Настройка сетевого экрана IPTables и пакета Fail2Ban

Установка и настройка пакета iptables для Debian/Ubuntu

 

# apt-get install -y iptables-persistent

Настраиваем цепочки iptables и сохраняем в файл /etc/iptables/iptables.v4

# Generated by iptables-save v1.4.14 on Tue Oct 7 22:40:58 2014
# Persistent IPv4 filter table for the PBX host. INPUT and FORWARD default to
# DROP, so only the ACCEPT rules below admit traffic; OUTPUT is unrestricted.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [15:1356]
# Fragmented ICMP is dropped outright.
-A INPUT -p icmp -f -j DROP
# A NEW TCP connection must begin with a bare SYN; any other flag combination
# on a NEW packet is dropped.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# An unsolicited SYN/ACK (no matching outbound SYN in conntrack) gets a reset.
-A INPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
-A INPUT -i lo -j ACCEPT
# Bare RST segments are accepted at 1/sec (the listing below shows the module
# default burst of 5).
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
# ICMP type 3 code 4 (fragmentation needed) and type 11 (time exceeded) are
# the only ICMP types accepted unconditionally.
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# TCP 2299 (the SSH port the fail2ban [ssh] jail on this page watches) is open
# to every source on every interface.
# NOTE(review): this unconditional ACCEPT comes before the two `-m recent`
# rules at the end of the chain, so a SYN to 2299 is accepted here and never
# reaches them — the SYN rate limit is dead as ordered. Moving the two
# `recent` rules above this line would make it effective.
-A INPUT -p tcp -m tcp --dport 2299 -j ACCEPT
# TCP 8099 is likewise open to every source; the page does not say which
# service listens there — confirm it, and restrict by source/interface if
# only LAN clients need it.
-A INPUT -p tcp -m tcp --dport 8099 -j ACCEPT
# LAN 192.168.0.0/24 on eth0: HTTPS, 8000, 4445, 5038 (presumably the Asterisk
# manager interface — verify), SMTP, DNS, POP3, IMAP, SIP and the UDP media
# ranges.
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 4000:4999 -j ACCEPT
# Two further subnets on eth1: SIP signalling and the RTP range only.
-A INPUT -s 10.220.0.0/24 -i eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 10.220.0.0/24 -i eth1 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 10.223.0.0/24 -i eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 10.223.0.0/24 -i eth1 -p udp -m udp --dport 10000:20000 -j ACCEPT
# Named external peers on eth0 (SIP providers/trunks), each limited to its
# signalling and media ports. SIP from any other Internet source is not
# accepted anywhere in this chain and falls through to the DROP policy.
-A INPUT -s 77.245.113.157/32 -i eth0 -p udp -m udp --dport 5000:7000 -j ACCEPT
-A INPUT -s 77.245.113.157/32 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 77.245.112.131/32 -i eth0 -p udp -m udp --dport 5000:7000 -j ACCEPT
-A INPUT -s 77.245.112.131/32 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 80.75.130.134/32 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 80.75.130.134/32 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 217.115.80.105/32 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 217.115.80.105/32 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 217.115.80.105/32 -i eth0 -p udp -m udp --dport 4000:4999 -j ACCEPT
-A INPUT -s 193.201.229.35/32 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 193.201.229.35/32 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 85.140.81.28/32 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 85.140.81.28/32 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 85.140.87.248/32 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 85.140.87.248/32 -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
# SYN-rate tracking for TCP 2299 with the `recent` module: the first rule only
# records the source address (it has no target, so it never decides anything),
# the second drops a source once it has sent 3 SYNs within 30 s. Both match on
# every interface. See the ordering note at the 2299 ACCEPT rule above: as
# listed, packets never get this far.
-A INPUT -p tcp -m tcp --dport 2299 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name dmitro --rsource
-A INPUT -p tcp -m tcp --dport 2299 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 30 --hitcount 3 --name dmitro --rsource -j DROP
COMMIT
# Completed on Tue Oct 7 22:40:58 2014

Для сохранения настроек копируем два файла /etc/iptables/iptables.v4 и /etc/iptables/iptables.v6 на Ваш жесткий диск

# service iptables-persistent reload
# service iptables-persistent save
# /sbin/iptables -L -v -n

Список команд

# service iptables-persistent flush (Почистить)
# service iptables-persistent force-reload (Перезапуск настроек)
# service iptables-persistent reload (Перезапуск настроек)
# service iptables-persistent save (Сохранить)
# service iptables-persistent start (Старт)
# service iptables-persistent restart (Рестарт)

Usage: /etc/init.d/iptables-persistent {start|restart|reload|force-reload|save|flush}

Посмотреть список цепочек можно командой:

# /sbin/iptables -L -v -n или # iptables -L -v -n

root@pbx:~# /sbin/iptables -L -v -n
Chain INPUT (policy DROP 52 packets, 4775 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcpflags:! 0x17/0x02
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW tcpflags: 0x12/0x12 reject-with tcp-reset
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
12 556 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2299
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8099
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:8000
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:4445
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:5038
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24 0.0.0.0/0 udp dpts:4000:4999
0 0 ACCEPT udp -- eth1 * 10.220.0.0/24 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth1 * 10.220.0.0/24 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth1 * 10.223.0.0/24 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth1 * 10.223.0.0/24 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 77.245.113.157 0.0.0.0/0 udp dpts:5000:7000
0 0 ACCEPT udp -- eth0 * 77.245.113.157 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 77.245.112.131 0.0.0.0/0 udp dpts:5000:7000
0 0 ACCEPT udp -- eth0 * 77.245.112.131 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 80.75.130.134 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth0 * 80.75.130.134 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 217.115.80.105 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth0 * 217.115.80.105 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 217.115.80.105 0.0.0.0/0 udp dpts:4000:4999
0 0 ACCEPT udp -- eth0 * 193.201.229.35 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth0 * 193.201.229.35 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 85.140.81.28 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth0 * 85.140.81.28 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp -- eth0 * 85.140.87.248 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- eth0 * 85.140.87.248 0.0.0.0/0 udp dpts:10000:20000
0 0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2299flags: 0x17/0x02 recent: SET name: dmitro side: source
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2299flags: 0x17/0x02 recent: UPDATE seconds: 30 hit_count: 3 name: dmitro side: source
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 10 packets, 968 bytes)
pkts bytes target prot opt in out source destination
root@pbx:~#

6.4.2 Установка и настройка пакета fail2ban для Debian/Ubuntu

# apt-get install -y iptables-persistent fail2ban jwhois

Изменить конфигурационный файл /etc/fail2ban/jail.conf для пакета fail2ban (заголовок самого файла предупреждает «DO NOT MODIFY THIS FILE»: переопределения лучше вносить в /etc/fail2ban/jail.local, чтобы они не терялись при обновлении пакета)

# nano /etc/fail2ban/jail.conf

Вставить код

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>;
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
# NOTE(review): 192.168.0.1/24 has host bits set; the canonical spelling of
# the same range is 192.168.0.0/24. Every host on that LAN is exempt from
# banning by every jail, so brute force from inside the LAN is never blocked.
ignoreip = 127.0.0.1/8 192.168.0.1/24
# Global defaults: a 10-minute ban after 3 failures. Individual jails below
# override maxretry and bantime.
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
# NOTE(review): the trailing ">" looks like a typo. It is harmless while
# "action" stays %(action_)s, because that shortcut never references destemail.
destemail = root@localhost>
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
# The persistent rule set on this page has unconditional ACCEPTs in INPUT
# (TCP 2299, 8099); after a test ban, check with `iptables -L -n -v` that the
# fail2ban jump sits ahead of those rules, otherwise the ban has no effect.
chain = INPUT
## Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
# NOTE(review): the second line of action_mw (and of action_mwl below) lost
# its leading whitespace in this paste. In the INI format a multi-line value
# must be indented under its key, otherwise the parser will not treat the
# line as part of the value.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
# SSH jail on the non-standard port opened in the iptables set (TCP 2299).
# NOTE(review): maxretry = 1 bans after a single failed login for the global
# bantime (600 s). LAN hosts are exempt through ignoreip, but one mistyped
# password from any other address locks that address out for ten minutes.
[ssh]
enabled = true
port = 2299
filter = sshd
logpath = /var/log/auth.log
maxretry = 1
# Stock Debian jails; all three are disabled on this host.
[dropbear]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
# NOTE(review): second "port" key in this section; which value survives is up
# to the parser (presumably the last one). Moot while the jail is disabled.
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
# Companion to [ssh]: the sshd-ddos filter on the same port and log file,
# with its own maxretry of 3 (the global default) instead of 1.
[ssh-ddos]
enabled = true
port = 2299
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3
#
# HTTP servers
#
# Stock Debian jail definitions for HTTP, FTP, mail and DNS servers. Every
# jail below is disabled (enabled = false) on this host and is kept only as
# reference; the active jails are [ssh], [ssh-ddos] and [asterisk-iptables].
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
# Mail servers
#
# The mail jails set no maxretry, so the [DEFAULT] value of 3 applies.
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# DNS Servers
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
##start##
# Asterisk jail: reads the dedicated fail2ban log channel and, after 2
# matches, bans the offending host on all ports and protocols (the
# iptables-allports action in the [DEFAULT] chain INPUT) for 72 h.
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
# Modify and uncomment below to send email, make sure exim4 has been reconfigured
# NOTE(review): the next line is neither commented out nor indented as a
# continuation of "action", and its dest/sender addresses are placeholders.
# As pasted it is not a valid key line. If it is meant as a second action it
# must be indented under "action =" with a real destination; otherwise prefix
# it with "#" as the comment above intends.
mail-whois[name=ASTERISK, dest=ru@ru.ru, sender=fail2ban@pbx.asterisk.org]
# Must match the Asterisk logger channel created in
# /etc/asterisk/logger_logfiles_custom.conf.
logpath = /var/log/asterisk/fail2ban
maxretry = 2
bantime = 259200
##end##

Добавить отчет журналирования для пакета fail2ban

# nano /etc/asterisk/logger_logfiles_custom.conf

; Asterisk logger channel consumed by the fail2ban [asterisk-iptables] jail
; (logpath = /var/log/asterisk/fail2ban). The "security" level carries the
; SecurityEvent lines the asterisk filter matches; the file has to exist and
; be owned by the asterisk user (see the touch/chown steps on this page).
fail2ban => security,notice,warning,error

Создать фильтр для пакета fail2ban

# cd /etc/fail2ban/filter.d/
# nano asterisk.conf

##start##

# Fail2Ban configuration file
# Author: Xavier Devlamynck

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
# common.conf supplies %(__pid_re)s used in log_prefix below.
before = common.conf

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
# Common prefix of an Asterisk log line at NOTICE or SECURITY level. The
# leading \[\] presumably matches the bracket pair left over once fail2ban
# has stripped the timestamp — confirm with fail2ban-regex against a real
# line from /var/log/asterisk/fail2ban.
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

# <HOST> is fail2ban's placeholder for the address that gets banned.
# NOTE(review): the continuation lines of failregex lost their indentation in
# this paste. In the INI format each additional pattern must be indented
# under "failregex =", otherwise the parser will not treat it as part of the
# value. Also note that the last pattern requires a purely numeric
# AccountID ("\d+"); SecurityEvent lines for alphanumeric account names
# would not match it.
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>;\S*$
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>;>;tag=\w+\S*$
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

##end##

Создать файл журналирования для пакета fail2ban

# touch /var/log/asterisk/fail2ban
# chown -R asterisk:asterisk /var/log/asterisk/fail2ban

Перезагрузить службу журналирования в Asterisk

# asterisk -rx "logger reload"

Настроить пакет fail2ban на уровне Linux

# update-rc.d fail2ban defaults
# service fail2ban restart
# service iptables-persistent restart

Просмотр статуса работы пакета fail2ban

# iptables -L -n -v
# fail2ban-client status asterisk-iptables
# fail2ban-client get asterisk-iptables actionunban 192.168.1.101