Dealing with "authentication failure" entries in /var/log/secure

fail2ban
When a source address fails authentication 5 times (CentOS default) or 6 times (Ubuntu default) within 10 minutes, fail2ban treats it as an attack and blocks further connections from that address with iptables.
The block is lifted after 10 minutes.
These three numbers are the jail options maxretry, findtime and bantime (the latter two in seconds, 600 each); they can be overridden per jail, or for all jails under [DEFAULT], in /etc/fail2ban/jail.local. On CentOS 7 the fail2ban-firewalld subpackage that is pulled in below makes the ban go through firewalld rather than a direct iptables call.
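The following is an added example (not part of the original page and not fail2ban's own code): a small Python model of the jail logic just described, replayed over constructed /var/log/secure lines. The two patterns are simplified versions of fail2ban's sshd and dovecot/pam_unix filters, the hosts, users and timestamps are made up, and the year 2018 is assumed because syslog timestamps carry none. It shows why five attempts spread over twenty minutes never trigger a ban while five inside three minutes do, and how the Ubuntu value maxretry = 6 changes the outcome.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings from the text above (CentOS defaults).
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=600)
YEAR = 2018  # syslog lines carry no year; assumed for the constructed sample

# Simplified stand-ins for fail2ban's sshd and dovecot filters; fail2ban's
# <HOST> token is written here as the named group "host".
PREFIX = r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ '
FAILURE_PATTERNS = [
    re.compile(PREFIX + r'sshd\[\d+\]: Failed password for (?:invalid user )?\S+ '
                        r'from (?P<host>\S+) port \d+'),
    re.compile(PREFIX + r'\S+ pam_unix\(dovecot:auth\): authentication failure; '
                        r'.* rhost=(?P<host>\S+)'),
]


def parse_failure(line):
    """Return (timestamp, source host) for a matching line, else None."""
    for pat in FAILURE_PATTERNS:
        m = pat.match(line)
        if m:
            stamp = ' '.join(m['ts'].split())  # collapse "May  1" to "May 1"
            return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S"), m['host']
    return None


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order; return [(host, ban_time, unban_time), ...].

    A host is banned on the failure that brings its count inside the last
    `findtime` to `maxretry`; its failure counter is then cleared, as the
    ticket moves from fail2ban's failure list to its ban list.
    """
    failures = defaultdict(list)  # host -> failure timestamps still in window
    banned_until = {}             # host -> time the ban expires
    bans = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        now, host = hit
        if host in banned_until and now < banned_until[host]:
            continue  # simplification: a banned host cannot reach the service
        window = [t for t in failures[host] if t >= now - findtime] + [now]
        if len(window) >= maxretry:
            banned_until[host] = now + bantime
            bans.append((host, now, now + bantime))
            failures[host] = []
        else:
            failures[host] = window
    return bans


# Constructed sample log (hostname from the page, addresses from the
# documentation ranges, users and times invented).
def _sshd(day, hms, host, user="root"):
    return (f"May {day:2d} {hms} falcon21 sshd[2143]: Failed password for {user} "
            f"from {host} port 51234 ssh2")


def _dovecot(day, hms, host):
    return (f"May {day:2d} {hms} falcon21 auth: pam_unix(dovecot:auth): authentication "
            f"failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost={host}")


SAMPLE_LOG = [
    _sshd(1, "20:00:00", "198.51.100.9"),                       # slow: one try every 5 min
    _sshd(1, "20:00:10", "203.0.113.7"),                        # fast: five tries in 3 min
    _sshd(1, "20:00:40", "203.0.113.7", "invalid user admin"),
    _sshd(1, "20:01:15", "203.0.113.7"),
    _sshd(1, "20:02:05", "203.0.113.7"),
    _sshd(1, "20:03:00", "203.0.113.7"),                        # fifth failure -> ban
    _dovecot(1, "20:04:00", "192.0.2.44"),                      # POP/IMAP password guessing
    _dovecot(1, "20:04:20", "192.0.2.44"),
    _dovecot(1, "20:04:40", "192.0.2.44"),
    _sshd(1, "20:05:00", "198.51.100.9"),
    _dovecot(1, "20:05:00", "192.0.2.44"),
    _dovecot(1, "20:05:30", "192.0.2.44"),                      # fifth failure -> ban
    "May  1 20:06:00 falcon21 sshd[2200]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2",
    _sshd(1, "20:10:00", "198.51.100.9"),
    _sshd(1, "20:15:00", "198.51.100.9"),
    _sshd(1, "20:20:00", "198.51.100.9"),                       # never 5 inside 600 s
]

if __name__ == "__main__":
    for host, start, end in simulate_jail(SAMPLE_LOG):
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
    print("with maxretry=6 (Ubuntu):", simulate_jail(SAMPLE_LOG, maxretry=6))
```

The slow host is never banned because at its fifth failure only three attempts fall inside the 600-second window; raising findtime to 1800 seconds catches it, which is the knob to turn for low-and-slow guessing rather than maxretry.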

Ubuntu
# apt-get install fail2ban

 

CentOS7
[root@falcon21 ~]# yum --enablerepo=epel install fail2ban
Installing:
fail2ban.noarch 0:0.9.7-1.el7

Installed as dependencies:
fail2ban-firewalld.noarch 0:0.9.7-1.el7
fail2ban-sendmail.noarch 0:0.9.7-1.el7
fail2ban-server.noarch 0:0.9.7-1.el7

Complete!

 

********************************

Send fail2ban's own log on CentOS to /var/log/fail2ban.log instead of /var/log/messages
(The EPEL package's fail2ban.conf sends the daemon's log to syslog, which is why it shows up in /var/log/messages.)
Create /etc/fail2ban/fail2ban.local:
[root@falcon21 ~]# vi /etc/fail2ban/fail2ban.local
[Definition]

logtarget = /var/log/fail2ban.log


... /etc/fail2ban/fail2ban.local overrides the settings in /etc/fail2ban/fail2ban.conf: same section name, and only the keys you set change. This file covers the server's own settings; jail settings go in jail.local, not here.


Start fail2ban
[root@falcon21 ~]# systemctl start fail2ban
[root@falcon21 ~]# systemctl enable fail2ban
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.

[root@falcon21 ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2018-05-01 19:56:51 JST; 49s ago
Docs: man:fail2ban(1)
Main PID: 4628 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─4628 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fa...

May 01 19:56:51 falcon21.space systemd[1]: Starting Fail2Ban Service...
May 01 19:56:51 falcon21.space fail2ban-client[4625]: 2018-05-01 19:56:51,5...
May 01 19:56:51 falcon21.space fail2ban-client[4625]: 2018-05-01 19:56:51,5...
May 01 19:56:51 falcon21.space systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.

... from the next boot onward fail2ban starts automatically (that is what the enable step does; start brought it up for the current session).

******************************************************

Check /var/log/fail2ban.log
[root@falcon21 ~]# tail -10 /var/log/fail2ban.log
2018-05-01 19:56:51,626 fail2ban.server [4628]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2018-05-01 19:56:51,627 fail2ban.database [4628]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-05-01 19:56:51,629 fail2ban.database [4628]: WARNING New database created. Version '2'

Note that nothing in this log says a jail was created or started. The EPEL package ships jail.conf with every jail disabled (enabled = false under [DEFAULT]), unlike the Debian/Ubuntu package, which enables the sshd jail through jail.d/defaults-debian.conf. Until /etc/fail2ban/jail.local enables at least one jail (an [sshd] section with enabled = true), no log file is being watched and no address will ever be banned. After adding it and running systemctl reload fail2ban, fail2ban.log reports the sshd jail being created and started, and fail2ban-client status sshd shows the watched file and the current ban list.

 

Send notifications to an e-mail address
[root@falcon21 ~]# vi /etc/fail2ban/jail.conf
line 130: destemail = root@falcon21.space
line 133: sender = root@falcon21.space
line 139: mta = postfix

Two caveats. Edits to jail.conf are lost on the next package update; the same three keys placed under [DEFAULT] in /etc/fail2ban/jail.local survive updates and override jail.conf. And mta does not name the MTA package: it selects the mail action file (the sendmail-*.conf or mail-*.conf actions), so with Postfix keep mta = sendmail, which uses Postfix's sendmail-compatible /usr/sbin/sendmail; mta = postfix points at action files that do not exist. destemail is only used when a jail's action is one of the mail-sending variants (action = %(action_mw)s or %(action_mwl)s); the default action_ bans without sending mail.

[root@falcon21 ~]# systemctl reload fail2ban

 

***********************************************************
Also deal with ID/password authentication failures when mail is fetched
(auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=XXXXX rhost=YY.YY.YY.YY)

Jail sections belong in /etc/fail2ban/jail.local. The server reads fail2ban.conf and fail2ban.local only for its own [Definition] settings (logtarget, loglevel, socket and so on), so jail sections put into fail2ban.local are ignored and nothing gets enabled. Add the following to jail.local instead:
[root@falcon21 ~]# vi /etc/fail2ban/jail.local

[sasl-iptables]
enabled = true

[dovecot-auth]
enabled = true

... this overrides the settings in jail.conf. Each section name must be a jail that the installed jail.conf defines: in the 0.9.7 package installed above the stock jail.conf names the SMTP AUTH and Dovecot jails [postfix-sasl] and [dovecot], and enabling a name the file does not know produces errors in fail2ban.log rather than a working jail. Check the pam_unix line against the filter before relying on it (fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf), and remember that this line lands in /var/log/secure while the dovecot jail reads the mail log by default, so either set that jail's logpath to /var/log/secure or use the [pam-generic] jail, which watches /var/log/secure already.

[root@falcon21 ~]# systemctl reload fail2ban
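As an added example (mine, not fail2ban's code and not from the original page), the configparser model below reproduces the layering fail2ban applies to its configuration, so the difference between fail2ban.local and jail.local, the effect of moving the mail settings above into jail.local, and the jail.d drop-in from the fail2ban-firewalld package can be checked offline. Every file body is a constructed snippet modelled on the stock 0.9.x files: the jail names [sshd], [dovecot] and [postfix-sasl], the option names and the banaction value firewallcmd-ipset are taken from those files, but the snippets are not copies of them, and the hostname is the page's own.

```python
import configparser

# fail2ban loads jail.conf, then jail.d/*.conf, then jail.local, then
# jail.d/*.local; each later file overrides the earlier ones, and %(name)s
# references are resolved against the section and then [DEFAULT]. The same
# layering applies to fail2ban.conf / fail2ban.local, which only carry the
# server's [Definition] section.

# Constructed excerpt in the shape of the EPEL jail.conf: everything disabled.
JAIL_CONF = """\
[DEFAULT]
enabled   = false
bantime   = 600
findtime  = 600
maxretry  = 5
destemail = root@localhost
sender    = root@localhost
mta       = sendmail
banaction = iptables-multiport
sshd_log    = /var/log/secure
dovecot_log = /var/log/maillog
postfix_log = /var/log/maillog

[sshd]
port    = ssh
logpath = %(sshd_log)s
action  = %(banaction)s[name=sshd, port="%(port)s"]

[dovecot]
port    = pop3,pop3s,imap,imaps
logpath = %(dovecot_log)s
action  = %(banaction)s[name=dovecot, port="%(port)s"]

[postfix-sasl]
port    = smtp,465,submission
logpath = %(postfix_log)s
action  = %(banaction)s[name=postfix-sasl, port="%(port)s"]
"""

# Approximation of the jail.d file the fail2ban-firewalld subpackage installs
# on CentOS 7 (assumed content; the real file also carries comments).
FIREWALLD_DROPIN = """\
[DEFAULT]
banaction = firewallcmd-ipset
"""

# The page's mail settings and the jails to enable, in jail.local where they
# belong. logpath for dovecot is pointed at /var/log/secure because that is
# where the pam_unix(dovecot:auth) line in the text appears.
JAIL_LOCAL = """\
[DEFAULT]
destemail = root@falcon21.space
sender    = root@falcon21.space
mta       = sendmail

[sshd]
enabled = true

[dovecot]
enabled = true
logpath = /var/log/secure

[postfix-sasl]
enabled = true
"""

# Server-side layering: the stock log target and the page's override.
FAIL2BAN_CONF = """\
[Definition]
loglevel  = INFO
logtarget = SYSLOG
"""

FAIL2BAN_LOCAL = """\
[Definition]
logtarget = /var/log/fail2ban.log
"""


def load_layers(*texts):
    """Merge configuration texts in read order; later texts override earlier ones."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in texts:
        cp.read_string(text)
    return cp


def enabled_jails(*texts):
    """Names of jails whose merged 'enabled' value is true."""
    cp = load_layers(*texts)
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def jail_setting(jail, key, *texts):
    """Fully interpolated value of one jail option after layering."""
    return load_layers(*texts).get(jail, key)


def server_logtarget(*texts):
    """Where the fail2ban server itself logs after fail2ban.conf/.local layering."""
    return load_layers(*texts).get("Definition", "logtarget")


# The layers the CentOS 7 host above would read, in order.
JAIL_LAYERS = (JAIL_CONF, FIREWALLD_DROPIN, JAIL_LOCAL)

if __name__ == "__main__":
    print("enabled by jail.conf alone:", enabled_jails(JAIL_CONF))
    print("enabled after jail.local:  ", enabled_jails(*JAIL_LAYERS))
    print("sshd action on CentOS 7:   ", jail_setting("sshd", "action", *JAIL_LAYERS))
    print("dovecot logpath:           ", jail_setting("dovecot", "logpath", *JAIL_LAYERS))
    print("server log target:         ", server_logtarget(FAIL2BAN_CONF, FAIL2BAN_LOCAL))
```

A jail section written into fail2ban.local never reaches load_layers for the jails, which is the whole reason the earlier edit had no effect. On the real host, fail2ban-client -d dumps the merged configuration the server actually loaded, and fail2ban-client status <jail> confirms which files each jail is watching.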

 

**********************************************************
