[Security] "fail2ban installation and configuration" for defending against password brute-force attacks
When you run a server for a while, you will see unknown external IPs trying to log in to accounts over SSH, FTP and the like.
Since they do not know the password, those login attempts fail.
However, they use cracking tools that keep swapping in a different password and keep retrying until one gets them in.
Eventually the password is cracked and they are logged in to the root account.
The simple way to solve this is to allow server access only from the administrator's IP.
But the administrator's IP may be dynamic, or access may sometimes be needed from some other external location.
The next best measure, then, is to block the source IP, either permanently or for a set period, once it has failed to log in more than a certain number of times; that way you are prepared for this kind of attack.
Here we will defend against brute-force attacks with a program called fail2ban.
fail2ban is a tool that counts the failures recorded in the access log file and uses iptables to block server access from the offending host.
One more thing: the installation and configuration steps below were carried out on CentOS 6, so they may differ on other Linux distributions.
fail2ban installation
1. First, download fail2ban from http://www.fail2ban.org.
# tar zxvf fail2ban-0.8.11.tar.gz
# cd fail2ban-0.8.11
# python setup.py install
# cp files/redhat-initd /etc/init.d/fail2ban
# chkconfig --add fail2ban
# chkconfig fail2ban on
* Configure the settings in the configuration file (here we will make the changes with the vi editor.)
# vi /etc/fail2ban/jail.conf
-> From around line 29 onwards ~ (set this section to the values you want; the text after # on each line is the explanation of that setting.)
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 # Access from the IPs listed here is never banned, no matter how many failures. (Put the administrator's IP here.)
# "bantime" is the number of seconds that a host is banned.
bantime = 600 # How long access is denied once the retry limit is exceeded. (unit: seconds)
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600 # A host is banned if it exceeds the retry limit within this time window. (unit: seconds)
# "maxretry" is the number of failures before a host get banned.
maxretry = 3 # Access is denied once this number of failures is exceeded.
-> From around line 72 onwards ~
[ssh-iptables]
enabled = true # This must be set to true for fail2ban to act on SSH access.
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath = /var/log/secure # Enter the SSH access log file. The path differs between Linux distributions; on CentOS 6.4 it is "/var/log/secure". If the log file does not exist, the service fails to start.
maxretry = 5 # Access is denied once this number of failures is exceeded. (This applies only to SSH, regardless of the setting above; if you remove it, the global setting above applies.)
- Whenever you change the configuration file later, you must restart the service (# service fail2ban restart) for the change to take effect.
* Start the service
# service fail2ban start
- The service is working normally if [OK] is shown when it starts.
※ Because a ban on failure is enforced by blocking the IP in iptables, you can check banned IPs and lift bans from iptables.
* Unbanning an IP banned by fail2ban
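To make the findtime / maxretry / ignoreip settings above concrete, here is an added shell example (not part of the original post, and not fail2ban's own code) that re-implements the counting rule fail2ban applies to sshd log lines: an IP is banned once it reaches maxretry failures inside a sliding findtime-second window, and entries matching ignoreip are never counted. It only reports which IPs would be banned; it never calls iptables. The sample log is constructed in the /var/log/secure format used on CentOS 6, the 127.0.0.1/8 ignoreip entry is approximated by a prefix match on "127.", and timestamps are read as seconds since midnight, so the input must lie within a single day (both simplifications belong to this example).

```shell
#!/bin/bash
# Added example (not from the post or from fail2ban): re-implements the
# "maxretry failures within findtime seconds => ban" rule over sshd log
# lines and reports the result. It does not touch iptables.

# Constructed sample in CentOS 6 /var/log/secure format (not a real log).
SAMPLE_LOG='Mar  3 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  3 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:07 host sshd[1237]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:09 host sshd[1238]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:30:00 host sshd[1239]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:30:02 host sshd[1240]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:30:04 host sshd[1241]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar  3 10:30:05 host sshd[1242]: Failed password for root from 127.0.0.1 port 40005 ssh2
Mar  3 10:30:06 host sshd[1243]: Failed password for root from 127.0.0.1 port 40006 ssh2
Mar  3 10:30:07 host sshd[1244]: Failed password for root from 127.0.0.1 port 40007 ssh2'

# would_ban FINDTIME MAXRETRY IGNORE_PREFIX < log
# Prints each IP at the moment it reaches MAXRETRY failures inside a
# sliding FINDTIME-second window, once per IP. IPs starting with
# IGNORE_PREFIX are skipped (a stand-in for ignoreip = 127.0.0.1/8).
# Timestamps are taken as seconds since midnight, so the input must stay
# within one day (simplification of this example).
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" -v ignore="$3" '
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
      if (ignore != "" && index(ip, ignore) == 1) next
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      # drop failures that fell out of the window, then add this one
      n = split(times[ip], old, " "); kept = ""; cnt = 0
      for (i = 1; i <= n; i++)
        if (old[i] + 0 >= now - findtime) { kept = kept " " old[i]; cnt++ }
      times[ip] = kept " " now; cnt++
      if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Same values as the jail.conf section above: findtime 600, maxretry 3.
# Prints 203.0.113.5 and 198.51.100.7; 127.0.0.1 is skipped via the prefix.
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 3 127.
```

Note what the sample shows: 198.51.100.7 has four failures in total, but its first one at 10:00:09 falls outside the 600-second window by the time the later three arrive, so only those three count; widen findtime to 3600 and all four are inside the window. On a live CentOS 6 host the same function can be fed the real log with `would_ban 600 3 127. < /var/log/secure`, which is a quick way to see which addresses fail2ban would have acted on before enabling the jail.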
- iptables -D fail2ban-ProFTPD -s xxx.xxx.xxx.xxx -j REJECT
- iptables -D fail2ban-SSH -s xxx.xxx.xxx.xxx -j REJECT
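The post notes that banned IPs can be checked in iptables but only shows the delete commands. As an added example (not from the post and not fail2ban's own tooling), the script below reads `iptables-save` output and lists what currently sits in the fail2ban-* chains, so a ban can be confirmed before one of the `iptables -D` commands above is run. The sample rules are constructed in the shape the iptables action produces (one chain per jail, hooked from INPUT); the exact hook-rule form is an assumption of the example.

```shell
#!/bin/bash
# Added example (not from the post): read iptables-save output and list
# the addresses fail2ban currently holds in its fail2ban-* chains, so a
# ban can be confirmed before it is removed with "iptables -D ...".

# Constructed iptables-save output modelled on what fail2ban 0.8's
# iptables action creates; not captured from a real host.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ProFTPD - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-ProFTPD
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-ProFTPD -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ProFTPD -j RETURN
-A fail2ban-SSH -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 203.0.113.9/32 -j DROP
-A fail2ban-SSH -j RETURN
COMMIT'

# list_bans < iptables-save-output
# Prints "CHAIN IP" for every per-host REJECT or DROP rule in a
# fail2ban-* chain (REJECT is what the post's commands delete; DROP is
# accepted too in case an older action file was used).
list_bans() {
  awk '$1 == "-A" && $2 ~ /^fail2ban-/ && $3 == "-s" && $5 == "-j" &&
       $6 ~ /^(REJECT|DROP)$/ { ip = $4; sub(/\/32$/, "", ip); print $2, ip }'
}

# is_banned CHAIN IP < iptables-save-output ; exit status 0 if present
is_banned() {
  list_bans | grep -qxF "$1 $2"
}

# On a live host: iptables-save | list_bans
printf '%s\n' "$SAMPLE_RULES" | list_bans
```

A typical use is `iptables-save | is_banned fail2ban-SSH 203.0.113.5 && iptables -D fail2ban-SSH -s 203.0.113.5 -j REJECT`, which removes the rule only when it is actually there; deleting a rule that does not exist just produces an error from iptables.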