Fail2ban mit Firewalld zur Vermeidung von Bruteforce Angriffen

Fail2ban (sinngemäß „Fehlschlag führt zum Bann“) ist ein in Python geschriebenes Intrusion Prevention System (Framework zur Vorbeugung gegen Einbrüche), das auf allen POSIX-Betriebssystemen läuft, die ein manipulierbares Paketfiltersystem oder eine Firewall besitzen (z. B. iptables unter Linux). [Quelle: Wikipedia]

Anker

Installation unter Red Hat Enterprise Linux 7 / CentOS 7

yum install fail2ban fail2ban-firewalld
================================================================================================================================
 Package                        Arch               Version                     Paketquelle                                Größe
================================================================================================================================
Installieren:
 fail2ban                       noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL              11 k
 fail2ban-firewalld             noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL              11 k
Als Abhängigkeiten installiert:
 fail2ban-sendmail              noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL              14 k
 fail2ban-server                noarch             0.9.6-3.el7                 Default_Organization_EPEL_EPEL             286 k
 systemd-python                 x86_64             219-30.el7_3.9              rhel-7-server-rpms                         110 k

Transaktionsübersicht
================================================================================================================================
Installieren  2 Pakete (+3 Abhängige Pakete)
Anker

Anpassungen für Firewalld

Da Fail2ban mit Firewalld nicht zuverlässig funktioniert, sind folgende Anpassungen vorzunehmen.

file: /etc/fail2ban/jail.d/00-firewalld.conf

[DEFAULT]
banaction = custom-firewalld

/etc/fail2ban/action.d/custom-firewalld.conf


[INCLUDES]
before  =

[Definition]
actionstart =
actionstop =
actioncheck =

actionban = firewall-cmd --change-source=<ip> --zone=drop && firewall-cmd --change-source=<ip> --zone=drop --permanent
actionunban = firewall-cmd --change-source=<ip> --zone=drop && firewall-cmd --change-source=<ip> --zone=drop --permanent && firewall-cmd --remove-source=<ip> --zone=drop && firewall-cmd --remove-source=<ip> --zone=drop --permanent

[Init]
Anker

Test

Durch fail2ban-client -v -d wird die aktuelle Konfiguration ausgegeben.

Mittels fail2ban-client set dovecot banip 55.55.55.55 wird die IP-Adresse 55.55.55.55 auf die Black-List gesetzt und im Firewalld aktiviert. Dies ist durch die Ausgabe von iptables -L -n sichtbar.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination
FWDI_nagios  all  --  10.71.1.22           0.0.0.0/0           [goto]
FWDI_drop  all  --  55.55.55.55          0.0.0.0/0

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination
FWDO_nagios  all  --  0.0.0.0/0            10.71.1.22          [goto]
FWDO_drop  all  --  0.0.0.0/0            55.55.55.55

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_drop (1 references)
target     prot opt source               destination
FWDI_drop_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_drop_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_drop_allow  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_drop_allow (1 references)
target     prot opt source               destination

Chain FWDI_drop_deny (1 references)
target     prot opt source               destination

Chain FWDI_drop_log (1 references)
target     prot opt source               destination

Chain FWDI_nagios (4 references)
target     prot opt source               destination
FWDI_nagios_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_nagios_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_nagios_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_nagios_allow (1 references)
target     prot opt source               destination

Chain FWDI_nagios_deny (1 references)
target     prot opt source               destination

Chain FWDI_nagios_log (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_drop (1 references)
target     prot opt source               destination
FWDO_drop_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_drop_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_drop_allow  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_drop_allow (1 references)
target     prot opt source               destination

Chain FWDO_drop_deny (1 references)
target     prot opt source               destination

Chain FWDO_drop_log (1 references)
target     prot opt source               destination

Chain FWDO_nagios (4 references)
target     prot opt source               destination
FWDO_nagios_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_nagios_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_nagios_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_nagios_allow (1 references)
target     prot opt source               destination

Chain FWDO_nagios_deny (1 references)
target     prot opt source               destination

Chain FWDO_nagios_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination
IN_nagios  all  --  10.71.1.22           0.0.0.0/0           [goto]
IN_drop    all  --  55.55.55.55          0.0.0.0/0

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_drop (1 references)
target     prot opt source               destination
IN_drop_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_drop_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_drop_allow  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain IN_drop_allow (1 references)
target     prot opt source               destination

Chain IN_drop_deny (1 references)
target     prot opt source               destination

Chain IN_drop_log (1 references)
target     prot opt source               destination

Chain IN_nagios (4 references)
target     prot opt source               destination
IN_nagios_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_nagios_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_nagios_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_nagios_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6556 ctstate NEW

Chain IN_nagios_deny (1 references)
target     prot opt source               destination

Chain IN_nagios_log (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1352 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1501 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1581 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993 ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

Durch den Befehl fail2ban-client set dovecot unbanip 55.55.55.55 wird für den Dienst dovecot die IP wieder freigegeben.