如何使用Fail2Ban自动禁止UDP短数据包?

如何使用Fail2Ban自动禁止UDP短数据包?

该日志文件/var/log/kern.log包含一些 IP 地址,我希望系统能够自动禁止/阻止这些地址。

基本上,一个数据包来自 UDP 协议,并且是一个短数据包,然后我希望 IPTables 通过 Fail2Ban 禁止该数据包的主机。

03-serv:~# cat /var/log/kern.log | grep ' UDP: short packet: From '
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to x.x.x.x:27015
Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to x.x.x.x:27015
Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to x.x.x.x:27015
Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to x.x.x.x:27015
Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to x.x.x.x:27015
Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to x.x.x.x:27015
Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to x.x.x.x:27015
Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to x.x.x.x:27015

这是我最后的 Fail2Ban jail jail.conf

[ddos]
enabled   = true
port      = 27015
protocol  = udp
filter    = ddos
logpath   = /var/log/kern.log
maxretry  = 3
bantime   = 6000

下面是我的反短 UDP 配置/etc/fail2ban/filter.d/ddos.conf

[Definition]

# Option:  failregex
# Notes.:  Auto block short UDP.
# Values:  TEXT
#
failregex = ^.*kernel: UDP: short packet: From <HOST>:.*$

ignoreregex =

答案1

需要failregex匹配完整的输出,并且可以采用完整正则表达式的形式,因此如下所示:

'^.*kernel: UDP: short packet: From <HOST>:.*$'

您可以使用 ( 来测试正则表达式文档):

fail2ban-regex -v /var/log/kern.log /etc/fail2ban/filter.d/ddos.conf

经过以下测试和验证:

cwatson@loki:~$ cat ./kern.log
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to x.x.x.x:27015
Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to x.x.x.x:27015
Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to x.x.x.x:27015
Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to x.x.x.x:27015
Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to x.x.x.x:27015
Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to x.x.x.x:27015
Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to x.x.x.x:27015
Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to x.x.x.x:27015

cwatson@loki:~$ fail2ban-regex -v ./kern.log "^.*kernel: UDP: short packet: From <HOST>:.*$"

Running tests
=============

Use   failregex line : ^.*kernel: UDP: short packet: From <HOST>:.*$
Use         log file : ./kern.log


Results
=======

Failregex: 9 total
|-  #) [# of hits] regular expression
|   1) [9] ^.*kernel: UDP: short packet: From <HOST>:.*$
|      74.60.6.213  Fri Dec 19 16:05:12 2014
|      1.215.252.130  Fri Dec 19 16:05:57 2014
|      184.0.249.136  Fri Dec 19 16:08:17 2014
|      1.214.66.49  Fri Dec 19 16:09:54 2014
|      1.214.214.2  Fri Dec 19 16:11:28 2014
|      74.60.171.197  Fri Dec 19 18:00:45 2014
|      112.155.240.24  Fri Dec 19 18:00:59 2014
|      1.220.200.162  Sat Dec 20 16:02:07 2014
|      1.215.123.171  Sat Dec 20 16:02:30 2014
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [9] MONTH Day Hour:Minute:Second
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Day/MONTH/Year:Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Day-Month-Year Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] ISO 8601
|  [0] Hour:Minute:Second
|  [0] <Month/Day/Year@Hour:Minute:Second>
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 9 lines, 0 ignored, 9 matched, 0 missed

相关内容