[Linux] Ubuntu Fail2ban Security Configuration

2023. 7. 8. 16:46 ㆍ System Workshop/LINUX


🚀 Ubuntu Fail2ban Security Configuration

    🔽 Overview

        📦 Introduction

This time I'm going to use a tool called Fail2ban to make the security of the 기깔나는 사람들 internal server a bit more robust.


 

        📦 What is Fail2ban?

Fail2ban is an intrusion prevention software framework written in Python.

It inspects connection attempts using logs and iptables and blocks offending hosts, protecting the system from brute-force attacks.

It runs on POSIX systems that have an interface to a packet-control system or a local firewall (iptables or TCP Wrapper), and it is released as open source under the GNU General Public License (GNU GPL or GPL) v2+.

This time I (주니) will install it through the steps below.

∙ Install fail2ban with the apt command
∙ Verify that fail2ban installed correctly
∙ Manage the fail2ban service with the systemctl command
∙ Configure fail2ban
∙ How to use fail2ban

 

 

        📦 Installing fail2ban with the apt command

Before the first install, I'll bring the package lists up to date.

apt-get update && apt-get upgrade -y

apt-get install -y fail2ban ufw

        📦 Verifying that fail2ban installed correctly

fail2ban-client -V

 


If version information is printed as above, the installation succeeded.

 

 

        📦 Managing the fail2ban service with the systemctl command

# 1. Apply fail2ban service (unit) configuration changes
$ sudo systemctl daemon-reload

# 2. Start the fail2ban service
$ sudo systemctl start fail2ban.service

# 3. Stop the fail2ban service
$ sudo systemctl stop fail2ban.service

# 4. Restart the fail2ban service
$ sudo systemctl restart fail2ban.service

# 5. Reload the fail2ban service configuration
$ sudo systemctl reload fail2ban.service

# 6. Show the fail2ban service status
$ sudo systemctl status fail2ban.service

# 7. Enable the fail2ban service (start automatically at boot)
$ sudo systemctl enable fail2ban.service

# 8. Disable the fail2ban service
$ sudo systemctl disable fail2ban.service

# 9. Kill the fail2ban service and all of its related processes
$ sudo systemctl kill fail2ban.service
 

 

systemctl start fail2ban

I started fail2ban as shown above.







        📦 Configuring fail2ban

vim /etc/fail2ban/jail.conf

The values above are the defaults; since Ubuntu uses ufw as its firewall, I changed them as follows.

 

----------------------------------------
[DEFAULT]
# IPs exempt from banning; separate additional entries with spaces
ignoreip = 127.0.0.1/8

# Ban duration in seconds (1 minute = 60); the example below is 1 day, -1 bans permanently
bantime = 86400

# A host is banned when it fails maxretry times within this window (seconds)
findtime = 86400

# Maximum number of allowed failures
maxretry = 3

# Ban method: 'firewallcmd-new' when using firewalld, 'iptables-multiport' when using iptables
banaction = iptables-multiport


[sshd]
enabled = true
----------------------------------------

 

I configured it as shown above.

Note that /etc/fail2ban/jail.conf is reset when the package is updated, so it's recommended to create /etc/fail2ban/jail.d/*.conf or /etc/fail2ban/jail.local and put your settings there.
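To see how the bantime, findtime, maxretry and ignoreip values above interact, here is an added Python example (not part of the original post, and not Fail2ban's own code) that replays a constructed auth.log excerpt through the same sliding-window logic; the host name, PIDs and IP addresses in the sample lines are made up for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Jail parameters taken from the [DEFAULT]/[sshd] section set in this post.
IGNOREIP = ["127.0.0.1/8"]
BANTIME = 86400   # seconds a banned host stays banned
FINDTIME = 86400  # window (seconds) in which failures are counted
MAXRETRY = 3      # failures inside FINDTIME that trigger a ban
# The sshd "Failed password" line shape that the sshd jail filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
    r"for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
# Constructed auth.log excerpt (example data; host name and IPs are made up).
SAMPLE_AUTH_LOG = [
    "Jul  8 16:40:01 ubuntu sshd[1201]: Failed password for root from 203.0.113.7 port 51322 ssh2",
    "Jul  8 16:40:05 ubuntu sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51330 ssh2",
    "Jul  8 16:40:09 ubuntu sshd[1205]: Failed password for root from 203.0.113.7 port 51341 ssh2",
    "Jul  8 16:40:12 ubuntu sshd[1207]: Failed password for root from 203.0.113.7 port 51350 ssh2",
    "Jul  8 16:41:00 ubuntu sshd[1210]: Failed password for ubuntu from 127.0.0.1 port 40000 ssh2",
    "Jul  8 16:41:01 ubuntu sshd[1211]: Failed password for ubuntu from 127.0.0.1 port 40001 ssh2",
    "Jul  8 16:41:02 ubuntu sshd[1212]: Failed password for ubuntu from 127.0.0.1 port 40002 ssh2",
    "Jul  8 16:45:00 ubuntu sshd[1220]: Accepted publickey for ubuntu from 198.51.100.5 port 2222 ssh2",
    "Jul  8 16:50:00 ubuntu sshd[1230]: Failed password for root from 198.51.100.5 port 2230 ssh2",
]

def is_ignored(ip):
    """True when ip lies in an ignoreip network (strict=False accepts 127.0.0.1/8)."""
    return any(ip_address(ip) in ip_network(net, strict=False) for net in IGNOREIP)

def simulate_sshd_jail(lines, year=2023):
    """Replay auth.log lines through findtime/maxretry/bantime; return ip -> [(ban_start, ban_end)]."""
    failures, banned_until, bans = {}, {}, {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed login ("Accepted ..." lines never count)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if is_ignored(ip) or ts < banned_until.get(ip, ts):
            continue  # whitelisted, or still banned (its packets are dropped anyway)
        # Keep only failures that fall inside the findtime window, then add this one.
        failures[ip] = [t for t in failures.get(ip, []) if ts - t <= timedelta(seconds=FINDTIME)] + [ts]
        if len(failures[ip]) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.setdefault(ip, []).append((ts, banned_until[ip]))
            failures[ip] = []  # the counter resets once the host is banned
    return bans
```

Running simulate_sshd_jail(SAMPLE_AUTH_LOG) bans only 203.0.113.7 at its third failure for exactly one day; the loopback failures are skipped by ignoreip and the single failure from 198.51.100.5 never reaches maxretry.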

 

vim /etc/fail2ban/jail.local

Once you've done that, save and exit.

 

touch /var/log/auth.log

Then, as above, I created auth.log, the file the logs will be written to, as an empty file.

chmod 644 /var/log/auth.log

After that I adjusted its permissions.

systemctl restart fail2ban.service

Then I restarted the service as above.

One thing to keep in mind: every time the service is restarted, the ban list, that is, the failure counts and current bans, is reset.

journalctl -f

With the command above you can watch failed ssh login attempts in real time.

It looks like nobody has tried to get into this server yet.




 

        📦 Using fail2ban

First, let's look at the initial ban list.

fail2ban-client status

fail2ban-client status sshd

This is how you can see clients that tried to connect over SSH and were banned according to the policy.

If you want to lift the SSH ban for a specific IP, run the following.

# fail2ban-client set sshd unbanip <Client IP>

cat /var/log/fail2ban.log

Fail2ban's own logs can be viewed like this.

 

 

 

🧐 References

MANUAL 0 8 - Fail2ban, www.fail2ban.org

 

 

 

 
