
Using fail2ban to block web attacks

1. Introduction

Put simply, fail2ban continuously reads the log files it is configured to watch and checks every new line against a regular expression. When a line matches, it extracts the client IP address and the timestamp and records them in its own database, counting matches per IP as it goes. If the number of matches for one IP inside the configured time window (findtime) reaches the threshold (maxretry), fail2ban runs the configured ban action, by default an iptables rule that rejects further traffic from that address for the ban duration (bantime).

Linux production environment configuration guide  https://blog.51cto.com/waringid/5782872

Linux firewall firewall-cmd daily operations guide  https://blog.51cto.com/waringid/5806004

Blocking large numbers of IPs with ipset  https://blog.51cto.com/waringid/5806004

For the preparatory steps, see the "Linux production environment configuration guide" linked above. The fail2ban layout is as follows:

/etc/fail2ban                  ## fail2ban service configuration directory

/etc/fail2ban/action.d         ## action files: iptables, firewallcmd, mail, ...

/etc/fail2ban/filter.d         ## filter files: the regular expressions that pick the relevant log lines

/etc/fail2ban/jail.conf        ## jail definitions: which log to watch, which filter, thresholds and action

/etc/fail2ban/fail2ban.conf    ## daemon configuration: log level, log target, socket and pid file locations

2. Check the firewall

# If the legacy iptables service is installed, stop it first: it and firewalld must not both manage the rule set
service iptables stop
# Check the firewalld state
firewall-cmd --state
# Start firewalld
systemctl start firewalld
# Enable it at boot
systemctl enable firewalld.service
# Allow the web ports (80, and 443 if TLS is served); SSH is allowed by default in the public zone
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
# Reload the configuration
firewall-cmd --reload
# List the allowed ports
firewall-cmd --zone=public --list-ports

3. Installation and configuration

3.1. Installation

yum -y install fail2ban

The package comes from the EPEL repository. After installation the configuration lives in /etc/fail2ban: jail.conf is the main configuration file and the matching rules live in filter.d; the other directories and files are rarely needed and are described in fail2ban's own manual pages.

3.2. Configure the jails

Overrides belong in jail.local, which is read after jail.conf and survives package upgrades; do not edit jail.conf itself.

cd /etc/fail2ban
cp jail.conf jail.local
vim jail.local

# In [DEFAULT]: switch the ban action from plain iptables to firewallcmd-ipset, so banned
# addresses go into an ipset referenced by firewalld and a long ban list stays cheap.
# action_mwl bans, then mails a report with whois output and the matching log lines;
# it needs destemail and sender set and a working local MTA, otherwise the mail part fails.
banaction = firewallcmd-ipset
action = %(action_mwl)s

[waf-blockip]
enabled = true
filter = waf-blockip
port = http,https
logpath = /tmp/2019*_waf.log
blocktype = DROP
action = %(action_mwl)s
# the key is datepattern (not "datapattern"); jail.local is read with % interpolation, so a literal % is written %%
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
bantime = 120
maxretry = 1
findtime = 1

[nginx-cc]
enabled = true
filter = nginx-cc
port = http,https
logpath = /tmp/cc.log
blocktype = DROP
action = %(action_mwl)s
bantime = 120
maxretry = 1
findtime = 1

The lines above mean, roughly:

[nginx-cc]: the jail name

  • enabled: whether the jail is active; the stock jails do not set it (it is false in [DEFAULT]), so it has to be added explicitly
  • port: the ports to ban; the default is 0:65535, that is all ports, and it can be overridden per jail
  • filter: the name of the filter file in filter.d (without the .conf suffix)
  • logpath: the log file(s) to watch; globs are allowed
  • action: what to do once the threshold is reached
  • maxretry: the threshold, as a number of matches
  • findtime: the time window, in seconds, inside which maxretry matches must occur
  • bantime: the ban duration, in seconds
  • ignoreip: addresses or networks that are never banned

Note

logpath and action may each span several lines. action_mwl expands to the banaction (firewallcmd-ipset here; iptables-multiport in the stock configuration), which blocks the target IP on the listed ports, plus a sendmail action that sends an alert mail with whois output and the matching log lines.

findtime is not the interval at which the log is checked; the log is read continuously. Because fail2ban keeps every match with its timestamp in its own database, it can count how many fall inside the window. With maxretry = 1 and findtime = 1 as configured above, a single matching line triggers a ban.

Add the backend servers' and the CDN's addresses to ignoreip. When traffic arrives through a CDN or reverse proxy, the address in the log is the proxy's, not the client's: unless the log records the real client address (for example from X-Forwarded-For), a ban would hit the proxy and therefore every user behind it.
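The counting behind findtime, maxretry, bantime and ignoreip, as an added example that is not fail2ban's own code: every match is stored with its timestamp, an IP is banned once it has maxretry matches inside any findtime-second window, the ban lapses after bantime, and ignoreip addresses are never banned. The threshold used here (3 matches in 60 s) is looser than the page's maxretry = 1 so that the window is visible; the events are constructed.

```python
"""Sliding-window ban logic in the style of fail2ban's findtime/maxretry/bantime.

Added example, not fail2ban's code: models the counting described in the notes
above so the jail numbers can be tried without a running daemon.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class Jail:
    def __init__(self, maxretry, findtime, bantime, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.hits = defaultdict(deque)   # ip -> timestamps of recent matches
        self.banned = {}                 # ip -> time at which the ban expires

    def is_ignored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        until = self.banned.get(ip)
        return until is not None and until > now

    def observe(self, ip, when):
        """Record one failregex match; return the ban expiry if this match bans the IP."""
        if self.is_ignored(ip) or self.is_banned(ip, when):
            return None
        q = self.hits[ip]
        q.append(when)
        # only matches inside the last findtime seconds count
        while q and when - q[0] > self.findtime:
            q.popleft()
        if len(q) >= self.maxretry:
            until = when + self.bantime
            self.banned[ip] = until
            q.clear()
            return until
        return None


def simulate(jail, events):
    """events: (ip, datetime) pairs in log order. Returns [(ip, banned_at, banned_until)]."""
    bans = []
    for ip, when in events:
        until = jail.observe(ip, when)
        if until is not None:
            bans.append((ip, when, until))
    return bans


T0 = datetime(2019, 6, 18, 11, 59, 45)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed events: a burst, a slow scanner, and an internal monitoring host.
EVENTS = [
    ("47.52.195.189", at(0)),
    ("50.195.104.171", at(0)),
    ("192.168.13.43", at(1)),
    ("192.168.13.43", at(2)),
    ("192.168.13.43", at(3)),
    ("47.52.195.189", at(10)),
    ("47.52.195.189", at(20)),     # third hit within 60 s -> ban until T0+140
    ("50.195.104.171", at(70)),
    ("50.195.104.171", at(140)),   # never 3 hits inside one 60 s window -> no ban
]


def demo():
    jail = Jail(maxretry=3, findtime=60, bantime=120, ignoreip=["192.168.13.0/24"])
    return jail, simulate(jail, EVENTS)


if __name__ == "__main__":
    jail, bans = demo()
    for ip, start, until in bans:
        print(f"ban {ip} at {start:%H:%M:%S} until {until:%H:%M:%S}")
```

The slow scanner is the case to watch: three hits spread over 140 s never ban, because findtime is a sliding window and not a polling interval, which is why the page's jails use maxretry = 1 for flood patterns.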

3.3. Configure the filters

vim /etc/fail2ban/filter.d/waf-blockip.conf
[Definition]
# the WAF log is JSON; the client address is the value immediately before the "rule_tag" key
failregex = \"<HOST>\",\"rule_tag\"
ignoreregex =

The log it matches looks like this (one client repeatedly flagged as CC_Attack):

{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","server_name":"status.myj.com.cn","req_url":"\/","req_data":"-","user_agent":"ApacheBench\/2.3"}
{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","server_name":"status.myj.com.cn","req_url":"\/","req_data":"-","user_agent":"ApacheBench\/2.3"}
{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","server_name":"status.myj.com.cn","req_url":"\/","req_data":"-","user_agent":"ApacheBench\/2.3"}
{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","server_name":"status.myj.com.cn","req_url":"\/","req_data":"-","user_agent":"ApacheBench\/2.3"}
{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","server_name":"status.myj.com.cn","req_url":"\/","req_data":"-","user_agent":"ApacheBench\/2.3"}
{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","server_name":"status.myj.com.cn","req_url":"\/","req_data":"-","user_agent":"ApacheBench\/2.3"}
{"local_time":"2019-06-18 12:00:13","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","server_name":"status.myj.com.cn","req_url":"\/","req_data":"-","user_age

vim /etc/fail2ban/filter.d/nginx-cc.conf
[Definition]
# matches "GET /?=NNNN" floods. Note that "=*" means zero or more "=", so this also
# matches any other "GET /?..." request; use \?=\d+ if only the numeric form should count
failregex =  <HOST> - - \[.*\] .*GET \/\?=*
#failregex = <HOST> - - \[.*\] \".*(403|400).*\"      # alternative: match requests answered with 403 or 400
ignoreregex =

Sample lines from the nginx access log (combined format) that the filter is meant to catch:

47.52.195.189 - - [13/Jun/2019:18:18:47 +0800] "GET /?=18566 HTTP/1.1" 403 552 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0 (X11; Linux x86_64)AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24"
47.52.195.189 - - [13/Jun/2019:18:18:47 +0800] "GET /?=18566 HTTP/1.1" 403 552 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0 (X11; Linux x86_64)AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24"
47.52.195.189 - - [13/Jun/2019:18:18:47 +0800] "GET /?=18566 HTTP/1.1" 403 552 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0 (X11; Linux x86_64)AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24"
47.52.195.189 - - [13/Jun/2019:18:18:47 +0800] "GET /?=18566 HTTP/1.1" 403 552 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0 (X11; Linux x86_64)AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24"
50.195.104.171 - - [13/Jun/2019:18:18:47 +0800] "GET /?=13253 HTTP/1.1" 504 905 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0 (X11; U; NetBSD amd64; en-US; rv:1.9.2.15) Gecko/20110308 Namoroka/3.6.15"
47.52.195.189 - - [13/Jun/2019:18:18:47 +0800] "GET /?=18566 HTTP/1.1" 403 552 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0 (X11; Linux x86_64)AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24"
192.168.13.43 - - [06/Jun/2019:18:25:58 +0800] "GET /ngx_status HTTP/1.1" 301 16 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge

4. Common operations

# Show the banned IPs of a jail; the argument is the jail name, e.g. [waf-blockip] or [nginx-cc] above
fail2ban-client status nginx-cc
# Add an address to the whitelist
fail2ban-client set nginx-cc addignoreip <IP>
# Remove an address from the whitelist
fail2ban-client set nginx-cc delignoreip <IP>
# Lift a ban by hand (a whitelisted address that is already banned stays banned until this or bantime expiry)
fail2ban-client set nginx-cc unbanip <IP>
# Overall status: list of active jails
fail2ban-client status
# Daemon log
tail /var/log/fail2ban.log
# Inspect the resulting firewall rules and ipsets
firewall-cmd --direct --get-all-rules
ipset list

4.1. Scheduled log cleanup

vi /root/del_waf_log.sh
#! /bin/bash
# truncate today's WAF log; the file name must match the logpath glob in jail.local (2019*_waf.log)
cat /dev/null > /tmp/`date +"%Y-%m-%d"`_waf.log

chmod +x /root/del_waf_log.sh
crontab -e
# 03:30 every Sunday
30 3 * * 0 sh /root/del_waf_log.sh

This only empties the current day's file; files from other days stay in /tmp and need their own cleanup. fail2ban notices that a watched file has shrunk and restarts from its beginning, so truncating a file it is tailing is safe.

5. Kernel tuning

For the TIME_WAIT build-up that a request flood leaves behind, the kernel can be tuned through /etc/sysctl.conf (apply with sysctl -p):

# seconds a socket stays in FIN_WAIT2; can be lowered further in some cases
net.ipv4.tcp_fin_timeout = 30
# send the first keepalive probe after 20 minutes of idle (the default is 7200, i.e. 2 hours)
net.ipv4.tcp_keepalive_time = 1200
# enable SYN cookies once the SYN queue overflows
net.ipv4.tcp_syncookies = 1
# allow TIME_WAIT sockets to be reused for new outgoing connections (has no effect on inbound connections)
net.ipv4.tcp_tw_reuse = 1
# fast recycling of TIME_WAIT sockets: drops connections from clients behind NAT and was removed in Linux 4.12; keep it off on anything reachable from the Internet
net.ipv4.tcp_tw_recycle = 0
# larger SYN queue
net.ipv4.tcp_max_syn_backlog = 8192
# cap on TIME_WAIT sockets; above it, sockets entering TIME_WAIT are destroyed immediately and the kernel logs a warning
net.ipv4.tcp_max_tw_buckets = 5000

6. Filter rules

6.1. Verifying a filter (nginx)

Test a filter against a real log before enabling its jail; fail2ban-regex reports how many lines matched and how the timestamps were parsed (add --print-all-matched to list every matched line):

fail2ban-regex /tmp/2019-07-10_waf.log /etc/fail2ban/filter.d/waf-blockip.conf

For comparison, the failregex below is the one fail2ban's stock nginx-http-auth filter uses to pick HTTP basic-auth failures out of the nginx error log; note how the client address is taken from the "client: <HOST>" field:

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

6.2. Troubleshooting fail2ban start-up

# -x removes a stale socket file left behind by a crashed server before starting
fail2ban-client -x start
# dump the parsed configuration to check what the daemon will actually load
fail2ban-client -d

6.3. Filtering ModSecurity logs

ModSecurity combined with nginx and integrated into the microservice gateway provides web protection. The logs produced by the Kong gateway with ModSecurity look like this:

112.119.33.91 - - [18/Dec/2020:09:21:58 +0800] "GET /socket.io/?__sails_io_sdk_version=0.13.8&__sails_io_sdk_platform=browser&__sails_io_sdk_language=javascript&EIO=3&transport=polling&t=NPpS75x&sid=o6ZI8VoIHqBUgvFMAACb HTTP/2.0" 200 4 "https://dashboard.waringid.me/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
2020/12/18 09:23:10 [error] 25142#0: *659 [client 113.78.65.148] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.19.0.5"] [uri "/.env"] [unique_id "1608254590"] [ref ""], client: 113.78.65.148, server: kong, request: "GET /.env HTTP/1.1", host: "dashboard.waringid.me"
113.78.65.148 - - [18/Dec/2020:09:23:10 +0800] "GET /.env HTTP/1.1" 403 150 "-" "curl/7.29.0"
51.159.23.43 - - [18/Dec/2020:09:28:46 +0800] "GET / HTTP/1.1" 404 48 "-" "-"
89.97.157.10 - - [18/Dec/2020:09:43:52 +0800] "GET / HTTP/1.1" 404 48 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

Note that there are two different log types here: the access log, one line per request with the time written as [18/Dec/2020:09:21:58 +0800], and the nginx error log, where ModSecurity writes its "Access denied" line with the time written as 2020/12/18 09:23:10 and the client in a "client: <IP>" field. Each type needs its own failregex.

The timestamp formats also differ, so each filter needs a datepattern that matches its own log.
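Running the filters from 3.3 and a filter for the ModSecurity error line above over sample log lines, the way fail2ban-regex does, as an added example that is not fail2ban's code. fail2ban expands <HOST> into a named group before compiling; the expansion used here is a simplified IPv4/IPv6 form, and date handling is reduced to one strptime format per log family. The sample lines are constructed to mirror the formats shown on the page; the "modsec" filter name and its regex are assumptions, not a stock fail2ban filter.

```python
"""Apply this page's filters to sample log lines, the way fail2ban-regex does.

Added example, not fail2ban's code. Serves 3.3 (waf-blockip, nginx-cc) and 6.3
(the ModSecurity error line); HOST expansion and date parsing are simplified.
"""
import re
from datetime import datetime

# simplified stand-in for fail2ban's <HOST> expansion (IPv4 or bare IPv6)
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# name -> (failregex, timestamp regex with one capture group, strptime format)
FILTERS = {
    # 3.3: JSON WAF log; the client address sits right before the "rule_tag" key
    "waf-blockip": (
        r'"<HOST>","rule_tag"',
        r'"local_time":"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"', "%Y-%m-%d %H:%M:%S",
    ),
    # 3.3: nginx access log, tightened to the numeric "GET /?=NNNN" form
    "nginx-cc": (
        r'^<HOST> - - \[[^\]]*\] "GET /\?=\d+ HTTP',
        r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) ", "%d/%b/%Y:%H:%M:%S",
    ),
    # 6.3: nginx error log line written by ModSecurity (assumed regex, not a stock filter)
    "modsec": (
        r"ModSecurity: Access denied with code \d+ .*client: <HOST>, server:",
        r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ", "%Y/%m/%d %H:%M:%S",
    ),
}

# The page's original nginx-cc pattern: "=*" is zero or more "=", so any "GET /?..." matches.
LOOSE_CC = r"<HOST> - - \[.*\] .*GET \/\?=*"


def expand(regex):
    return re.compile(regex.replace("<HOST>", HOST))


def scan(name, lines):
    """Return [(host, datetime)] for every line the named filter matches.
    Lines without a parsable timestamp are skipped, as fail2ban skips them."""
    failregex, date_regex, fmt = FILTERS[name]
    fail_re, date_re = expand(failregex), re.compile(date_regex)
    hits = []
    for line in lines:
        m = fail_re.search(line)
        d = date_re.search(line)
        if m and d:
            hits.append((m.group("host"), datetime.strptime(d.group(1), fmt)))
    return hits


def count_matches(regex, lines):
    r = expand(regex)
    return sum(1 for line in lines if r.search(line))


# Constructed sample lines in the three formats shown on the page.
WAF_LOG = [
    '{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","req_url":"\\/","user_agent":"ApacheBench\\/2.3"}',
    '{"local_time":"2019-06-18 11:59:45","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","req_url":"\\/","user_agent":"ApacheBench\\/2.3"}',
    '{"local_time":"2019-06-18 12:00:13","client_ip":"192.168.13.215","rule_tag":"-","attack_method":"CC_Attack","req_url":"\\/","user_agent":"ApacheBench\\/2.3"}',
]
ACCESS_LOG = [
    '47.52.195.189 - - [13/Jun/2019:18:18:47 +0800] "GET /?=18566 HTTP/1.1" 403 552 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0"',
    '50.195.104.171 - - [13/Jun/2019:18:18:47 +0800] "GET /?=13253 HTTP/1.1" 504 905 "https://www.google.com/search?q=120.79.35.33/" "Mozilla/5.0"',
    '192.168.13.43 - - [06/Jun/2019:18:25:58 +0800] "GET /ngx_status HTTP/1.1" 301 16 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Jun/2019:18:19:00 +0800] "GET /? HTTP/1.1" 200 10 "-" "curl/7.29.0"',  # bare /? : only the loose regex matches
]
ERROR_LOG = [
    '2020/12/18 09:23:10 [error] 25142#0: *659 [client 113.78.65.148] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge\' with parameter `5\' against variable `TX:ANOMALY_SCORE\' (Value: `5\' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/.env"], client: 113.78.65.148, server: kong, request: "GET /.env HTTP/1.1", host: "dashboard.waringid.me"',
    '113.78.65.148 - - [18/Dec/2020:09:23:10 +0800] "GET /.env HTTP/1.1" 403 150 "-" "curl/7.29.0"',
]


if __name__ == "__main__":
    for name, lines in (("waf-blockip", WAF_LOG), ("nginx-cc", ACCESS_LOG), ("modsec", ERROR_LOG)):
        for host, ts in scan(name, lines):
            print(f"{name:12s} {ts:%Y-%m-%d %H:%M:%S} {host}")
    print("loose nginx-cc regex matches", count_matches(LOOSE_CC, ACCESS_LOG), "of", len(ACCESS_LOG), "lines")
```

To turn one of these into a real filter, put the failregex (with <HOST> left literal) under [Definition] in /etc/fail2ban/filter.d/<name>.conf, set datepattern to the corresponding format written with %% instead of %, and confirm the match count with fail2ban-regex against the live log before enabling the jail.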
