การติดตั้ง fail2ban


การติดตั้ง fail2ban

Post by brid.surapol »

วิธีดู attempt attack หรือ login เข้า sshd


# Follow the auth log live and show only lines that mention sshd.
# NOTE(review): reading auth.log usually needs root or membership in the log-reading group; confirm on the target host.
tail -f /var/log/auth.log | grep 'sshd'


# Install fail2ban from the distribution package repository.
sudo apt install fail2ban
ใน /etc/fail2ban
แก้ไข file jail.conf


# Changes to the defaults in jail.conf. Each group shows the original line,
# a separator line meaning "change to", and then the new line.
# NOTE: jail.conf ships with the package and can be overwritten by an upgrade;
# the same keys can be set under [DEFAULT] in jail.local instead.
# bantime: how long an address stays banned.
bantime = 10m
เป็น
bantime = 2h

# findtime: the window in which failures are counted towards maxretry.
findtime = 60m
เป็น
findtime = 30m

# maxretry: number of failures inside findtime that triggers a ban.
maxretry = 5
เป็น
maxretry = 3

# port: 0:65535 makes a ban cover every port instead of only ssh.
# NOTE(review): this only has an effect with ban actions that use the port
# value -- confirm against the banaction in use.
port = ssh
เป็น
port = 0:65535
เพิ่ม file jail.local


# jail.local: local overrides read after jail.conf. Keys under [DEFAULT]
# apply to every jail unless the jail sets its own value.
[DEFAULT]
# Addresses listed here are never banned, whatever they do. Keep the list as
# short as possible: 172.16.0.0/16 exempts that whole range, so a compromised
# host inside it can keep guessing passwords without being blocked, and an
# exempted public address stays exempt even if it is later reassigned.
ignoreip = 172.16.0.0/16 171.97.16.133 183.88.230.98

# Main SSH jail: 3 failures matched by the sshd filter lead to a 1h ban
# (this bantime overrides the 2h default set in jail.conf).
[sshd]
enabled = true
port = 0:65535
filter = sshd
# NOTE(review): this jail reads a fixed file while the two jails below use
# %(sshd_log)s and %(sshd_backend)s. On hosts where sshd logs only to the
# journal this file may not exist -- confirm the jail actually starts.
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
# iptables-allports blocks the banned address on all ports, so for this jail
# the port value above is not what determines the scope of the ban.
action = iptables-allports

# Bans on the first attempt to log in as an account that does not exist.
# With maxretry = 1, one mistyped username from an address outside ignoreip
# locks that address out for the whole bantime.
# No action is set, so this jail uses the default ban action.
[sshd-invaliduser]
enabled = true
maxretry = 1
port    = 0:65535
filter = sshd-invaliduser
# sshd_log and sshd_backend are not defined in this file.
# NOTE(review): presumably provided by fail2ban's distribution path
# definitions -- confirm they resolve on this system.
logpath = %(sshd_log)s
backend = %(sshd_backend)s

# Bans on the first failed root login matched by the sshd-root filter.
# No action is set, so this jail uses the default ban action.
[sshd-root]
enabled = true
maxretry = 1
port    = 0:65535
filter = sshd-root
logpath = %(sshd_log)s
backend = %(sshd_backend)s
ใน /etc/fail2ban/filter.d
เพิ่ม file sshd-invaliduser.conf


# filter.d/sshd-invaliduser.conf: matches sshd log lines for login attempts
# against accounts that do not exist.
[INCLUDES]
# common.conf is read first; failregex below relies on __prefix_line.
before = common.conf

[Definition]
# Daemon name substituted into the log-line prefix.
_daemon = sshd

# Matches "Invalid user NAME from ADDR", optionally followed by "port N", and
# the older "Illegal user" wording. NAME is text chosen by the remote client,
# so the ^ and $ anchors matter: <HOST> has to be the last address on the
# line, the one sshd itself wrote, not something embedded in the username.
# NOTE(review): newer OpenSSH releases may log under a different process name
# than sshd -- check that real log lines still match with fail2ban-regex.
failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
# Empty: no matching line is excluded.
ignoreregex =

[Init]
# Journal selection used with the systemd backend; "+" joins the two terms
# as alternatives (unit sshd.service, or any process named sshd).
# NOTE(review): Debian/Ubuntu name the unit ssh.service, so presumably only
# the _COMM=sshd term matches there -- confirm.
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
เพิ่ม file sshd-root.conf


# filter.d/sshd-root.conf: matches failed password or publickey logins for
# the root account.
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Daemon name substituted into the log-line prefix.
_daemon = sshd

# Matches "Failed password for root from ADDR" or "Failed publickey for root
# from ADDR", optionally followed by "port N" and "sshN", with nothing after.
# NOTE(review): sshd usually appends the key type and fingerprint to
# publickey failures, which the $ anchor would reject -- test real log lines
# with fail2ban-regex before relying on the publickey branch.
# NOTE(review): unlike sshd-invaliduser.conf there is no [Init] journalmatch
# here -- confirm this filter behaves as intended with the systemd backend.
failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$

# Empty: no matching line is excluded.
ignoreregex =
restart fail2ban


# Restart so the new jails and filters are loaded. A mistake in any jail or
# filter file can stop the service from starting; `sudo fail2ban-client -t`
# tests the configuration beforehand.
sudo systemctl restart fail2ban
วิธีดู status ของ fail2ban


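# Show failure counters and the currently banned addresses for the sshd jail.
sudo fail2ban-client status sshd

# Or query any other jail by the section name it has in jail.local, e.g.
# (the jail defined above is sshd-invaliduser, not ssh-invaliduser):
sudo fail2ban-client status sshd-invaliduser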
วิธีดู banned ip


# List ban events recorded in the current fail2ban log. Only this one file is
# searched; rotated logs (fail2ban.log.1, *.gz) are separate files and would
# have to be named as well to see older bans.
sudo zgrep 'Ban' /var/log/fail2ban.log
Last edited by brid.surapol on 17 Mar 2026, 09:08, edited 6 times in total.

Re: การติดตั้ง fail2ban

Post by brid.surapol »

/etc/ssh/sshd_config


# Refuse direct root logins over SSH; administrators log in as a normal user
# and elevate afterwards. Make sure such an account exists before restarting.
PermitRootLogin no
# Maximum authentication attempts allowed per connection. This is separate
# from fail2ban's maxretry, which counts logged failures across connections.
MaxAuthTries 4
restart sshd


# Apply the sshd_config changes. `sudo sshd -t` checks the file for syntax
# errors first; keep the current session open until a new login has been
# tested, so a bad setting cannot lock you out.
sudo service ssh restart