DDoS attack with fail2ban (servers)

If you have a different solution, please share it.

The problem:

tail -f /var/log/syslog

Nov 10 11:05:30 mail named[474]: client @0x7ff0fc0c7600 73.87.136.16#53 (sl): query (cache) 'sl/ANY/IN' denied
Nov 10 11:05:32 mail named[474]: client @0x7ff0fc0c7600 86.19.33.285#647 (sl): query (cache) 'sl/ANY/IN' denied
Nov 10 11:05:33 mail named[474]: client @0x7ff0fc0c7600 217.82.190.29#53 (sl): query (cache) 'sl/ANY/IN' denied


My configuration (fail2ban):

nano /etc/fail2ban/filter.d/stop-ddoss.conf

[INCLUDES]
before = common.conf

[Definition]
# Same helper definitions as fail2ban's stock named-refused filter. Every
# helper option is referenced with its full name, leading underscores
# included; a %(name)s that points at an undefined option makes fail2ban
# refuse to load the filter.
_daemon = named
__pid_re = (?:\[\d+\])
__daemon_re = \(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__line_prefix = (?:\s\S+ %(__daemon_combs_re)s\s+)?
# Matches BIND's "client @0x... <ip>#<port> (zone): query (cache) '...' denied"
failregex = ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$

ignoreregex =


nano /etc/fail2ban/jail.local

[stop-ddoss]
enabled  = true
filter   = stop-ddoss
action   = iptables[name=named, port=53, protocol=udp, blocktype=DROP]
logpath  = /var/log/syslog
bantime  = 31536000
maxretry = 2
ignoreip = 10x.21x.2xx.2xx 10x.21x.2xx.1xx/16
# Maximum 2 attempts, ban time 1 year (-1 = forever), ignored IPs 10x.21x.2xx.2xx 10x.21x.2xx.1xx/16


systemctl restart fail2ban
systemctl status fail2ban


Result:

fail2ban-client status stop-ddoss

Status for the jail: stop-ddoss
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     16
|  `- File list:        /var/log/syslog
`- Actions
   |- Currently banned: 5
   |- Total banned:     5
   `- Banned IP list:   217.82.190.29 73.87.136.16 174.72.248.226 86.19.33.285



It is not the most optimal solution, but it does work against these ills.
If you have a different solution, please share it.


That's all for now.
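As an added example (not part of the original post, and not fail2ban's own code): a small Python script that expands the filter's %(name)s helpers the way fail2ban's config parser does, substitutes what fail2ban puts in place of <HOST> (the classic expansion `(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)` is assumed here; it differs slightly between fail2ban versions), runs the resulting failregex over the three syslog lines above plus a few constructed ones, and applies the jail's maxretry = 2. It reproduces, without fail2ban installed, what `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/stop-ddoss.conf` would report, and shows why the helper names must match exactly.

```python
import re
from collections import Counter

# The filter definition as fail2ban reads it from
# /etc/fail2ban/filter.d/stop-ddoss.conf; the %(name)s references are
# expanded below the same way fail2ban's config parser expands them.
FILTER = {
    "_daemon": "named",
    "__pid_re": r"(?:\[\d+\])",
    "__daemon_re": r"\(?%(_daemon)s(?:\(\S+\))?\)?:?",
    "__daemon_combs_re": r"(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)",
    "__line_prefix": r"(?:\s\S+ %(__daemon_combs_re)s\s+)?",
    "failregex": (r"^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: "
                  r"(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$"),
}

# What fail2ban substitutes for <HOST> (assumed classic expansion).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def expand(name, table=FILTER):
    """Expand %(key)s references recursively, like fail2ban's ConfigParser.
    A reference to a key that is not in the table raises KeyError, which is
    the same failure fail2ban reports when a helper name is misspelled."""
    value = table[name]
    while "%(" in value:
        value = re.sub(r"%\((\w+)\)s", lambda m: table[m.group(1)], value)
    return value


FAILREGEX = re.compile(expand("failregex").replace("<HOST>", HOST))

# fail2ban matches its datepattern first, removes the timestamp and matches
# failregex against the remainder, which therefore still starts with the
# space that followed the date; that is why __line_prefix begins with \s.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d")


def strip_date(line):
    m = SYSLOG_DATE.match(line)
    return line[m.end():] if m else line


# Constructed sample: the three lines from the post, two repeats so that two
# sources reach maxretry, and one unrelated line that must not match.
SAMPLE_LOG = [
    "Nov 10 11:05:30 mail named[474]: client @0x7ff0fc0c7600 73.87.136.16#53 (sl): query (cache) 'sl/ANY/IN' denied",
    "Nov 10 11:05:32 mail named[474]: client @0x7ff0fc0c7600 86.19.33.285#647 (sl): query (cache) 'sl/ANY/IN' denied",
    "Nov 10 11:05:33 mail named[474]: client @0x7ff0fc0c7600 217.82.190.29#53 (sl): query (cache) 'sl/ANY/IN' denied",
    "Nov 10 11:05:35 mail named[474]: client @0x7ff0fc0c7600 73.87.136.16#53 (sl): query (cache) 'sl/ANY/IN' denied",
    "Nov 10 11:05:36 mail named[474]: client @0x7ff0fc0c7600 217.82.190.29#53 (sl): query (cache) 'sl/ANY/IN' denied",
    "Nov 10 11:05:40 mail sshd[900]: Accepted publickey for alice from 192.0.2.7 port 51000 ssh2",
]


def offending_hosts(lines):
    """Count failregex matches per source address, like the jail's failure counter."""
    hits = Counter()
    for line in lines:
        m = FAILREGEX.search(strip_date(line))
        if m:
            hits[m.group("host")] += 1
    return hits


def to_ban(hits, maxretry=2):
    """Addresses that reached maxretry (the jail above uses maxretry = 2)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits = offending_hosts(SAMPLE_LOG)
    print("failed:", dict(hits))   # {'73.87.136.16': 2, '86.19.33.285': 1, '217.82.190.29': 2}
    print("banned:", to_ban(hits)) # ['217.82.190.29', '73.87.136.16']
```

Note that the regex only extracts whatever sits between `client ... ` and `#`; it does not validate it as an address, which is why an impossible value such as 86.19.33.285 from the syslog excerpt still counts as a "failure" here exactly as it did in the jail status above.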
Very good, mate. I'll add it to the list of things I have to look into ;)
I'm going to set up a different filter for the attacks I'm getting, which look like this:

nano /var/log/ufw.log

[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=219.117.229.2 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54077 DF PROTO=TCP SPT=38238 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0


I've masked my server's MAC and IP with "x", since they aren't relevant [laughs]

My solution:

My configuration (fail2ban):

nano /etc/fail2ban/filter.d/iptables-dropped.conf

[Definition]
# The brackets must be escaped: an unescaped [UFW BLOCK] is a character class
# (one of U, F, W, space, B, L, O, C, K) rather than the literal tag, and only
# matched these lines by accident via the "W " inside "[UFW BLOCK]".
failregex = \[UFW BLOCK\] .* SRC=<HOST>
ignoreregex =


nano /etc/fail2ban/jail.local

[iptables-dropped]
# needed unless jails are enabled globally in [DEFAULT]
enabled = true
filter = iptables-dropped
banaction = iptables-allports
port = all
logpath = /var/log/ufw.log
bantime = 2592000
maxretry = 2
# Maximum 2 attempts, ban time 1 month, all ports


systemctl restart fail2ban
systemctl status fail2ban

Result after a week running:

fail2ban-client status iptables-dropped

Status for the jail: iptables-dropped
|- Filter
|  |- Currently failed:   13
|  |- Total failed:   4926
|  `- File list:   /var/log/ufw.log
`- Actions
   |- Currently banned:   457
   |- Total banned:   457
   `- Banned IP list:   193.56.146.13 193.56.146.12 152.89.198.135 193.56.146.11 1.162.93.155 1.247.0.230 100.26.61.194 101.78.193.50 103.217.245.219 104.192.3.10 106.253.245.169 106.3.151.11 106.56.150.128 109.86.1.60 111.67.202.249 112.112.135.158 112.113.196.76 112.197.248.6 113.108.79.9 113.239.161.199 114.226.50.113 114.239.62.161 114.32.105.39 114.33.110.211 114.35.176.47 116.203.33.34 117.245.192.254 117.62.27.124 117.80.101.148 117.81.227.141 117.95.65.251 118.123.105.89 118.193.106.155 119.153.168.83 119.92.140.154 120.85.116.83 121.132.126.156 121.139.26.169 121.177.36.244 121.56.200.175 123.165.154.106 123.241.96.55 124.13.177.225 124.234.200.197 124.246.65.14 125.119.236.251 125.24.137.24 125.24.139.159 128.14.209.252 128.199.77.96 132.148.76.25 138.197.220.255 139.28.37.166 139.59.44.54 141.255.166.2 143.244.50.176 144.52.192.46 148.153.0.46 152.230.22.70 158.181.182.220 159.89.146.222 159.89.146.89 16.162.227.233 162.142.125.219 162.83.243.110 167.94.138.62 172.105.102.94 172.81.129.178 172.81.129.230 173.214.175.178 175.107.13.105 175.4.216.131 176.10.54.34 176.110.124.21 176.36.131.107 176.65.137.6 177.131.95.197 178.141.137.229 178.150.72.58 178.252.170.210 179.43.177.154 179.60.147.107 180.103.211.229 180.116.226.238 181.84.102.51 182.247.140.170 182.247.184.137 182.59.97.150 185.140.32.36 185.163.124.12 185.163.127.122 185.224.128.11 185.224.128.14 185.224.128.17 185.224.128.4 185.234.75.144 185.237.96.28 185.24.53.232 185.246.220.167 185.3.34.255 185.49.87.86 185.7.214.173 188.163.43.245 189.254.114.49 190.149.56.230 190.153.81.221 192.166.101.126 193.47.61.200 193.56.146.188 194.110.203.60 194.165.16.10 194.165.16.77 194.180.48.125 194.44.213.105 194.99.45.6 194.99.45.7 195.154.107.223 2.190.204.231 200.56.65.129 202.105.238.155 203.151.253.98 204.144.199.157 206.83.40.96 207.46.13.151 207.46.13.232 209.159.155.182 209.94.132.115 210.61.141.189 213.102.74.234 213.149.157.96 213.230.111.98 213.230.69.13 218.24.233.69 218.35.247.103 
220.164.229.210 220.93.63.172 221.124.18.253 222.113.53.15 222.219.13.91 222.220.238.57 223.18.45.79 24.199.80.129 24.32.117.241 27.47.40.94 31.173.188.82 35.93.120.212 35.93.49.93 35.93.75.181 36.49.51.201 36.68.53.82 37.151.82.49 37.77.145.196 38.75.137.77 42.176.129.205 42.200.81.78 45.134.144.48 45.134.23.249 45.134.23.254 45.142.192.6 45.142.192.8 45.142.192.9 45.173.6.67 45.227.254.51 45.29.75.80 45.79.149.116 45.89.35.210 45.93.201.59 46.173.63.132 46.241.119.30 46.70.110.136 46.70.236.123 46.71.11.84 46.71.193.169 46.71.238.239 46.73.66.97 47.22.28.158 47.24.115.94 49.159.94.35 49.89.65.206 5.181.80.161 5.94.77.169 50.79.71.113 51.15.244.101 51.15.244.103 52.139.183.239 58.216.97.241 59.126.92.107 59.181.150.197 59.5.230.116 59.89.107.24 59.99.206.217 60.10.194.134 60.217.75.70 61.231.87.88 61.41.24.246 61.72.17.8 68.69.184.202 69.122.32.153 72.167.32.184 72.251.235.148 74.50.95.90 78.169.152.106 78.186.173.242 78.29.43.204 79.124.56.102 81.17.21.250 82.157.138.101 82.157.41.6 83.229.86.122 84.21.172.65 84.237.248.79 84.238.96.115 84.54.236.18 85.208.136.185 85.31.44.138 85.31.44.32 88.225.212.135 88.248.206.241 89.132.9.72 91.106.63.110 91.213.50.102 92.118.39.78 92.154.95.236 92.63.196.41 94.232.45.22 95.134.96.188 95.180.227.81 95.9.156.196 96.126.107.79 96.44.142.190 96.71.136.41 98.165.210.29 35.92.166.13 185.130.224.57 126.93.44.185 113.90.246.35 46.71.94.70 49.86.90.51 44.200.8.162 61.216.33.196 182.180.153.206 185.180.143.79 180.26.210.37 114.24.7.157 74.194.200.19 85.105.252.42 147.78.47.189 192.169.139.217 109.206.243.220 189.179.126.116 46.70.202.227 84.21.172.67 78.186.248.36 61.15.107.31 221.127.41.184 43.200.50.108 217.28.76.18 52.36.34.215 65.190.16.85 66.214.92.168 8.212.18.242 121.150.198.102 37.228.129.26 165.227.57.166 35.247.244.122 183.111.204.170 80.94.92.40 220.187.160.14 42.98.117.76 45.134.144.80 111.26.181.225 194.165.16.72 112.116.99.130 115.96.132.111 59.99.117.101 45.137.22.115 120.85.117.14 123.234.131.51 109.206.241.13 
60.249.147.77 59.11.130.153 46.70.169.52 181.233.160.25 43.143.243.88 97.86.110.157 103.159.32.122 39.107.178.16 122.117.95.29 108.170.128.82 36.102.98.82 1.34.114.204 45.91.133.134 45.134.144.70 165.227.57.51 80.66.75.170 182.84.148.163 103.59.148.166 123.25.30.146 167.99.119.168 123.202.50.158 175.5.75.98 222.174.157.26 110.42.247.185 88.127.243.80 186.218.65.216 113.90.188.110 110.40.230.124 59.1.229.5 190.83.50.107 104.55.6.101 219.73.26.209 125.164.17.164 193.13.15.161 107.189.13.72 91.102.218.104 198.244.158.71 198.244.156.80 198.244.157.33 92.47.82.151 121.236.57.182 49.64.240.147 123.4.255.206 78.137.51.223 61.137.202.46 198.244.154.91 45.227.254.26 74.84.150.150 124.43.16.12 81.158.48.51 89.189.154.166 34.81.161.156 125.26.98.80 185.180.143.138 14.176.156.60 185.142.126.198 49.179.61.110 101.100.131.59 110.147.195.133 220.198.241.125 78.187.166.199 31.28.241.69 8.219.240.56 175.107.13.41 84.238.101.226 102.64.216.135 210.113.168.143 35.92.69.3 146.59.245.142 20.2.80.2 103.124.141.19 125.212.235.215 45.137.201.3 115.96.154.27 77.210.186.182 131.186.47.69 104.152.52.122 118.216.119.21 198.23.206.25 112.244.68.214 183.89.221.63 111.61.30.104 27.204.124.75 103.171.0.49 88.151.197.155 39.46.248.143 54.200.111.189 73.100.202.18 182.241.66.8 49.213.179.156 170.187.151.149 195.154.211.56 91.134.167.2 176.88.114.250 1.168.163.28 46.70.97.255 112.103.60.4 185.246.221.145 192.141.114.228 74.215.161.50 121.153.246.36 109.205.213.147 202.14.123.90 31.134.120.252 31.184.198.71 45.142.192.5 185.234.75.128 121.147.238.219 57.128.68.86 45.55.57.126 206.72.198.250 113.238.11.136 123.209.87.72 118.39.235.126 175.136.249.45 220.130.245.66 122.227.52.58 138.199.2.51 159.89.131.219 159.65.205.179 221.124.52.204 49.142.144.30 140.207.77.146 8.219.184.159 139.144.188.181 203.177.202.72 34.214.194.175 113.61.204.65 185.213.25.242 141.193.68.230 124.93.201.50 61.64.16.17 220.141.82.125 185.122.204.244 84.54.83.198 34.127.103.33 210.252.37.61 182.48.111.138 124.163.64.182 
123.165.155.114 49.232.203.74 34.223.215.68 121.254.121.17 39.85.49.3 46.71.133.242 146.120.18.84 209.141.45.167 40.66.48.63 220.163.198.158 61.91.182.198 188.49.162.119 27.47.40.4 185.188.182.139 69.10.63.138 206.189.113.97 82.223.89.11 175.141.16.168 82.156.162.3 5.161.177.194 200.2.165.196 103.86.55.57 14.232.133.205 121.182.176.148 117.216.22.146 223.16.85.52 5.104.78.98 165.227.3.229 45.134.144.114 106.75.135.67 39.99.255.212 203.163.232.115 117.204.71.164 8.140.115.219 222.179.42.134 71.70.219.74 138.68.241.161 218.63.86.223 113.14.111.22


As you can see, in one week it has already banned 457 IPs.
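Added example, not part of the reply and not fail2ban's code: a Python script that parses UFW BLOCK lines from ufw.log, keeps the fields the filter itself throws away (protocol and destination port, handy for seeing which services are being probed), and simulates the jail's maxretry/findtime window. fail2ban's default findtime is 10 minutes, which the jail above does not override, so two blocks from the same source more than 10 minutes apart do not ban it. The log lines are constructed from the one in the reply, with the masked MAC and destination replaced by placeholder values and the year assumed to be 2022 (syslog lines carry none).

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# The corrected filter pattern, with <HOST> replaced by the named group
# fail2ban expands it to (assumed classic expansion).
FAILREGEX = re.compile(r"\[UFW BLOCK\] .* SRC=(?P<host>[\w\-.^_]*\w)")
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")


def ufw_line(ts, src, dpt, ident):
    """Build a constructed UFW BLOCK line in the format shown in the reply
    (MAC and DST are placeholders, not real values)."""
    return (f"{ts} mail kernel: [604800.100000] [UFW BLOCK] IN=eth0 OUT= "
            f"MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC={src} DST=203.0.113.10 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={ident} DF PROTO=TCP SPT=38238 "
            f"DPT={dpt} WINDOW=64240 RES=0x00 SYN URGP=0")


# Constructed sample of /var/log/ufw.log.
SAMPLE_LOG = [
    ufw_line("Nov 10 11:05:30", "219.117.229.2", "3389", 54077),  # modelled on the reply's line
    ufw_line("Nov 10 11:05:45", "219.117.229.2", "3389", 54078),  # 15 s later: second hit
    ufw_line("Nov 10 11:06:00", "193.56.146.13", "445", 1),
    ufw_line("Nov 10 11:30:00", "193.56.146.13", "445", 2),       # 24 min later: outside findtime
    ufw_line("Nov 10 11:31:00", "193.56.146.13", "22", 3),        # 1 min later: second hit in window
    "Nov 10 11:31:05 mail sshd[900]: Accepted publickey for alice from 192.0.2.7 port 51000 ssh2",
]


def parse_ufw(line, year=2022):
    """Return timestamp, source and the useful key=value fields, or None if
    the line is not a UFW BLOCK event."""
    m = SYSLOG_TS.match(line)
    f = FAILREGEX.search(line)
    if not (m and f):
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return {"ts": ts, "host": f.group("host"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT")}


def parse_all(lines):
    return [e for e in (parse_ufw(line) for line in lines) if e]


def simulate_jail(events, maxretry=2, findtime=600):
    """Ban a source once it has maxretry events within findtime seconds
    (sliding window, the way fail2ban counts failures). Returns host -> ban time."""
    recent = defaultdict(deque)
    banned = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["host"] in banned:
            continue
        window = recent[e["host"]]
        window.append(e["ts"])
        while window and (e["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[e["host"]] = e["ts"]
    return banned


def targeted_ports(events):
    """Destination ports hit, for a quick view of what is being probed."""
    return Counter(e["dpt"] for e in events)


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOG)
    for host, when in simulate_jail(events).items():
        print(f"ban {host} at {when:%H:%M:%S}")
    print("ports probed:", dict(targeted_ports(events)))
```

Raising findtime in the jail (for example `findtime = 1d`) would make the slow second probe from 193.56.146.13 count as well; whether that is desirable depends on how much the all-ports ban is trusted not to hit legitimate traffic.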
Damn, I'll set it up and see how this configuration works out for me.