Boa tarde Amigo,
Uso no CentOS e Ubuntu. Esse foi um que instalei faz algumas semanas. O servidor tem qual função na sua rede?
Existe também um pequeno programa que uso que se chama DNSFlood; se for um DNS recursivo, você pode criar métricas para que vírus ou usuários (aprendizes de feiticeiro) não façam a qualidade do serviço prestado pelo seu DNS cair em razão dessas péssimas práticas.
Mas vamos lá!!
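# Ubuntu/Debian install; on CentOS the package typically comes from EPEL (yum install fail2ban).
sudo apt-get update && sudo apt-get install fail2ban
# fail2ban's jail configuration lives under /etc/fail2ban/ (the original text
# pointed at /etc/jail.conf, which does not exist). Put site settings in
# jail.local: jail.conf is replaced on package upgrades, jail.local is read
# after it and overrides it.
vi /etc/fail2ban/jail.local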
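[DEFAULT]
# Global defaults inherited by every jail below unless the jail overrides them.
# Addresses/networks that are never banned by any jail. Everything listed here,
# including the public ranges, is exempt from all jails, so keep it to hosts
# you actually trust and review it when the network changes.
ignoreip = 127.0.0.1/8 187.120.155.1 177.154.33.33 177.154.33.66 177.154.35.2 177.154.35.3 177.154.35.30 170.233.137.0/27 170.233.136.0/27 177.154.36.0/24
ignorecommand =
# Ban length in seconds (10800 = 3 h).
bantime = 10800
# Window in seconds within which maxretry matches must occur to trigger a ban.
findtime = 600
maxretry = 3
backend = auto
# usedns: whether hostnames found in the log are resolved to IPs; "warn"
# resolves them but logs a warning each time.
usedns = warn
# Mail recipient/sender for the *_mw / *_mwl action presets. The addresses in
# the original post were redacted to "[email protected]"; replace them with
# real addresses before using a mail-sending action.
destemail = [email protected]
sendername = Fail2Ban
sender = [email protected]
banaction = iptables-multiport
mta = mail
protocol = tcp
chain = INPUT
# Action presets. Continuation lines of a multi-line value must be indented:
# fail2ban's configparser-based reader joins indented lines onto the previous
# key, whereas the unindented continuation lines in the original would be
# read as separate (bogus) keys.
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
# Ban only, no mail. Use %(action_mw)s or %(action_mwl)s to also be notified.
action = %(action_)s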
[sshd]
# SSH brute-force jail, reading the Debian/Ubuntu auth log (on CentOS the
# equivalent file is typically /var/log/secure).
enabled = true
filter = sshd
logpath = /var/log/auth.log
# sshd listens on a non-default port here; the ban rule is applied to this
# port only.
port = 5322
# 5 failures inside a 5-second window -> 3 h ban. Note the window is very
# short: attempts spaced more than a second or so apart never accumulate to
# maxretry and are not banned. A wider findtime catches slow brute force too.
maxretry = 5
findtime = 5
bantime = 10800
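[ssh-ddos]
# Connection-flood jail for sshd, reading the same log as [sshd]. The
# sshd-ddos filter exists in older fail2ban releases; newer releases fold it
# into the sshd filter's "mode" option - verify against the installed version.
enabled = true
filter = sshd-ddos
logpath = /var/log/auth.log
# Must match the port sshd actually listens on. The original had "port = ssh"
# (22) while [sshd] bans 5322, so a ban from this jail would have left the
# real SSH port open. If sshd listens on both, use "port = ssh,5322".
port = 5322
# 5 matches inside a 5-second window -> 3 h ban (same caveat as [sshd]: the
# window is very short).
maxretry = 5
findtime = 5
bantime = 10800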
[ssh-route]
# Disabled example jail: bans via the "route" action (blackhole route for the
# offending address) instead of an iptables rule. Reads /var/log/sshd.log,
# which differs from the auth.log used by the enabled jails - check the path
# before enabling.
enabled = false
filter = sshd
logpath = /var/log/sshd.log
action = route
maxretry = 6
[ssh-iptables-ipset4]
# Disabled example jail: same sshd filter, but banned addresses go into an
# ipset (ipset protocol 4 variant) rather than one iptables rule per address,
# which scales better for long ban lists. The action itself is still the
# inherited action_ preset from [DEFAULT]; only banaction is overridden.
enabled = false
filter = sshd
logpath = /var/log/sshd.log
port = ssh
banaction = iptables-ipset-proto4
maxretry = 6
[ssh-iptables-ipset6]
# Disabled example jail, ipset protocol 6 variant of the jail above (the
# "proto6" refers to the ipset protocol version for newer ipset releases,
# not to IPv6 - verify against the installed ipset). Everything else is
# identical to [ssh-iptables-ipset4].
enabled = false
filter = sshd
logpath = /var/log/sshd.log
port = ssh
banaction = iptables-ipset-proto6
maxretry = 6
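[ssh-blocklist]
# Disabled example jail: bans with a plain iptables rule, mails a whois report,
# and reports the banned address to the blocklist.de service.
enabled = false
filter = sshd
logpath = /var/log/sshd.log
# Three actions. Continuation lines must be indented so the reader joins them
# onto "action"; the unindented lines in the original would be parsed as
# separate keys. Note this action bans port 22 ("ssh") - align it with the
# port sshd really listens on (see [sshd]) before enabling.
# The apikey is a credential stored in clear text in this file: keep the file
# readable by root only and do not commit a real key to a shared repository.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
         blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"]
# Higher threshold than the other jails, since each ban is also reported
# to an external service.
maxretry = 20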
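[unbound]
# Rate-abuse jail for the recursive resolver: bans a client source address
# once the unbound filter matches a dns_flood_detector line in daemon.log.
enabled = true
filter = unbound
logpath = /var/log/daemon.log
# The action hard-codes port 53/udp, so this protocol key is informational
# here (it is only consumed by the %(action_)s presets, which this jail
# does not use).
protocol = udp
# Two actions. Continuation lines must be indented so the reader joins them
# onto "action"; the unindented second line in the original would be parsed
# as a separate key.
action = iptables-multiport[name=unbound, port=53, protocol=udp]
         %(mta)s[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
# A single matching line bans the source for 43200 s (12 h). The address
# banned is the UDP source address as reported by dns_flood_detector, and UDP
# sources can be forged, so a spoofed burst can get a legitimate client or
# forwarder banned for 12 h: keep such hosts in ignoreip, and consider
# rate limiting inside unbound itself before resorting to bans.
maxretry = 1
bantime = 43200
findtime = 5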
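# The daemon's own settings (log target, log level, socket) live in
# /etc/fail2ban/fail2ban.conf; the original text pointed at /etc/fail2ban.conf.
vi /etc/fail2ban/fail2ban.conf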
O principal é:
# Key in the [Definition] section of fail2ban.conf: write fail2ban's own log
# to a file so ban/unban events can be reviewed (or shipped to a SIEM)
# separately from syslog.
logtarget = /var/log/fail2ban.log
Sobre a verificação dos logs para o fail2ban tomar uma ação, segue:
dns-flood-detector -v -v -v -d -t20 - deve ser iniciado no boot; seu log é criado no /var/daemon.log
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.80.254.83] - 0 tcp qps : 7 udp qps [7 qps A]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.92.46.94] - 0 tcp qps : 8 udp qps [8 qps A]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [10.7.31.28] - 0 tcp qps : 7 udp qps [5 qps A] [2 qps AAAA]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.88.74.29] - 0 tcp qps : 6 udp qps [6 qps A]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.80.242.142] - 0 tcp qps : 9 udp qps [9 qps A]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.88.11.9] - 0 tcp qps : 17 udp qps [17 qps A]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.89.154.229] - 0 tcp qps : 7 udp qps [7 qps A]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [10.7.31.211] - 0 tcp qps : 6 udp qps [4 qps A] [2 qps AAAA]
Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.80.42.27] - 0 tcp qps : 6 udp qps [2 qps A] [4 qps AAAA]
# Fail2Ban configuration file
#
# Author: Thabet Amer
#
#
Agora edite o arquivo:
/etc/fail2ban/filter.d/unbound.conf
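[Definition]
# Option: failregex
# Notes.: regex to match the log lines that count as a failure. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# One pattern per line; continuation lines must be indented so the reader
# joins them onto failregex instead of treating them as separate keys (the
# unindented lines in the original would not have parsed).
# Thresholds: A and AAAA match at 100 qps or more ([0-9]{3,9}); the other
# record types match at 10 qps or more ([0-9]{2,9}). The surrounding (.*)
# groups allow any prefix/suffix on the line. <HOST> captures the client
# address that dns_flood_detector reports inside "source [...]".
failregex = ^(.*)\ssource\s\[<HOST>\](.*)\[[0-9]{3,9}\sqps\sA\](.*)$
            ^(.*)\ssource\s\[<HOST>\](.*)\[[0-9]{3,9}\sqps\sAAAA\](.*)$
            ^(.*)\ssource\s\[<HOST>\](.*)\[[0-9]{2,9}\sqps\sMX\](.*)$
            ^(.*)\ssource\s\[<HOST>\](.*)\[[0-9]{2,9}\sqps\sNS\](.*)$
            ^(.*)\ssource\s\[<HOST>\](.*)\[[0-9]{2,9}\sqps\sPTR\](.*)$
            ^(.*)\ssource\s\[<HOST>\](.*)\[[0-9]{2,9}\sqps\sSRV\](.*)$
            ^(.*)\ssource\s\[<HOST>\](.*)\[[0-9]{2,9}\sqps\sTXT\](.*)$
# example of the dns_flood_detector lines this filter reads (this one is at
# 17 qps A, below the 100 qps threshold, so it does NOT match):
# Nov 8 16:41:36 xxx dns_flood_detector[2009]: source [100.88.11.9] - 0 tcp qps : 17 udp qps [17 qps A]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =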