How to harden HAProxy with Fail2ban?

1 Introduction

One problem, one article, one story.
Our production environment uses HAProxy in front of an sftp service; the setup is described in the following section,

How to proxy sftp with HAProxy?


Today the author checked the HAProxy log with the following command,

less /var/log/haproxy/haproxy.log

and found a single IP producing a large volume of connection entries like these,

#...
Jun 14 11:07:53 localhost haproxy[1497]: 94.156.64.165:56082 [14/Jun/2024:11:07:48.940] sftp_115 sftp_115/sftp01 1/0/4127 1829 -- 1/1/0/0/0 0/0
Jun 14 11:07:59 localhost haproxy[1497]: 94.156.64.165:33678 [14/Jun/2024:11:07:54.749] sftp_115 sftp_115/sftp01 1/0/5135 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:04 localhost haproxy[1497]: 94.156.64.165:39510 [14/Jun/2024:11:08:01.097] sftp_115 sftp_115/sftp01 1/0/3551 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:11 localhost haproxy[1497]: 94.156.64.165:45352 [14/Jun/2024:11:08:07.062] sftp_115 sftp_115/sftp01 1/0/4014 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:16 localhost haproxy[1497]: 94.156.64.165:51188 [14/Jun/2024:11:08:13.182] sftp_115 sftp_115/sftp01 1/0/3737 1829 -- 1/1/0/0/0 0/0

Counting the lines from that IP with wc,

grep 94.156.64.165 /var/log/haproxy/haproxy.log | wc -l

shows a very large number of attempts,

29716

Searching the sftp server's own auth log for failed-password entries,

grep "Failed password for invalid user" /var/log/secure

shows many password-guessing attempts on the sftp server. Note the source address in these entries: it is 10.168.0.169, the internal address the proxied connections arrive from, not the attacker's 94.156.64.165. The backend cannot tell which client is guessing, so a Fail2ban jail on sftp01 could at best ban the proxy itself; the ban has to be applied on the HAProxy host, where the real client address is logged,

#...
Jun 14 11:16:44 sftp01 sftpd[1219373]: Failed password for invalid user lsy from 10.168.0.169 port 37310 ssh2
Jun 14 11:19:48 sftp01 sftpd[1241473]: Failed password for invalid user csh from 10.168.0.169 port 39034 ssh2
Jun 14 11:19:55 sftp01 sftpd[1242184]: Failed password for invalid user muqingdian from 10.168.0.169 port 51466 ssh2
Jun 14 11:21:16 sftp01 sftpd[1248039]: Failed password for invalid user pmy from 10.168.0.169 port 60956 ssh2
Jun 14 11:22:08 sftp01 sftpd[1253900]: Failed password for invalid user wangyinuo from 10.168.0.169 port 39026 ssh2

2 Best practice

2.1 Environment

Install Fail2Ban as described in the following section,

How to install and configure Fail2ban?

2.2 Configure Fail2Ban

2.2.1 Create the log filter regular expression

vim /etc/fail2ban/filter.d/sftp.conf

Add the following configuration. HAProxy handles sftp in TCP mode, so its log carries no authentication result; the regex below matches every connection to an sftp frontend, which makes the jail a per-client connection-rate limit rather than a failed-login counter. Size maxretry and findtime accordingly, or legitimate clients that open many short sessions will be banned too,

[Definition]

# Matches every HAProxy log line for a frontend whose name contains "sftp";
# <HOST> captures the client address that precedes the source port.
failregex = ^.*haproxy\[[0-9]+]\: <HOST>:.* .*sftp.*$
ignoreregex =

2.2.2 Define the jail

vim /etc/fail2ban/jail.local

Add the following configuration. The private ranges in ignoreip keep internal clients (including the sftp backend's own subnet) from ever being banned; with the jail's own values, a client that opens 6 connections within 120 s is banned for 1200 s on ports 115 and 990,

[DEFAULT]
ignoreself = true
ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
bantime = 1h
findtime  = 1m
maxretry = 5

[sftp]
enabled  = true
bantime  = 1200
findtime = 120
maxretry = 6
filter   = sftp
logpath  = /var/log/haproxy/haproxy.log
port     = 115,990

After changing the configuration, restart the service (or run fail2ban-client reload) so it takes effect,

systemctl restart fail2ban.service
systemctl status fail2ban.service

2.2.3 Check the jail status

fail2ban-client status sftp

The output looks like this; Total failed counts lines the filter matched, so it reached maxretry after six connections from the scanner and one ban was issued,

Status for the jail: sftp
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     6
|  `- File list:        /var/log/haproxy/haproxy.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   94.156.64.165

2.2.4 Check the firewall state

firewall-cmd --list-all

The ban appears as firewalld rich rules rejecting the banned source on the jail's ports only; the other ports the host exposes stay open to it,

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 115/tcp 989/tcp 990/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="94.156.64.165" port port="115" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="94.156.64.165" port port="990" protocol="tcp" reject type="icmp-port-unreachable"

References
==================
https://serverfault.com/questions/853806/blocking-ips-in-haproxy
