环境介绍:http是一个tomcat 的js程序 ,设置的路径为/opt/tomcat5/logs/localhost_access_log.txt
OS:centos 5.3 fail2ban版本:fail2ban-0.8.2-3.el5.rf.noarch.rpm
官方网站:http://www.fail2ban.org/wiki/index.php/Main_Page
背景:及时发现别人的恶意请求并禁止
步骤:
1.安装fail2ban
这里我走了弯路,下源码包安装报错,大家可以这个网址下载:http://packages.sw.be/fail2ban/
- #rpm -ivh fail2ban-0.8.23.el5.rf.noarch.rpm
2.配置fail2ban的自定义过滤规则
分析/opt/tomcat5/logs/localhost_access_log.txt 日志的恶意请求如下 :
- 192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
- 192.168.32.41 - - [10/Sep/2010:18:11:27 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
- 192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
- 192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
- 192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
- 192.168.32.41 - - [10/Sep/2010:18:11:29 +0800] "GET 12345678.txt HTTP/1.1" 404 1063
从***行为特征来看, 这是短时间连续导致服务器发送HTTP 404文件未找到错误码, 下面是用于发现上述***的fail2ban filter规则,
在/etc/fail2ban/filter.d/目录下建立tomcat.conf文件保存下面的内容:
- [Definition]
- failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
- ignoreregex =
3.测试fail2ban的过滤规则
- # fail2ban-regex /opt/tomcat5/logs/localhost_access_log.txt /etc/fail2ban/filter.d/tomcat.conf
结果如下:
- Running tests
- =============
- Use regex file : /etc/fail2ban/filter.d/tomcat.conf
- Use log file : /opt/tomcat5/logs/localhost_access_log.txt
- Results
- =======
- Failregex
- |- Regular expressions:
- | [1] -.*- .*HTTP/1.* 404 .*$
- |
- `- Number of matches:
- [1] 13 match(es)
- Ignoreregex
- |- Regular expressions:
- |
- `- Number of matches:
- Summary
- =======
- Addresses found:
- [1]
- 192.168.32.41 (Fri Sep 10 18:10:59 2010)
- 192.168.32.41 (Fri Sep 10 18:11:27 2010)
- 192.168.32.41 (Fri Sep 10 18:11:27 2010)
- 192.168.32.41 (Fri Sep 10 18:11:29 2010)
- 192.168.32.41 (Fri Sep 10 18:11:29 2010)
- 192.168.32.41 (Fri Sep 10 18:11:29 2010)
- 192.168.32.41 (Fri Sep 10 18:11:29 2010)
- 192.168.32.41 (Fri Sep 10 18:11:30 2010)
- 192.168.32.41 (Fri Sep 10 18:11:30 2010)
- 192.168.32.41 (Fri Sep 10 18:27:44 2010)
- 192.168.32.41 (Fri Sep 10 18:27:47 2010)
- 192.168.32.41 (Fri Sep 10 18:27:50 2010)
- 192.168.32.41 (Fri Sep 10 18:27:53 2010)
- Date template hits:
- 0 hit(s): Month Day Hour:Minute:Second
- 0 hit(s): Weekday Month Day Hour:Minute:Second Year
- 0 hit(s): Weekday Month Day Hour:Minute:Second
- 0 hit(s): Year/Month/Day Hour:Minute:Second
- 130 hit(s): Day/Month/Year:Hour:Minute:Second
- 0 hit(s): Year-Month-Day Hour:Minute:Second
- 0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
- 0 hit(s): TAI64N
- 0 hit(s): Epoch
- Success, the total number of match is 13
- However, look at the above section 'Running tests' which could contain important
- information.
4.激活fail2ban的规则
从测试结果可以看出, 恶意***节点的IP地址和***时间都能够正确发现, 因此可以进一步修改fail2ban的配置文件激活上述规则.
下面是我的/etc/fail2ban/jail.local配置文件内容:
- [tomcat]
- enabled = true
- port = http,https
- filter = tomcat
- action = iptables[name=tomcat, port=8080, protocol=tcp]
- sendmail-whois[name=tomcat, dest=abc@mail.com]
- maxretry = 2
- logpath = /opt/tomcat5/logs/localhost_access_log.txt
- bantime = 1800
5.测试效果
生成2个错误的链接,查看fail2ban日志 如下:
- 2010-09-10 18:33:30,156 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
- From: Fail2Ban <>
- To: \n
- Hi,\n
- The jail has been started successfully.\n
- Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f
- 2010-09-10 18:33:30,157 fail2ban.actions.action: INFO Set actionUnban =
- 2010-09-10 18:33:30,158 fail2ban.actions.action: INFO Set actionCheck =
- 2010-09-10 18:33:31,546 fail2ban.actions: WARNING [tomcat] Ban 192.168.32.41
并查看管理员邮箱 ,已经收到邮件了,内容大概如下:
- Hi,
- The IP 192.168.32.41 has just been banned by Fail2Ban after
- 4 attempts against tomcat.
- Here are more information about 192.168.32.41:
- [Querying whois.arin.net]
- [whois.arin.net]
- #
- # Query terms are ambiguous. The query is assumed to be:
- # "n 192.168.32.41"
- #
- # Use "?" to get help.
6.写完收工。
上面只是根据我的需求,写的一点东西,其他很功能大家自己可以去研究 。
转载于:https://blog.51cto.com/wenxin1234114/391104
776
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
