First of all, I want to explain why I wrote this post. Yesterday afternoon I suddenly received an alert email from Nagios saying that the number of processes on the mail server had exceeded the threshold, so I logged on to the system to have a look.
The analysis process is as follows:
1. Since the number of processes exceeded the threshold, first check the processes: ps -ef;
2. If the problem is not obvious from a single snapshot, watch it dynamically with top to see which program is occupying so many processes;
3. It was finally determined that it should be courier-imap, but the reason was still unknown;
4. Check the IP connections to see whether anything is abnormal: netstat -ant. A large number of connections to port 110 were found;
5. Since this is the mail receiving service, quickly follow the mail log: tail -f /var/log/maillog;
6. Problem found: the log contained a large number of login error messages, all from the same IP address, which was brute-forcing with different user names and passwords.
7. After determining the attacking IP address, drop its packets: iptables -I INPUT -s 176.61.143.41 -j DROP  # this IP address was a real attack source, so it is shown here
8. Wait a moment and check the processes again. The number of processes dropped significantly and the fault was resolved.
Going forward, fail2ban can be used to prevent brute-force cracking and similar malicious attacks.
What is fail2ban?
Introduction:
Fail2ban monitors your system logs, matches the error information in them (using regular expressions), and executes a corresponding blocking action (usually a firewall rule). For example, when someone tries to guess your SSH, SMTP, or FTP passwords, fail2ban calls the firewall to block that IP address as soon as the preset number of failures is reached, and sends an e-mail to the system administrator. It is a very practical and powerful tool!
Functions and features:
1. Supports a large number of services, such as sshd, apache, qmail, proftpd, sasl, etc.
2. Supports multiple actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications, and so on.
3. Supports wildcards in the logpath option.
4. Requires Gamin support (note: Gamin is a service that monitors whether files and directories have changed).
5. Requires python, iptables, tcp-wrapper, shorewall, and Gamin to be installed. To send e-mail, postfix or sendmail must also be installed.
Core Principles:
In fact, fail2ban itself only does the monitoring; the actual blocking action is carried out by calling iptables!
Now let's talk about how to install and deploy it.
I. Install the service
First configure the yum source. Here yum is used for direct installation (source installation is also possible).
vim /etc/yum.repos.d/CentOS-Base.repo
Add at the end:
[atrpms]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=1
Then install with yum: yum -y install fail2ban
After the installation is complete, the configuration directory is /etc/fail2ban:
/etc/fail2ban/action.d       # action folder, contains the default action configurations (iptables, mail, etc.)
/etc/fail2ban/fail2ban.conf  # defines the fail2ban log level, log location, and socket file location
/etc/fail2ban/filter.d       # filter folder, contains the default filters (the patterns that match key log content)
/etc/fail2ban/jail.conf      # main configuration file, modular; mainly sets which services are enabled and the thresholds for ban actions
/etc/rc.d/init.d/fail2ban    # start-up script
II. Configuration after installation
First, let's look at the default definition of the log file:
cat /etc/fail2ban/fail2ban.conf | grep -v ^#
[Definition]
loglevel = 3
logtarget = SYSLOG   # change this line to /var/log/fail2ban.log so that fail2ban's own messages are recorded in a separate, easy-to-read file
socket = /var/run/fail2ban/fail2ban.sock
Next, the settings that the main configuration file enables by default:
cat /etc/fail2ban/jail.conf | grep -v ^# | less
[DEFAULT]   # global settings
ignoreip = 127.0.0.1   # list of ignored IP addresses, never banned (whitelist)
bantime = 600    # ban duration, in seconds
findtime = 600   # if the retry count is exceeded within this period, the address is banned
maxretry = 3     # maximum number of attempts
backend = auto   # log change detection mechanism (gamin, polling, or auto)
[ssh-iptables]   # per-service section; bantime, findtime and maxretry set here take priority over the global values when they conflict
enabled = true   # whether this jail is active (true/false)
filter = sshd    # name of the filter rule, corresponding to sshd.conf in the filter.d directory
action = iptables[name=SSH, port=ssh, protocol=tcp]   # action and its parameters
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]   # alert recipient
logpath = /var/log/secure   # log file of the monitored service
maxretry = 5   # maximum number of attempts
PS: on CentOS 5 and RHEL 5, logpath must be /var/log/secure. This is the system login log and cannot be set arbitrarily.
service fail2ban start   # start the service (with the jails defined in the main configuration file)
service iptables start   # fail2ban depends on iptables being up. If you changed the log path earlier while fail2ban was already running, restart fail2ban.
III. Testing
Test Machine: 192.168.30.htm
Fail2ban: 192.168.29.253
On the test machine, run ssh 192.168.29.253 and enter a wrong password more than five times in a row (there is some delay in the test, so it may take several tries); the connection then fails.
A log entry is generated on the fail2ban host: the connection from this IP address is blocked.
IV. Extensions
In fact, fail2ban is rich in functions; this only tested its anti-SSH brute-force function.
Below are the jails I use:
Since I run a mail server, I monitor services such as POP3 and HTTP. The configuration is as follows (no demonstration):
[pop3]
enabled = true
filter = courierlogin
action = iptables[name=pop3, port=110, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 30
[webmail]
enabled = true
filter = webmail
action = iptables[name=httpd, port=http, protocol=tcp]
logpath = /var/log/maillog
bantime = 900
findtime = 300
maxretry = 5
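As an added example (not code from the original post or from fail2ban), this is the per-address counting that the "core principle" above and the [pop3] jail settings describe: a regex in the shape of the courierlogin filter picks failed logins out of constructed Courier-style maillog lines, a sliding findtime window counts them per address, and any address reaching maxretry is turned into the same iptables DROP rule used in the incident. The log format and the documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Courier pop3d/imapd "LOGIN FAILED" line (constructed shape, assumption); the
# host group plays the role of <HOST> in a fail2ban filter. IPv4-mapped
# addresses appear as ::ffff:a.b.c.d, so that prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:pop3d|imapd): LOGIN FAILED, "
    r"user=\S+, ip=\[(?:::ffff:)?(?P<host>[0-9.]+)\]$"
)

def scan(lines, findtime, maxretry, year=2012):
    """Return the set of hosts with maxretry failures inside any findtime-second
    window, i.e. the addresses a jail with these settings would ban."""
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # not a failure line: ignored, like fail2ban
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        q = window[m["host"]]
        while q and ts - q[0] > findtime:   # forget attempts older than findtime
            q.popleft()
        q.append(ts)
        if len(q) >= maxretry:
            banned.add(m["host"])
    return banned

def ban_commands(hosts):
    """The action the jail would run for each banned host (iptables action)."""
    return [f"iptables -I INPUT -s {h} -j DROP" for h in sorted(hosts)]

# Constructed sample log: 31 failures from one address inside four minutes
# (a password-guessing pattern) plus two ordinary typos from another address.
SAMPLE = [
    f"Jan 12 14:{i // 8:02d}:{(i % 8) * 7:02d} mail pop3d: LOGIN FAILED, "
    f"user=user{i}, ip=[::ffff:203.0.113.77]"
    for i in range(31)
] + [
    "Jan 12 14:01:00 mail pop3d: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.5]",
    "Jan 12 14:20:00 mail pop3d: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.5]",
]

if __name__ == "__main__":
    # Same thresholds as the [pop3] jail above: findtime = 300, maxretry = 30
    for cmd in ban_commands(scan(SAMPLE, findtime=300, maxretry=30)):
        print(cmd)
```

With the [pop3] thresholds only the guessing address is banned; the two typos from the other address are 19 minutes apart, so they never share a window.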
That's all for now!
Original article: http://xtony.blog.51cto.com/3964396/981573