CentOS6에서 SSH 접근 시도 차단하기
1. Fail2Ban 설치
# rpm -Uhh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# yum install -y fail2ban –enablerepo=epel
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# vi /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
findtime = 600
maxretry = 3
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp.udp]
sendmail-whois[name=SSH, dest=root, sender=admin@ycit.co.kr]
logpath = /var/log/secure
maxretry = 5
/etc/init.d/fail2ban restart 또는 service fail2ban restart
iptables -L
1-1. SSH 로그인 시도 IP를 확인
# ls /var/log/secure | xargs grep -E “[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+” -o | sort | uniq
1-2. 최근 로그인 실패 기록을 확인
[root@localhost ~]# last -f /var/log/btmp | more
20 Linux Log Files that are Located under /var/log Directory에 보면 /var/log/btmp에 대한 설명을 확인 할 수 있습니다.
fail2ban은 지정된 시간 내에 지정된 횟수 이상으로 ssh 로그인을 실패하면 해당 IP에서의 접근을 지정된 시간만큼 차단하는 역할을 합니다.
centos7
# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
fail2ban 설치
# yum install -y fail2ban –enablerepo=epel
CentOS 7에서 설치시 fail2ban-firewalld 패키지가 같이 필수로 설치됩니다.
firewalld 말고, iptables을 계속 사용한다면 /etc/fail2ban/jail.d/00-firewalld.conf 파일을 제거해야 iptables를 통한 차단이 이루어집니다.
systemctl enable fail2ban
fail2ban-systemd 설치 (CentOS 7)
fail2ban는 접속로그 기록을 분석해서 실패기록을 근거로 차단하는 원리로 동작합니다.
# yum install fail2ban-system
fail2ban 기본 설정
fail2ban의 기본 설정파일은 /etc/fail2ban/jail.conf 입니다.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# vi /etc/fail2ban/jail.d/local.conf
[DEFAULT]
# Common
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 86400
maxretry = 3
banaction = firewallcmd-new
# Mail
destemail = 알림 수신메일 주소
sender = 알림 발신메일 주소
# Action
action_mw = %(banaction)s[name=%(__name__)s, bantime=”%(bantime)s”, port=”%(port)s”, protocol=”%(protocol)s”, chain=”%(chain)s”]
%(mta)s-whois[name=%(__name__)s, sender=”%(sender)s”, dest=”%(destemail)s”, protocol=”%(protocol)s”, chain=”%(chain)s”]
action = %(action_mw)s
[sshd]
enabled = true
8. 로그레벨 조정
fail2ban 로그파일( /var/log/fail2ban.log )에 로그가 너무 많이 생성된다면 로그레벨(loglevel)을 ERROR으로 조정하면 됩니다.
/etc/fail2ban/fail2ban.d 디렉토리에 사용자 설정파일( local.conf )을 생성하고, 로그레벨 설정을 넣으면 됩니다.
[root@localhost ~]# vi /etc/fail2ban/fail2ban.d/local.conf
[Definition]
loglevel = ERROR
9. fail2ban 서비스 시작
[root@localhost ~]# systemctl start fail2ban.service
10. fail2ban 상태 확인
[root@localhost ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 153
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 0
|- Total banned: 2
`- Banned IP list:
11. ipset에 설정(차단)된 내용 확인
[root@localhost ~]# ipset –list
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 16656
References: 1
Members:
12. fail2ban 로그 확인
[root@localhost ~]# cat /var/log/fail2ban.log | more
2017-08-12 00:48:50,511 fail2ban.server [32725]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-08-12 00:48:50,512 fail2ban.database [32725]: INFO Connected to fail2ban persistent database ‘/var/lib/fail2ban/fail2ban.sqlite3’
2017-08-12 00:48:50,515 fail2ban.database [32725]: WARNING New database created. Version ‘2’
2017-08-12 00:48:50,516 fail2ban.jail [32725]: INFO Creating new jail ‘sshd’
2017-08-12 00:48:50,538 fail2ban.jail [32725]: INFO Jail ‘sshd’ uses systemd {}
2017-08-12 00:48:50,566 fail2ban.jail [32725]: INFO Initiated ‘systemd’ backend
2017-08-12 00:48:50,567 fail2ban.filter [32725]: INFO Set maxRetry = 3
2017-08-12 00:48:50,568 fail2ban.filter [32725]: INFO Set jail log file encoding to UTF-8
2017-08-12 00:48:50,569 fail2ban.actions [32725]: INFO Set banTime = 86400
2017-08-12 00:48:50,570 fail2ban.filter [32725]: INFO Set findtime = 86400
2017-08-12 00:48:50,570 fail2ban.filter [32725]: INFO Set maxlines = 10
2017-08-12 00:48:50,660 fail2ban.filtersystemd [32725]: INFO Added journal match for: ‘_SYSTEMD_UNIT=sshd.service + _COMM=sshd’
2017-08-12 00:48:50,677 fail2ban.filter [32725]: INFO [sshd] Found 59.63.166.83
2017-08-12 00:48:50,679 fail2ban.jail [32725]: INFO Jail ‘sshd’ started
2017-08-12 00:48:50,681 fail2ban.filter [32725]: INFO [sshd] Found 59.xx.166.83
…
14. 차단 IP 목록
설치하고 몇분동안 차단된 아이피가 벌써 5개나 …
[root@localhost ~]# awk ‘($(NF-1) = /Ban/){print $NF}’ /var/log/fail2ban.log | sort | uniq -c | sort -n
1 116.xx.116.41
1 2.xx.93.91
1 39.xx.93.107
1 59.xx.166.83
1 61.xx.172.66
[root@localhost ~]# firewall-cmd –direct –get-rules ipv4 filter f2b-sshd
1000 -j RETURN
0 -s 61.xx.172.66 -j REJECT –reject-with icmp-port-unreachable
0 -s 59.xx.166.83 -j REJECT –reject-with icmp-port-unreachable
0 -s 116.xx.116.41 -j REJECT –reject-with icmp-port-unreachable
0 -s 2.xx.93.91 -j REJECT –reject-with icmp-port-unreachable
0 -s 39.xx.93.107 -j REJECT –reject-with icmp-port-unreachable
15. ip 차단해제
[root@localhost ~]# firewall-cmd –direct –remove-rule ipv4 filter f2b-sshd 0 -s [해제할 ip주소] -j REJECT –reject-with icmp-port-unreachable