Dealing with authentication failures in /var/log/secure
fail2ban
With the packaged defaults, when authentication failures from one source address appear 5 times (CentOS) or 6 times (Ubuntu) within 10 minutes (maxretry failures inside findtime = 600), fail2ban judges it to be an attack and blocks connections from that address with iptables. The block is lifted after 10 minutes (bantime = 600).

[root@falcon21 ~]# yum --enablerepo=epel install fail2ban
Installing:
  fail2ban.noarch 0:0.9.7-1.el7
Installing for dependencies:
  fail2ban-firewalld.noarch 0:0.9.7-1.el7
  fail2ban-sendmail.noarch 0:0.9.7-1.el7
  fail2ban-server.noarch 0:0.9.7-1.el7

・・・the fail2ban-firewalld sub-package drops /etc/fail2ban/jail.d/00-firewalld.conf, which switches banaction to a firewallcmd action, so on this install bans are inserted through firewalld (which programs iptables underneath) rather than through the plain iptables actions.

********************************
CentOS: send fail2ban's own log to /var/log/fail2ban.log instead of syslog (/var/log/messages)
Create /etc/fail2ban/fail2ban.local
[root@falcon21 ~]# vi /etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban.log

・・・/etc/fail2ban/fail2ban.local overrides /etc/fail2ban/fail2ban.conf, which holds daemon settings only (logtarget, loglevel, socket, dbfile). Jail sections are not read from this file; they go in /etc/fail2ban/jail.local (below).

Start fail2ban
[root@falcon21 ~]# systemctl start fail2ban
[root@falcon21 ~]# systemctl enable fail2ban
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
[root@falcon21 ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-02-18 22:38:51 JST; 23s ago
     Docs: man:fail2ban(1)
 Main PID: 15224 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─15224 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var...
Feb 18 22:38:51 falcon21.space systemd[1]: Starting Fail2Ban Service...
Feb 18 22:38:51 falcon21.space fail2ban-client[15219]: 2019-02-18 22:38:51,300 fail2ban.server ...9.7
Feb 18 22:38:51 falcon21.space fail2ban-client[15219]: 2019-02-18 22:38:51,300 fail2ban.server ...ode
Feb 18 22:38:51 falcon21.space systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.

・・・from the next boot onward fail2ban starts automatically
・・・the daemon is running, but in the EPEL jail.conf every jail is enabled = false by default, so at this point nothing in /var/log/secure is acted on. "fail2ban-client status" reports "Number of jail: 0" until a jail is enabled in /etc/fail2ban/jail.local (below).

******************************************************
Checking: /var/log/fail2ban.log
[root@falcon21 ~]# tail -10 /var/log/fail2ban.log
2019-02-18 22:38:51,335 fail2ban.server [15224]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-02-18 22:38:51,335 fail2ban.database [15224]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-02-18 22:38:51,338 fail2ban.database [15224]: WARNING New database created. Version '2'

Send mail to a notification address
These were first set by editing jail.conf in place:
[root@falcon21 ~]# vi /etc/fail2ban/jail.conf
destemail = root@falcon21.space
sender = root@falcon21.space
mta = postfix
[root@falcon21 ~]# systemctl reload fail2ban

・・・two problems with this. First, jail.conf is replaced on package update, so the values belong in the [DEFAULT] section of /etc/fail2ban/jail.local (the combined jail.local is in the next section). Second, mta is not the name of the installed MTA but the prefix of the mail action in action.d (sendmail-whois.conf, mail-whois.conf, ...): the valid values are sendmail and mail, and "postfix" would make the action_mw/action_mwl expansion look for a postfix-whois action that does not exist. Postfix ships the sendmail command, so mta = sendmail is the right value here. Also, destemail/sender/mta on their own send nothing: the default action = %(action_)s only bans. Mail is sent when the jail action is %(action_mw)s (ban + mail with whois) or %(action_mwl)s (also includes the matching log lines).

***********************************************************
Also handle ID/password authentication errors on mail retrieval
(the /var/log/secure line: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=XXXXX rhost=YY.YY.YY.YY)

These jails were first put into /etc/fail2ban/fail2ban.local, but that file only overrides fail2ban.conf and jail sections placed there are ignored. Jails are enabled in /etc/fail2ban/jail.local, which overrides jail.conf. In the 0.9.7 jail.conf the relevant jails are [postfix-sasl] and [dovecot]; the 0.8-era names [sasl-iptables] and [dovecot-auth] are no longer defined there, and a jail without a definition fails to load (no matching filter) and makes the reload report an error. The sshd jail, which is what actually covers the ssh failures in /var/log/secure, is enabled in the same file.

[root@falcon21 ~]# vi /etc/fail2ban/jail.local
[DEFAULT]
destemail = root@falcon21.space
sender = root@falcon21.space
mta = sendmail
action = %(action_mwl)s

[sshd]
enabled = true

[postfix-sasl]
enabled = true

[dovecot]
enabled = true
logpath = %(dovecot_log)s
          %(syslog_authpriv)s

[root@falcon21 ~]# systemctl reload fail2ban
[root@falcon21 ~]# fail2ban-client status dovecot

・・・jail.local overrides jail.conf. On the EPEL build the [dovecot] jail watches /var/log/maillog (dovecot_log), where Dovecot's own "auth failed" lines land; the pam_unix(dovecot:auth) line quoted above is written by PAM to /var/log/secure (syslog_authpriv), so that file is listed as a second logpath. Whether a given line is matched can be checked before reloading with: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
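The counting rule described at the top of this page (maxretry failures within findtime, then a ban lasting bantime) carried out in code over a constructed /var/log/secure excerpt. This is an added example, not code from the original page or from fail2ban itself: the two failregex patterns are simplified stand-ins for fail2ban's sshd and dovecot filters, the hostname falcon21 is taken from the page's prompt, the client addresses come from the documentation ranges, and the year is fixed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults of the 0.9.x jail.conf [DEFAULT] section (CentOS package: maxretry = 5)
FINDTIME = 600   # seconds: a failure older than this no longer counts
MAXRETRY = 5     # failures inside findtime that trigger a ban
BANTIME = 600    # seconds a ban stays in place
YEAR = 2019      # syslog timestamps carry no year; fixed for the constructed sample

IPV4 = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Simplified stand-ins for fail2ban's sshd and dovecot failregex (<HOST> is the 'host' group)
FAILREGEX = [
    re.compile(r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from " + IPV4),
    re.compile(r"pam_unix\(dovecot:auth\): authentication failure;.* tty=dovecot ruser=\S* rhost=" + IPV4),
]

SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, host) if the line is an authentication failure, else None."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    for rx in FAILREGEX:
        hit = rx.search(m.group("msg"))
        if hit:
            ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, hit.group("host")
    return None


class Jail:
    """Sliding-window counter: ban a host on the maxretry-th failure within findtime."""

    def __init__(self, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(list)  # host -> failure timestamps still inside findtime
        self.bans = {}                      # host -> time the ban expires
        self.events = []                    # ("ban" | "unban", host, timestamp), in order

    def _expire_bans(self, now):
        for host, until in list(self.bans.items()):
            if now >= until:
                del self.bans[host]
                self.events.append(("unban", host, now))

    def feed(self, line):
        hit = parse_line(line)
        if hit is None:
            return
        now, host = hit
        self._expire_bans(now)
        if host in self.bans:
            return                      # already blocked; nothing more to count
        window = [t for t in self.failures[host] if now - t <= self.findtime]
        window.append(now)
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            self.events.append(("ban", host, now))
            window = []                 # counting starts afresh after the ban
        self.failures[host] = window

    def is_banned(self, host, now):
        self._expire_bans(now)
        return host in self.bans


def make_sample():
    """Constructed /var/log/secure excerpt (not a real capture); documentation addresses."""
    lines = []
    # 203.0.113.5: five ssh failures in four minutes -> banned on the fifth
    for t in ("22:40:01", "22:41:07", "22:42:15", "22:43:20", "22:44:02"):
        lines.append(f"Feb 18 {t} falcon21 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2")
    # 198.51.100.7: five failures spread over twelve minutes -> never five inside one findtime window
    for t in ("22:30:00", "22:33:00", "22:36:00", "22:39:00", "22:42:00"):
        lines.append(f"Feb 18 {t} falcon21 sshd[2000]: Failed password for root from 198.51.100.7 port 5555 ssh2")
    # 192.0.2.9: the PAM/dovecot line quoted on this page, five times in ten seconds -> banned
    for t in ("22:45:10", "22:45:12", "22:45:14", "22:45:16", "22:45:18"):
        lines.append(f"Feb 18 {t} falcon21 auth: pam_unix(dovecot:auth): authentication failure; "
                     f"logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.0.2.9")
    # a successful login must not count
    lines.append("Feb 18 22:46:00 falcon21 sshd[3000]: Accepted publickey for admin from 203.0.113.77 port 1000 ssh2")
    return sorted(lines, key=lambda l: l[:15])   # replay in timestamp order


def run_sample():
    jail = Jail()
    for line in make_sample():
        jail.feed(line)
    return jail


def is_banned_at(jail, host, hhmmss):
    """Query the ban state at a clock time on the sample's day (Feb 18)."""
    return jail.is_banned(host, datetime.strptime(f"{YEAR} Feb 18 {hhmmss}", "%Y %b %d %H:%M:%S"))


if __name__ == "__main__":
    for kind, host, when in run_sample().events:
        print(f"{when:%H:%M:%S} {kind:5s} {host}")
```

The second host is the point worth noticing: five failures spread over twelve minutes never put five inside one ten-minute window, so a slow brute force stays below the threshold until findtime is widened or maxretry lowered in jail.local. The successful-login line shows why the failregex, not the mere presence of an address, decides what counts.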