fail2ban: banning IPs for HTTP

Posted 2012-01-19 21:32
Environment: the HTTP service is a Tomcat JS application; the access log is at /opt/tomcat5/logs/localhost_access_log.txt. OS: CentOS 5.3. fail2ban version: fail2ban-0.8.2-3.el5.rf.noarch.rpm; official site: http://www.fail2ban.org/wiki/index.php/Main_Page

Background: detect other people's malicious requests promptly and block them.

Steps:

1. Install fail2ban
I took a detour here: installing from the source tarball gave errors. You can download the package from http://packages.sw.be/fail2ban/


# rpm -ivh fail2ban-0.8.2-3.el5.rf.noarch.rpm



2. Configure a custom fail2ban filter rule
Looking at /opt/tomcat5/logs/localhost_access_log.txt, the malicious requests look like this:

192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063



Judging from the behaviour, this is a burst of requests in quick succession that make the server return HTTP 404 (file not found). Below is the fail2ban filter rule for detecting this attack; create the file tomcat.conf in /etc/fail2ban/filter.d/ with the following content:


[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =


3. Test the fail2ban filter rule


# fail2ban-regex /opt/tomcat5/logs/localhost_access_log.txt /etc/fail2ban/filter.d/tomcat.conf


The result:


Running tests
=============

Use regex file : /etc/fail2ban/filter.d/tomcat.conf
Use log file   : /opt/tomcat5/logs/localhost_access_log.txt


Results
=======

Failregex
|- Regular expressions:
|  [1]  -.*- .*HTTP/1.* 404 .*$
|
`- Number of matches:
   [1] 13 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    192.168.32.41 (Fri Sep 10 18:10:59 2010)
    192.168.32.41 (Fri Sep 10 18:11:27 2010)
    192.168.32.41 (Fri Sep 10 18:11:27 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:30 2010)
    192.168.32.41 (Fri Sep 10 18:11:30 2010)
    192.168.32.41 (Fri Sep 10 18:27:44 2010)
    192.168.32.41 (Fri Sep 10 18:27:47 2010)
    192.168.32.41 (Fri Sep 10 18:27:50 2010)
    192.168.32.41 (Fri Sep 10 18:27:53 2010)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
130 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 13

However, look at the above section 'Running tests' which could contain important
information.


4. Activate the fail2ban rule

The test results show that the attacking node's IP address and the attack times are detected correctly, so the fail2ban configuration can now be changed to activate the rule. Here is the content of my /etc/fail2ban/jail.local:


[tomcat]
enabled  = true
port     = http,https
filter   = tomcat
action   = iptables[name=tomcat, port=8080, protocol=tcp]
           sendmail-whois[name=tomcat, dest=abc@mail.com]
maxretry = 2
logpath  = /opt/tomcat5/logs/localhost_access_log.txt
bantime  = 1800


This enables the iptables action and sends mail to the administrator.

5. Test the effect

Request two bad links, then check the fail2ban log:


2010-09-10 18:33:30,156 fail2ban.actions.action: INFO   Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail  has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f  
2010-09-10 18:33:30,157 fail2ban.actions.action: INFO   Set actionUnban =
2010-09-10 18:33:30,158 fail2ban.actions.action: INFO   Set actionCheck =
2010-09-10 18:33:31,546 fail2ban.actions: WARNING [tomcat] Ban 192.168.32.41


The administrator's mailbox has also received the mail; its content is roughly:


Hi,

The IP 192.168.32.41 has just been banned by Fail2Ban after
4 attempts against tomcat.


Here are more information about 192.168.32.41:

[Querying whois.arin.net]
[whois.arin.net]
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 192.168.32.41"
#
# Use "?" to get help.


6. Done.

The above is just a little something written for my own needs; there are many other features you can explore yourselves.



PS. This is my first post on LT, just a small contribution to get the discussion going. Also, many thanks to NETSEEK for the help last night.
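The procedure above (a failregex in the filter, then maxretry and bantime in the jail) can be reproduced offline to see exactly which lines match and when a ban fires. The following Python script is an added example, not code from the post or from fail2ban itself. It expands the post's <HOST> tag the way fail2ban 0.8 does, applies the post's failregex to a constructed sample log (the 192.168.32.41 lines are modelled on the ones quoted in the post; the other hosts and requests are invented), and models a jail with the post's maxretry = 2 and bantime = 1800 plus fail2ban's default findtime of 600 seconds, which the post does not set. The ignoreregex for /favicon.ico is an assumption added to show what the empty ignoreregex in the post leaves exposed: every 404 counts, including a browser's automatic favicon request. The ban bookkeeping is a simplified model of fail2ban's, not its actual implementation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filter definition from the post's /etc/fail2ban/filter.d/tomcat.conf.
FAILREGEX = r"<HOST> -.*- .*HTTP/1.* 404 .*$"
# The post leaves ignoreregex empty. This one is an assumption added for
# illustration: browsers request /favicon.ico on their own, and a missing
# favicon would otherwise count as an attack attempt.
IGNOREREGEX = r'"GET /favicon\.ico HTTP/1\.[01]" 404'

# What fail2ban 0.8 substitutes for the <HOST> tag: an optional IPv4-mapped
# IPv6 prefix, then the address as a run of non-space characters.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Timestamp as written by Tomcat's access log valve (common/combined pattern).
TIME_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_filter(failregex, ignoreregex=""):
    """Turn a fail2ban filter definition into compiled Python regexes."""
    fail = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fail, ignore


def match_failure(line, fail, ignore):
    """Return (host, timestamp) when a log line counts as a failure, else None."""
    if ignore is not None and ignore.search(line):
        return None
    m = fail.search(line)
    if m is None:
        return None
    t = TIME_RE.search(line)
    if t is None:
        return None
    ts = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts


def find_bans(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX,
              maxretry=2, findtime=600, bantime=1800):
    """Simplified model of a fail2ban jail: ban a host once it accumulates
    maxretry failures inside a sliding findtime window. maxretry and bantime
    are the post's jail.local values; findtime is fail2ban's default (600 s),
    which the post does not override. Returns a list of (host, ban_time)."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in lines:
        hit = match_failure(line, fail, ignore)
        if hit is None:
            continue
        host, ts = hit
        if host in banned_until and ts < banned_until[host]:
            continue                 # already blocked by the iptables action
        recent = failures[host]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()         # drop failures older than findtime
        if len(recent) >= maxretry:
            bans.append((host, ts))
            banned_until[host] = ts + timedelta(seconds=bantime)
            recent.clear()
    return bans


# Constructed sample log. The 192.168.32.41 lines follow the post; the
# 10.0.0.x hosts and their requests are invented for the example.
SAMPLE_LOG = [
    # one 404, then another twenty minutes later: outside findtime, no ban
    '10.0.0.9 - - [10/Sep/2010:18:00:00 +0800] "GET /old.jsp HTTP/1.1" 404 1063',
    # ordinary browser: a real page, an automatic favicon request, one typo
    '10.0.0.7 - - [10/Sep/2010:18:11:20 +0800] "GET /index.jsp HTTP/1.1" 200 5120',
    '10.0.0.7 - - [10/Sep/2010:18:11:21 +0800] "GET /favicon.ico HTTP/1.1" 404 1063',
    '10.0.0.7 - - [10/Sep/2010:18:11:25 +0800] "GET /typo.jsp HTTP/1.1" 404 1063',
    # the scanner from the post: repeated 404s within seconds
    '192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063',
    '192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063',
    '192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063',
    '10.0.0.9 - - [10/Sep/2010:18:20:00 +0800] "GET /old.jsp HTTP/1.1" 404 1063',
]

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG):
        print(f"Ban {host} at {when:%Y-%m-%d %H:%M:%S}")
```

Run directly, the script bans only 192.168.32.41, at its second 404 (18:11:27): the host whose two 404s are twenty minutes apart never has two inside the 600 s window, and the browser's second 404 was the ignored favicon. Calling find_bans(SAMPLE_LOG, ignoreregex="") reproduces the post's configuration literally and bans the browser as well, which is the kind of check worth doing with fail2ban-regex on a day of real traffic before enabling a jail with maxretry = 2.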


#2, posted 2012-01-19 21:53
Thanks for sharing.