Howto: Debian - installing and configuring fail2ban for CCcam

Install the fail2ban software:
apt-get install fail2ban -y
Edit /etc/fail2ban/jail.conf and append the following lines.
If necessary, adjust port to the port of your CCcam server.
maxretry sets the number of failed attempts. Once that number is reached, the IP is blocked by an iptables rule for half an hour.
This time can be changed with bantime. The value is given in seconds. 30 minutes = 1800 seconds.

[cccam_signaturefailed]
enabled = true
port = 12000
filter = cccam-signature
logpath = /var/log/daemon.log
bantime = 1800
maxretry = 10

[cccam_badcommand]
enabled = true
port = 12000
filter = cccam-command
logpath = /var/log/daemon.log
bantime = 1800
maxretry = 10

[cccam_doublelogin]
enabled = true
port = 12000
filter = cccam-login
logpath = /var/log/daemon.log
bantime = 1800
maxretry = 10

maxretry = number of failed attempts allowed before the IP is banned
bantime = ban duration, given in seconds
If necessary, you still have to adjust the port to your CCcam port.

Now create the three filters under /etc/fail2ban/filter.d/. You can do this with your favourite editor.
cccam-signature.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = CCcam: kick <HOST>, signature failed

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
cccam-login.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = CCcam: double login .*, .* \(<HOST>\)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
cccam-command.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = CCcam: kick <HOST>.*, bad command

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Finally, fail2ban has to be restarted.
/etc/init.d/fail2ban restart
From now on you can see warnings and ban events in /var/log/fail2ban.log.
It looks like this, for example.

2009-08-04 15:30:19,863 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 80.137.xxx.xxx
2009-08-04 15:32:09,002 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 92.50.xxx.xxx
2009-08-04 15:33:26,104 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 92.50.xxx.xxx
2009-08-04 15:38:51,471 fail2ban.actions: WARNING [cccam_badcommand] Unban 88.152.xxx.xxx
2009-08-04 15:42:38,764 fail2ban.actions: WARNING [cccam_badcommand] Ban 88.152.xxx.xxx
2009-08-04 16:00:20,017 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 80.137.xxx.xxx
2009-08-04 16:03:26,240 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 92.50.xxx.xxx
2009-08-04 16:04:15,312 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 92.50.xxx.xxx
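
Added example (not part of the original howto and not fail2ban's own code): a Python check that expands <HOST> as described in the filter comments, runs the three failregex patterns from this howto over sample lines, and reports which IPs would reach maxretry. The sample log lines are constructed to fit the patterns (the page shows no real CCcam output), the ipaddress check is this example's own sanity test, and the time window fail2ban applies when counting is not modelled.

```python
import ipaddress
import re
from collections import Counter

# <HOST> alias exactly as given in the filter file comments on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# jail name -> failregex, copied from the three filter files in this howto.
FAILREGEX = {
    "cccam_signaturefailed": r"CCcam: kick <HOST>, signature failed",
    "cccam_badcommand": r"CCcam: kick <HOST>.*, bad command",
    "cccam_doublelogin": r"CCcam: double login .*, .* \(<HOST>\)",
}
MAXRETRY = 10  # same value as in the jail definitions

COMPILED = {jail: re.compile(rx.replace("<HOST>", HOST))
            for jail, rx in FAILREGEX.items()}

def classify(line):
    """Return (jail, ip) for the first filter that matches, else None."""
    for jail, rx in COMPILED.items():
        m = rx.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            return None  # captured text is not an IP: do not count it
        return jail, str(ip)
    return None

def would_ban(lines, maxretry=MAXRETRY):
    """Count failures per (jail, ip); return those that reach maxretry."""
    hits = Counter(filter(None, map(classify, lines)))
    return {key: n for key, n in hits.items() if n >= maxretry}

# Constructed sample lines, shaped only to fit the failregex patterns above.
SAMPLE = (
    ["Aug  4 15:30:19 box CCcam: kick 203.0.113.7, signature failed"] * 10
    + ["Aug  4 15:31:02 box CCcam: kick 192.0.2.44 (user2), bad command"] * 3
    + ["Aug  4 15:31:40 box CCcam: double login user1, kicking (198.51.100.9)"]
    + ["Aug  4 15:32:00 box CCcam: kick not-an-ip, signature failed"]
    + ["Aug  4 15:32:05 box CCcam: server started"]
)

if __name__ == "__main__":
    for (jail, ip), count in would_ban(SAMPLE).items():
        print(f"[{jail}] would ban {ip} after {count} matches")
```

On a live system, fail2ban's own fail2ban-regex tool performs the equivalent check against the real /var/log/daemon.log and a filter file.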
Sources and links