
Hi team, first of all thank you for investing your valuable time to help beginners like me.

I installed fail2ban on CentOS.

In my haproxy log:

Mar  7 02:37:07 localhost haproxy[9378]: 115.xxx.xxx.xxx:19004 [07/Mar/2015:02:37:03.823] http-ingress testing/new-server 2952/0/0/17/3242 302 689 - - --VN 3/3/0/0/0 0/0 "GET /myadmin/scripts/setup.php HTTP/1.1"

How do I block this?

I have done the following steps; please correct me if anything is wrong.

============================================================

Command:

vim /etc/fail2ban/filter.d/vulscan.conf 

File:

[Definition]

failregex = ^<HOST>.*\"GET

ignoreregex =


[vulscan]

enabled = true

port = http,https

filter = vulscan

banaction = iptables-allports

logpath = /var/log/haproxy_0.log

#action   = hostsdeny[file=/etc/hosts.deny]

action = iptables-multiport[name=vulscan,port="http,https", protocol=tcp]

maxretry = 1

bantime = 604800

============================================================

Command:

iptables -L

Output pasted below:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-vulscan  tcp  --  anywhere             anywhere            multiport dports http,https 
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-vulscan (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere 

2 Answers

0

Not an exact answer to the original old question, but hopefully enough to get anyone started using Docker, Fail2Ban and HAProxy together. It took me a long time to figure out, and it definitely works at the time of writing in 2022.

The files listed here are mostly just the core pieces needed for this specific task; most haproxy, fail2ban and docker files will contain more than this.

haproxy.cfg - this sets up super-simple logging and returns 403 denied for certain paths, which is what we will look for later to spot the bots

global
  log stdout local0 debug

defaults
  log global
  option httplog
  log-format "%Tl|%ci-%ST-%r"

frontend input-main-web
  bind *:80
  bind *:443 ssl crt /astro/ssl-certs
  option forwardfor header X-Real-IP
  http-request set-header X-Real-IP %[src]
  
  # attempting to deny bots to anywhere
  acl bot-path path -i -m sub wp-includes
  acl bot-path path -i -m sub wp-login
  acl bot-path path -i -m sub xmlrpc
  acl bot-path path -i -m sub wordpress
  http-request deny if bot-path

haproxy Dockerfile - this writes stdout to an actual file that fail2ban can read (if you run haproxy in docker, this will be the last line)

# Redirect stderr before the pipe so that both streams reach the log file
CMD haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg 2>&1 | tee /var/log/haproxy.log

fail2ban.yml - this runs fail2ban nicely in its own container while still protecting the host and all the containers running on it

version: '3.8'
services:
  astro-fail2ban:
    build: ./fail2ban
    image: astro-fail2ban
    restart: unless-stopped
    volumes:
      - /home/docker-data/fail2ban:/data
      - /home/docker-log/haproxy:/log:ro
      - /var/log/secure:/var/log/secure:ro
    environment: 
      - TZ=America/Phoenix
      - F2B_DB_PURGE_AGE=30d
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO
      - F2B_IPTABLES_CHAIN=INPUT

    network_mode: "host"

    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW

fail2ban Dockerfile - copies in the custom files you are creating

FROM crazymax/fail2ban:latest

RUN mkdir -p /var/log
RUN touch /var/log/auth.log

RUN mkdir -p /etc/fail2ban
COPY ./jail.local /etc/fail2ban/
COPY ./haproxy.conf /etc/fail2ban/filter.d/
COPY ./docker-action.conf /etc/fail2ban/action.d/

jail.local - this tells fail2ban to look through the haproxy log with the filter defined below and run the custom ban action on anything it finds (findtime and bantime can be set to your own spec)

[haproxy]
enabled = true
port = http,https
filter = haproxy
logpath = /log/haproxy.log
maxretry = 3
findtime = 300
bantime = 1800
banaction = docker-action
ignoreip = 127.0.0.1

haproxy.conf - tells fail2ban to look for 403 status codes in the log (our bot signal)

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = haproxy
failregex = \|<HOST>-403
ignoreregex =

docker-action.conf - custom ban action for the FORWARD chain that drops the packets - a bit of magic, but it works

[Definition]
 
actionstart = iptables -N f2b-haproxy
              iptables -A f2b-haproxy -j RETURN
              iptables -I FORWARD -p tcp -m multiport --dports 80,443 -j f2b-haproxy
 
actionstop = iptables -D FORWARD -p tcp -m multiport --dports 80,443 -j f2b-haproxy
             iptables -F f2b-haproxy
             iptables -X f2b-haproxy
 
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-haproxy[ \t]'
 
actionban = iptables -I f2b-haproxy 1 -s <ip> -j DROP
 
actionunban = iptables -D f2b-haproxy -s <ip> -j DROP

Any other questions... leave a comment.

Answered 2022-01-28T07:23:56.500
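The two filters on this page are easiest to compare by replaying log lines through a small model of how fail2ban matches and bans: the question's `^<HOST>.*\"GET` over the default syslog-style httplog line, and the 2022 answer's `\|<HOST>-403` over the custom `%Tl|%ci-%ST-%r` format. The script below is an added example written for this page; it is not code from the question, the answers or the fail2ban project. It assumes the classic 0.9-series expansion of the `<HOST>` placeholder, approximates fail2ban's timestamp removal with two of its stock date shapes, and uses constructed sample lines with TEST-NET addresses and an approximate `%Tl` timestamp. `compile_failregex`, `strip_date`, `matching_hosts`, `simulate_jail` and `custom_line` are the example's own names.

```python
import re
from collections import defaultdict, deque

# What fail2ban (0.9 series) substitutes for <HOST>; the optional prefix covers
# IPv4-mapped IPv6 addresses. Assumption: reproduced from fail2ban's regex module.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Two stock date shapes: syslog ("Mar  7 02:37:07") and "28/Jan/2022:07:23:56 -0700".
# fail2ban removes the detected timestamp from the line before running failregex;
# this is an approximation of that step (assumption), limited to these two shapes.
DATE_RES = [
    re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d"),
    re.compile(r"^\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d(?: [+-]\d{4})?"),
]


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def strip_date(line):
    """Remove the leading timestamp the way fail2ban does before matching."""
    for rx in DATE_RES:
        line, n = rx.subn("", line, count=1)
        if n:
            break
    return line


def matching_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches (re.search)."""
    rx = compile_failregex(failregex)
    found = []
    for line in lines:
        m = rx.search(strip_date(line))
        if m:
            found.append(m.group("host"))
    return found


def simulate_jail(failregex, events, maxretry, findtime, bantime):
    """Minimal jail model over (epoch_seconds, log_line) events.

    A host is banned once it has `maxretry` matches inside a sliding `findtime`
    window and stays banned for `bantime` seconds. Returns [(host, ban_time), ...].
    """
    rx = compile_failregex(failregex)
    window = defaultdict(deque)   # host -> timestamps of recent matches
    banned_until = {}
    bans = []
    for ts, line in sorted(events):
        m = rx.search(strip_date(line))
        if not m:
            continue
        host = m.group("host")
        if banned_until.get(host, -1) > ts:
            continue              # traffic from a banned host is DROPped, nothing to count
        hits = window[host]
        hits.append(ts)
        while hits and ts - hits[0] > findtime:
            hits.popleft()        # forget matches older than findtime
        if len(hits) >= maxretry:
            banned_until[host] = ts + bantime
            bans.append((host, ts))
            hits.clear()
    return bans


# --- Constructed sample input (TEST-NET addresses, not real clients) ---

# 1) Lines in the shape of the question's default httplog via syslog.
SYSLOG_LINES = [
    'Mar  7 02:37:07 localhost haproxy[9378]: 203.0.113.10:19004 [07/Mar/2015:02:37:03.823] '
    'http-ingress testing/new-server 2952/0/0/17/3242 302 689 - - --VN 3/3/0/0/0 0/0 '
    '"GET /myadmin/scripts/setup.php HTTP/1.1"',
    'Mar  7 02:37:09 localhost haproxy[9378]: 198.51.100.7:41022 [07/Mar/2015:02:37:09.101] '
    'http-ingress testing/new-server 12/0/0/5/17 200 1204 - - ---- 3/3/0/0/0 0/0 '
    '"GET /index.html HTTP/1.1"',
]
QUESTION_FAILREGEX = r'^<HOST>.*\"GET'                 # as posted in the question
SYSLOG_FAILREGEX = r'haproxy\[\d+\]: <HOST>:\d+ \['    # anchors <HOST> on the client field

# 2) Lines in the 2022 answer's custom format: log-format "%Tl|%ci-%ST-%r".
def custom_line(ip, status, request):
    return f"28/Jan/2022:07:23:56 -0700|{ip}-{status}-{request}"   # %Tl shape approximate

ANSWER_FAILREGEX = r'\|<HOST>-403'
CUSTOM_EVENTS = [
    (0,   custom_line("203.0.113.10", 403, "GET /wp-login.php HTTP/1.1")),
    (100, custom_line("203.0.113.10", 403, "GET /xmlrpc.php HTTP/1.1")),
    (200, custom_line("203.0.113.10", 403, "GET /wordpress/ HTTP/1.1")),
    (0,   custom_line("198.51.100.7", 200, "GET /index.html HTTP/1.1")),
    (50,  custom_line("198.51.100.7", 200, "GET /about HTTP/1.1")),
    (0,   custom_line("192.0.2.44", 403, "GET /wp-includes/x.js HTTP/1.1")),
    (400, custom_line("192.0.2.44", 403, "GET /wp-login.php HTTP/1.1")),
    (500, custom_line("192.0.2.44", 403, "GET /xmlrpc.php HTTP/1.1")),
    (600, custom_line("192.0.2.44", 403, "GET /wp-login.php HTTP/1.1")),
]

if __name__ == "__main__":
    print("question regex:", matching_hosts(QUESTION_FAILREGEX, SYSLOG_LINES))
    print("anchored regex:", matching_hosts(SYSLOG_FAILREGEX, SYSLOG_LINES))
    print("maxretry=1 bans:", simulate_jail(SYSLOG_FAILREGEX, list(enumerate(SYSLOG_LINES)), 1, 600, 604800))
    print("403 filter bans:", simulate_jail(ANSWER_FAILREGEX, CUSTOM_EVENTS, 3, 300, 1800))
```

Running it shows that the question's regex never matches: once the syslog timestamp is removed, the line begins with a space and the hostname rather than the client address, so `^<HOST>` has nothing to bind to, whereas a regex anchored on the `haproxy[pid]:` prefix captures the client. It also shows the risk of pairing a match-everything regex with `maxretry = 1`: the benign client fetching `/index.html` is banned alongside the scanner. With the answer's 403-based filter and `maxretry = 3`, only hosts that trip the deny ACL three times inside `findtime` are banned, and the earlier hit from `192.0.2.44` ages out of the window before it counts. On a real installation, `fail2ban-regex <logfile> <filter>` remains the authoritative check, since it uses fail2ban's own date detection and `<HOST>` expansion rather than this model's approximation.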
0

Use this: failregex = haproxy[\d+]:

You can check your regex against the haproxy log by running fail2ban-regex [haproxy_log] [fail2ban_haproxy.conf]

Answered 2017-05-12T06:19:41.907