首页 > 系统运维 > fail2ban封IP之Http
您的足迹
  • 你没有浏览过任何文章或者你没有开启cookies。

fail2ban封IP之Http

环境介绍:http是一个tomcat 的js程序 ,设置的路径为/opt/tomcat5/logs/localhost_access_log.txt
OS:centos 5.3  fail2ban版本:fail2ban-0.8.2-3.el5.rf.noarch.rpm
官方网站:http://www.fail2ban.org/wiki/index.php/Main_Page

背景:及时发现别人的恶意请求并禁止

步骤:

1.安装fail2ban
这里我走了弯路,下源码包安装报错,大家可以这个网址下载:http://packages.sw.be/fail2ban/

#rpm -ivh fail2ban-0.8.23.el5.rf.noarch.rpm

2.配置fail2ban的自定义过滤规则
分析/opt/tomcat5/logs/localhost_access_log.txt  日志的恶意请求如下 :

192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063

从攻击行为特征来看, 这是短时间连续导致服务器发送HTTP 404文件未找到错误码, 下面是用于发现上述攻击的fail2ban filter规则,
在/etc/fail2ban/filter.d/目录下建立tomcat.conf文件保存下面的内容:

[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =

3.测试fail2ban的过滤规则

# fail2ban-regex /opt/tomcat5/logs/localhost_access_log.txt /etc/fail2ban/filter.d/tomcat.conf
结果如下:

Running tests
=============  

Use regex file : /etc/fail2ban/filter.d/tomcat.conf
Use log file   : /opt/tomcat5/logs/localhost_access_log.txt  

Results
=======  

Failregex
|- Regular expressions:
|  [1]  -.*- .*HTTP/1.* 404 .*$
|
`- Number of matches:
   [1] 13 match(es)  

Ignoreregex
|- Regular expressions:
|
`- Number of matches:  

Summary
=======  

Addresses found:
[1]
    192.168.32.41 (Fri Sep 10 18:10:59 2010)
    192.168.32.41 (Fri Sep 10 18:11:27 2010)
    192.168.32.41 (Fri Sep 10 18:11:27 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:29 2010)
    192.168.32.41 (Fri Sep 10 18:11:30 2010)
    192.168.32.41 (Fri Sep 10 18:11:30 2010)
    192.168.32.41 (Fri Sep 10 18:27:44 2010)
    192.168.32.41 (Fri Sep 10 18:27:47 2010)
    192.168.32.41 (Fri Sep 10 18:27:50 2010)
    192.168.32.41 (Fri Sep 10 18:27:53 2010)  

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
130 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch  

Success, the total number of match is 13  

However, look at the above section 'Running tests' which could contain important
information.


4.激活fail2ban的规则
从测试结果可以看出, 恶意攻击节点的IP地址和攻击时间都能够正确发现, 因此可以进一步修改fail2ban的配置文件激活上述规则.
下面是我的/etc/fail2ban/jail.local配置文件内容:
[tomcat]
enabled = true
port = http,https
filter = tomcat
action = iptables[name=tomcat, port=8080, protocol=tcp]
         sendmail-whois[name=tomcat, dest=abc@mail.com]
maxretry = 2
logpath = /opt/tomcat5/logs/localhost_access_log.txt
bantime  = 1800


5.测试效果
生成2个错误的链接,查看fail2ban日志 如下:
2010-09-10 18:33:30,156 fail2ban.actions.action: INFO   Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail  has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2010-09-10 18:33:30,157 fail2ban.actions.action: INFO   Set actionUnban =
2010-09-10 18:33:30,158 fail2ban.actions.action: INFO   Set actionCheck =
2010-09-10 18:33:31,546 fail2ban.actions: WARNING [tomcat] Ban 192.168.32.41


并查看管理员邮箱 ,已经收到邮件了,内容大概如下:
  1. Hi,
  2. The IP 192.168.32.41 has just been banned by Fail2Ban after
  3. 4 attempts against tomcat.
  4. Here are more information about 192.168.32.41:
  5. [Querying whois.arin.net]
  6. [whois.arin.net]
  7. #
  8. # Query terms are ambiguous.  The query is assumed to be:
  9. #     “n 192.168.32.41″
  10. #
  11. # Use “?” to get help.


6.写完收工。
上面只是根据我的需求,写的一点东西,其他很功能大家自己可以去研究 。

                                        
  1. 还没有评论
评论提交中, 请稍候...

留言

可以使用的标签: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>
Trackbacks & Pingbacks ( 0 )
  1. 还没有 trackbacks
Feed