Blocking Brute Force Attacks with Fail2ban
1. Install the package with yum
yum install fail2ban
2. Configure the jail settings
vi /etc/fail2ban/jail.conf
(jail.conf is overwritten when the package is upgraded; on releases that support it, put your own settings in /etc/fail2ban/jail.local, which is read afterwards and overrides jail.conf.)
----------//---------
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 <----------- addresses listed here are never banned by fail2ban (add your own management IP so you cannot lock yourself out)
# "bantime" is the number of seconds that a host is banned.
bantime = 600 <-------- how long, in seconds, the offending host stays banned
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 6 <------- a host is banned once it has failed to log in maxretry times within the findtime window above
......
[ssh-iptables]
enabled = true <------- enables this jail for ssh
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 6 <-------- a value set here takes precedence over the [DEFAULT] 'maxretry' above
----------//---------
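As an added example (it is not part of the original post and not fail2ban's own code), the script below applies the counting rule of the jail above (ignoreip, findtime, maxretry) to a constructed sample of /var/log/secure lines. The failregex is a simplified stand-in for the "Failed password" pattern of fail2ban's sshd filter, the year is assumed because syslog timestamps carry none, and all addresses and log lines are made up. It shows that a host which fails six times in twenty seconds is banned on the sixth failure, that a host which spreads six failures over twenty minutes never has maxretry failures inside one findtime window, and that failures from an ignoreip address are never counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/secure (syslog timestamps carry no year).
SAMPLE_LOG = """\
Mar 10 10:00:00 srv sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar 10 10:00:01 srv sshd[2102]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 10:00:03 srv sshd[2103]: Failed password for invalid user admin from 127.0.0.1 port 40010 ssh2
Mar 10 10:00:05 srv sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 10:00:06 srv sshd[2105]: Failed password for invalid user admin from 127.0.0.1 port 40011 ssh2
Mar 10 10:00:09 srv sshd[2106]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 10:00:09 srv sshd[2107]: Failed password for invalid user admin from 127.0.0.1 port 40012 ssh2
Mar 10 10:00:12 srv sshd[2108]: Failed password for invalid user admin from 127.0.0.1 port 40013 ssh2
Mar 10 10:00:13 srv sshd[2109]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 10 10:00:15 srv sshd[2110]: Failed password for invalid user admin from 127.0.0.1 port 40014 ssh2
Mar 10 10:00:17 srv sshd[2111]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar 10 10:00:18 srv sshd[2112]: Failed password for invalid user admin from 127.0.0.1 port 40015 ssh2
Mar 10 10:00:20 srv sshd[2113]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2
Mar 10 10:00:21 srv sshd[2114]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar 10 10:04:00 srv sshd[2115]: Failed password for root from 198.51.100.7 port 51023 ssh2
Mar 10 10:08:00 srv sshd[2116]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 10:12:00 srv sshd[2117]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar 10 10:16:00 srv sshd[2118]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar 10 10:20:00 srv sshd[2119]: Failed password for root from 198.51.100.7 port 51027 ssh2
"""

# Simplified stand-in for the "Failed password" line of fail2ban's sshd filter
# (the real filter.d/sshd.conf carries several more failregex patterns).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text, year):
    """Return (timestamp, host) for every line the failregex matches, sorted by time."""
    found = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        found.append((ts, m.group("host")))
    found.sort()
    return found


def is_ignored(host, ignoreip):
    """ignoreip accepts plain addresses or CIDR masks, as in jail.conf."""
    return any(ip_address(host) in ip_network(n, strict=False) for n in ignoreip)


def compute_bans(failures, findtime=600, maxretry=6, ignoreip=("127.0.0.1",)):
    """Ban a host once it has maxretry failures inside any findtime-second window.
    Returns {host: time the ban was triggered}."""
    recent = defaultdict(deque)  # host -> failure times still inside the window
    bans = {}
    for ts, host in failures:
        if host in bans or is_ignored(host, ignoreip):
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans[host] = ts
    return bans


def run_example():
    # Same values as the [ssh-iptables] jail: findtime 600, maxretry 6, ignoreip 127.0.0.1.
    return compute_bans(parse_failures(SAMPLE_LOG, year=2024),
                        findtime=600, maxretry=6, ignoreip=("127.0.0.1",))


if __name__ == "__main__":
    for host, when in run_example().items():
        print(f"ban {host} at {when:%H:%M:%S} (a 600 s bantime would expire at {when.hour:02d}:{when.minute + 10:02d}:{when.second:02d})")
```

Lowering maxretry in the jail (for instance to 3) makes the slow attacker bannable too, which is why the per-jail value, not the [DEFAULT] one, is what matters for ssh.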
3. Start the service
service fail2ban start
4. Start automatically at boot
chkconfig --levels 235 fail2ban on
5. (Optional) Verify
iptables -L
A chain named fail2ban-SSH should now exist, hooked from INPUT for the ssh port. fail2ban-client status ssh-iptables shows the jail's currently banned addresses.
=================================================
How to unblock a user from fail2ban
Log onto the server and su - to root.
To see which IPs are blocked, type the following:
iptables -L -n
This outputs the iptables rule list, and near the bottom you will see the chain fail2ban-SSH:
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
The listing above shows an empty chain; each banned address appears as its own DROP rule above the final RETURN line.
To remove the customer's IP from the block list, type the following:
iptables -D fail2ban-SSH -s IP -j DROP
Replace IP with the customer's public IP address, and use the target actually shown in the listing (-j DROP here; newer fail2ban releases use REJECT with a reject-with option, which must be repeated on the -D command for the rule to match).
This removes the user from the block list, and they should be able to access the dedicated server again. Note that deleting the iptables rule by hand does not tell fail2ban anything: the address is banned again after the next maxretry failures within findtime, and fail2ban will log an error when it tries to remove the already-deleted rule at bantime expiry. On fail2ban 0.8.8 and later, fail2ban-client set ssh-iptables unbanip IP lifts the ban through fail2ban itself and is the cleaner option.
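As an added example (not part of the original post and not fail2ban's own code), the script below parses a constructed iptables -L -n listing, picks out only the rules inside the fail2ban-SSH chain, and builds the exact unban commands for one address. The chain name fail2ban-SSH and jail name ssh-iptables are taken from the configuration above; the two banned addresses in the sample are made up. The rule parser keeps the trailing options column so that a REJECT target with a reject-with option is reproduced on the -D command as well as the plain DROP case shown on the page.

```python
import re

# Constructed sample of `iptables -L -n` output with two banned addresses in the
# fail2ban-SSH chain (the page's listing shows the same chain empty, with only RETURN).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.5          0.0.0.0/0
REJECT     all  --  198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) ")
# target, prot, opt, source, destination, then whatever options follow (may be empty)
RULE = re.compile(r"^(?P<target>\S+)\s+\S+\s+\S+\s+(?P<source>\S+)\s+\S+\s*(?P<extra>.*)$")


def parse_chain(listing, chain):
    """Return the ban rules of one chain: every rule except the trailing RETURN."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            in_chain = (m.group(1) == chain)  # rules of other chains are skipped
            continue
        if not in_chain or not line.strip() or line.startswith("target"):
            continue
        r = RULE.match(line)
        if r and r.group("target") != "RETURN":
            rules.append({"target": r.group("target"),
                          "source": r.group("source"),
                          "extra": r.group("extra").strip()})
    return rules


def unban_commands(listing, ip, chain="fail2ban-SSH", jail="ssh-iptables"):
    """Build the commands that lift the ban on `ip`: the iptables -D that matches
    the rule as listed, plus the fail2ban-client call that updates fail2ban's own
    bookkeeping (assumes fail2ban 0.8.8 or newer). Empty if `ip` is not banned."""
    cmds = []
    for rule in parse_chain(listing, chain):
        if rule["source"] != ip:
            continue
        jump = f"-j {rule['target']}"
        m = re.match(r"reject-with (\S+)", rule["extra"])
        if m:
            jump += f" --reject-with {m.group(1)}"  # needed for -D to match a REJECT rule
        cmds.append(f"iptables -D {chain} -s {ip} {jump}")
        cmds.append(f"fail2ban-client set {jail} unbanip {ip}")
    return cmds


if __name__ == "__main__":
    for rule in parse_chain(SAMPLE_IPTABLES, "fail2ban-SSH"):
        print(f"banned: {rule['source']} ({rule['target']})")
    for cmd in unban_commands(SAMPLE_IPTABLES, "198.51.100.7"):
        print(cmd)
```

Running it against a real box means feeding it the output of iptables -L -n (for example via subprocess) instead of the constructed sample; nothing in the parser depends on the sample beyond the column layout iptables prints.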