Translated tech/20170209 How to protect your server with badIPs.com and report IPs with Fail2ban on Debian.md

This commit is contained in:
ictlyh 2017-04-24 19:54:01 +08:00
parent 68c4bfdf17
commit b516efa186
No known key found for this signature in database
GPG Key ID: 6861F1F0C29F118D
2 changed files with 224 additions and 227 deletions

@ -1,227 +0,0 @@
ictlyh Translating
How to protect your server with badIPs.com and report IPs with Fail2ban on Debian
============================================================
### On this page
1. [Use the badIPs list][4]
1. [Define your security level and category][1]
2. [Let's create the script][5]
3. [Report IP addresses to badIPs with Fail2ban][6]
1. [Fail2ban >= 0.8.12][2]
2. [Fail2ban < 0.8.12][3]
4. [Statistics of your IP reporting][7]
This tutorial documents the process of using the badips abuse tracker in conjunction with Fail2ban to protect your server or computer. I've tested it on a Debian 8 Jessie and Debian 7 Wheezy system.
**What is badIPs?**
BadIps is a listing of IP that are reported as bad in combinaison with [fail2ban][8].
This tutorial contains two parts, the first one will deal with the use of the list and the second will deal with the injection of data.
###
Use the badIPs list
### Define your security level and category
You can get the IP address list by simply using the REST API.
When you GET this URL : [https://www.badips.com/get/categories][9]
Youll see all the different categories that are present on the service.
* Second step, determine witch score is made for you.
Here a quote from badips that should help (personnaly I took score = 3):
* If you'd like to compile a statistic or use the data for some experiment etc. you may start with score 0.
* If you'd like to firewall your private server or website, go with scores from 2\. Maybe combined with your own results, even if they do not have a score above 0 or 1.
* If you're about to protect a webshop or high traffic, money-earning e-commerce server, we recommend to use values from 3 or 4\. Maybe as well combined with your own results (key / sync).
* If you're paranoid, take 5.
So now that you get your two variables, let's make your link by concatening them and grab your link.
http://www.badips.com/get/list/{{SERVICE}}/{{LEVEL}}
Note: Like me, you can take all the services. Change the name of the service to "any" in this case.
The resulting URL is:
https://www.badips.com/get/list/any/3
### Let's create the script
Alright, when thats done, well create a simple script.
1. Put our list in a tempory file.
2. (only once) create a chain in iptables.
3. Flush all the data linked to our chain (old entries).
4. Well link each IP to our new chain.
5. When its done, block all INPUT / OUTPUT / FORWARD thats linked to our chain.
6. Remove our temp file.
Nowe we'll create the script for that:
cd /home/<user>/
vi myBlacklist.sh
Enter the following content into that file.
```
#!/bin/sh
# based on this version http://www.timokorthals.de/?p=334
# adapted by Stéphane T.
_ipt=/sbin/iptables    # Location of iptables (might be correct)
_input=badips.db       # Name of database (will be downloaded with this name)
_pub_if=eth0           # Device which is connected to the internet (ex. $ifconfig for that)
_droplist=droplist     # Name of chain in iptables (Only change this if you have already a chain with this name)
_level=3               # Blog level: not so bad/false report (0) over confirmed bad (3) to quite aggressive (5) (see www.badips.com for that)
_service=any           # Logged service (see www.badips.com for that)
# Get the bad IPs
wget -qO- http://www.badips.com/get/list/${_service}/$_level > $_input || { echo "$0: Unable to download ip list."; exit 1; }
### Setup our black list ###
# First flush it
$_ipt --flush $_droplist
# Create a new chain
# Decomment the next line on the first run
# $_ipt -N $_droplist
# Filter out comments and blank lines
# store each ip in $ip
for ip in `cat $_input`
do
# Append everything to $_droplist
$_ipt -A $_droplist -i ${_pub_if} -s $ip -j LOG --log-prefix "Drop Bad IP List "
$_ipt -A $_droplist -i ${_pub_if} -s $ip -j DROP
done
# Finally, insert or append our black list
$_ipt -I INPUT -j $_droplist
$_ipt -I OUTPUT -j $_droplist
$_ipt -I FORWARD -j $_droplist
# Delete your temp file
rm $_input
exit 0
```
When thats done, you should create a cronjob that will update our blacklist.
For this, I used crontab and I run the script every day on 11:30PM (just before my delayed backup).
crontab -e
```
23 30 * * * /home/<user>/myBlacklist.sh #Block BAD IPS
```
Dont forget to chmod your script:
chmod + x myBlacklist.sh
Now thats done, your server/computer should be a little bit safer.
You can also run the script manually like this:
cd /home/<user>/
./myBlacklist.sh
It should take some time… so dont break the script. In fact, the value of it lies in the last lines.
### Report IP addresses to badIPs with Fail2ban
In the second part of this tutorial, I will show you how to report bd IP addresses bach to the badips.com website by using Fail2ban.
### Fail2ban >= 0.8.12
The reporting is made with Fail2ban. Depending on your Fail2ban version you must use the first or second section of this chapter.If you have fail2ban in version 0.8.12.
If you have fail2ban version 0.8.12 or later.
fail2ban-server --version
In each category that youll report, simply add an action.
```
[ssh]
enabled = true
action = iptables-multiport
badips[category=ssh]
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry= 6
```
As you can see, the category is SSH, take a look here ([https://www.badips.com/get/categories][11]) to find the correct category.
### Fail2ban < 0.8.12
If the version is less recent than 0.8.12, youll have a to create an action. This can be downloaded here: [https://www.badips.com/asset/fail2ban/badips.conf][12].
wget https://www.badips.com/asset/fail2ban/badips.conf -O /etc/fail2ban/action.d/badips.conf
With the badips.conf from above, you can either activate per category as above or you can enable it globally:
cd /etc/fail2ban/
vi jail.conf
```
[DEFAULT]
...
banaction = iptables-multiport
badips
```
Now restart fail2ban - it should start reporting from now on.
service fail2ban restart
### Statistics of your IP reporting
Last step not really useful… You can create a key.
This one is usefull if you want to see your data.
Just copy / paste this and a JSON response will appear on your console.
wget https://www.badips.com/get/key -qO -
```
{
"err":"",
"suc":"new key 5f72253b673eb49fc64dd34439531b5cca05327f has been set.",
"key":"5f72253b673eb49fc64dd34439531b5cca05327f"
}
```
Then go on [badips][13] website, enter your “key” and click “statistics”.
Here we go… all your stats by category.
--------------------------------------------------------------------------------
via: https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/
作者:[Stephane T][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/
[1]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#define-your-security-level-and-category
[2]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#failban-gt-
[3]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#failban-ltnbsp
[4]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#use-the-badips-list
[5]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#lets-create-the-script
[6]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#report-ip-addresses-to-badips-with-failban
[7]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#statistics-of-your-ip-reporting
[8]:http://www.fail2ban.org/
[9]:https://www.badips.com/get/categories
[10]:http://www.timokorthals.de/?p=334
[11]:https://www.badips.com/get/categories
[12]:https://www.badips.com/asset/fail2ban/badips.conf
[13]:https://www.badips.com/
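Review bot: the `myBlacklist.sh` script and the cron/chmod lines being removed here carry several defects that the translated copy should correct rather than inherit. The crontab entry `23 30 * * * /home/<user>/myBlacklist.sh` has minute and hour swapped (hour 30 is out of range), so "every day at 11:30 PM" must be `30 23 * * * /home/<user>/myBlacklist.sh`; `chmod + x myBlacklist.sh` has a stray space and should be `chmod +x myBlacklist.sh`. In the script itself, `$_ipt --flush $_droplist` runs before the commented-out `$_ipt -N $_droplist`, so the first run fails its flush unless the chain already exists (an `$_ipt -N $_droplist 2>/dev/null` before the flush is the usual idiom); the three `$_ipt -I INPUT|OUTPUT|FORWARD -j $_droplist` lines insert a fresh jump rule on every daily run, so the built-in chains accumulate duplicate jumps; the drop rules match on `-i ${_pub_if}`, which never matches locally generated traffic, so the jump from OUTPUT is a no-op; and the list is fetched over plain `http://www.badips.com/...` with no integrity check even though the page itself links the `https://` URL, so a network attacker could substitute arbitrary addresses into a DROP list. The comment "Filter out comments and blank lines" also describes filtering that `for ip in \`cat $_input\`` does not do.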

@ -0,0 +1,224 @@
如何在 Debian 中使用 badIPs.com 保护你的服务器并通过 Fail2ban 报告 IP
============================================================
### 文章导航
1. [使用 badIPs 列表][4]
1. [定义安全等级和类别][1]
2. [创建脚本][5]
3. [使用 Fail2ban 向 badIPs 报告 IP][6]
1. [Fail2ban >= 0.8.12][2]
2. [Fail2ban < 0.8.12][3]
4. [你的 IP 报告统计信息][7]
这篇指南向你介绍使用 badips 滥用追踪器abuse tracker 和 Fail2ban 保护你的服务器或计算机的步骤。我已经在 Debian 8 Jessie 和 Debian 7 Wheezy 系统上进行了测试。
**什么是 badIPs**
BadIps 是通过 [fail2ban][8] 报告为不良 IP 的列表。
这个指南包括两个部分,第一部分介绍列表的使用,第二部分介绍数据注入。
### 使用 badIPs 列表
### 定义安全等级和类别
你可以通过使用 REST API 获取 IP 地址列表。
当你使用 GET 请求获取 URL[https://www.badips.com/get/categories][9] 后,你就可以看到服务中现有的所有不同类别。
* 第二步,决定适合你的等级。
参考 badips 应该有所帮助(我个人使用 scope=3
* 如果你想要编译统计信息或者将数据用于实验目的,那么你应该用等级 0 开始。
* 如果你想用防火墙保护你的服务器或者网站,使用等级 2。可能也要和你的结果相结合尽管它们可能没有超过 0 或 1 的等级。
* 如果你想保护一个网络商店、或高流量、赚钱的电子商务服务器,我推荐你使用值 3 或 4。当然还是要和你的结果相结合。
* 如果你是偏执狂,那就使用 5。
现在你已经有了两个变量,通过把它们两者连接起来获取你的链接。
http://www.badips.com/get/list/{{SERVICE}}/{{LEVEL}}
注意:像我一样,你可以要求所有服务。在这种情况下把服务的名称改为 “any”。
最终的 URL 就是:
https://www.badips.com/get/list/any/3
### 创建脚本
所有都完成了之后,我们就会创建一个简单的脚本。
1. 把你的列表放到一个临时文件。
2. 在 iptables 中创建一个 chain只需要一次译者注iptables 可能包括多个表tables表可能包括多个链chains链可能包括多个规则rules
3. 把所有链接的数据(旧条目)刷到 chain。
4. 把每个 IP 连接到新的 chain。
5. 完成后,阻塞所有链接到 chain 的 INPUT / OUTPUT /FORWARD。
6. 删除我们的临时文件。
为此,我们创建脚本:
cd /home/<user>/
vi myBlacklist.sh
把以下内容输入到文件。
#!/bin/sh
# based on this version http://www.timokorthals.de/?p=334
# adapted by Stéphane T.
_ipt=/sbin/iptables    # iptables 路径(应该是对的)
_input=badips.db       # 数据库的名称会用这个名称下载Name of database (will be downloaded with this name)
_pub_if=eth0           # 连接到网络的设备(执行 $ifconfig 获取Device which is connected to the internet (ex. $ifconfig for that)
_droplist=droplist     # iptables 中 chain 的名称(只有当你已经有这么一个名称的 chain 时才修改它Name of chain in iptables (Only change this if you have already a chain with this name)
_level=3               # Blog译者注Bad log等级不怎么坏0、确认坏3、相当坏5从 www.badips.com 获取详情Blog level: not so bad/false report (0) over confirmed bad (3) to quite aggressive (5) (see www.badips.com for that)
_service=any           # 记录日志的服务(从 www.badips.com 获取详情Logged service (see www.badips.com for that)
# 获取不良 IPs
wget -qO- http://www.badips.com/get/list/${_service}/$_level > $_input || { echo "$0: Unable to download ip list."; exit 1; }
### 设置我们的黑名单 ###
# 首先刷盘
$_ipt --flush $_droplist
# 创建新的 chain
# 首次运行时取消下面一行的注释
# $_ipt -N $_droplist
# 过滤掉注释和空行
# 保存每个 ip 到 $ip
for ip in `cat $_input`
do
# 添加到 $_droplist
$_ipt -A $_droplist -i ${_pub_if} -s $ip -j LOG --log-prefix "Drop Bad IP List "
$_ipt -A $_droplist -i ${_pub_if} -s $ip -j DROP
done
# 最后,插入或者追加我们的黑名单列表
$_ipt -I INPUT -j $_droplist
$_ipt -I OUTPUT -j $_droplist
$_ipt -I FORWARD -j $_droplist
# 删除你的临时文件
rm $_input
exit 0
完成这些后,你应该创建一个 cronjob 定期更新我们的黑名单。
为此,我使用 crontab 在每天晚上 11:30在我的延迟备份之前 运行脚本。
crontab -e
23 30 * * * /home/<user>/myBlacklist.sh #Block BAD IPS
别忘了更改脚本的权限:
chmod + x myBlacklist.sh
现在终于完成了,你的服务器/计算机应该更安全了。
你也可以像下面这样手动运行脚本:
cd /home/<user>/
./myBlacklist.sh
它可能要花费一些时间,因此期间别中断脚本。事实上,耗时取决于最后一行。
### 使用 Fail2ban 向 badIPs 报告 IP 地址
在本篇指南的第二部分,我会向你展示如何通过使用 Fail2ban 向 badips.com 网站报告不良 IP 地址。
### Fail2ban >= 0.8.12
通过 Fail2ban 完成报告。取决于你 Fail2ban 的版本,你要使用本章的第一或第二节。
如果你 fail2ban 的版本是 0.8.12 或更新版本。
fail2ban-server --version
在每个你要报告的类别中添加一个action。
[ssh]
enabled = true
action = iptables-multiport
badips[category=ssh]
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry= 6
正如你看到的,类别是 SSH从 ([https://www.badips.com/get/categories][11]) 查找正确类别。
### Fail2ban < 0.8.12
如果版本是 0.8.12 之前,你需要新建一个 action。你可以从 [https://www.badips.com/asset/fail2ban/badips.conf][12] 下载。
wget https://www.badips.com/asset/fail2ban/badips.conf -O /etc/fail2ban/action.d/badips.conf
在上面的 badips.conf 中,你可以像前面那样激活每个类别,也可以全局启用它:
cd /etc/fail2ban/
vi jail.conf
[DEFAULT]
...
banaction = iptables-multiport
badips
现在重启 fail2ban - 从现在开始它就应该开始报告了。
service fail2ban restart
### 你的 IP 报告统计信息
最后一步 - 没那么有用。你可以创建一个密钥。
如果你想看你的数据,这一步就很有帮助。
复制/粘贴下面的命令,你的控制台中就会出现一个 JSON 响应。
wget https://www.badips.com/get/key -qO -
{
"err":"",
"suc":"new key 5f72253b673eb49fc64dd34439531b5cca05327f has been set.",
"key":"5f72253b673eb49fc64dd34439531b5cca05327f"
}
到[badips][13] 网站,输入你的 “key” 并点击 “statistics”。
现在你就可以看到不同类别的统计信息。
--------------------------------------------------------------------------------
via: https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/
作者:[Stephane T][a]
译者:[ictlyh](https://github.com/ictlyh)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/
[1]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#define-your-security-level-and-category
[2]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#failban-gt-
[3]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#failban-ltnbsp
[4]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#use-the-badips-list
[5]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#lets-create-the-script
[6]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#report-ip-addresses-to-badips-with-failban
[7]:https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/#statistics-of-your-ip-reporting
[8]:http://www.fail2ban.org/
[9]:https://www.badips.com/get/categories
[10]:http://www.timokorthals.de/?p=334
[11]:https://www.badips.com/get/categories
[12]:https://www.badips.com/asset/fail2ban/badips.conf
[13]:https://www.badips.com/
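Review bot: the added translation loses the fenced code blocks the original had around the shell script (`#!/bin/sh` through `exit 0`), the crontab line, the two fail2ban snippets (`[ssh]` ... `maxretry= 6` and `[DEFAULT]` ... `badips`) and the JSON key response, so they now render as prose; restore the ``` fences. Several lines also need a second pass for meaning: "我个人使用 scope=3" should be `score=3` (the original says "score"), "首先刷盘" mistranslates `--flush`, which empties the chain's rules rather than writing anything to disk, and "事实上,耗时取决于最后一行" inverts the original "the value of it lies in the last lines" (the point is that the final `-I INPUT/OUTPUT/FORWARD -j $_droplist` rules are what make the chain effective, not that they take the time). The translator's note on step 2 is missing its closing parenthesis and separator after "rules", and the `校对者ID` placeholder in the footer is still unfilled. The inherited bugs from the source are still present and worth fixing here since the English file is being deleted: `23 30 * * *` should be `30 23 * * *` for 11:30 PM, and `chmod + x` should be `chmod +x`.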