Howto: Debian - installing and configuring fail2ban for CCcam

From Zebradem WIKI





Install the fail2ban software:

apt-get install fail2ban -y


Edit /etc/fail2ban/jail.conf and append the following lines. If necessary, adjust port to the port of your CCcam server. maxretry sets the number of failed attempts; once that number is reached, the IP is blocked by an iptables rule for half an hour. This duration can be changed with bantime. The value is given in seconds: 30 minutes = 1800 seconds.


	
[cccam_signaturefailed] 
enabled = true 
port = 12000 
filter = cccam-signature 
logpath = /var/log/daemon.log 
bantime = 1800 
maxretry = 10 

[cccam_badcommand] 
enabled = true
port = 12000
filter = cccam-command
logpath = /var/log/daemon.log 
bantime = 1800 
maxretry = 10 

[cccam_doublelogin] 
enabled = true 
port = 12000 
filter = cccam-login
logpath = /var/log/daemon.log 
bantime = 1800 
maxretry = 10

maxretry = number of failed attempts allowed before the IP is banned
bantime = ban duration, given in seconds
If necessary, you still have to adjust the port to your CCcam port.


Now create the three filters under /etc/fail2ban/filter.d/. You can do this with your favourite editor.

cccam-signature.conf

	
# Fail2Ban configuration file 
# 
# Author: Cyril Jaquier 
# 
# $Revision: 510 $ 
# 
[Definition] 
# Option: failregex 
# Notes.: regex to match the password failures messages in the logfile. The 
# host must be matched by a group named "host". The tag "<HOST>" can 
# be used for standard IP/hostname matching and is only an alias for 
# (?:::f{4,6}:)?(?P<host>\S+) 
# Values: TEXT 
# 
failregex = CCcam: kick <HOST>, signature failed 
# Option: ignoreregex 
# Notes.: regex to ignore. If this regex matches, the line is ignored. 
# Values: TEXT 
# 
ignoreregex =

cccam-login.conf

		
# Fail2Ban configuration file 
# 
# Author: Cyril Jaquier 
# 
# $Revision: 510 $ 
# 
[Definition]
# Option: failregex 
# Notes.: regex to match the password failures messages in the logfile. The 
# host must be matched by a group named "host". The tag "<HOST>" can 
# be used for standard IP/hostname matching and is only an alias for 
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT 
# 
failregex = CCcam: double login .*, .* \(<HOST>\) 
# Option: ignoreregex 
# Notes.: regex to ignore. If this regex matches, the line is ignored. 
# Values: TEXT 
# 
ignoreregex =

cccam-command.conf

		
# Fail2Ban configuration file 
# 
# Author: Cyril Jaquier 
# 
# $Revision: 510 $ 
# 
[Definition] 
# Option: failregex 
# Notes.: regex to match the password failures messages in the logfile. The 
# host must be matched by a group named "host". The tag "<HOST>" can 
# be used for standard IP/hostname matching and is only an alias for 
# (?:::f{4,6}:)?(?P<host>\S+) 
# Values: TEXT 
# 
failregex = CCcam: kick <HOST>.*, bad command 
# Option: ignoreregex 
# Notes.: regex to ignore. If this regex matches, the line is ignored. 
# Values: TEXT 
# 
ignoreregex =
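
Before restarting, it helps to check that each failregex extracts the address you expect. The following Python script is an added example, not part of the original wiki page or of fail2ban: it expands <HOST> with the alias quoted in the filter comments, runs the three failregex lines over constructed sample log lines (the real CCcam wording in daemon.log may differ) and reports which hosts reach maxretry. It only counts matches and ignores fail2ban's time window.

```python
import re
from collections import defaultdict

# <HOST> alias exactly as quoted in the filter file comments on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Jail name -> failregex, copied from the three filter files above.
FILTERS = {
    "cccam_signaturefailed": r"CCcam: kick <HOST>, signature failed",
    "cccam_badcommand": r"CCcam: kick <HOST>.*, bad command",
    "cccam_doublelogin": r"CCcam: double login .*, .* \(<HOST>\)",
}
MAXRETRY = 10  # same value as in the jail sections

def compile_filters(filters=FILTERS):
    """Substitute the <HOST> tag and compile one regex per jail."""
    return {jail: re.compile(rx.replace("<HOST>", HOST)) for jail, rx in filters.items()}

def count_failures(lines, compiled=None):
    """Return {(jail, host): number of matching log lines}."""
    compiled = compiled or compile_filters()
    hits = defaultdict(int)
    for line in lines:
        for jail, rx in compiled.items():
            m = rx.search(line)
            if m:
                hits[(jail, m.group("host"))] += 1
    return dict(hits)

def would_ban(lines, maxretry=MAXRETRY):
    """(jail, host) pairs whose match count reaches maxretry."""
    return sorted(key for key, n in count_failures(lines).items() if n >= maxretry)

# Constructed sample lines (documentation addresses, hypothetical user names).
SAMPLE = (
    ["Aug  4 15:30:%02d box CCcam: kick 203.0.113.5, signature failed" % i for i in range(10)]
    + ["Aug  4 15:31:%02d box CCcam: kick 198.51.100.7 (user1), bad command" % i for i in range(3)]
    + ["Aug  4 15:32:00 box CCcam: double login user2, old connection (192.0.2.9)"]
    + ["Aug  4 15:33:00 box CCcam: client user3 connected"]  # matches no filter
)

if __name__ == "__main__":
    for (jail, host), n in sorted(count_failures(SAMPLE).items()):
        print("%-24s %-15s %2d match(es)" % (jail, host, n))
    print("would be banned:", would_ban(SAMPLE))
```

On the server itself, fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/cccam-signature.conf runs the same kind of check with fail2ban's own matcher against the real log.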

Finally, fail2ban has to be restarted.

/etc/init.d/fail2ban restart


From now on you can see warnings and ban actions in /var/log/fail2ban.log. It looks like this, for example:

2009-08-04 15:30:19,863 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 80.137.xxx.xxx
2009-08-04 15:32:09,002 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 92.50.xxx.xxx
2009-08-04 15:33:26,104 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 92.50.xxx.xxx
2009-08-04 15:38:51,471 fail2ban.actions: WARNING [cccam_badcommand] Unban 88.152.xxx.xxx
2009-08-04 15:42:38,764 fail2ban.actions: WARNING [cccam_badcommand] Ban 88.152.xxx.xxx
2009-08-04 16:00:20,017 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 80.137.xxx.xxx
2009-08-04 16:03:26,240 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 92.50.xxx.xxx
2009-08-04 16:04:15,312 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 92.50.xxx.xxx


Sources and links