잉여토끼 2024. 11. 21. 18:41

fail2ban

fail: a login failure when accessing the system.

A tool that blocks an IP from accessing the system for a set period after it fails authentication a given number of times.

 

Install

dnf --enablerepo=epel -y install fail2ban

 

Setting

Settings for referenced files, the socket, e-mail and the like

vim /etc/fail2ban/fail2ban.conf

 

Settings for the ban time, the services to apply to, the ban conditions, the unban conditions and the like

vim /etc/fail2ban/jail.conf

 

[sshd]
enabled = true
# how long a banned IP stays blocked
bantime = 10m
# window in which failures are counted
findtime = 10m
# failures within findtime before a ban
maxretry = 5
[DEFAULT]
# use iptables
banaction = iptables-multiport


Starting

[root@rocky-9 fail2ban]# systemctl start fail2ban.service
[root@rocky-9 fail2ban]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; preset: disabled)
     Active: active (running) since Thu 2024-11-21 13:56:48 KST; 12s ago
       Docs: man:fail2ban(1)
    Process: 270058 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 270059 (fail2ban-server)
      Tasks: 5 (limit: 10754)
     Memory: 13.9M
        CPU: 111ms
     CGroup: /system.slice/fail2ban.service
             └─270059 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start

11월 21 13:56:48 rocky-9 systemd[1]: Starting Fail2Ban Service...
11월 21 13:56:48 rocky-9 systemd[1]: Started Fail2Ban Service.
11월 21 13:56:48 rocky-9 fail2ban-server[270059]: Server ready

 

Checking that it works

1. Check for bans in /var/log/fail2ban.log

2024-11-21 14:32:39,255 fail2ban.filter         [270906]: INFO    [sshd] Found 172.16.20.7 - 2024-11-21 14:32:38
2024-11-21 14:32:39,256 fail2ban.filter         [270906]: INFO    [sshd] Found 172.16.20.7 - 2024-11-21 14:32:39
2024-11-21 14:32:39,769 fail2ban.actions        [270906]: NOTICE  [sshd] Ban 172.16.20.7

The ban log entries can be seen.
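The log lines above are the evidence that a jail fired. As an added example, not code from the original post, the script below summarises a fail2ban.log per jail and IP: how many Found hits each IP collected, whether it was banned and when, whether it has since been unbanned, and whether an IP has already reached maxretry without a Ban (a sign the action failed). The log lines in SAMPLE_LOG are constructed sample data in the format the post shows; 198.51.100.9 and 10.0.0.5 are invented addresses.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise a fail2ban.log
# per jail and IP. SAMPLE_LOG below is constructed sample data in the format
# the post shows (the 198.51.100.9 and 10.0.0.5 entries are invented).

SAMPLE_LOG=$(cat <<'EOF'
2024-11-21 14:32:31,101 fail2ban.filter         [270906]: INFO    [sshd] Found 172.16.20.7 - 2024-11-21 14:32:30
2024-11-21 14:32:33,102 fail2ban.filter         [270906]: INFO    [sshd] Found 172.16.20.7 - 2024-11-21 14:32:32
2024-11-21 14:32:35,103 fail2ban.filter         [270906]: INFO    [sshd] Found 172.16.20.7 - 2024-11-21 14:32:34
2024-11-21 14:32:39,255 fail2ban.filter         [270906]: INFO    [sshd] Found 172.16.20.7 - 2024-11-21 14:32:38
2024-11-21 14:32:39,256 fail2ban.filter         [270906]: INFO    [sshd] Found 172.16.20.7 - 2024-11-21 14:32:39
2024-11-21 14:32:39,769 fail2ban.actions        [270906]: NOTICE  [sshd] Ban 172.16.20.7
2024-11-21 14:40:02,010 fail2ban.filter         [270906]: INFO    [sshd] Found 10.0.0.5 - 2024-11-21 14:40:01
2024-11-21 14:40:05,011 fail2ban.filter         [270906]: INFO    [sshd] Found 10.0.0.5 - 2024-11-21 14:40:04
2024-11-21 14:40:11,020 fail2ban.filter         [270906]: INFO    [sshd] Found 198.51.100.9 - 2024-11-21 14:40:10
2024-11-21 14:40:13,021 fail2ban.filter         [270906]: INFO    [sshd] Found 198.51.100.9 - 2024-11-21 14:40:12
2024-11-21 14:40:15,022 fail2ban.filter         [270906]: INFO    [sshd] Found 198.51.100.9 - 2024-11-21 14:40:14
2024-11-21 14:40:18,023 fail2ban.filter         [270906]: INFO    [sshd] Found 198.51.100.9 - 2024-11-21 14:40:17
2024-11-21 14:40:20,024 fail2ban.filter         [270906]: INFO    [sshd] Found 198.51.100.9 - 2024-11-21 14:40:19
2024-11-21 14:40:20,500 fail2ban.actions        [270906]: NOTICE  [sshd] Ban 198.51.100.9
2024-11-21 14:42:39,900 fail2ban.actions        [270906]: NOTICE  [sshd] Unban 172.16.20.7
EOF
)

# Usage: ban_summary [MAXRETRY] < fail2ban.log
# Prints one sorted line per jail/IP: "<jail> <ip> found=<n> <state>".
ban_summary() {
    awk -v maxretry="${1:-5}" '
        # field layout of a fail2ban log line (as in the post):
        #   $1 date  $2 time  $3 module  $4 [pid]:  $5 LEVEL  $6 [jail]  $7 event  $8 ip
        $7 == "Found" { found[$6 SUBSEP $8]++;           seen[$6 SUBSEP $8] = 1 }
        $7 == "Ban"   { ban[$6 SUBSEP $8]   = $1 " " $2; seen[$6 SUBSEP $8] = 1 }
        $7 == "Unban" { unban[$6 SUBSEP $8] = $1 " " $2; seen[$6 SUBSEP $8] = 1 }
        END {
            for (k in seen) {
                split(k, p, SUBSEP)
                jail = substr(p[1], 2, length(p[1]) - 2)   # strip the [ ] around the jail name
                n = found[k] + 0
                if (k in unban)         state = "unbanned " unban[k]
                else if (k in ban)      state = "banned " ban[k]
                else if (n >= maxretry) state = "NOT BANNED (check the jail)"
                else                    state = "watching"
                printf "%s %s found=%d %s\n", jail, p[2], n, state
            }
        }' | sort
}

# IPs that were banned and not yet unbanned. Usage: currently_banned < fail2ban.log
currently_banned() {
    ban_summary | awk '$4 == "banned" { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | ban_summary 5
printf '%s\n' "$SAMPLE_LOG" | currently_banned
```

Run it against the real file with `ban_summary 5 < /var/log/fail2ban.log`; pass the jail's maxretry as the argument so the NOT BANNED state reflects your own threshold. The timestamps it reports are the log's own (with the millisecond suffix), so they can be matched directly against the firewall state.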

 

2. Check the block in firewalld

[root@rocky-9 fail2ban]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.20.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

For the ipv4 family, TCP connections from 172.16.20.7 to port 22 (ssh) are rejected and an icmp-port-unreachable packet is sent back.
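The rich rule above is what fail2ban's firewallcmd-rich-rules action adds, and it is a runtime rule only: a firewall-cmd --reload discards it while fail2ban still lists the IP as banned. As an added example, not code from the original post, the script below parses firewall-cmd --list-all output for the sources that rich rules reject on the ssh port and reports any banned IP that has no rule left. Both inputs are constructed sample data: FIREWALL_SAMPLE mimics the post's output with two extra invented rules, and BANNED_SAMPLE stands in for the list fail2ban-client get sshd banip prints (198.51.100.9, 192.0.2.50 and 203.0.113.4 are invented addresses).

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check the IPs fail2ban
# believes are banned against the rich rules firewalld actually holds.
# Both inputs are constructed sample data.

# Constructed `firewall-cmd --list-all` output in the format the post shows.
FIREWALL_SAMPLE=$(cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.20.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="198.51.100.9" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="192.0.2.50" port port="http" protocol="tcp" accept
EOF
)

# Constructed stand-in for `fail2ban-client get sshd banip` (space-separated IPs).
BANNED_SAMPLE="172.16.20.7 198.51.100.9 203.0.113.4"

# Source addresses that a rich rule rejects or drops on PORT (default: ssh).
# Usage: rich_rule_sources [PORT] < firewall-cmd-output
rich_rule_sources() {
    awk -v port="${1:-ssh}" '
        /^[ \t]*rule / && index($0, "port=\"" port "\"") && /(reject|drop)/ {
            if (match($0, /source address="[^"]*"/)) {
                # RSTART points at: source address="...", 16 chars of prefix, 1 of closing quote
                print substr($0, RSTART + 16, RLENGTH - 17)
            }
        }'
}

# Banned IPs that have no rejecting rich rule on ssh.
# Usage: missing_rules FIREWALL_OUTPUT IP...
missing_rules() {
    present=$(printf '%s\n' "$1" | rich_rule_sources ssh); shift
    for ip in "$@"; do
        printf '%s\n' "$present" | grep -Fqx "$ip" || echo "$ip"
    done
    return 0
}

printf '%s\n' "$FIREWALL_SAMPLE" | rich_rule_sources ssh     # 172.16.20.7 and 198.51.100.9
missing_rules "$FIREWALL_SAMPLE" $BANNED_SAMPLE               # 203.0.113.4: banned but no rule
```

On a live host the same check is `missing_rules "$(firewall-cmd --list-all)" $(fail2ban-client get sshd banip)`; a non-empty result after a firewalld reload means the bans exist only in fail2ban's database, and restarting fail2ban re-applies them.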

 

3. Check the fail2ban status

[root@rocky-9 fail2ban]# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd


fail2ban commands

1. Unban an IP

fail2ban-client set sshd unbanip 172.16.20.7

 

2. Ban an IP (a whole network may be given in CIDR form)

fail2ban-client set sshd banip 172.16.20.0/24

 

3. Check the services in the jail file

grep '^\[' /etc/fail2ban/jail.conf |tail -n +3

--> Prints the section headers enclosed in square brackets (tail -n +3 skips the first two).
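The grep above lists every section in jail.conf, but which jails are actually enabled, and with which ban action, depends on more than that one file: fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, and the last value wins, with a key inside a jail section beating the same key in [DEFAULT]. That is why the Setting section's banaction = iptables-multiport in jail.conf still produced a firewalld rich rule: the EPEL fail2ban-firewalld package installs /etc/fail2ban/jail.d/00-firewalld.conf, which sets banaction = firewallcmd-rich-rules. As an added example, not code from the original post, the script below models that merge on a constructed directory tree (the file contents mimic the Rocky 9 layout but are sample data) and lists the jails whose effective enabled value is true.

```shell
#!/bin/sh
# Added example, not code from the original post: a stand-alone model of how
# fail2ban merges its jail configuration. Read order is
#   jail.conf -> jail.d/*.conf -> jail.local -> jail.d/*.local
# and the last value wins; a key in a jail section beats [DEFAULT].
# make_sample_tree writes constructed sample files, not the real ones.

# Build a throw-away tree in DIR that stands in for /etc/fail2ban.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/jail.d"
    # stock jail.conf: defaults only, no jail enabled, iptables-based ban action
    cat > "$dir/jail.conf" <<'EOF'
[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
banaction = iptables-multiport

[sshd]
port = ssh

[apache-auth]
port = http,https
EOF
    # installed by the fail2ban-firewalld subpackage: overrides the banaction above
    cat > "$dir/jail.d/00-firewalld.conf" <<'EOF'
[DEFAULT]
banaction = firewallcmd-rich-rules
banaction_allports = firewallcmd-rich-rules
EOF
    # site settings belong here rather than in jail.conf, which package updates replace
    cat > "$dir/jail.local" <<'EOF'
[sshd]
enabled = true
maxretry = 3

[apache-auth]
enabled = false
EOF
}

# Print the configuration files fail2ban would read, in read order.
config_files() {
    dir="$1"
    [ -f "$dir/jail.conf" ] && echo "$dir/jail.conf"
    for f in "$dir"/jail.d/*.conf; do [ -f "$f" ] && echo "$f"; done
    [ -f "$dir/jail.local" ] && echo "$dir/jail.local"
    for f in "$dir"/jail.d/*.local; do [ -f "$f" ] && echo "$f"; done
    return 0
}

# Effective value of KEY for jail SECTION. Usage: effective_value DIR SECTION KEY
effective_value() {
    dir="$1"; want="$2"; key="$3"
    set -- $(config_files "$dir")
    awk -v want="$want" -v key="$key" '
        FNR == 1 { sec = "" }                        # keys before any header are ignored
        /^\[/    { sec = substr($0, 2, index($0, "]") - 2); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }         # comments and blank lines
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sec == want) sv = v; else if (sec == "DEFAULT") dv = v
        }
        END { print (sv != "" ? sv : dv) }' "$@"
}

# List every jail whose effective "enabled" is true. Usage: enabled_jails DIR
enabled_jails() {
    dir="$1"
    set -- $(config_files "$dir")
    for sec in $(awk '/^\[/ { s = substr($0, 2, index($0, "]") - 2)
                             if (s != "DEFAULT" && s != "INCLUDES") print s }' "$@" | sort -u); do
        [ "$(effective_value "$dir" "$sec" enabled)" = "true" ] && echo "$sec"
    done
    return 0
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "sshd banaction: $(effective_value "$tmp" sshd banaction)"   # firewallcmd-rich-rules, not iptables-multiport
echo "sshd maxretry:  $(effective_value "$tmp" sshd maxretry)"    # 3: jail.local beats [DEFAULT]
echo "enabled jails:  $(enabled_jails "$tmp" | tr '\n' ' ')"      # sshd
rm -rf "$tmp"
```

Point the functions at the real directory (`enabled_jails /etc/fail2ban`, `effective_value /etc/fail2ban sshd banaction`) to see what a jail will actually use; the authoritative answer on a running server is `fail2ban-client get sshd actions`, and `fail2ban-client --test` validates the merged configuration before a restart.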