suitable tools are needed to help deal with the problem.
Below are attack attempts against SSH
# grep Failed /var/log/secure
sshd[7935]: Failed password for invalid user cacti from 66.197.211.18 port 39463 ssh2
sshd[7937]: Failed password for invalid user test1 from 66.197.211.18 port 40185 ssh2
sshd[7939]: Failed password for root from 66.197.211.18 port 40773 ssh2
sshd[7966]: Failed password for invalid user git from 66.197.211.18 port 41463 ssh2
sshd[7968]: Failed password for invalid user git from 66.197.211.18 port 42190 ssh2
sshd[7970]: Failed password for mysql from 66.197.211.18 port 42754 ssh2
sshd[7972]: Failed password for mysql from 66.197.211.18 port 43388 ssh2

Attacks against the web server
# grep admin /var/log/httpd/error_log
[error] [client 70.87.15.74] File does not exist: /var/www/html/admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/dbadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/myadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/mysqladmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/php-my-admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin1
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin2

There are many tools of this kind, such as SSHBlock, DenyHosts and Fail2ban. They are all good, but the one I chose here is fail2ban, because it supports many common services such as SSH, FTP and Apache.

Fail2ban official site: http://www.fail2ban.org/wiki/index.php/Main_Page
Installation steps:
Taking CentOS 6.x as the example: fail2ban is not in the official package repositories, so the third-party EPEL or RPMforge repository must be installed first
Install the EPEL third-party repository
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

Update the package sources
# yum update

Install fail2ban
# yum install fail2ban

fail2ban is enabled at boot by default
# chkconfig --list fail2ban
fail2ban        0:off   1:off   2:off   3:on    4:on    5:on    6:off

Configuring the firewall on Linux

Previously I wrote the firewall rules in a single script run at boot; now I configure them in /etc/sysconfig/iptables instead, so only the iptables service needs to start at boot.

View the current iptables firewall rules
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As the output above shows, the host is currently wide open, with no protection at all

Edit the iptables firewall rules
1. Change the default policy of the INPUT chain to DROP
# vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Nov 15 11:01:16 2013
*filter
:INPUT DROP [74:5300]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:5360]

Restart the firewall
# service iptables restart

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

2. Open the services this host provides (SSH / Web / DNS / FTP)
# vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Nov 15 11:01:16 2013
*filter
:INPUT DROP [74:5300]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:5360]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,34500:34600 -j ACCEPT
COMMIT
# Completed on Fri Nov 15 11:01:16 2013

Restart the firewall
# service iptables restart
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 20,21,34500:34600

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

3. Start iptables at boot
# chkconfig --level 3 iptables on

Load the related modules (the FTP connection-tracking helper is what lets the ESTABLISHED,RELATED rule above accept FTP data connections)
# grep MOD /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
IPTABLES_MODULES_UNLOAD="yes"

# service iptables restart
iptables:正在清除防火牆規則:                             [  確定  ]
iptables:正在設定 chains 為 ACCEPT 政策:filter           [  確定  ]
iptables:正在卸載模組:                                   [  確定  ]
iptables:正在套用防火牆規則:                             [  確定  ]
iptables:正在載入額外的模組:ip_conntrack_netbios_ns ip_co[  確定  ]p

# lsmod | grep ftp
nf_conntrack_ftp       12913  0
nf_conntrack           79645  5 nf_conntrack_ftp,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_ipv4,xt_state