Using fail2ban to stop brute-force attacks on pure-ftpd and ssh

The system here is CentOS 5.8 x86_64. fail2ban is set up differently on RHEL7/CentOS7; for that see Fail2ban for RHEL7 or Centos7.

Pure-FTPd FTP Server is a very capable FTP server: it supports virtual users with little effort and is highly flexible.

By default pure-ftpd logs through syslog into /var/log/messages, which is inconvenient to analyse, so route pure-ftpd's log into /var/log/secure, where fail2ban can read it alongside sshd's failures. pure-ftpd logs with the syslog facility ftp, which is what the selector below keys on; the messages keep going to /var/log/messages as well unless you add ftp.none to that file's selector.

vim /etc/syslog.conf

ftp.*  /var/log/secure

service syslog restart

The rest is much like any normal fail2ban setup. Before enabling the jails, add your own management address to ignoreip in the [DEFAULT] section, otherwise a typo in your own password locks you out for the whole bantime.

vim /etc/fail2ban/jail.conf

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=lijun@domains.com, sender=from-email-address]
logpath  = /var/log/secure
maxretry = 3

[pure-ftpd]
enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
           sendmail-whois[name=pure-ftpd, dest=lijun@domains.com, sender=from-email-address]
logpath  = /var/log/secure
maxretry = 2
bantime  = 86400

The sendmail-whois line belongs to the same action = setting as the iptables line and must be indented as a continuation. name= is only a label, but it matters: it becomes the iptables chain name fail2ban-<name> and the subject of the notification mail, so keep it distinct per jail rather than copying SSH into the ftp jail.

The filter.d/pure-ftpd.conf that ships with the package does not match pure-ftpd's log lines as written.

pure-ftpd's authentication failure message looks like this:

Apr 11 18:25:22 localhost pure-ftpd: (?@124.207.1.218) [WARNING] Authentication failed for user [lijund]

#####################################################

vim filter.d/pure-ftpd.conf

[Definition]

__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)

failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
ignoreregex =

Testing the stock filter with fail2ban-regex against the log gives no match at all:

fail2ban-regex /etc/fail2ban/filter.d/pure-ftpd.conf /var/log/secure

Running tests

=============

Use regex file : /etc/fail2ban/filter.d/pure-ftpd.conf
Use log file  : /var/log/secure

Results
=======

Failregex
|- Regular expressions:
|  [1] pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur) \[.+\]$
|
`- Number of matches:
[1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

The cause is that the parentheses in the stock failregex are not escaped: (.+?@<HOST>) is a regex capture group, while the log line contains a literal ( and ) around ?@124.207.1.218, so the rule expects a space where the log has ). Escaping them, \(.+?@<HOST>\), is the minimal fix and keeps the optional [pid] part for builds that log it; the narrower rule below is enough for the line shown above and is what is used here:

[Definition]

__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)

failregex = pure-ftpd: \(\?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
ignoreregex =

Test result with the corrected rule:

#########################################

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/pure-ftpd.conf
Use log file  : /var/log/secure

Results
=======

Failregex
|- Regular expressions:
|  [1] pure-ftpd: \(\?@<HOST>\) \[WARNING\] (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur) \[.+\]$
|
`- Number of matches:
[1] 2 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
124.207.1.218 (Thu Apr 11 18:25:22 2013)
124.207.1.218 (Thu Apr 11 18:25:38 2013)

Date template hits:
6411 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 2

#########################################
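As an added worked example (not code from this post or from fail2ban itself), the script below re-implements in Python what fail2ban-regex does for this filter: it expands %(__errmsg)s and <HOST> the way fail2ban 0.8's loader does (the <HOST> expansion is an approximation, not copied from fail2ban), runs the stock rule, the corrected rule above, and a variant with the parentheses escaped and the optional [pid] kept, over constructed log lines (RFC 5737 documentation addresses, not the ones from this post), and then applies the jail's maxretry/findtime logic to decide which address would be banned. The year in the syslog timestamps is an assumption, since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format pure-ftpd writes via syslog (addresses are
# RFC 5737 documentation space, not from any real server). The fourth line carries a
# [pid] after the tag, as some builds log it; the last line is sshd noise the filter
# must ignore.
SAMPLE_LOG = """\
Apr 11 18:25:22 localhost pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [lijund]
Apr 11 18:25:38 localhost pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [lijund]
Apr 11 18:25:40 localhost pure-ftpd: (?@203.0.113.7) [INFO] Logout.
Apr 11 18:26:01 localhost pure-ftpd[2231]: (?@198.51.100.9) [WARNING] Authentication failed for user [admin]
Apr 11 18:26:05 localhost sshd[2240]: Failed password for invalid user test from 198.51.100.9 port 41022 ssh2
"""

# The filter's __errmsg and the three failregex variants discussed in the text.
ERRMSG = r"(?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)"
DEFAULT_FAILREGEX = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$"    # stock: parens unescaped
FIXED_FAILREGEX = r"pure-ftpd: \(\?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"                 # the corrected rule from the post
GENERAL_FAILREGEX = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"  # parens escaped, [pid] kept

# Approximation of what fail2ban 0.8 substitutes for <HOST> (an IPv4 address or hostname,
# optionally behind an IPv4-mapped IPv6 prefix). Assumption for this example.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand %(__errmsg)s and <HOST> as fail2ban's config loader does, then compile."""
    pattern = failregex % {"__errmsg": ERRMSG}
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_syslog_time(line, year):
    """Syslog's 'MONTH Day Hour:Minute:Second' carries no year; the caller supplies one."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def scan(log_text, failregex, maxretry=2, findtime=600, year=2013):
    """Run a failregex over the log and apply the jail's ban rule.

    Returns (matches, banned): matches lists (host, timestamp) for every line the regex
    hit; banned maps host -> timestamp of the failure that reached maxretry within
    findtime seconds, i.e. the moment fail2ban would fire the iptables action.
    """
    regex = compile_failregex(failregex)
    matches = []
    recent = defaultdict(list)  # host -> failure timestamps still inside the findtime window
    banned = {}
    for line in log_text.splitlines():
        m = regex.search(line)  # fail2ban searches, so the syslog prefix before the tag does not matter
        if not m:
            continue
        ts = parse_syslog_time(line, year)
        host = m.group("host")
        matches.append((host, ts))
        if host in banned:
            continue  # already banned; further hits change nothing until bantime expires
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return matches, banned


if __name__ == "__main__":
    for label, rx in (("stock", DEFAULT_FAILREGEX), ("fixed", FIXED_FAILREGEX), ("general", GENERAL_FAILREGEX)):
        matches, banned = scan(SAMPLE_LOG, rx)
        print(f"{label:8s} {len(matches)} match(es); banned: {sorted(banned)}")
```

Run it directly to see the three tallies: the stock rule matches nothing, for the same reason fail2ban-regex reported Sorry, no match, while the other two ban 203.0.113.7 on its second failure (maxretry = 2) sixteen seconds after the first, well inside the default findtime of 600 seconds. Only the general variant also sees the line logged with a [pid]; 198.51.100.9 is not banned there because it has a single failure.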

Restart fail2ban and look at iptables. fail2ban creates one chain per jail, named fail2ban-<name> after the action's name parameter (the chain below came from name=PureFtp), and inserts a jump to it at the top of INPUT. The RETURN rule is the chain's default; banned addresses appear above it as DROP rules, so a chain that only shows RETURN means nothing has been banned yet:

Chain fail2ban-PureFtp (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   120 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Note:

If iptables is restarted (service iptables restart), restart fail2ban as well, otherwise the bans have no effect: restarting iptables flushes the fail2ban-* chains and the jump rules in INPUT, and fail2ban only recreates them when its jails start.
