Install fail2ban
apt install -y fail2ban sendmail mailutils
/etc/init.d/sendmail start
Configure fail2ban
Add the following to the configuration file /etc/fail2ban/jail.conf (a copy in /etc/fail2ban/jail.local survives package upgrades; the jail block is the same):
[opensips]
enabled = true
filter = opensips
action = iptables-allports[name=opensips, protocol=all]
         sendmail-whois[name=opensips, dest=xx@xx, sender=xx@xx]
logpath = /var/log/opensips/opensips.log
maxretry = 5
bantime = 3600
Note: after 5 failures the IP is blacklisted for 1 hour (bantime is in seconds).
Create the new configuration file /etc/fail2ban/filter.d/opensips.conf
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = opensips
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
# Continuation lines of a multi-line failregex must be indented (4 spaces here);
# inline comments are not supported and would become part of the pattern.
#
#failregex = Auth error for .* from <HOST> cause -[0-9]
failregex = Authentication failed for .* from <HOST> cause -[0-9]
    Inivte failed for .* from <HOST> .* cause -[0-9]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Restart fail2ban: /etc/init.d/fail2ban restart
Common commands
fail2ban-client status opensips
root@Develop01:/var/log/opensips# fail2ban-client status opensips
Status for the jail: opensips
|- filter
| |- File list: /var/log/opensips/opensips.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
For example, increase the ban time to one day
fail2ban-client set opensips bantime 86400
Reload the configuration files
fail2ban-client reload
Unban an IP
fail2ban-client set opensips unbanip 8.8.8.8
• Blacklist operations (note: when testing the blacklist, do not add your own IP to it, or you will lose access to the machine)
• Add an IP to the blacklist: fail2ban-client set opensips banip 192.168.1.8
• Unban an IP: fail2ban-client set opensips unbanip 192.168.1.8
• Whitelist operations
• Add an IP to the whitelist: fail2ban-client set opensips addignoreip 192.168.1.8
• Remove an IP from the whitelist: fail2ban-client set opensips delignoreip 192.168.1.8
• Unban an IP in all jails (this lifts the ban; it does not add the IP to a whitelist): fail2ban-client unban 192.168.1.8
Test the regular expressions: fail2ban-regex /var/log/opensips/opensips.log /etc/fail2ban/filter.d/opensips.conf
root@Develop01:/bin# fail2ban-regex /var/log/opensips/opensips.log /etc/fail2ban/filter.d/opensips.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/opensips.conf
Use log file : /var/log/opensips/opensips.log
Results
=======
Failregex: 9 total
|- #) [# of hits] regular expression
| 1) [9] Authentication failed for .* from <HOST> cause -[0-9]
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [110422] MONTH Day Hour:Minute:Second
`-
Lines: 110422 lines, 0 ignored, 9 matched, 110413 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 110413 lines
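As an added illustration (not part of the original post or of fail2ban itself), the script below applies the two failregex patterns from the filter above, with <HOST> expanded to the alias quoted in the filter comments, to a few constructed opensips.log lines, and replays the jail decision: a host is banned once it reaches maxretry failures inside findtime seconds, and an ignore list stands in for addignoreip. The log lines, host names, the syslog-style timestamp prefix and the year 2024 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# <HOST> is an alias for this group, as the filter comments document.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# The two failregex lines from filter.d/opensips.conf above.
FAILREGEX = [
    r"Authentication failed for .* from <HOST> cause -[0-9]",
    r"Inivte failed for .* from <HOST> .* cause -[0-9]",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
# "MONTH Day Hour:Minute:Second" prefix, the date template fail2ban-regex reported.
DATE_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s")

def match_line(line, year=2024):
    """Return (timestamp, host) when a line matches a failregex, else None."""
    d = DATE_RE.match(line)
    if not d:
        return None
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(d.group("date"), "%b %d %H:%M:%S").replace(year=year)
            return ts, m.group("host")
    return None

def hosts_to_ban(lines, maxretry=5, findtime=600, ignoreip=()):
    """Jail logic: ban a host at its maxretry-th failure within findtime seconds.
    Hosts in ignoreip (the addignoreip whitelist) are never banned."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        if host in ignoreip or host in banned:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample log lines (assumed format, not taken from a real server).
PFX = "Develop01 opensips[1234]: "
SAMPLE_LOG = [
    "Apr 22 10:00:00 " + PFX + "INFO: server started",
    "Apr 22 10:00:30 " + PFX + "Authentication failed for sip:bob@example.com from ::ffff:198.51.100.7 cause -2",
    "Apr 22 10:00:40 " + PFX + "Inivte failed for sip:bob@example.com from 198.51.100.7 tcp cause -1",
] + [f"Apr 22 10:0{i}:00 " + PFX + "Authentication failed for sip:alice@example.com from 203.0.113.5 cause -3" for i in range(1, 6)
] + [f"Apr 22 11:0{i}:00 " + PFX + "Authentication failed for sip:ops@example.com from 192.168.1.8 cause -3" for i in range(1, 6)]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, ignoreip={"192.168.1.8"}))  # ['203.0.113.5']
```

Lowering findtime to 60 seconds makes the one-minute-spaced attempts from 203.0.113.5 fall outside the window, so nothing is banned; this is the knob to check when a jail never triggers on a slow scan.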