
Monitoring nginx logs with fail2ban

September 9th, 2010

Background

fail2ban is a log-scanning tool: it looks through log files for signs of malicious activity, in particular repeated failed username/password attempts, and can ban the offending IP addresses in the iptables firewall to prevent further attacks.

Recently I noticed many suspicious requests in the nginx server log. They look like attempts to find vulnerable pages on the web server:

221.204.246.105 - - [08/Sep/2010:06:45:13 +0000] "GET /dbzhedit/ewebeditor.asp HTTP/1.1" 404 5748 "-" "Mozilla/4.0"
221.204.246.105 - - [08/Sep/2010:06:45:14 +0000] "GET /edit/ewebeditor.asp HTTP/1.1" 404 5744 "-" "Mozilla/4.0"
221.204.246.105 - - [08/Sep/2010:06:45:15 +0000] "GET /ugvbadmin/edit/ewebeditor.asp HTTP/1.1" 404 5754 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:50 +0000] "GET /piqmUserReg.asp HTTP/1.1" 404 5790 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:51 +0000] "GET /UserReg.asp HTTP/1.1" 404 5786 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:52 +0000] "GET /ioifupfile_flash.asp HTTP/1.1" 404 5795 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:53 +0000] "GET /upfile_flash.asp HTTP/1.1" 404 5791 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:53 +0000] "GET /admin/zhmuupfile_flash.asp HTTP/1.1" 404 5801 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:54 +0000] "GET /admin/upfile_flash.asp HTTP/1.1" 404 5797 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:54 +0000] "GET /admins/xvmbupfile_flash.asp HTTP/1.1" 404 5802 "-" "Mozilla/4.0"

Installing fail2ban

I figured fail2ban could scan the log for the attacks above and ban the offending clients. First install fail2ban; on Ubuntu/Debian a single apt-get does it:

apt-get install fail2ban

Configuring the fail2ban filter rule for nginx

Looking at the attack pattern, the requests make the server return HTTP 404 (file not found) errors in rapid succession. Below is the fail2ban filter rule for detecting this; create a file named nginx.conf in the /etc/fail2ban/filter.d/ directory with the following content:

[Definition]
 
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =

Testing the fail2ban filter rule

Before activating this filter rule for real, you can first check that it works with fail2ban-regex:

# fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.conf
Running tests
=============
 
Use regex file : /etc/fail2ban/filter.d/nginx.conf
Use log file   : /var/log/nginx/access.log
 
Results
=======
 
Failregex
|- Regular expressions:
|  [1] <HOST> -.*-.*HTTP/1.* 404 .*$
|
`- Number of matches:
   [1] 1304 match(es)
 
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
 
Summary
=======
 
Addresses found:
[1]
    222.189.228.42 (Wed Sep 08 18:10:50 2010)
    222.189.228.42 (Wed Sep 08 18:10:51 2010)
    222.189.228.42 (Wed Sep 08 18:10:52 2010)
    222.189.228.42 (Wed Sep 08 18:10:52 2010)
    ...
 
Date template hits:
...
XXXX hit(s): Day/MONTH/Year:Hour:Minute:Second
...
 
Success, the total number of match is YYYY
 
However, look at the above section 'Running tests' which could contain important
information.

Activating the fail2ban filter rule

The test results show that the attacking IP addresses and the attack times are detected correctly, so we can go on to edit the fail2ban configuration and activate the rule. Here is the content of my /etc/fail2ban/jail.local:

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 3600
maxretry = 6
destemail = root
action = %(action_mwl)s
 
[nginx]
enabled = true
port	= http,https
filter = nginx
logpath =  /var/log/nginx/access.log

This configuration tells fail2ban to monitor nginx's access.log with the nginx filter rule. When an attack is detected, besides banning the client IP in the iptables firewall, it also sends an email to root containing the whois information for that IP. Activate the configuration with the following command:

fail2ban-client reload

The /var/log/fail2ban.log file shows the nginx rule being activated:

2010-09-09 08:00:54,810 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2010-09-09 08:00:54,810 fail2ban.jail   : INFO   Creating new jail 'nginx'
2010-09-09 08:00:54,811 fail2ban.jail   : INFO   Jail 'nginx' uses poller
2010-09-09 08:00:54,812 fail2ban.filter : INFO   Added logfile = /var/log/nginx/access.log
2010-09-09 08:00:54,813 fail2ban.filter : INFO   Set maxRetry = 50
2010-09-09 08:00:54,815 fail2ban.filter : INFO   Set findtime = 600
2010-09-09 08:00:54,815 fail2ban.actions: INFO   Set banTime = 3600
...
2010-09-09 08:00:54,970 fail2ban.jail   : INFO   Jail 'nginx' started
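To see how the filter rule from filter.d/nginx.conf and the maxretry/findtime values reported in the log above combine into a ban decision, the Python below simulates fail2ban's per-host counting. This is an added example, not code from the original post or from fail2ban itself: the `<host>` group pattern is a simplification of fail2ban's own, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex from filter.d/nginx.conf above. fail2ban expands <HOST> into a
# named group when it loads the filter; the group pattern used here is a
# simplification of fail2ban's own (assumption for this example).
FAILREGEX = r"<HOST> -.*- .*HTTP/1.* 404 .*$"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def find_bans(lines, maxretry=6, findtime=600):
    """Return [(host, time)] for each host that reaches maxretry matching
    lines inside a sliding findtime-second window (the jail.local maxretry
    and the findtime reported in fail2ban.log). A host is reported once."""
    hits = defaultdict(deque)
    banned = set()
    bans = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m or m.group("host") in banned:
            continue
        host = m.group("host")
        ts = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        window = hits[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # older than findtime, no longer counted
        if len(window) >= maxretry:
            bans.append((host, ts))
            banned.add(host)
    return bans


# Constructed sample log using documentation addresses (not real traffic):
#  192.0.2.10 - a scanner: seven 404s within seven seconds
#  192.0.2.20 - a legitimate client missing /favicon.ico once every 15 minutes
#  192.0.2.30 - a normal 200 response, which the filter never matches
SAMPLE_LOG = [
    f'192.0.2.10 - - [08/Sep/2010:06:45:{10 + i:02d} +0000] "GET /x{i}/ewebeditor.asp HTTP/1.1" 404 5748 "-" "Mozilla/4.0"'
    for i in range(7)
] + [
    f'192.0.2.20 - - [08/Sep/2010:{7 + i // 4:02d}:{(i % 4) * 15:02d}:00 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"'
    for i in range(8)
] + [
    '192.0.2.30 - - [08/Sep/2010:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

With the jail's settings only the scanner 192.0.2.10 is banned, at its sixth 404; calling `find_bans(SAMPLE_LOG, maxretry=5, findtime=3600)` also reports 192.0.2.20, the client that merely lacks a favicon, which is why a plain 404 filter needs a conservative maxretry and findtime.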

Testing the effect of fail2ban

You can simulate an attacker repeatedly requesting a non-existent URL with the following command and watch what fail2ban does:

while true ; do wget http://127.0.0.10/404 ; done
# press Ctrl-C when wget gets stuck at "Connecting to 127.0.0.10:80... "

Check whether the fail2ban log recorded the attack above:

#   grep Ban /var/log/fail2ban.log
2010-09-09 08:06:09,338 fail2ban.actions: WARNING [nginx-fnf] Ban 127.0.0.10

Use the iptables command to view the ban rule added by fail2ban:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-nginx  tcp  --  anywhere             anywhere            multiport dports www,https
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain fail2ban-nginx (1 references)
target     prot opt source               destination
DROP       all  --  127.0.0.10           anywhere
RETURN     all  --  anywhere             anywhere

The email sent by fail2ban looks like this:
