In the previous test I installed and enabled the intrusion-detection software Fail2ban, but the current custom configuration file jail.local only monitors sshd access. My Mapleboard host serves mainly as a Python web server, using an Nginx + Gunicorn architecture; as the client-facing server, Nginx has to withstand many attacks from the Internet, so Fail2ban needs further configuration.

I asked an AI which kinds of attacks a web server host should monitor for; the jails it suggested are listed in the table below:
| Jail name | Reason and what it protects |
|---|---|
| sshd | Protects SSH (still required even when using a non-22 port such as 2222) |
| nginx-404 | Blocks bots that hit large numbers of non-existent URLs in a short time, e.g. scanning for WordPress, admin.php, etc. |
| nginx-badbots | Detects common vulnerability scanners (sqlmap, acunetix, curl, wget, etc.) |
| nginx-noscript | Blocks requests for .php, .asp, .jsp files (a Python web server should never receive such requests) |
| recidive | If an IP is repeatedly banned by several jails, ban it for a long period (e.g. 24 hours) |
sshd is already monitored in the custom configuration file from the previous test, so we only need to add monitoring rules for the remaining four.

1. Update the custom configuration file jail.local:

Edit /etc/fail2ban/jail.local with nano and enter the following settings for the five jails:
```ini
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
bantime = 1h
findtime = 10m

[nginx-404]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 10
findtime = 10m
bantime = 1h

[nginx-badbots]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 1
findtime = 1d
bantime = 1d

[nginx-noscript]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3
findtime = 10m
bantime = 1h

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
bantime = 86400 ; 1 day
findtime = 1d
maxretry = 5
```
Press Ctrl+O to save, then Ctrl+X to exit nano.

2. Create the filters for the jails:

Of the five jails above, sshd and recidive already have built-in filter rules, which you can check with ls:
```
tony1966@LX2438:~$ ls -ls /etc/fail2ban/filter.d/sshd.conf
8 -rw-r--r-- 1 root root 7518 Nov 24 2020 /etc/fail2ban/filter.d/sshd.conf
tony1966@LX2438:~$ ls -ls /etc/fail2ban/filter.d/recidive.conf
4 -rw-r--r-- 1 root root 1374 Nov 24 2020 /etc/fail2ban/filter.d/recidive.conf
```
The other three Nginx-related jails need filters created by hand; edit each of them with nano.

First create the nginx-404.conf filter:

```
tony1966@LX2438:~$ sudo nano /etc/fail2ban/filter.d/nginx-404.conf
[sudo] tony1966 的密碼:
```

Enter the following:
```ini
[Definition]
failregex = <HOST> -.*"(GET|POST).+" 404
ignoreregex =
```
Press Ctrl+O to save, then Ctrl+X to exit nano.

Next create the nginx-badbots.conf filter:

```
tony1966@LX2438:~$ sudo nano /etc/fail2ban/filter.d/nginx-badbots.conf
[sudo] tony1966 的密碼:
```

Enter the following:
```ini
[Definition]
failregex = <HOST> -.*"(GET|POST).*(wget|curl|nikto|acunetix|sqlmap|nessus|libwww|httprint|nmap|python-requests|masscan).*"
ignoreregex =
```
Press Ctrl+O to save, then Ctrl+X to exit nano.

Finally create the nginx-noscript.conf filter:

```
tony1966@LX2438:~$ sudo nano /etc/fail2ban/filter.d/nginx-noscript.conf
[sudo] tony1966 的密碼:
```

Enter the following:
```ini
[Definition]
failregex = <HOST> -.*"(GET|POST).*\.(php|asp|aspx|jsp|exe|sh).*" 404
ignoreregex =
```
Press Ctrl+O to save, then Ctrl+X to exit nano.
When done, restart Fail2ban:
```
tony1966@LX2438:~$ sudo systemctl restart fail2ban
```
Use the following command to confirm that fail2ban is running:
```
tony1966@LX2438:~$ sudo fail2ban-client status
Status
|- Number of jail:      5
`- Jail list:   nginx-404, nginx-badbots, nginx-noscript, recidive, sshd
```
As can be seen, all five jails are running.

Check the status of each jail:
```
tony1966@LX2438:~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 8
   |- Total banned:     8
   `- Banned IP list:   103.246.240.30 112.219.151.50 190.181.25.210 195.178.110.108 198.46.249.175 36.255.220.141 43.251.16.252 51.161.153.48
tony1966@LX2438:~$ sudo fail2ban-client status nginx-404
Status for the jail: nginx-404
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
tony1966@LX2438:~$ sudo fail2ban-client status nginx-badbots
Status for the jail: nginx-badbots
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     14
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 9
   |- Total banned:     9
   `- Banned IP list:   45.135.194.11 91.208.197.21 34.140.118.106 87.121.84.34 8.211.48.8 35.189.229.15 170.64.164.209 8.222.163.149 197.17.13.7
tony1966@LX2438:~$ sudo fail2ban-client status nginx-noscript
Status for the jail: nginx-noscript
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
tony1966@LX2438:~$ sudo fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed: 9
|  |- Total failed:     9
|  `- File list:        /var/log/fail2ban.log
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   114.220.238.224 195.178.110.160 196.251.71.131
```
As can be seen, apart from nginx-noscript, the other 4 jails have already banned quite a few IPs.