Monitoring nginx logs with fail2ban | 小李贼

Source: Baidu Wenku   Editor: 偶看新闻   Time: 2024/04/30 00:42:39

Monitoring nginx logs with fail2ban

September 9th, 2010, by li

Background

fail2ban is a log-scanning tool that looks for malicious activity in log files, in particular repeated failed username/password attempts, and can ban the offending client's IP address through the iptables firewall to prevent further attacks.

Recently I noticed a lot of suspicious requests in the logs of my nginx server; they look like attempts to discover vulnerable pages on the web server:

221.204.246.105 - - [08/Sep/2010:06:45:13 +0000] "GET /dbzhedit/ewebeditor.asp HTTP/1.1" 404 5748 "-" "Mozilla/4.0"
221.204.246.105 - - [08/Sep/2010:06:45:14 +0000] "GET /edit/ewebeditor.asp HTTP/1.1" 404 5744 "-" "Mozilla/4.0"
221.204.246.105 - - [08/Sep/2010:06:45:15 +0000] "GET /ugvbadmin/edit/ewebeditor.asp HTTP/1.1" 404 5754 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:50 +0000] "GET /piqmUserReg.asp HTTP/1.1" 404 5790 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:51 +0000] "GET /UserReg.asp HTTP/1.1" 404 5786 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:52 +0000] "GET /ioifupfile_flash.asp HTTP/1.1" 404 5795 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:53 +0000] "GET /upfile_flash.asp HTTP/1.1" 404 5791 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:53 +0000] "GET /admin/zhmuupfile_flash.asp HTTP/1.1" 404 5801 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:54 +0000] "GET /admin/upfile_flash.asp HTTP/1.1" 404 5797 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:54 +0000] "GET /admins/xvmbupfile_flash.asp HTTP/1.1" 404 5802 "-" "Mozilla/4.0"

Installing fail2ban

I figured fail2ban could scan the log for the attacks shown above and ban the malicious clients. First install fail2ban; on Ubuntu/Debian a single apt-get does it:

apt-get install fail2ban

Configuring the fail2ban filter rule for nginx

Looking at the attack pattern, it is a burst of requests within a short time that each make the server return HTTP 404 (file not found). Below is a fail2ban filter rule that detects this attack; create the file nginx.conf in the /etc/fail2ban/filter.d/ directory with the following content:

[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =

Testing the fail2ban filter rule

Before enabling the filter rule for real, its effectiveness can be checked with fail2ban-regex:

# fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/nginx.conf
Use log file   : /var/log/nginx/access.log

Results
=======

Failregex
|- Regular expressions:
|  [1] <HOST> -.*-.*HTTP/1.* 404 .*$
|
`- Number of matches:
   [1] 1304 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    222.189.228.42 (Wed Sep 08 18:10:50 2010)
    222.189.228.42 (Wed Sep 08 18:10:51 2010)
    222.189.228.42 (Wed Sep 08 18:10:52 2010)
    222.189.228.42 (Wed Sep 08 18:10:52 2010)
    ...

Date template hits:
...
XXXX hit(s): Day/MONTH/Year:Hour:Minute:Second
...

Success, the total number of match is YYYY

However, look at the above section 'Running tests' which could contain important
information.

Enabling the fail2ban filter rule

The test results show that both the IP addresses of the attacking hosts and the times of the attacks are detected correctly, so we can go on to edit fail2ban's configuration and enable the rule above. Here is the content of my /etc/fail2ban/jail.local:

[DEFAULT]
ignoreip  = 127.0.0.1
bantime   = 3600
maxretry  = 6
destemail = root
action    = %(action_mwl)s

[nginx]
enabled = true
port    = http,https
filter  = nginx
logpath = /var/log/nginx/access.log

This configuration tells fail2ban to monitor nginx's access.log with the nginx filter rule; when an attack is detected, besides banning the client IP in the iptables firewall, it also sends an email to root containing the whois information for that IP. Activate the configuration with the following command:

fail2ban-client reload

The /var/log/fail2ban.log log file shows the nginx rule above being activated:

2010-09-09 08:00:54,810 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2010-09-09 08:00:54,810 fail2ban.jail   : INFO   Creating new jail 'nginx'
2010-09-09 08:00:54,811 fail2ban.jail   : INFO   Jail 'nginx' uses poller
2010-09-09 08:00:54,812 fail2ban.filter : INFO   Added logfile = /var/log/nginx/access.log
2010-09-09 08:00:54,813 fail2ban.filter : INFO   Set maxRetry = 50
2010-09-09 08:00:54,815 fail2ban.filter : INFO   Set findtime = 600
2010-09-09 08:00:54,815 fail2ban.actions: INFO   Set banTime = 3600
...
2010-09-09 08:00:54,970 fail2ban.jail   : INFO   Jail 'nginx' started
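To show what the filter and jail settings above actually do together (the failregex from nginx.conf, maxretry from jail.local and the findtime sliding window reported in the log), here is an added Python emulation of the matching and counting logic; it is not part of the original post or of fail2ban itself. It assumes a plain IPv4 pattern in place of fail2ban's <HOST> expansion, and the log lines it runs over are constructed in the same format as the excerpt above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> into its own host pattern; a plain IPv4 group stands in for it here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(HOST + r" -.*- .*HTTP/1.* 404 .*$")   # the post's nginx.conf failregex
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_line(line):
    """Return (host, timestamp) when the line matches failregex, else None."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    ts = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
    return m.group("host"), ts

def find_bans(lines, maxretry=6, findtime=600):
    """Ban a host once it has maxretry matches within findtime seconds; return {host: trigger time}."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host in banned:
            continue
        q = hits[host]
        q.append(ts)
        while ts - q[0] > window:   # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned

def _line(host, hms, path, status):
    # Constructed nginx access-log line in the same format as the post's excerpt.
    return f'{host} - - [08/Sep/2010:{hms} +0000] "GET {path} HTTP/1.1" {status} 5748 "-" "Mozilla/4.0"'

# Constructed sample log (documentation addresses, not real clients):
#  - 192.0.2.10 probes six admin scripts in six seconds (should be banned)
#  - 192.0.2.20 loads the site and misses only a favicon (one 404 stays below maxretry)
#  - 192.0.2.30 sends six 404s 15 minutes apart (never maxretry hits inside findtime)
SAMPLE_LOG = (
    [_line("192.0.2.10", f"06:45:{13 + i:02d}", f"/edit{i}/ewebeditor.asp", 404) for i in range(6)]
    + [_line("192.0.2.20", "06:50:00", "/", 200), _line("192.0.2.20", "06:50:01", "/favicon.ico", 404)]
    + [_line("192.0.2.30", f"{7 + i // 4:02d}:{(i % 4) * 15:02d}:00", "/UserReg.asp", 404) for i in range(6)]
)
```

Running find_bans(SAMPLE_LOG) bans only 192.0.2.10; the favicon miss and the slow scanner stay under the threshold, which is why maxretry and findtime matter as much as the regex itself.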

Testing whether fail2ban works

The following command simulates an attacker repeatedly requesting a non-existent URL, so we can see fail2ban in action:

while true ; do wget http://127.0.0.10/404 ; done
# press Ctrl-C once it hangs at "Connecting to 127.0.0.10:80... "

Check whether fail2ban's log recorded the attack above:

# grep Ban /var/log/fail2ban.log
2010-09-09 08:06:09,338 fail2ban.actions: WARNING [nginx-fnf] Ban 127.0.0.10

Use the iptables command to see the blocking rule fail2ban added for that IP:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-nginx  tcp  --  anywhere             anywhere            multiport dports www,https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-nginx (1 references)
target     prot opt source               destination
DROP       all  --  127.0.0.10           anywhere
RETURN     all  --  anywhere             anywhere

The email sent by fail2ban looks like this: