Fail2banはシステムのログを監視し、指定したルール(正規表現)へのマッチ回数が閾値を超えた送信元IPに対して、iptablesでのBanなど指定した処理を行うホスト型のIPS(侵入防止システム)。
  WebサーバーとしてApacheが動作しており、CentOS7に導入するものとする。
  また下のルールは例であり、他にも色々できる

  jail.local内の注意

  enabled・・・起動有無
  filter   = filter.d内のどれを使うか指定
  action   = action.d内のどれを使うか指定
  logpath  = 監視するログのパスを指定
  maxretry = 下のbantimeと一緒に説明
  findtime = 下のbantimeと一緒に説明
  bantime  = findtimeで指定した秒数以内に、filterの正規表現(failregex)にマッチする行がmaxretry回見つかったIPに対して、bantime秒の間、上のactionを実行(Ban)する。いずれも秒単位。bantimeに負の値(-1)を指定すると恒久Banになる

  # sudo yum -y install epel-release
  # sudo yum -y install fail2ban fail2ban-systemd
  # sudo mkdir /var/log/fail2ban
  # sudo vim /etc/fail2ban/fail2ban.conf
      # fail2ban.conf [Definition]: NOTICE is enough to record Ban/Unban events
      # without the per-line noise of INFO/DEBUG.
      loglevel  = NOTICE
      # Custom log location (directory created by the mkdir above).
      # NOTE(review): the packaged /etc/logrotate.d/fail2ban rotates the default
      # /var/log/fail2ban.log; confirm this custom path is rotated as well.
      logtarget = /var/log/fail2ban/fail2ban.log
  # sudo vim /etc/fail2ban/filter.d/apache-request-dos.conf
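      [Definition]
      # Count every request line logged for <HOST>, whatever the HTTP method.
      # Matching only GET|POST let a HEAD/OPTIONS/PUT flood go uncounted, so the
      # method is matched generically (any run of uppercase letters).
      failregex = ^<HOST> -.*"[A-Z]+ .*
      # Exempt static assets only when the extension ends the request PATH
      # (optional query string, then " HTTP/"). [^"]*" pins the match to the
      # first quoted field, i.e. the request line: the original unanchored
      # pattern also matched a ".css" planted in the Referer or User-Agent
      # (attacker-controlled, both logged in the combined format), which
      # exempted the whole line from counting. (?i) must lead the pattern.
      ignoreregex = (?i)^\S+ -[^"]*"[A-Z]+ \S*\.(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)(\?\S*)? HTTP/
      # Verify against real log lines before enabling the jail:
      #   fail2ban-regex /var/log/httpd/sample.com/access_log /etc/fail2ban/filter.d/apache-request-dos.conf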
  # sudo vim /etc/fail2ban/filter.d/apache-403-dos.conf
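      [Definition]
      # A request from <HOST> that Apache answered with status 403, any method
      # (the original GET|POST restriction let HEAD/OPTIONS probes go uncounted).
      failregex = ^<HOST>.*"[A-Z]+ .*" 403 .*$
      # Exempt static assets only when the extension ends the request PATH
      # (optional query string, then " HTTP/"). [^"]*" pins the match to the
      # first quoted field (the request line) so a ".css" planted in the
      # Referer or User-Agent cannot exempt the line. (?i) must lead the pattern.
      ignoreregex = (?i)^\S+ -[^"]*"[A-Z]+ \S*\.(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)(\?\S*)? HTTP/
      # Verify: fail2ban-regex /var/log/httpd/sample.com/access_log /etc/fail2ban/filter.d/apache-403-dos.conf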
  # sudo vim /etc/fail2ban/filter.d/apache-404-dos.conf
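      [Definition]
      # A request from <HOST> that Apache answered with status 404, any method
      # (the original GET|POST restriction let HEAD/OPTIONS probes go uncounted).
      failregex = ^<HOST>.*"[A-Z]+ .*" 404 .*$
      # Exempt static assets only when the extension ends the request PATH
      # (optional query string, then " HTTP/"). [^"]*" pins the match to the
      # first quoted field (the request line) so a ".css" planted in the
      # Referer or User-Agent cannot exempt the line. (?i) must lead the pattern.
      # NOTE(review): ignoring 404s on txt/xml/pdf/xls/doc also exempts scanners
      # probing for leftover files (backup.xml, config.txt, ...); consider a
      # shorter list for this jail than for the request-rate jail.
      ignoreregex = (?i)^\S+ -[^"]*"[A-Z]+ \S*\.(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)(\?\S*)? HTTP/
      # Verify: fail2ban-regex /var/log/httpd/sample.com/access_log /etc/fail2ban/filter.d/apache-404-dos.conf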
  # sudo vim /etc/fail2ban/jail.local ※基本jail.confはいじらない(jail.confはパッケージ更新で上書きされるため、変更分はjail.localに書く)
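      [DEFAULT]
      # Never ban loopback (v4 and v6). Append the management host or network
      # you administer from, e.g. "127.0.0.1/8 ::1 203.0.113.0/24": with only
      # 127.0.0.1 listed, five mistyped SSH passwords lock you out of the box.
      ignoreip  = 127.0.0.1/8 ::1
      backend   = auto
      # NOTE(review): CentOS 7 runs firewalld by default. The iptables* actions
      # below still insert rules, but a `firewall-cmd --reload` may flush
      # fail2ban's f2b-* chains until the jails are restarted; if firewalld is
      # active consider the firewallcmd-* actions (fail2ban-firewalld) - verify.

      # Ban an IP for 15 minutes after 5 failed SSH logins within findtime.
      # fail2ban counts matches inside the window, not "consecutive" failures.
      [ssh-brute]
      enabled  = true
      filter   = sshd
      # "ssh" resolves via /etc/services to 22; change it if sshd listens elsewhere.
      action   = iptables[name=ssh_brute, port="ssh"]
      logpath  = /var/log/secure
      maxretry = 5
      # Explicit window (seconds); mirrors the stock jail.conf default - verify.
      findtime = 600
      bantime  = 900

      # Ban for 60 minutes an IP that sends 100 non-static requests within 3 minutes.
      # NOTE(review): if Apache sits behind a reverse proxy or load balancer the
      # first field of access_log is the proxy's address, and this jail would
      # ban the proxy for every user - confirm the log records the real client IP.
      [apache-short-span-dos]
      enabled  = true
      filter   = apache-request-dos
      action   = iptables-multiport[name=apache_short_span_dos, port="http,https"]
      logpath  = /var/log/httpd/sample.com/access_log
      maxretry = 100
      findtime = 180
      bantime  = 3600

      # Ban for 60 minutes an IP that sends 100 non-static requests within 24 hours.
      # NOTE(review): same 100-request threshold as the 3-minute jail above, so
      # any regular visitor making 100 page requests in a day is banned for an
      # hour - confirm this is intended before enabling.
      [apache-long-span-dos]
      enabled  = true
      filter   = apache-request-dos
      action   = iptables-multiport[name=apache_long_span_dos, port="http,https"]
      logpath  = /var/log/httpd/sample.com/access_log
      maxretry = 100
      findtime = 86400
      bantime  = 3600

      # Ban for 1 hour an IP that triggers 60 responses with status 403 within 3 minutes.
      [apache-403-dos]
      enabled  = true
      filter   = apache-403-dos
      action   = iptables-multiport[name=apache_403_dos, port="http,https"]
      logpath  = /var/log/httpd/sample.com/access_log
      maxretry = 60
      findtime = 180
      bantime  = 3600

      # Ban for 1 hour an IP that triggers 60 responses with status 404 within 3 minutes.
      [apache-404-dos]
      enabled  = true
      filter   = apache-404-dos
      action   = iptables-multiport[name=apache_404_dos, port="http,https"]
      logpath  = /var/log/httpd/sample.com/access_log
      maxretry = 60
      findtime = 180
      bantime  = 3600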
  # systemctl enable fail2ban
  # systemctl start fail2ban

  ssh-bruteジェイルの状況確認(jail名は上のjail.localで定義した [ssh-brute]。ssh-iptables というjailは定義していないので、引数なしの fail2ban-client status でjail名の一覧を確認する)
# fail2ban-client status ssh-brute

Banの解除
# fail2ban-client set <jail名> unbanip <IPアドレス>