|
|
# fw
|
|
|
|
|
|
SIP 网络安全
|
|
|
|
|
|
sudo apt-get install ipset fail2ban
|
|
|
|
|
|
|
|
|
voipbl.sh
|
|
|
|
|
|
```
|
|
|
#!/bin/bash
|
|
|
|
|
|
URL="https://voipbl.org/update/"
|
|
|
|
|
|
set -e
|
|
|
echo "Downloading rules from VoIP Blacklist"
|
|
|
wget -qO - $URL -O /tmp/voipbl.txt
|
|
|
|
|
|
echo "Loading rules..."
|
|
|
|
|
|
# Check if rule set exists and create one if required
|
|
|
if ! $(/sbin/ipset list voipbl > /dev/null 2>&1); then
|
|
|
ipset -N voipbl iphash
|
|
|
fi
|
|
|
|
|
|
#Check if rule in iptables
|
|
|
if ! $(/sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1); then
|
|
|
/sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
|
|
|
fi
|
|
|
|
|
|
# Create temporary chain
|
|
|
ipset destroy voipbl_temp > /dev/null 2>&1 || true
|
|
|
ipset -N voipbl_temp iphash hashsize 131072 maxelem 260000
|
|
|
|
|
|
cat /tmp/voipbl.txt |\
|
|
|
awk '{print "if ! [[ \""$1"\" =~ ^#$|^0.0.0.0 ]]; then /sbin/ipset -A voipbl_temp \""$1"\" ; fi;"}' | sh
|
|
|
|
|
|
ipset swap voipbl_temp voipbl
|
|
|
ipset destroy voipbl_temp || true
|
|
|
|
|
|
echo "Done! Rules loaded"
|
|
|
|
|
|
```
|
|
|
|
|
|
/etc/cron.d/voipbl
|
|
|
|
|
|
```
|
|
|
# update blacklist each 4 hours
|
|
|
0 */4 * * * * root /usr/local/bin/voipbl.sh
|
|
|
```
|
|
|
|
|
|
|
|
|
## Fail2Ban
|
|
|
|
|
|
Fail2Ban 就是一个日志 IP 的过滤筛选器,根据不同的监狱规则从日志中找出这些“行为不端”的 IP,一旦这些 IP 发送了触犯监狱规则的请求达到阈值就会在 iptables 里直接封禁屏蔽,并且可以设置屏蔽这个 IP 的时间长久来避免误伤造成的危害过大。
|
|
|
|
|
|
所以用好 Fail2Ban 其实最重要的就是如何根据日志制定有效的监狱规则,规则制订完了还需要测试一下这个规则是否生效了,是否真的可以起到预期的目的。
|
|
|
|
|
|
打开编辑 nginx-not-found.conf 监狱规则文件,注意一定要在/etc/fail2ban/filter.d/目录内哦。
|
|
|
|
|
|
```
|
|
|
[Definition]
|
|
|
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
|
|
|
ignoreregex =
|
|
|
```
|
|
|
|
|
|
再打开编辑 jail.local 启用这个监狱规则。
|
|
|
|
|
|
vim /etc/fail2ban/jail.local
|
|
|
|
|
|
添加下面的代码到 jail.local 里即可。同样的,注意 jail.local 文件的目录哦。
|
|
|
|
|
|
```
|
|
|
[nginxno404]
|
|
|
#处理 nginx 下的恶意 404 结果扫描
|
|
|
enabled = true
|
|
|
port = http,https
|
|
|
filter = nginx-not-found
|
|
|
action = iptables[name=nginxno404, port=http, protocol=tcp]
|
|
|
#Fail2Ban 要监控的站点日志文件,大家可以根据自己站点来灵活调整。
|
|
|
logpath = /home/wwwlogs/access.log
|
|
|
/home/wwwlogs/www.imydl.com.log
|
|
|
/home/wwwlogs/www.imydl.tech.log
|
|
|
/home/wwwlogs/service.imydl.com.log
|
|
|
/home/wwwlogs/eat.ymanz.com.log
|
|
|
bantime = 3600 #默认是屏蔽 IP 地址 10 分钟
|
|
|
#下面这两个是说 60 秒内 5 次 404 失败请求就开始屏蔽这个 IP 地址
|
|
|
findtime = 60
|
|
|
maxretry = 5
|
|
|
|
|
|
```
|
|
|
|
|
|
/etc/fail2ban/jail.conf
|
|
|
|
|
|
```
|
|
|
[asterisk-iptables]
|
|
|
action = iptables-allports[name=ASTERISK, protocol=all]
|
|
|
voipbl[serial=XXXXXXXXXX]
|
|
|
|
|
|
```
|
|
|
|
|
|
/etc/fail2ban/action.d/voipbl.conf.
|
|
|
|
|
|
```
|
|
|
# Description: Configuration for Fail2Ban
|
|
|
|
|
|
[Definition]
|
|
|
|
|
|
actionban = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
|
|
|
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"
|
|
|
|
|
|
[Init]
|
|
|
|
|
|
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
|
|
|
--read-timeout=60 --retry-connrefused --output-document=- \
|
|
|
--user-agent=Fail2Ban
|
|
|
|
|
|
url = http://www.voipbl.org
|
|
|
|
|
|
```
|
|
|
|
|
|
重新启动 Fail2Ban:
|
|
|
|
|
|
systemctl restart fail2ban.service
|
|
|
|
|
|
|
|
|
### 解除
|
|
|
|
|
|
fail2ban-client set asterisk unbanip 172.104.78.195
|
|
|
|
|
|
### 查看
|
|
|
|
|
|
fail2ban-client status asterisk
|
|
|
|
|
|
|
|
|
|
