Using fail2ban (0.10 series) in combination with the pf firewall

fail2ban is a tool that watches a log and, when it finds a line containing a configured keyword (a failed login authentication, say), registers the IP address on that line with the firewall for a fixed time and removes it again when that time is up. If you run a server exposed to the Internet you get a flood of suspicious access, but with the keywords set up properly you can probably BAN most of the persistent ones. What it drives isn't limited to the firewall, either; it can run other commands. BAN an IP address after 3 authentication failures within one hour (the intended use), or, when an attack pattern shows up in the log, launch a script that strikes back ("activate the offensive barrier" and other such chuunibyou fantasies): all sorts of things, depending on how it's configured.

Now, fail2ban moved from the 0.9 series to the 0.10 series around last summer and finally supports IPv6, which is good, but quite a few things changed. I don't know about Linux with iptables, but people using it on FreeBSD with pf may be having a hard time. Or rather, the thick-headed person behind "gatorabo" keeps getting it wrong. Hence this memo on configuring the fail2ban v0.10 series.

Configuration up to the v0.9 series

/usr/local/etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/24
bantime  = 3600    ← if I remember right, only seconds could be given
findtime  = 7200   ← if I remember right, only seconds could be given
maxretry = 2

[wordpress-auth]
enabled  = true
filter   = wordpress-auth
action   = pf
           sendmail-whois[name=wordpress-auth, dest=foobar@example.com, sender=fail2ban@example.com]
logpath  = /var/log/wordpress-access.log

Loaded as-is by the v0.10 series it will probably still start. In practice, though, it's nothing but errors.

Configuration for the v0.10 series

/usr/local/etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1/128 192.168.0.0/24 2001:2c0:d800:6701::/64
bantime  = 12h30m
findtime  = 1d12h
maxretry = 2

destemail = foobar@example.com
sender = fail2ban@<fq-hostname>

banaction = pf
action_pf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", actiontype=<allports>]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s"]

action = %(action_pf)s

[wordpress-auth]
enabled  = true
filter   = wordpress-auth
logpath  = /var/log/wordpress-access.log
#port = http,https

[hoge]
enabled  = true
filter   = hoge
logpath  = /var/log/hoge.log

Writing things in the [DEFAULT] section versus in each jail section ([wordpress-auth] and [hoge] in the example above) works as before: anything written in DEFAULT becomes the default for every section, and anything written in a jail section overrides the default for that section only, so there is no rule about where a setting has to go.
Times can still be given as a bare number, which is treated as seconds, and can now also be written with units such as 1s (1 second), 1m (1 minute), 1h (1 hour), 1d (1 day), 1mo (1 month) and 1y (1 year).
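As an added example (not from the original post, and not fail2ban's own code), a small Python converter for the 0.10-style time values described above, handy for checking what a bantime or findtime in jail.local actually works out to; the 30-day month and 365-day year used for mo and y are my assumptions, not something the post states.

```python
import re

# Multipliers for the units the post lists. The 30-day month and the
# 365-day year are assumptions made for this example.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
          "mo": 30 * 86400, "y": 365 * 86400}
# "mo" must be tried before "m", otherwise "1mo" would parse as 1 minute + junk.
_TOKEN = re.compile(r"(\d+)(mo|[smhdy])", re.IGNORECASE)


def duration_to_seconds(value: str) -> int:
    """Convert a bantime/findtime value to seconds.

    A bare number is the v0.9 form and already means seconds; anything
    else must be a run of <number><unit> tokens such as "12h30m" or "1d12h".
    Raises ValueError on anything it cannot account for, so a typo in
    jail.local is caught before fail2ban ever sees it.
    """
    text = re.sub(r"\s+", "", value)          # accept "1d 12h" as well
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:                   # junk between two tokens
            raise ValueError(f"cannot parse duration {value!r}")
        total += int(m.group(1)) * _UNITS[m.group(2).lower()]
        pos = m.end()
    if pos == 0 or pos != len(text):           # nothing parsed, or trailing junk
        raise ValueError(f"cannot parse duration {value!r}")
    return total


def is_valid_duration(value: str) -> bool:
    """True if duration_to_seconds() accepts the value."""
    try:
        duration_to_seconds(value)
        return True
    except ValueError:
        return False


def jail_times(settings: dict) -> dict:
    """Resolve bantime and findtime from one jail.local section to seconds."""
    return {key: duration_to_seconds(settings[key])
            for key in ("bantime", "findtime") if key in settings}


if __name__ == "__main__":
    # Values taken from the v0.10 jail.local example above.
    print(jail_times({"bantime": "12h30m", "findtime": "1d12h"}))
```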

The banaction variable selects pf as the firewall (see action.d/pf.conf). As an option I specified actiontype=<allports>. You can specify actiontype=<multiport> instead, but then you would add port="%(port)s", after the bantime in the action_pf variable and write port = hoge in each section as well (in the example above that is the commented-out port = http,https).
Don't ask why I go through an action_pf variable instead of specifying action directly.

The pf action has been practically rewritten from scratch, so it is a good idea to check pf.conf in the action.d directory.

The failregex and ignoreregex used by the filters look unchanged, so the files in filter.d written for v0.9 and earlier should work as they are.

The pf firewall side

The pf side has changed completely, so anyone updating from the v0.9 series has to deal with it.

Up to the v0.9 series it looked like this.

/etc/pf.conf
 1  ext_if = "em0"
 2  table <private> const { 10/8, 172.16/12, 192.168/16 }
 3  table <blacklist> persist file "/etc/pf_blacklist"
 4  table <fail2ban> persist
 5  
 6  set skip on lo0
 7  scrub in all
 8  scrub out on $ext_if all random-id
 9  block all
10  block in  quick on $ext_if from { <private>, <blacklist>, <fail2ban> } to any
11  (remainder omitted)

In the example above nothing is permitted, so it cannot talk to the outside world; assume the allow rules are in the omitted part.
So, with fail2ban up to the v0.9 series you created a fail2ban table and wrote a rule denying traffic from the IP addresses it contains (lines 4 and 10: the table <fail2ban> definition and the block rule that uses it). fail2ban added and removed IP addresses in that fail2ban table.

With the v0.10 series it looks like this.

/etc/pf.conf
 1  ext_if = "em0"
 2  table <private> const { 10/8, 172.16/12, 192.168/16 }
 3  table <blacklist> persist file "/etc/pf_blacklist"
 4  
 5  set skip on lo0
 6  scrub in all
 7  scrub out on $ext_if all random-id
 8  
 9  anchor "f2b/*"
10  
11  block all
12  block in  quick on $ext_if from {<private>, <blacklist>} to any
13  (remainder omitted)

The anchor on line 9 is the crux. That is all you add to the pf configuration. See the manual for other ways of writing it.
Think of the anchor not as a "set of IP addresses" but as the place where "the deny rules that fail2ban created" get included. The rules in that anchor (the ones fail2ban writes) drop packets from the IP addresses in the table.

In other words, because the drop rules live in the anchor, you do not drop with your own rule in pf.conf (line 12).
That does not mean you are forbidden to write other rules that use the f2b-hoge table name fail2ban created.

Checking to be sure, it looks like this.

With actiontype=<allports>:
# pfctl -a f2b/wordpress-auth -s rules
block drop quick proto tcp from <f2b-wordpress-auth> to any
# pfctl -a f2b/hoge -s rules
block drop quick proto tcp from <f2b-hoge> to any
With actiontype=<multiport> (wordpress-auth only):
# pfctl -a f2b/wordpress-auth -s rules
block drop quick proto tcp from <f2b-wordpress-auth> to any port = http
block drop quick proto tcp from <f2b-wordpress-auth> to any port = https

Specifying two ports, as in the port setting of [wordpress-auth] in the jail.local example above, apparently produces two lines. It could just as well have been written block drop quick proto tcp from <f2b-wordpress-auth> to any port { www, https }, oh well.

f2b-wordpress-auth and f2b-hoge are the tables fail2ban creates automatically, and they hold the IP addresses.
The rule itself is the simple "deny traffic from the IP addresses in the table".
Let's look at those tables.

# pfctl -a "f2b/wordpress-auth" -t f2b-wordpress-auth -T show
   192.168.2.149
   192.168.2.150
# pfctl -a "f2b/hoge" -t f2b-hoge -T show
   192.168.2.151
   192.168.2.152

A normal table is inspected with pfctl -t TABLENAME -T show, but for a table inside an anchor it is pfctl -a "ANCHORNAME" -t TABLENAME -T show, so don't get that wrong.

So: the anchor is named "f2b/SECTIONNAME" and the table is named "f2b-SECTIONNAME". Remember just that and you shouldn't go wrong.

Removing a wrongly registered IP address / registering a wrongly removed one

Basically you use the fail2ban-client command.

# fail2ban-client unban --all                          # remove every IP address registered in every section
# fail2ban-client set SECTIONNAME unbanip IPADDRESS    # remove a specific IP address
# fail2ban-client set SECTIONNAME banip IPADDRESS      # BAN a specific IP address

To remove an IP address manually with pfctl:

# pfctl -a "f2b/SECTIONNAME" -t f2b-SECTIONNAME -T delete IPADDRESS
1/1 addresses deleted.

Up to the v0.9 series this was pfctl -t TABLENAME -T delete IPADDRESS, but naturally this too now needs the anchor specified.

Viewing fail2ban's running status

# fail2ban-client status
Status
|- Number of jail:      13
`- Jail list:   wordpress-auth, hoge, hage, ...


# fail2ban-client status wordpress-auth
Status for the jail: wordpress-auth
|- Filter
|  |- Currently failed: 33
|  |- Total failed:     2259
|  `- File list:        /var/log/wordpress-access.log
`- Actions
   |- Currently banned: 33
   |- Total banned:     98
   `- Banned IP list: 192.168.0.149
(rest omitted)
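As an added example (not part of the original post, and not fail2ban's own code), a small Python audit that turns the naming rule from the anchor section (anchor f2b/SECTIONNAME, table f2b-SECTIONNAME) into the right pfctl commands and compares the "Banned IP list" from fail2ban-client status with what the pf table actually holds; the sample outputs are constructed for the example.

```python
import re
import shlex

def pf_names(section: str) -> tuple:
    """The 0.10 pf action uses anchor f2b/<section> and table f2b-<section>."""
    return f"f2b/{section}", f"f2b-{section}"

def pfctl_show_cmd(section: str) -> str:
    """List the jail's table; without -a pfctl would look for a global table."""
    anchor, table = pf_names(section)
    return f"pfctl -a {shlex.quote(anchor)} -t {table} -T show"

def pfctl_delete_cmd(section: str, ip: str) -> str:
    """Remove one address from the jail's table by hand."""
    anchor, table = pf_names(section)
    return f"pfctl -a {shlex.quote(anchor)} -t {table} -T delete {shlex.quote(ip)}"

def parse_table_show(output: str) -> set:
    """Addresses printed by `pfctl ... -T show`, one per (indented) line."""
    return {line.strip() for line in output.splitlines() if line.strip()}

def parse_banned_list(status: str) -> set:
    """Addresses on the 'Banned IP list:' line of `fail2ban-client status <section>`."""
    m = re.search(r"Banned IP list:[ \t]*(.*)", status)
    return set(m.group(1).split()) if m else set()

def ban_drift(status: str, table_output: str) -> tuple:
    """(banned by fail2ban but absent from pf, in pf but unknown to fail2ban).
    The first set is a ban that is not enforced; the second is a stale entry
    that no bantime expiry will ever remove."""
    banned, in_pf = parse_banned_list(status), parse_table_show(table_output)
    return banned - in_pf, in_pf - banned

# Constructed sample output for this example, not captured from a real host.
SAMPLE_STATUS = """Status for the jail: wordpress-auth
`- Actions
   |- Currently banned: 2
   `- Banned IP list:   192.0.2.10 192.0.2.11
"""
SAMPLE_TABLE = "   192.0.2.10\n   192.0.2.99\n"

if __name__ == "__main__":
    print(pfctl_show_cmd("wordpress-auth"))
    missing, stale = ban_drift(SAMPLE_STATUS, SAMPLE_TABLE)
    print("banned but not in pf:", sorted(missing))
    print("in pf but not banned:", sorted(stale))
    for ip in sorted(stale):                  # what you would run to clean up
        print(pfctl_delete_cmd("wordpress-auth", ip))
```

On a live host the two inputs are the outputs of fail2ban-client status SECTIONNAME and of the pfctl show command the script prints.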