Title: Reliability of iptables?
Posted by: angie_bg on Sep 08, 2016, 11:05
Hello, how reliable is blocking external requests with iptables? The situation is as follows: in ufw I have blocked everything from the addresses 116.16.0.0/12
$ sudo ufw status numbered | grep 116
[ 1] Anywhere DENY IN 116.16.0.0/12
The corresponding rule (2) in iptables is:
$ sudo iptables -L | grep 116
DROP all -- 116.31.116.51 anywhere
DROP all -- 116.16.0.0/12 anywhere
The /12 mask should cover the addresses 116.16.0.0 - 116.31.255.255:
$ sudo whois 116.16.0.0/12
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '116.16.0.0 - 116.31.255.255'
inetnum: 116.16.0.0 - 116.31.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
mnt-routes: MAINT-CHINANET-GD
status: ALLOCATED PORTABLE
...
Despite an address from this range (116.31.116.51) being blocked by iptables at 09:56:
$ sudo cat /var/log/ufw.log | grep "SRC=116." |tail
...
Sep 8 09:56:15 localhost kernel: [2163845.260896] [UFW BLOCK] IN=eth0 OUT= MAC=00:03:47:62:66:1b:00:17:3f:62:4e:2c:08:00 SRC=116.31.116.51 DST=192.168.1.3 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=17876 DF PROTO=TCP SPT=49121 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
at 10:10 it was blocked again by fail2ban:
$ sudo cat /var/log/fail2ban.log |grep "Ban 116"
...
2016-09-07 15:09:33,978 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-07 16:20:03,830 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-07 18:45:52,513 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-07 19:55:17,292 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 00:23:02,900 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 02:15:08,732 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 03:45:36,210 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 10:10:05,415 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
How do the requests from this address "sneak through", and why?
Title: Re: Reliability of iptables?
Posted by: makeme on Sep 08, 2016, 12:01
As far as I know, when you install and configure fail2ban, the ssh requests go through it first and are then dropped via iptables. So I suppose that's why it shows up in the fail2ban log. Relax, you're fully protected.
Title: Re: Reliability of iptables?
Posted by: angie_bg on Sep 08, 2016, 12:52
As far as I know, when you install and configure fail2ban, the ssh requests go through it first and are then dropped via iptables. So I suppose that's why it shows up in the fail2ban log. @Makeme, I think you're not entirely right. In my opinion the sequence is as follows: request -> iptables -> filtered request -> fail2ban -> new filter/rule in iptables. In my case DROP all -- 116.16.0.0/12 anywhere is the iptables filter/rule that was "skipped over" by 116.31.116.51, and after 3 consecutive login attempts in the period from 09:56 to 10:10 a new rule was created, valid for 1 hour: DROP all -- 116.31.116.51 anywhere . E.g. right now (12:51) the "hard" iptables rule is in effect, and since 10:10 no new login attempt has been made from this address (there are from others).
Title: Re: Reliability of iptables?
Posted by: makeme on Sep 08, 2016, 13:24
Of course I may be wrong, but judging by this -> http://www.the-art-of-web.com/system/fail2ban/ (point 3), yes, the request arrives at iptables first, but in the "fail2ban-ssh chain", and from there it is dropped. I'll also wait for someone a bit more competent on the subject to weigh in, because I find it interesting :) . I haven't used fail2ban much, because for brute-force attacks against SSH, CSF is my favourite.
Title: Re: Reliability of iptables?
Posted by: petar258 on Sep 08, 2016, 15:57
As I recall, the fail2ban rule sits at the very top, which is why traffic goes through it first. The other possibility is that you have some error. When you look at your configuration, use iptables -Lv to see more details, and don't grep only for 116, so that you see all the lines and get a clearer picture. You may also need to add -t filter to the command.
Title: Re: Reliability of iptables?
Posted by: Demayl on Sep 08, 2016, 16:12
Yes, you need to trace the whole chain. It is 100% not reaching that rule (misconfig). Otherwise, fail2ban adds its rules at the very beginning, which is why it always works.
Title: Re: Reliability of iptables?
Posted by: angie_bg on Sep 08, 2016, 17:04
15:01 $ sudo iptables -L -v
Chain INPUT (policy DROP 2058 packets, 197K bytes)
 pkts bytes target prot opt in out source destination
  929 51087 fail2ban-proftpd tcp -- any any anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data,1234,1233
 124K   13M fail2ban-ssh-ddos tcp -- any any anywhere anywhere multiport dports ssh
 124K   13M fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
  28M   21G ufw-before-logging-input all -- any any anywhere anywhere
  28M   21G ufw-before-input all -- any any anywhere anywhere
 227K   55M ufw-after-input all -- any any anywhere anywhere
 211K   53M ufw-after-logging-input all -- any any anywhere anywhere
 211K   53M ufw-reject-input all -- any any anywhere anywhere
 211K   53M ufw-track-input all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ufw-before-logging-forward all -- any any anywhere anywhere
    0     0 ufw-before-forward all -- any any anywhere anywhere
    0     0 ufw-after-forward all -- any any anywhere anywhere
    0     0 ufw-after-logging-forward all -- any any anywhere anywhere
    0     0 ufw-reject-forward all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
5210K  310M ufw-before-logging-output all -- any any anywhere anywhere
5210K  310M ufw-before-output all -- any any anywhere anywhere
25074 2368K ufw-after-output all -- any any anywhere anywhere
25074 2368K ufw-after-logging-output all -- any any anywhere anywhere
25074 2368K ufw-reject-output all -- any any anywhere anywhere
25074 2368K ufw-track-output all -- any any anywhere anywhere

Chain fail2ban-proftpd (1 references)
 pkts bytes target prot opt in out source destination
  929 51087 RETURN all -- any any anywhere anywhere

Chain fail2ban-ssh (1 references)
 pkts bytes target prot opt in out source destination
89872   10M RETURN all -- any any anywhere anywhere

Chain fail2ban-ssh-ddos (1 references)
 pkts bytes target prot opt in out source destination
 124K   13M RETURN all -- any any anywhere anywhere

Chain ufw-after-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
 pkts bytes target prot opt in out source destination
 8453  660K ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
 2383  591K ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
   11   528 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
   25  1260 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
   11  3701 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
    0     0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
 1990  460K ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target prot opt in out source destination
 1318  134K LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target prot opt in out source destination
  246 28342 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-after-output (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-before-forward (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ufw-user-forward all -- any any anywhere anywhere

Chain ufw-before-input (1 references)
 pkts bytes target prot opt in out source destination
  133 10494 ACCEPT all -- lo any anywhere anywhere
  16M   12G ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 1025 54531 ufw-logging-deny all -- any any anywhere anywhere state INVALID
 1025 54531 DROP all -- any any anywhere anywhere state INVALID
    0     0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
    0     0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
    0     0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
    0     0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
   98  3756 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
   11  6336 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
 120K 8694K ufw-not-local all -- any any anywhere anywhere
 3307  247K ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
    0     0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
 117K 8447K ufw-user-input all -- any any anywhere anywhere

Chain ufw-before-logging-forward (1 references)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- any any anywhere anywhere state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
 pkts bytes target prot opt in out source destination
 1318  150K LOG all -- any any anywhere anywhere state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
 pkts bytes target prot opt in out source destination
  245 28290 LOG all -- any any anywhere anywhere state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
 pkts bytes target prot opt in out source destination
  133 10494 ACCEPT all -- any lo anywhere anywhere
3019K  169M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 9514 1002K ufw-user-output all -- any any anywhere anywhere

Chain ufw-logging-allow (0 references)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target prot opt in out source destination
    1    40 LOG all -- any any anywhere anywhere state INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
    1    40 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target prot opt in out source destination
72539 6248K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
42820 1359K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
 4807 1088K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
    0     0 DROP all -- any any anywhere anywhere

Chain ufw-reject-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-reject-input (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-reject-output (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- any any anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target prot opt in out source destination
12873 1716K DROP all -- any any anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- any any anywhere anywhere

Chain ufw-track-input (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-track-output (1 references)
 pkts bytes target prot opt in out source destination
 1338 81860 ACCEPT tcp -- any any anywhere anywhere state NEW
 8067  913K ACCEPT udp -- any any anywhere anywhere state NEW

Chain ufw-user-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
 pkts bytes target prot opt in out source destination
   66  4193 DROP all -- any any 116.16.0.0/12 anywhere
    0     0 DROP all -- any any 221.192.0.0/14 anywhere
   19  1076 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
    0     0 ACCEPT udp -- any any anywhere anywhere udp dpt:ssh
   19  1012 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    0     0 ACCEPT udp -- any any anywhere anywhere udp dpt:http
    6   296 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
    0     0 ACCEPT udp -- any any anywhere anywhere udp dpt:https
    1    60 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1234
    1    60 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp-data
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:49152
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:65534
    1    60 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
    0     0 ACCEPT tcp -- any any angie-desktop.local anywhere tcp dpt:webmin
    0     0 ACCEPT udp -- any any angie-desktop.local anywhere udp dpt:10000

Chain ufw-user-limit (0 references)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- any any anywhere anywhere

Chain ufw-user-logging-forward (0 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
 pkts bytes target prot opt in out source destination
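The advice earlier in the thread was to trace the whole chain instead of grepping for one address. The script below is an added example (my own, not code from any poster, nor from ufw or fail2ban) that does exactly that walk over a trimmed, constructed copy of the dump above: it parses `iptables -L -v` text, follows jumps into user chains, honours RETURN, stops at ACCEPT/DROP/REJECT and falls back to the built-in chain's policy. It models only the matches that occur in this dump (state, dpt/dports, source/destination network, ADDRTYPE LOCAL); the service-name table, the set of LOCAL addresses, the packet fields and the DROP line in `fail2ban-ssh` (what that chain looks like while 116.31.116.51 is banned) are assumptions.

```python
"""Trace a packet through an iptables -L -v style dump (added, simplified model of the INPUT walk)."""
import ipaddress
import re

SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}  # names iptables prints when -n is omitted
LOCAL_ADDRS = {"192.168.1.3", "127.0.0.1"}             # assumed host addresses for ADDRTYPE LOCAL
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed, trimmed copy of the dump above; the DROP in fail2ban-ssh is assumed (an active ban).
SAMPLE_DUMP = """\
Chain INPUT (policy DROP 2058 packets, 197K bytes)
 pkts bytes target prot opt in out source destination
 124K 13M fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
 28M 21G ufw-before-input all -- any any anywhere anywhere

Chain fail2ban-ssh (1 references)
 0 0 DROP all -- any any 116.31.116.51 anywhere
 89872 10M RETURN all -- any any anywhere anywhere

Chain ufw-before-input (1 references)
 133 10494 ACCEPT all -- lo any anywhere anywhere
 16M 12G ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 120K 8694K ufw-not-local all -- any any anywhere anywhere
 117K 8447K ufw-user-input all -- any any anywhere anywhere

Chain ufw-not-local (1 references)
 72539 6248K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
 0 0 DROP all -- any any anywhere anywhere

Chain ufw-user-input (1 references)
 66 4193 DROP all -- any any 116.16.0.0/12 anywhere
 19 1076 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
"""
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_dump(text):
    """Return {chain: {"policy": str or None, "rules": [rule dicts]}}."""
    chains, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("pkts bytes"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [matches]
        chains[cur]["rules"].append({"target": f[2], "prot": f[3], "in": f[5], "src": f[7],
                                     "dst": f[8], "extra": f[9] if len(f) > 9 else ""})
    return chains

def in_net(spec, addr):
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["proto"]) or rule["in"] not in ("any", pkt["in"]):
        return False
    if not (in_net(rule["src"], pkt["src"]) and in_net(rule["dst"], pkt["dst"])):
        return False
    extra = rule["extra"]
    m = re.search(r"state (\S+)", extra)
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"dpt:(\S+)|dports (\S+)", extra)
    if m and pkt["dport"] not in {int(SERVICE_PORTS.get(p, p)) for p in (m.group(1) or m.group(2)).split(",")}:
        return False
    m = re.search(r"dst-type (\S+)", extra)  # only LOCAL is modelled; other types never match here
    if m and not (m.group(1) == "LOCAL" and pkt["dst"] in LOCAL_ADDRS):
        return False
    return True

def trace(chains, name, pkt, path):
    """Walk a chain as netfilter does: jump, RETURN, stop at a terminal target, else policy."""
    chain = chains[name]
    for idx, rule in enumerate(chain["rules"], 1):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        path.append(f"{name}#{idx}->{target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return chain["policy"]  # None in a user chain, so the caller carries on
        if target in chains:
            verdict = trace(chains, target, pkt, path)
            if verdict is not None:
                return verdict
        # LOG and other non-terminal targets: keep going with the next rule
    if chain["policy"]:
        path.append(f"{name}:policy->{chain['policy']}")
    return chain["policy"]

def packet(src, dport=22, state="NEW", proto="tcp", dst="192.168.1.3", in_if="eth0"):
    return {"src": src, "dport": dport, "state": state, "proto": proto, "dst": dst, "in": in_if}

def decide(pkt, dump=SAMPLE_DUMP):
    """Return (verdict, path) for a packet entering INPUT, e.g. decide(packet("116.20.1.1"))."""
    path = []
    return trace(parse_dump(dump), "INPUT", pkt, path), " > ".join(path)
```

Running `decide` on a few packets shows the ordering the thread is arguing about: a banned address is dropped inside `fail2ban-ssh` before ufw is consulted; another address in 116.16.0.0/12 passes through the fail2ban RETURN and `ufw-not-local` and only then hits the DROP in `ufw-user-input`; a packet in state ESTABLISHED is accepted by the conntrack rule in `ufw-before-input` and never reaches `ufw-user-input` at all; and a new connection no rule mentions falls through to the INPUT policy. In practice run `iptables -L -v -n` so that addresses and ports are numeric and the service-name table is not needed.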
Title: Re: Reliability of iptables?
Posted by: Demayl on Sep 08, 2016, 19:14
Look at the first rule in the ufw-not-local chain. You could try removing it, or if that doesn't help, try one of the other RETURNs. Also look at fail2ban-ssh-ddos. That's at first glance.
Title: Re: Reliability of iptables?
Posted by: petar258 on Sep 10, 2016, 22:25
Actually everything is working, but you haven't edited the fail2ban config, which is why there are frequent attempts. If it is configured correctly, there is no need to add blocking rules by hand. By default the fail2ban config allows 5 attempts and lifts the ban after 10 minutes. It should be changed to 3 attempts and the ban time raised to at least 3 days. That will completely discourage all the wannabes. Here is one explanation of editing the config; if you wish, you can find other explanations too. And the config itself has a fairly detailed explanation of the options. http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/
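To put numbers on the bantime point, here is an added example (mine, not from the thread or the linked article) that parses the `Ban` lines of a fail2ban log, groups them per jail and address, and estimates how many bans a different bantime would have produced for the same attempts. The sample input is the eight log lines quoted in the first post plus one constructed line for a documentation address; the simulation assumes that every logged ban stands for the attempt that triggered it and that an attempt arriving while a ban is still active is dropped by the firewall and so cannot produce a new ban.

```python
"""Summarise repeat fail2ban bans and estimate the effect of a longer bantime (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: the fail2ban.log lines quoted in the first post, plus one made-up
# line for a second address (203.0.113.7 is a documentation address, not a real host).
SAMPLE_LOG = """\
2016-09-07 15:09:33,978 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-07 16:20:03,830 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-07 18:45:52,513 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-07 19:55:17,292 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 00:23:02,900 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 02:15:08,732 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 03:45:36,210 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 10:10:05,415 fail2ban.actions: WARNING [ssh] Ban 116.31.116.51
2016-09-08 11:00:00,000 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
"""

BAN_RE = re.compile(r"^(\S+ \S+) fail2ban\.actions: WARNING \[(\S+)\] Ban (\S+)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S,%f"  # fail2ban writes milliseconds after a comma

def parse_bans(text):
    """Group ban timestamps by (jail, ip), sorted; lines that are not 'Ban' events are skipped."""
    bans = defaultdict(list)
    for line in text.splitlines():
        m = BAN_RE.match(line.strip())
        if m:
            bans[(m.group(2), m.group(3))].append(datetime.strptime(m.group(1), TIME_FMT))
    return {key: sorted(times) for key, times in bans.items()}

def bans_needed(times, bantime_s):
    """How many bans the same attempt times would have caused with a given bantime (seconds).
    Assumption: an attempt made while a ban is still active is dropped at the firewall,
    never reaches sshd, and therefore cannot trigger a new ban."""
    count, expires = 0, None
    for t in times:
        if expires is None or t >= expires:
            count += 1
            expires = t + timedelta(seconds=bantime_s)
    return count

def summarise(text, candidate_bantimes=(600, 7200, 3 * 86400)):
    """Per (jail, ip): number of bans, span of activity, shortest gap between bans, and
    the ban count each candidate bantime would have produced (600 s is the old default)."""
    report = {}
    for (jail, ip), times in parse_bans(text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[(jail, ip)] = {
            "bans": len(times),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "min_gap_s": min(gaps) if gaps else None,
            "bans_with_bantime": {bt: bans_needed(times, bt) for bt in candidate_bantimes},
        }
    return report

if __name__ == "__main__":
    for (jail, ip), row in summarise(SAMPLE_LOG).items():
        print(jail, ip, row)
```

For 116.31.116.51 the shortest interval between two bans is about 69 minutes, so a 10-minute bantime expired long before each return visit, and the address was banned eight times over roughly 19 hours; a 2-hour bantime would have cut that to five bans, and a 3-day bantime to one. The same summary run over a live log is a quick way to spot addresses for which the configured bantime is clearly too short.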