https://blog.jarao.work/tags/%E5%AE%89%E5%85%A8/ Recent content in 安全 on Jarao's Blog Hugo -- gohugo.io zh-cn Thu, 19 Oct 2023 08:07:00 +0000 https://blog.jarao.work/articles/2023/10/fail2ban/ Thu, 19 Oct 2023 08:07:00 +0000 https://blog.jarao.work/articles/2023/10/fail2ban/ <img src="https://blog.jarao.work/articles/2023/10/fail2ban/cover.png" alt="Featured image of post 在OpenWrt上配置Fail2Ban" /><p><em>封面PID=112536466</em></p> <p>前段时间为了排查路由器的一些服务问题，去翻系统日志，发现自己的路由器因为有在公网上被扫了几百次（好家伙，我都换端口了还能扫😅），整个系统日志全是各种ssh连接失败的报错。虽然禁用了密码登录，但是整个日志被刷的太乱，导致正常运维都成问题，属实是伤害不高侮辱性极强了。于是为了保证我的路由器不被这些脚本小子搭讪，开始研究如何使用Fail2Ban来自动拉黑这些扫描的脚本机。</p> <h2 id="安装">安装 </h2><p>这块没什么好说的，不管是官方源还是目前国内普及的lean lede源都有fail2ban的包，直接opkg就行</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">opkg install fail2ban </span></span></code></pre></td></tr></table> </div> </div><p>安装好后在终端中输入<code>which fail2ban-client</code>，验证下是否安装成功，正常的话会输出对应的执行文件路径。</p> <h2 id="配置">配置 </h2><p>默认配置文件目录在<code>/etc/fail2ban</code>。Fail2Ban需要配置两个地方，一个是过滤规则，或者说是正则匹配逻辑；一个是配置具体封禁策略，包含hit次数，日志位置等。</p> <h3 id="过滤规则">过滤规则 </h3><p><code>/etc/fail2ban/filter.d</code>下是项目自带的默认过滤规则，而官方本身OpenWrt的dropbaer规则不能直接使用，不知道是不是因为迭代没跟上还是怎么的，dropbear的日志匹配逻辑对不上，因此需要我们自己修改过滤规则。下面给出我自己配置的规则供参考，把官方的<code>dropbear.conf</code>改了即可：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># The standard Dropbear output doesn&#39;t provide enough information to</span> </span></span><span class="line"><span class="cl"><span class="c"># ban all types of attack. The Dropbear patch adds IP address</span> </span></span><span class="line"><span class="cl"><span class="c"># information to the &#39;exit before auth&#39; message which is always</span> </span></span><span class="line"><span class="cl"><span class="c"># produced for any form of non-successful login. It is that message</span> </span></span><span class="line"><span class="cl"><span class="c"># which this file matches.</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># More information: http://bugs.debian.org/546913</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">INCLUDES</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Read common prefixes. If any customizations available -- read them from</span> </span></span><span class="line"><span class="cl"><span class="c"># common.local</span> </span></span><span class="line"><span class="cl"><span class="nx">before</span> <span class="p">=</span> <span class="nx">common</span><span class="p">.</span><span class="nx">conf</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">Definition</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">_daemon</span> <span class="p">=</span> <span class="nx">dropbear</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">datepattern</span> <span class="p">=</span> <span class="err">^%%</span><span class="nx">a</span> <span class="err">%%</span><span class="nx">b</span> <span class="err">%%</span><span class="nx">d</span> <span class="err">%%</span><span class="nx">H</span><span class="err">:%%</span><span class="nx">M</span><span class="err">:%%</span><span class="nx">S</span> <span class="err">%%</span><span class="nx">Y</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">prefregex</span> <span class="p">=</span> <span class="err">^%(</span><span class="nx">__prefix_line</span><span class="err">)</span><span class="nx">s</span><span class="err">&lt;</span><span class="nx">F-CONTENT</span><span class="err">&gt;(?:</span><span class="p">[</span><span class="nx">Ll</span><span class="p">]</span><span class="nx">ogin</span><span class="err">|</span><span class="p">[</span><span class="nx">Bb</span><span class="p">]</span><span class="nx">ad</span><span class="err">|</span><span class="p">[</span><span class="nx">Ee</span><span class="p">]</span><span class="nx">xit</span><span class="err">)</span><span class="p">.</span><span class="err">+&lt;/</span><span class="nx">F-CONTENT</span><span class="err">&gt;$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">failregex</span> <span class="p">=</span> <span class="err">^</span><span class="p">[</span><span class="nx">Ee</span><span class="p">]</span><span class="nx">xit</span> <span class="nx">before</span> <span class="nx">auth</span> <span class="nx">from</span> <span class="err">&lt;&lt;</span><span class="nx">HOST</span><span class="err">&gt;:\</span><span class="nx">d</span><span class="err">+&gt;:\</span><span class="nx">s</span><span class="p">.</span><span class="err">*$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">ignoreregex</span> <span class="p">=</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># DEV Notes:</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># The first two regexs here match the unmodified dropbear messages. It isn&#39;t</span> </span></span><span class="line"><span class="cl"><span class="c"># possible to match the source of the &#39;exit before auth&#39; messages from dropbear</span> </span></span><span class="line"><span class="cl"><span class="c"># as they don&#39;t include the &#34;from &lt;HOST&gt;&#34; bit.</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># The second last failregex line we need to match with the modified dropbear.</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># For the second regex the following apply:</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c</span> </span></span><span class="line"><span class="cl"><span class="c"># http://svn.dd-wrt.com/changeset/16642#file64</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># Author: Francis Russell</span> </span></span><span class="line"><span class="cl"><span class="c"># Zak B. Elep</span> </span></span></code></pre></td></tr></table> </div> </div><p>接下来，我们需要把系统日志重定向到系统文件中，使用以下命令操作：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mkdir -p /tmp/log </span></span><span class="line"><span class="cl">touch /tmp/log/system.log </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> system.@system<span class="o">[</span>0<span class="o">]</span>.log_file<span class="o">=</span><span class="s1">&#39;/tmp/log/system.log&#39;</span> </span></span><span class="line"><span class="cl">uci commit </span></span></code></pre></td></tr></table> </div> </div><p>这套过滤规则可以过滤出登录失败的主机ip。fail2ban也有专门的命令可以测试配置有效性，可以使用<code>fail2ban-regex /tmp/log/system.log /etc/fail2ban/filter.d/dropbear.conf</code>命令测试过滤匹配是否正确。</p> <p><img src="https://blog.jarao.work/articles/2023/10/fail2ban/image.png" width="1618" height="1220" srcset="https://blog.jarao.work/articles/2023/10/fail2ban/image_hu_79b8d9bc8eae7cd4.png 480w, https://blog.jarao.work/articles/2023/10/fail2ban/image_hu_c86847002c1cc521.png 1024w" loading="lazy" alt="验证规则" class="gallery-image" data-flex-grow="132" data-flex-basis="318px" ></p> <h3 id="封禁策略">封禁策略 </h3><p>随后我们还需要配置封禁策略，这个策略一般是放在<code>/etc/fail2ban/jail.d</code>目录下，我们可以在这个目录下面新建一个策略名为<code>dropbear.local</code>的文件，在其中配置命中策略：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">dropbear</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="nx">filter</span> <span class="p">=</span> <span class="nx">dropbear</span> </span></span><span class="line"><span class="cl"><span class="c"># port为你对应的ssh端口</span> </span></span><span class="line"><span class="cl"><span class="nx">action</span> <span class="p">=</span> <span class="nx">iptables</span><span class="p">[</span><span class="nx">port</span><span class="p">=</span><span class="mi">22</span><span class="p">,</span> <span class="nx">protocol</span><span class="p">=</span><span class="nx">tcp</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="c"># 上一步创建的日志文件路径</span> </span></span><span class="line"><span class="cl"><span class="nx">logpath</span> <span class="p">=</span> <span class="err">/</span><span class="nx">tmp</span><span class="err">/</span><span class="nx">log</span><span class="err">/</span><span class="nx">system</span><span class="p">.</span><span class="nx">log</span> </span></span><span class="line"><span class="cl"><span class="nx">maxretry</span> <span class="p">=</span> <span class="mi">3</span> </span></span><span class="line"><span class="cl"><span class="nx">bantime</span> <span class="p">=</span> <span class="mi">604800</span> </span></span><span class="line"><span class="cl"><span class="nx">findtime</span> <span class="p">=</span> <span class="mi">86400</span> </span></span></code></pre></td></tr></table> </div> </div><p>这个封禁策略会将在一天内ssh登录失败3次的ip封禁一个星期。</p> <p>最后，我们使用命令<code>fail2ban-client start</code>启动Fail2Ban。</p> <h2 id="效果">效果 </h2><p>使用命令<code>fail2ban-client status dropbear</code>，查看当前dropbear规则的封禁情况</p> <p><img src="https://blog.jarao.work/articles/2023/10/fail2ban/image-1.png" width="2436" height="556" srcset="https://blog.jarao.work/articles/2023/10/fail2ban/image-1_hu_2b00affdf066a071.png 480w, https://blog.jarao.work/articles/2023/10/fail2ban/image-1_hu_466dc6e28791c2b8.png 1024w" loading="lazy" alt="规则状态" class="gallery-image" data-flex-grow="438" data-flex-basis="1051px" ></p> <p>可以看到，这封禁ip的数量还真不少，用ipip查了下，国内国外的都有。</p> <h2 id="进阶">进阶 </h2><h3 id="luci登录封禁">luci登录封禁 </h3><p>既然我们都把dropbear配了登录封禁，那么就顺道给web登录页面也配一个吧😉</p> <p>具体步骤和dropbear一样，由于我用的是nginx作为luci的服务器，而且修改了日志格式，因此以下配置仅供参考。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">INCLUDES</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Read common prefixes.If any customizations available -- read them from</span> </span></span><span class="line"><span class="cl"><span class="c"># common.local</span> </span></span><span class="line"><span class="cl"><span class="nx">before</span> <span class="p">=</span> <span class="nx">common</span><span class="p">.</span><span class="nx">conf</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">Definition</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">_daemon</span> <span class="p">=</span> <span class="nx">luci</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">datepattern</span> <span class="p">=</span> <span class="err">^\</span><span class="p">[</span><span class="err">%%</span><span class="nx">d</span><span class="err">/%%</span><span class="nx">b</span><span class="err">/%%</span><span class="nx">Y</span><span class="err">:%%</span><span class="nx">H</span><span class="err">:%%</span><span class="nx">M</span><span class="err">:%%</span><span class="nx">S</span> <span class="err">\</span><span class="mi">+0800</span><span class="err">\</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">prefregex</span> <span class="p">=</span> <span class="err">^</span><span class="p">.</span><span class="err">*</span><span class="nx">POST</span><span class="p">.</span><span class="err">*&lt;</span><span class="nx">F-CONTENT</span><span class="err">&gt;(?:</span><span class="mi">403</span><span class="err">)</span><span class="p">.</span><span class="err">+&lt;/</span><span class="nx">F-CONTENT</span><span class="err">&gt;$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">failregex</span> <span class="p">=</span> <span class="err">^</span><span class="mi">403</span><span class="p">.</span><span class="err">*</span><span class="nx">from</span> <span class="err">&lt;</span><span class="nx">HOST</span><span class="err">&gt;$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">ignoreregex</span> <span class="p">=</span> <span class="err">^</span><span class="mi">403</span><span class="p">.</span><span class="err">*</span><span class="nx">from</span> <span class="mf">127.0</span><span class="p">.</span><span class="mf">0.1</span><span class="err">$</span> </span></span></code></pre></td></tr></table> </div> </div><p>其中过滤规则的ignore是因为luci在第一次进入主页时会触发本地反代403，因此需要忽略。日期格式匹配可能需要自行根据自己的nginx日志进行调整。</p> <p>最后加上封禁策略：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># luci web</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">luci</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="nx">filter</span> <span class="p">=</span> <span class="nx">luci</span> </span></span><span class="line"><span class="cl"><span class="nx">action</span> <span class="p">=</span> <span class="nx">iptables</span><span class="p">[</span><span class="nx">port</span><span class="p">=</span><span class="nx">https</span><span class="p">,</span> <span class="nx">protocol</span><span class="p">=</span><span class="nx">tcp</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">logpath</span> <span class="p">=</span> <span class="err">/</span><span class="nx">tmp</span><span class="err">/</span><span class="nx">log</span><span class="err">/</span><span class="nx">nginx</span><span class="err">/</span><span class="nx">access</span><span class="p">.</span><span class="nx">log</span> </span></span><span class="line"><span class="cl"><span class="nx">maxretry</span> <span class="p">=</span> <span class="mi">5</span> </span></span><span class="line"><span class="cl"><span class="nx">bantime</span> <span class="p">=</span> <span class="mi">604800</span> </span></span><span class="line"><span class="cl"><span class="nx">findtime</span> <span class="p">=</span> <span class="mi">1800</span> </span></span></code></pre></td></tr></table> </div> </div><p>重启Fail2Ban，收工！</p>