Fail2ban with Firewalld to Prevent Brute-Force Attacks

Fail2ban (roughly "failure leads to ban") is an intrusion prevention system (a framework for preventing break-ins) written in Python that runs on any POSIX operating system with a controllable packet filter or firewall (e.g. iptables on Linux). [Source: Wikipedia]


Installation on Red Hat Enterprise Linux 7 / CentOS 7

yum install fail2ban fail2ban-firewalld
================================================================================================================================
 Package                        Arch               Version                     Paketquelle                                Größe
================================================================================================================================
Installieren:
 fail2ban                       noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL              11 k
 fail2ban-firewalld             noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL              11 k
Als Abhängigkeiten installiert:
 fail2ban-sendmail              noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL              14 k
 fail2ban-server                noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL             286 k
 systemd-python                 x86_64             219-30.el7_3.9              rhel-7-server-rpms                         110 k

Transaktionsübersicht
================================================================================================================================
Installieren  2 Pakete (+3 Abhängige Pakete)

Adjustments for Firewalld

Because Fail2ban does not work reliably with Firewalld out of the box, the following adjustments are required: the default ban action is replaced by a custom action that moves the offending source address into Firewalld's drop zone.

File: /etc/fail2ban/jail.d/00-firewalld.conf

[DEFAULT]
banaction = custom-firewalld

File: /etc/fail2ban/action.d/custom-firewalld.conf

[INCLUDES]
before  =

[Definition]
# Nothing to set up or tear down: the drop zone already exists in Firewalld
actionstart =
actionstop =
actioncheck =

# ban: move the offending source into the drop zone, in the runtime and the permanent configuration
actionban = firewall-cmd --change-source=<ip> --zone=drop && firewall-cmd --change-source=<ip> --zone=drop --permanent
# unban: bind the source to the drop zone first, then remove it from that zone (runtime and permanent)
actionunban = firewall-cmd --change-source=<ip> --zone=drop && firewall-cmd --change-source=<ip> --zone=drop --permanent && firewall-cmd --remove-source=<ip> --zone=drop && firewall-cmd --remove-source=<ip> --zone=drop --permanent

[Init]

Test

fail2ban-client -v -d prints the configuration currently in effect.

fail2ban-client set dovecot banip 55.55.55.55 puts the IP address 55.55.55.55 on the blacklist and activates the ban in Firewalld. This is visible in the output of iptables -L -n: the address appears as a source in the INPUT_ZONES_SOURCE and FORWARD_IN_ZONES_SOURCE chains, dispatched to IN_drop and FWDI_drop respectively, both of which end in DROP.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination
FWDI_nagios  all  --  10.71.1.22           0.0.0.0/0           [goto]
FWDI_drop  all  --  55.55.55.55          0.0.0.0/0

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination
FWDO_nagios  all  --  0.0.0.0/0            10.71.1.22          [goto]
FWDO_drop  all  --  0.0.0.0/0            55.55.55.55

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_drop (1 references)
target     prot opt source               destination
FWDI_drop_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_drop_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_drop_allow  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_drop_allow (1 references)
target     prot opt source               destination

Chain FWDI_drop_deny (1 references)
target     prot opt source               destination

Chain FWDI_drop_log (1 references)
target     prot opt source               destination

Chain FWDI_nagios (4 references)
target     prot opt source               destination
FWDI_nagios_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_nagios_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_nagios_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_nagios_allow (1 references)
target     prot opt source               destination

Chain FWDI_nagios_deny (1 references)
target     prot opt source               destination

Chain FWDI_nagios_log (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_drop (1 references)
target     prot opt source               destination
FWDO_drop_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_drop_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_drop_allow  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_drop_allow (1 references)
target     prot opt source               destination

Chain FWDO_drop_deny (1 references)
target     prot opt source               destination

Chain FWDO_drop_log (1 references)
target     prot opt source               destination

Chain FWDO_nagios (4 references)
target     prot opt source               destination
FWDO_nagios_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_nagios_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_nagios_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_nagios_allow (1 references)
target     prot opt source               destination

Chain FWDO_nagios_deny (1 references)
target     prot opt source               destination

Chain FWDO_nagios_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination
IN_nagios  all  --  10.71.1.22           0.0.0.0/0           [goto]
IN_drop    all  --  55.55.55.55          0.0.0.0/0

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_drop (1 references)
target     prot opt source               destination
IN_drop_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_drop_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_drop_allow  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain IN_drop_allow (1 references)
target     prot opt source               destination

Chain IN_drop_deny (1 references)
target     prot opt source               destination

Chain IN_drop_log (1 references)
target     prot opt source               destination

Chain IN_nagios (4 references)
target     prot opt source               destination
IN_nagios_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_nagios_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_nagios_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_nagios_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6556 ctstate NEW

Chain IN_nagios_deny (1 references)
target     prot opt source               destination

Chain IN_nagios_log (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1352 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1501 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1581 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993 ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

The command fail2ban-client set dovecot unbanip 55.55.55.55 releases the IP address again for the dovecot jail. Afterwards the address should no longer be listed by firewall-cmd --zone=drop --list-sources.
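To verify a ban without reading the whole listing by hand, the following added example (not part of the original page) parses iptables -L -n output and reports whether an address is dispatched to the drop zone in both the INPUT and FORWARD paths. The sample listing embedded in it is a constructed excerpt modelled on the output above.

```python
import re
from collections import defaultdict

# Constructed excerpt of `iptables -L -n` on a firewalld host (sample, not captured).
SAMPLE_IPTABLES = """\
Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination
IN_nagios  all  --  10.71.1.22           0.0.0.0/0           [goto]
IN_drop    all  --  55.55.55.55          0.0.0.0/0

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination
FWDI_nagios  all  --  10.71.1.22           0.0.0.0/0           [goto]
FWDI_drop  all  --  55.55.55.55          0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# firewalld dispatches per-source traffic to IN_<zone> (INPUT) / FWDI_<zone> (FORWARD)
TARGET_RE = re.compile(r"^(?:IN|FWDI)_(\w+)$")

def parse_chains(output):
    """Return {chain: [(target, source), ...]} parsed from `iptables -L -n` text."""
    chains, current = defaultdict(list), None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        fields = line.split()
        if current and len(fields) >= 5 and fields[0] != "target":
            chains[current].append((fields[0], fields[3]))
    return chains

def source_zones(chains, dispatch_chain):
    """Map each source in a *_ZONES_SOURCE chain to the firewalld zone it is sent to."""
    zones = {}
    for target, source in chains.get(dispatch_chain, []):
        m = TARGET_RE.match(target)
        if m:
            zones[source] = m.group(1)
    return zones

def is_banned(output, ip):
    """True only if ip goes to the drop zone in both INPUT and FORWARD (else stale/partial)."""
    chains = parse_chains(output)
    return all(
        source_zones(chains, c).get(ip) == "drop"
        for c in ("INPUT_ZONES_SOURCE", "FORWARD_IN_ZONES_SOURCE")
    )
```

On a live host, feed it the real listing with subprocess.run(["iptables", "-L", "-n"], capture_output=True, text=True).stdout; a source present in only one of the two chains indicates a half-applied or stale rule set worth investigating.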