Fail2Ban
1 Preface
One problem, one article, one story.
Our production environment uses HAProxy to proxy the SFTP service; the environment is described in the sections below.
Today the author checked the HAProxy log with the following command:
less /var/log/haproxy/haproxy.log
and found that a single IP had produced the following large volume of login entries:
#...
Jun 14 11:07:53 localhost haproxy[1497]: 94.156.64.165:56082 [14/Jun/2024:11:07:48.940] sftp_115 sftp_115/sftp01 1/0/4127 1829 -- 1/1/0/0/0 0/0
Jun 14 11:07:59 localhost haproxy[1497]: 94.156.64.165:33678 [14/Jun/2024:11:07:54.749] sftp_115 sftp_115/sftp01 1/0/5135 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:04 localhost haproxy[1497]: 94.156.64.165:39510 [14/Jun/2024:11:08:01.097] sftp_115 sftp_115/sftp01 1/0/3551 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:11 localhost haproxy[1497]: 94.156.64.165:45352 [14/Jun/2024:11:08:07.062] sftp_115 sftp_115/sftp01 1/0/4014 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:16 localhost haproxy[1497]: 94.156.64.165:51188 [14/Jun/2024:11:08:13.182] sftp_115 sftp_115/sftp01 1/0/3737 1829 -- 1/1/0/0/0 0/0
Counting the attempts with the following wc command:
grep 94.156.64.165 /var/log/haproxy/haproxy.log | wc -l
shows that the number of attempts from this IP is enormous:
29716
Searching the failed-password entries with the following command:
grep "Failed password for invalid user" /var/log/secure
reveals a large number of password attempts logged on the SFTP server itself:
#...
Jun 14 11:16:44 sftp01 sftpd[1219373]: Failed password for invalid user lsy from 10.168.0.169 port 37310 ssh2
Jun 14 11:19:48 sftp01 sftpd[1241473]: Failed password for invalid user csh from 10.168.0.169 port 39034 ssh2
Jun 14 11:19:55 sftp01 sftpd[1242184]: Failed password for invalid user muqingdian from 10.168.0.169 port 51466 ssh2
Jun 14 11:21:16 sftp01 sftpd[1248039]: Failed password for invalid user pmy from 10.168.0.169 port 60956 ssh2
Jun 14 11:22:08 sftp01 sftpd[1253900]: Failed password for invalid user wangyinuo from 10.168.0.169 port 39026 ssh2
2 Best practice
2.1 Environment
Refer to the following sections to install Fail2Ban.
2.2 Configure Fail2Ban
2.2.1 Create the log filter regular expression
vim /etc/fail2ban/filter.d/sftp.conf
Add the following configuration:
[Definition]
failregex = ^.*haproxy\[[0-9]+]\: <HOST>:.* .*sftp.*$
ignoreregex =
2.2.2 Define the jail configuration
vim /etc/fail2ban/jail.local
Add the following configuration:
[DEFAULT]
ignoreself = true
ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
bantime = 1h
findtime = 1m
maxretry = 5

[sftp]
enabled = true
bantime = 1200
findtime = 120
maxretry = 6
filter = sftp
logpath = /var/log/haproxy/haproxy.log
port = 115,990
After changing the configuration, restart the service for it to take effect:
systemctl restart fail2ban.service
systemctl status fail2ban.service
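As an added example (not code from the original post), the Python script below replays the filter's failregex and the [sftp] jail thresholds over constructed HAProxy log lines, showing which source is banned and that sources inside ignoreip are skipped. Note the caveat this makes visible: the regex counts every proxied sftp connection, not only failed logins, since HAProxy in TCP mode cannot see SSH authentication, so a legitimate client opening many sessions within findtime would also trip the jail. The year, the extra sample hosts and the simplified ban logic are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The page's failregex with <HOST> expanded to an IPv4 capture group
# (fail2ban's real <HOST> template also accepts IPv6 and hostnames).
FAILREGEX = re.compile(
    r"^.*haproxy\[[0-9]+]\: (?P<host>\d{1,3}(?:\.\d{1,3}){3}):.* .*sftp.*$")
# [sftp] jail thresholds and [DEFAULT] ignoreip from jail.local on the page.
FINDTIME = timedelta(seconds=120)
MAXRETRY = 6
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in
            ("127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
YEAR = 2024  # assumed: the syslog timestamp carries no year

# Constructed sample log: the page's five lines plus made-up ones for contrast
# (an internal source, a non-sftp backend, and a TEST-NET host below maxretry).
SAMPLE_LOG = """\
Jun 14 11:07:53 localhost haproxy[1497]: 94.156.64.165:56082 [14/Jun/2024:11:07:48.940] sftp_115 sftp_115/sftp01 1/0/4127 1829 -- 1/1/0/0/0 0/0
Jun 14 11:07:59 localhost haproxy[1497]: 94.156.64.165:33678 [14/Jun/2024:11:07:54.749] sftp_115 sftp_115/sftp01 1/0/5135 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:01 localhost haproxy[1497]: 10.168.0.10:40000 [14/Jun/2024:11:08:00.100] sftp_115 sftp_115/sftp01 1/0/90 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:04 localhost haproxy[1497]: 94.156.64.165:39510 [14/Jun/2024:11:08:01.097] sftp_115 sftp_115/sftp01 1/0/3551 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:05 localhost haproxy[1497]: 203.0.113.7:50001 [14/Jun/2024:11:08:05.000] http_80 http_80/web01 1/0/12 512 -- 1/1/0/0/0 0/0
Jun 14 11:08:11 localhost haproxy[1497]: 94.156.64.165:45352 [14/Jun/2024:11:08:07.062] sftp_115 sftp_115/sftp01 1/0/4014 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:16 localhost haproxy[1497]: 94.156.64.165:51188 [14/Jun/2024:11:08:13.182] sftp_115 sftp_115/sftp01 1/0/3737 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:20 localhost haproxy[1497]: 203.0.113.7:50002 [14/Jun/2024:11:08:19.500] sftp_115 sftp_115/sftp01 1/0/80 1829 -- 1/1/0/0/0 0/0
Jun 14 11:08:21 localhost haproxy[1497]: 94.156.64.165:57004 [14/Jun/2024:11:08:17.000] sftp_115 sftp_115/sftp01 1/0/3900 1829 -- 1/1/0/0/0 0/0
"""


def run_jail(log_text):
    """Replay the log through filter and jail rules; return (match counts, banned)."""
    hits = defaultdict(list)   # host -> timestamps of matches still inside findtime
    banned = []
    for line in log_text.splitlines():
        # fail2ban strips the timestamp before applying failregex to the rest
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=YEAR)
        m = FAILREGEX.match(line[16:])
        if not m:
            continue
        host = m.group("host")
        if any(ipaddress.ip_address(host) in net for net in IGNOREIP):
            continue   # whitelisted, e.g. internal health checks or admin hosts
        window = [t for t in hits[host] if stamp - t <= FINDTIME] + [stamp]
        hits[host] = window
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return {h: len(t) for h, t in hits.items()}, banned


if __name__ == "__main__":
    print(run_jail(SAMPLE_LOG))
```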
2.2.3 Check the service status
fail2ban-client status sftp
You will see output like the following:
Status for the jail: sftp
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     6
|  `- File list:        /var/log/haproxy/haproxy.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   94.156.64.165
2.2.4 Check the firewall status
firewall-cmd --list-all
You will see output like the following:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 115/tcp 989/tcp 990/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="94.156.64.165" port port="115" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="94.156.64.165" port port="990" protocol="tcp" reject type="icmp-port-unreachable"
References
==================
https://serverfault.com/questions/853806/blocking-ips-in-haproxy