1. Overview
Since I use portsentry (see "Maintenance / Troubleshooting - Security measures - Port blocking: portsentry"), I make portsentry's output log a monitoring target as well.
2. Filter
portsentry writes its log to
/var/log/messages
and produces lines such as the following.
Feb 27 14:46:13 ns portsentry[181]: attackalert: Host 205.210.31.91 has been blocked via dropped route using command: "/bin/echo 'block in log on external_interface from 205.210.31.91/32 to any' | /sbin/ipf -f -"
Feb 27 14:46:13 ns portsentry[181]: attackalert: Connect from host: 205.210.31.91/205.210.31.91 to TCP port: 1080
Feb 27 14:46:13 ns portsentry[181]: attackalert: Host: 205.210.31.91 is already blocked. Ignoring
Feb 27 15:09:32 ns portsentry[183]: attackalert: Connect from host: 134.33.73.4/134.33.73.4 to UDP port: 161
Feb 27 15:09:32 ns portsentry[183]: attackalert: Host 134.33.73.4 has been blocked via wrappers with string: "ALL: 134.33.73.4"
Feb 27 15:09:32 ns portsentry[183]: attackalert: Host 134.33.73.4 has been blocked via dropped route using command: "/bin/echo 'block in log on external_interface from 134.33.73.4/32 to any' | /sbin/ipf -f -"
Feb 27 15:16:07 ns portsentry[181]: attackalert: Connect from host: vmi3077151.contaboserver.net/94.72.103.91 to TCP port: 1080
Feb 27 15:16:07 ns portsentry[181]: attackalert: Host 94.72.103.91 has been blocked via wrappers with string: "ALL: 94.72.103.91"
Feb 27 15:16:07 ns portsentry[181]: attackalert: Host 94.72.103.91 has been blocked via dropped route using command: "/bin/echo 'block in log on external_interface from 94.72.103.91/32 to any' | /sbin/ipf -f -"
Feb 27 15:42:05 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:05 ns portsentry[181]: attackalert: Host 165.154.59.118 has been blocked via wrappers with string: "ALL: 165.154.59.118"
Feb 27 15:42:05 ns portsentry[181]: attackalert: Host 165.154.59.118 has been blocked via dropped route using command: "/bin/echo 'block in log on external_interface from 165.154.59.118/32 to any' | /sbin/ipf -f -"
Feb 27 15:42:05 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:05 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
Feb 27 15:42:05 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:05 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
Feb 27 15:42:05 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:05 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
Feb 27 15:42:05 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:05 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
Feb 27 15:42:06 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:06 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
Feb 27 15:42:06 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:06 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
Feb 27 15:42:06 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:06 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
In fact, a filter for portsentry is already provided by default at
/usr/local/etc/fail2ban/filter.d/portsentry.conf
and it is written as follows, but:
# Fail2Ban filter for failure attempts in Counter Strike-1.6
#
#
[Definition]
failregex = \/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$
ignoreregex =
datepattern = {^LN-BEG}Epoch
              {^LN-BEG}
# Author: Pacop <pacoparu@gmail.com>
the filter pattern does not match the actual log. So we target the "Connect from host:" line that portsentry emits at the moment it detects a connection.
The date pattern is also adapted to FreeBSD's standard syslog date format.
failregex = ^.* portsentry\[\d+\]: attackalert: Connect from host: [^/]+/<HOST> to (?:TCP|UDP) port: \d+$
ignoreregex =
datepattern = {^LN-BEG}
Check whether the filter matches the log:
fail2ban-regex /var/log/messages /usr/local/etc/fail2ban/filter.d/portsentry.conf
Running tests
=============
Use filter file : portsentry, basedir: /usr/local/etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /var/log/messages
Use encoding : UTF-8
Results
=======
Failregex: 296 total
|- #) [# of hits] regular expression
| 1) [296] ^.* portsentry\[\d+\]: attackalert: Connect from host: [^/]+/<HOST> to (?:TCP|UDP) port: \d+$
'-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [664] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
'-
Lines: 664 lines, 0 ignored, 296 matched, 368 missed
[processed in 0.05 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 368 lines
The pattern hits as expected. The 368 missed lines are intended: /var/log/messages also carries the "has been blocked" and "already blocked" lines and other syslog entries, none of which should match.
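As an added example (not part of the original page and not fail2ban's own code), the following Python script reproduces offline what fail2ban-regex does above: it strips the FreeBSD syslog timestamp from each line, expands <HOST> the way fail2ban does, runs both the stock failregex and the replacement failregex over the portsentry lines quoted earlier plus one constructed non-portsentry line, and counts hits per host. It then applies a maxretry threshold like the one the jail configuration sets in the next section. The HOST_GROUP expansion and the date regex are simplified assumptions that cover the lines shown here, not fail2ban's complete detector.

```python
import re
from collections import Counter

# Assumption: this is the group fail2ban substitutes for <HOST> before
# compiling a failregex (simplified; the daemon handles more IPv6 forms).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# FreeBSD syslog prefix "Mon DD HH:MM:SS " anchored at line start ({^LN-BEG}).
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# The stock failregex shipped in filter.d/portsentry.conf (quoted from the page).
DEFAULT_FAILREGEX = r"\/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$"
# The replacement failregex from this page.
NEW_FAILREGEX = (r"^.* portsentry\[\d+\]: attackalert: Connect from host: "
                 r"[^/]+/<HOST> to (?:TCP|UDP) port: \d+$")

# Sample input: portsentry lines taken from the log excerpt above, plus one
# constructed sshd line to show that unrelated syslog entries are not matched.
SAMPLE_LOG = """\
Feb 27 14:46:13 ns portsentry[181]: attackalert: Host 205.210.31.91 has been blocked via dropped route using command: "/bin/echo 'block in log on external_interface from 205.210.31.91/32 to any' | /sbin/ipf -f -"
Feb 27 14:46:13 ns portsentry[181]: attackalert: Connect from host: 205.210.31.91/205.210.31.91 to TCP port: 1080
Feb 27 14:46:13 ns portsentry[181]: attackalert: Host: 205.210.31.91 is already blocked. Ignoring
Feb 27 15:09:32 ns portsentry[183]: attackalert: Connect from host: 134.33.73.4/134.33.73.4 to UDP port: 161
Feb 27 15:16:07 ns portsentry[181]: attackalert: Connect from host: vmi3077151.contaboserver.net/94.72.103.91 to TCP port: 1080
Feb 27 15:42:05 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 15:42:05 ns portsentry[181]: attackalert: Host: 165.154.59.118 is already blocked. Ignoring
Feb 27 15:42:06 ns portsentry[181]: attackalert: Connect from host: tumndes.com/165.154.59.118 to TCP port: 32772
Feb 27 14:46:20 ns sshd[512]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""


def compile_failregex(failregex):
    """Expand <HOST> like fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def split_date(line):
    """Return (timestamp, rest-of-line) or None when no syslog date is present."""
    m = SYSLOG_DATE.match(line)
    if not m:
        return None
    return m.group(0).strip(), line[m.end():]


def run_filter(log_text, failregex):
    """Emulate fail2ban-regex: date detection first, failregex on the remainder.

    Returns {"hits": {host: count}, "matched": n, "missed": n}.
    """
    rx = compile_failregex(failregex)
    hits = Counter()
    matched = missed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = split_date(line)
        if parsed is None:          # fail2ban ignores lines without a date
            missed += 1
            continue
        _timestamp, rest = parsed
        m = rx.search(rest)
        if m:
            hits[m.group("host")] += 1
            matched += 1
        else:
            missed += 1
    return {"hits": dict(hits), "matched": matched, "missed": missed}


def hosts_to_ban(result, maxretry):
    """Hosts whose hit count reaches the jail's maxretry (findtime ignored here)."""
    return sorted(h for h, n in result["hits"].items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("stock", DEFAULT_FAILREGEX), ("page", NEW_FAILREGEX)):
        r = run_filter(SAMPLE_LOG, rx)
        print(f"{name}: {r['matched']} matched, {r['missed']} missed, hosts={r['hits']}")
    print("banned with maxretry=1:", hosts_to_ban(run_filter(SAMPLE_LOG, NEW_FAILREGEX), 1))
```

Running it shows the stock pattern matching nothing while the page's pattern matches the five "Connect from host" lines, with 165.154.59.118 counted twice; with maxretry = 1 every one of those hosts would be banned on its first hit, which is exactly the behaviour the jail below is configured for.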
3. Configuration
vi /usr/local/etc/fail2ban/jail.local
Add the following lines:
[portsentry]
enabled = true
filter = portsentry
logpath = /var/log/messages
banaction = ipfw
maxretry = 1
bantime = 2592000
Port scans are connections made with malicious intent, so banning on the first hit is fine: maxretry is 1.
The ban period is also set long: 1 month = 2592000 seconds.
Check the configuration:
fail2ban-client -d
If no errors are reported, reload to activate it:
service fail2ban reload
4. Reference sites
This page was written with reference to "Corporal Gemini".