Plesk - настройка fail2ban

fail2ban — это ПО для автоматического блокирования доступа к сервисам для определённых IP-адресов. Решение о блокировании принимается по результатам парсинга логов. Используется как средство от DDOS; на практике лучше всего помогает против перебора паролей с отдельных адресов, а распределённую атаку с большого числа адресов само по себе не остановит.
Может, например, блокировать IP-адреса, с которых за 2 минуты было 10 неудачных попыток аутентификации на SSH-сервисе.

Установка

# NOTE(review): on RHEL/CentOS fail2ban is normally packaged in EPEL, so that
# repository has to be enabled first - confirm for this host.
yum install fail2ban

Настройка

/etc/fail2ban/fail2ban.conf

# Global settings for the fail2ban server process.
[Definition]

# NOTE(review): numeric log levels are the 0.8.x syntax (1 = ERROR, 2 = WARN,
# 3 = INFO, 4 = DEBUG); later releases take level names - check the installed
# version.
loglevel = 3
# Log file for fail2ban itself; the same path is rotated by
# /etc/logrotate.d/fail2ban.
logtarget = /var/log/fail2ban.log
# Control socket that fail2ban-client uses to talk to the server.
socket = /var/run/fail2ban/fail2ban.sock

/etc/logrotate.d/fail2ban

# Rotate the fail2ban log weekly and keep four old copies.
/var/log/fail2ban.log {
        weekly
        rotate 4
        # Do not fail when the log is absent, and skip rotation when it is empty.
        missingok
        notifempty
        # The freshly created log is readable and writable by root only.
        create 0600 root root
        # After rotation, set the log target again so fail2ban writes to the new
        # file. stderr is discarded and "|| true" keeps logrotate from reporting
        # a failure when the command errors (presumably when fail2ban is not
        # running).
        postrotate
                /usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log 2> /dev/null || true
        endscript
}

/etc/fail2ban/jail.conf

# Defaults inherited by every jail below unless the jail sets its own value.
# NOTE(review): local changes are usually kept in jail.local so that a package
# upgrade does not replace them - confirm how this host is managed.
[DEFAULT]

# Addresses that are never banned. Only loopback is listed; adding the
# administrator's own static addresses (space-separated) avoids a self-lockout.
ignoreip = 127.0.0.1

# Ban length in seconds (30 minutes).
bantime  = 1800
# Window in seconds (10 minutes) in which matches are counted.
findtime  = 600
# Number of matches within findtime that triggers a ban.
maxretry = 3

# Let fail2ban choose how the log files are watched.
backend = auto

# -------------- jails -------------------------------------------------------

# ------------------------ SSH ----------------------------------------
# SSH jails. Each one reads /var/log/secure and bans for one hour (3600 s)
# after six matches inside the findtime window from [DEFAULT].
# Matches of the sshd filter; the ban is applied to the ssh port.
[ssh]

enabled  = true
filter   = sshd
action   = iptables[name=ssh, port=ssh, protocol=tcp]
logpath  = /var/log/secure
bantime  = 3600
maxretry = 6

# Same log and port, counted with the sshd-ddos filter instead.
[ssh-ddos]

enabled = true
filter  = sshd-ddos
action   = iptables[name=ssh-ddos, port=ssh, protocol=tcp]
logpath  = /var/log/secure
bantime  = 3600
maxretry = 6

# NOTE(review): the service name "sftp" in a stock /etc/services is 115/tcp
# (Simple File Transfer Protocol), not the SFTP subsystem of sshd, which uses
# the ssh port. This jail has the same filter and log as [ssh-ddos], so it only
# adds a block on a port sshd does not normally listen on - confirm something
# listens there, or drop the jail.
[sftp-ddos]

enabled = true
filter  = sshd-ddos
action   = iptables[name=sftp-ddos, port=sftp, protocol=tcp]
logpath  = /var/log/secure
bantime  = 3600
maxretry = 6
# ---------------------------------------------------------------------

# ------------------------ FTP ----------------------------------------
# Matches of the proftpd filter in the ProFTPD log under the Plesk tree; the
# ban is applied to the ftp port after six matches. bantime is not set here,
# so the [DEFAULT] value (1800 s) applies.
[proftpd]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath  = /usr/local/psa/var/log/proftpd.log
maxretry = 6
# ---------------------------------------------------------------------

# ------------------------ Plesk --------------------------------------
# Plesk panel on port 8443: counts matches of the plesk-auth filter
# (/etc/fail2ban/filter.d/plesk-auth.conf) in the panel access log. maxretry
# and bantime are not set, so the [DEFAULT] values apply (3 matches, 1800 s).
# NOTE(review): that filter matches any log line ending in "-" "-", so three
# such requests within 10 minutes are enough for a ban whether or not they were
# failed logins - verify against real log lines before enabling.
[plesk]

enabled  = true
filter   = plesk-auth
action   = iptables[name=Plesk, port=8443, protocol=tcp]
logpath  = /usr/local/psa/admin/logs/httpsd_access_log
# ---------------------------------------------------------------------

# ------------------------- Mail -------------------------------------
# Four mail jails over the same maillog: the sasl and postfix filters, each
# applied once for the smtp port and once for the smtps port. "backend =
# polling" overrides the "auto" default for these jails; maxretry and bantime
# come from [DEFAULT].
# NOTE(review): a ban from one jail blocks only the port named in its own
# action, and no jail here names the submission port - confirm whether the
# server accepts authentication there.
[sasl-smtp]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl-smtp, port=smtp, protocol=tcp]
logpath  = /usr/local/psa/var/log/maillog

[sasl-smtps]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl-smtps, port=smtps, protocol=tcp]
logpath  = /usr/local/psa/var/log/maillog

[postfix-smtp]

enabled  = true
filter   = postfix
backend  = polling
action   = iptables[name=postfix-smtp, port=smtp, protocol=tcp]
logpath  = /usr/local/psa/var/log/maillog

[postfix-smtps]

enabled  = true
filter   = postfix
backend  = polling
action   = iptables[name=postfix-smtps, port=smtps, protocol=tcp]
logpath  = /usr/local/psa/var/log/maillog
# --------------------------------------------------------------------

/etc/fail2ban/filter.d/plesk-auth.conf

# Filter for the Plesk panel access log, used by the [plesk] jail.
[Definition]
# <HOST> at the start of the line captures the client address; the rest of the
# pattern only requires the line to end in "-" "-" (presumably empty Referer
# and User-Agent fields in combined log format - confirm against the log).
# NOTE(review): nothing in the pattern looks at the request path or the status
# code, so any request logged with those two fields empty counts as a failure,
# failed login or not. Check the fail2ban-regex output for false positives
# (monitoring probes, API clients) before relying on the ban.
failregex = ^<HOST>.*"-"\ "-"$
# No lines are excluded from matching.
ignoreregex =

Проверка работы фильтра

 # Dry run: reports which lines of the panel access log the filter matches,
 # without banning anything. Review the matched lines to confirm that only
 # failed logins are counted.
 fail2ban-regex /usr/local/psa/admin/logs/httpsd_access_log /etc/fail2ban/filter.d/plesk-auth.conf

Ссылки
