Blocking brute-force sshd login attempts on a Linux server – fail2ban


Installing fail2ban and basic configuration

fail2ban watches a chosen service on a Linux server and, when that service is hit with an excessive number of password attempts, automatically blocks the offending IP in iptables or firewalld.

1. Installation

# yum install -y fail2ban fail2ban-systemd whois 

If bans are to be managed with iptables, remove the firewalld configuration:

# rm -f /etc/fail2ban/jail.d/00-firewalld.conf

Enable and start the service:

# systemctl enable fail2ban
# systemctl start fail2ban 

2. Configuration

# cd /etc/fail2ban/

Settings can be written directly into jail.conf, but a package update can overwrite that file and reset them. Leave the default configuration untouched and apply the site-specific settings on top of it in jail.local.

# vi jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.201.0/24 192.168.123.0/24  ## allowed IP ranges, never banned
bantime = 10800 ## how long an IP stays banned once maxretry attempts are seen within findtime
findtime = 600  ## observation window in seconds
maxretry = 5    ## failures within findtime that trigger a ban
backend = polling  ## valid backends: auto, pyinotify, gamin, polling, systemd
destemail = alang@clunx.com   
sender = admin@clunix.com
mta = sendmail
action = %(action_mwl)s  ## ban, and mail a report with whois data and the matching log lines

[sshd]
enabled = true
port = ssh,22

[dovecot]
enabled = true

[postfix]
enabled = true

[postfix-sasl]
enabled = true
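The findtime/maxretry pair above is the whole detection rule: an IP is banned once it produces maxretry failures inside any findtime-second window. The following script is an added example, not code from the post, that replays that rule over a constructed sample of /var/log/secure lines (hypothetical hostname, documentation-range IPs) so the effect of widening the window can be seen without touching a live server. It assumes the lines all fall on the same day, so only the time of day is parsed.

```shell
#!/bin/sh
# Added example, not part of the original post: replays the findtime/maxretry
# logic of the sshd jail over constructed log lines.

# Constructed sample in /var/log/secure format (hypothetical host, documentation
# IPs). All entries fall on one day, so the window check only needs HH:MM:SS.
SAMPLE_LOG='Mar  3 09:00:00 host sshd[2001]: Failed password for root from 192.0.2.9 port 30000 ssh2
Mar  3 09:30:00 host sshd[2002]: Failed password for root from 192.0.2.9 port 30001 ssh2
Mar  3 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40212 ssh2
Mar  3 10:00:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40220 ssh2
Mar  3 10:00:05 host sshd[2103]: Failed password for root from 203.0.113.5 port 40231 ssh2
Mar  3 10:00:09 host sshd[2104]: Failed password for root from 203.0.113.5 port 40240 ssh2
Mar  3 10:00:12 host sshd[2105]: Failed password for root from 203.0.113.5 port 40251 ssh2
Mar  3 10:01:00 host sshd[2110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:00 host sshd[2111]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Mar  3 10:10:00 host sshd[2003]: Failed password for root from 192.0.2.9 port 30002 ssh2
Mar  3 10:10:01 host sshd[2004]: Failed password for root from 192.0.2.9 port 30003 ssh2
Mar  3 10:10:02 host sshd[2005]: Failed password for root from 192.0.2.9 port 30004 ssh2'

# detect_bruteforce MAXRETRY FINDTIME   (log lines on stdin)
# Prints, one per line and in the order they cross the threshold, every IP that
# accumulates MAXRETRY "Failed password" lines inside a sliding FINDTIME-second
# window. This is the decision the sshd jail makes before calling the ban action.
detect_bruteforce() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")                       # $3 is HH:MM:SS
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++)               # the IP follows the word "from"
                if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            if (!(ip in head)) head[ip] = 1
            n[ip]++
            ts[ip, n[ip]] = secs
            # slide the window: forget failures older than findtime seconds
            while (ts[ip, head[ip]] < secs - findtime) head[ip]++
            if (n[ip] - head[ip] + 1 >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# With the settings from jail.local (maxretry = 5, findtime = 600) only the
# fast burst is caught; 192.0.2.9 spreads its five failures over 70 minutes and
# is caught only when the window is widened.
printf '%s\n' "$SAMPLE_LOG" | detect_bruteforce 5 600    # 203.0.113.5
printf '%s\n' "$SAMPLE_LOG" | detect_bruteforce 5 7200   # 203.0.113.5 then 192.0.2.9
```

The slow source in the sample is the reason the recidive filter exists in the listing below: a low-and-slow attacker stays under maxretry within findtime, and only a longer window over the fail2ban log itself catches the repeat offender.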

Among the filters that ship with fail2ban, enable the jails for the services you actually run, such as dovecot and postfix.

sshd should always be enabled.

The filters provided by default are listed below.

# ls /etc/fail2ban/filter.d/

3proxy.conf                counter-strike.conf  haproxy-http-auth.conf  pam-generic.conf        sogo-auth.conf
apache-auth.conf           courier-auth.conf    horde.conf              perdition.conf          solid-pop3d.conf
apache-badbots.conf        courier-smtp.conf    ignorecommands          php-url-fopen.conf      squid.conf
apache-botsearch.conf      cyrus-imap.conf      kerio.conf              phpmyadmin-syslog.conf  squirrelmail.conf
apache-common.conf         directadmin.conf     lighttpd-auth.conf      portsentry.conf         sshd.conf
apache-fakegooglebot.conf  domino-smtp.conf     mongodb-auth.conf       postfix.conf            stunnel.conf
apache-modsecurity.conf    dovecot.conf         monit.conf              proftpd.conf            suhosin.conf
apache-nohome.conf         dropbear.conf        murmur.conf             pure-ftpd.conf          tine20.conf
apache-noscript.conf       drupal-auth.conf     mysqld-auth.conf        qmail.conf              traefik-auth.conf
apache-overflows.conf      ejabberd-auth.conf   nagios.conf             recidive.conf           uwimap-auth.conf
apache-pass.conf           exim-common.conf     named-refused.conf      roundcube-auth.conf     vsftpd.conf
apache-shellshock.conf     exim-spam.conf       nginx-botsearch.conf    screensharingd.conf     webmin-auth.conf
assp.conf                  exim.conf            nginx-http-auth.conf    selinux-common.conf     wuftpd.conf
asterisk.conf              freeswitch.conf      nginx-limit-req.conf    selinux-ssh.conf        xinetd-fail.conf
bitwarden.conf             froxlor-auth.conf    nsd.conf                sendmail-auth.conf      znc-adminlog.conf
botsearch-common.conf      groupoffice.conf     openhab.conf            sendmail-reject.conf    zoneminder.conf
centreon.conf              gssftpd.conf         openwebmail.conf        sieve.conf
common.conf                guacamole.conf       oracleims.conf          slapd.conf

Once the configuration is complete, restart the fail2ban service.

# systemctl restart fail2ban

Check that it is running.

# fail2ban-client status

Status
|- Number of jail:	4
`- Jail list:	dovecot, postfix, postfix-sasl, sshd

Four jails are currently registered. Next, check the status of the sshd jail.

# fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed:	15
|  |- Total failed:	125
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	8
   |- Total banned:	8
   `- Banned IP list:	111.61.241.100 165.22.69.147 37.187.12.126 139.59.40.240 139.59.68.15 27.191.237.67 217.182.79.176 119.29.16.190

Several IPs made brute-force attempts against sshd and have been banned.

Verify that the ban rules have actually been added to iptables.

# iptables -nL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22,22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  182.151.41.208       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  45.131.108.196       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  140.143.136.41       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  1.194.238.226        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  54.38.139.210        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  104.248.205.24       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  46.101.245.176       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  217.182.79.176       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  139.59.40.240        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.187.12.126        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  27.191.237.67        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  165.22.69.147        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  139.59.68.15         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  119.29.16.190        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.61.241.100       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0      
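Comparing the two outputs above by eye is error-prone: the jail reports 8 banned addresses while the f2b-sshd chain holds 15 REJECT rules. The script below is an added example, not code from the post, that parses constructed samples in the format of "fail2ban-client status sshd" and "iptables -nL" (documentation-range IPs) and reports addresses the jail believes are banned but that have no rule, and rules that belong to no current ban. The field parsing handles both the tabs fail2ban prints and plain spaces.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-checks the jail's banned
# list against the rules actually present in the chain it manages.

# Constructed sample of "fail2ban-client status sshd" output (documentation IPs).
STATUS_OUT='Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     40
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   203.0.113.5 198.51.100.7 192.0.2.9'

# Constructed sample of "iptables -nL" output: one rule (203.0.113.77) has no
# matching ban, and one ban (198.51.100.7) has no matching rule.
IPTABLES_OUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.5          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  192.0.2.9            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.77         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# jail_banned_ips   (status output on stdin) -> sorted IPs from "Banned IP list:"
jail_banned_ips() {
    awk -F'Banned IP list:' 'NF > 1 {
        n = split($2, a, " ")          # " " splits on any run of blanks or tabs
        for (i = 1; i <= n; i++) print a[i]
    }' | sort
}

# chain_banned_ips CHAIN   (iptables -nL output on stdin)
# -> sorted source addresses of REJECT/DROP rules inside CHAIN only
chain_banned_ips() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && ($1 == "REJECT" || $1 == "DROP") { print $4 }
    ' | sort
}

# ban_drift STATUS_TEXT IPTABLES_TEXT CHAIN
# Prints "missing <ip>" for a ban with no rule and "stale <ip>" for a rule
# with no ban; prints nothing when the two views agree.
ban_drift() {
    {
        printf '%s\n' "$1" | jail_banned_ips | sed 's/^/J /'
        printf '%s\n' "$2" | chain_banned_ips "$3" | sed 's/^/C /'
    } | awk '
        $1 == "J" && $2 != "" { j[$2] = 1 }
        $1 == "C" && $2 != "" { c[$2] = 1 }
        END {
            for (ip in j) if (!(ip in c)) print "missing " ip
            for (ip in c) if (!(ip in j)) print "stale " ip
        }' | sort
}

ban_drift "$STATUS_OUT" "$IPTABLES_OUT" f2b-sshd
# missing 198.51.100.7
# stale 203.0.113.77
```

On a live host the same functions are fed with "fail2ban-client status sshd" and "iptables -nL" instead of the embedded samples. A "missing" entry means the jail thinks an address is blocked while traffic from it still reaches sshd; a "stale" entry is a rule fail2ban no longer tracks and will not expire on its own, which is what to look for when the two counts disagree as they do in the output above.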

If fail2ban has banned a legitimate IP, it can be unbanned as follows.

# fail2ban-client set sshd unbanip x.x.x.x


Seo Jin-woo

Clunix, a supercomputing company / Executive Director (Technical Director) / Certified Information Systems Auditor / operator of the Syszone blog


41 Responses

  1. REDINFO says:

    Thank you so much ^^
    Recently the server logs were filling up very quickly, and when I looked, brute-force attacks were coming in from all over the place.
    Using fail2ban solved it easily.

    In particular, the IPs showing up in the postfix sasl log kept piling up even after I blocked them in iptables,
    but that has gone away too.

    Thank you for the useful information.
