fail2ban
fail: a failed login when accessing the system.
A tool that bans an IP for a set period of time once it has failed system authentication a certain number of times.
Install
dnf --enablerepo=epel -y install fail2ban
Setting
Settings for referenced files, the socket, e-mail, etc.
vim /etc/fail2ban/fail2ban.conf
Settings for the ban duration, the services to apply to, the ban conditions, the unban conditions, etc.
vim /etc/fail2ban/jail.conf
[sshd]
enabled = true
bantime = 10m
findtime = 10m
maxretry = 5
[DEFAULT]
# use iptables
banaction = iptables-multiport
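To show how bantime, findtime and maxretry work together, here is an added Python simulation of the jail logic above. It is not fail2ban's own code; the failure timestamps and the second source IP 172.16.20.8 are constructed input.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Jail parameters taken from the [sshd] section above.
BANTIME = timedelta(minutes=10)
FINDTIME = timedelta(minutes=10)
MAXRETRY = 5


def simulate_jail(failures, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay (timestamp, ip) login failures through a fail2ban-style jail.

    Returns a time-ordered list of (timestamp, 'Ban'|'Unban', ip) events,
    like the NOTICE lines fail2ban writes to /var/log/fail2ban.log.
    """
    recent = defaultdict(list)  # ip -> failure timestamps inside findtime
    banned_until = {}           # ip -> moment the ban expires
    events = []
    for ts, ip in sorted(failures):
        # Release bans whose bantime has elapsed before this failure.
        for b_ip in [i for i, until in banned_until.items() if until <= ts]:
            events.append((banned_until.pop(b_ip), "Unban", b_ip))
        if ip in banned_until:
            continue  # the firewall rule already rejects this source
        # Only failures within the findtime window count toward maxretry.
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry:
            events.append((ts, "Ban", ip))
            banned_until[ip] = ts + bantime
            recent[ip].clear()
    # Bans still active at the end expire bantime after they were set.
    for b_ip, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
        events.append((until, "Unban", b_ip))
    return events


def sample_failures():
    """Constructed sample: one fast brute-force source, one slow one."""
    t0 = datetime(2024, 11, 21, 14, 32, 0)
    fast = [(t0 + timedelta(seconds=8 * i), "172.16.20.7") for i in range(5)]
    slow = [(t0 + timedelta(minutes=3 * i), "172.16.20.8") for i in range(5)]
    return fast + slow


if __name__ == "__main__":
    for ts, action, ip in simulate_jail(sample_failures()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [sshd] {action} {ip}")
```

The fast source hits maxretry within findtime and is banned for exactly bantime; the slow source never has five failures inside one 10-minute window, so it is never banned.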
Starting
[root@rocky-9 fail2ban]# systemctl start fail2ban.service
[root@rocky-9 fail2ban]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; preset: disabled)
Active: active (running) since Thu 2024-11-21 13:56:48 KST; 12s ago
Docs: man:fail2ban(1)
Process: 270058 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 270059 (fail2ban-server)
Tasks: 5 (limit: 10754)
Memory: 13.9M
CPU: 111ms
CGroup: /system.slice/fail2ban.service
└─270059 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start
11월 21 13:56:48 rocky-9 systemd[1]: Starting Fail2Ban Service...
11월 21 13:56:48 rocky-9 systemd[1]: Started Fail2Ban Service.
11월 21 13:56:48 rocky-9 fail2ban-server[270059]: Server ready
Verifying operation
1. Check for bans in /var/log/fail2ban.log
2024-11-21 14:32:39,255 fail2ban.filter [270906]: INFO [sshd] Found 172.16.20.7 - 2024-11-21 14:32:38
2024-11-21 14:32:39,256 fail2ban.filter [270906]: INFO [sshd] Found 172.16.20.7 - 2024-11-21 14:32:39
2024-11-21 14:32:39,769 fail2ban.actions [270906]: NOTICE [sshd] Ban 172.16.20.7
The ban is visible in the log.
2. Check the firewalld block
[root@rocky-9 fail2ban]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160 ens192
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.16.20.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
For the ipv4 family, TCP access from 172.16.20.7 to port 22 is rejected and an icmp-port-unreachable packet is sent back.
3. Check fail2ban status
[root@rocky-9 fail2ban]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
fail2ban commands
1. IP Unban
fail2ban-client set sshd unbanip 172.16.20.7
2. IP ban
fail2ban-client set sshd banip 172.16.20.0/24
3. Check the services in the jail file
grep '^\[' /etc/fail2ban/jail.conf |tail -n +3
--> Prints the entries enclosed in square brackets.