fail2ban on 대충어쩌고저쩌고샬라샬라https://dntco43u.github.io/tags/fail2ban/Recent content in fail2ban on 대충어쩌고저쩌고샬라샬라HugoenTue, 09 Dec 2025 00:00:00 +0000fail2banhttps://dntco43u.github.io/apps/fail2ban/Tue, 09 Dec 2025 00:00:00 +0000https://dntco43u.github.io/apps/fail2ban/<p><img src="https://dntco43u.github.io/images/fail2ban-logo.webp#center" alt="image"></p> <pre class="mermaid"> graph LR subgraph gvp6nx1a A1[sshd] -- log --&gt; B[fail2ban] A2[vsftpd] -- log --&gt; B A1[sshd] &lt;-- 22/tcp --&gt; A3 A2[vsftpd] &lt;-- 21/tcp --&gt; A3 end B -- ip/port bsn/unban --&gt; A3[iptables] B -- https --&gt; C[telegram] A3 &lt;-- 6****/tcp --&gt; D1[client]</pre> <h2 id="host-구성">host 구성<a class="td-heading-self-link" href="#host-%ea%b5%ac%ec%84%b1" aria-label="Heading self-link"></a></h2> <h3 id="설치">설치<a class="td-heading-self-link" href="#%ec%84%a4%ec%b9%98" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo dnf -y update <span class="o">&amp;&amp;</span> sudo dnf install -y fail2ban whois </span></span></code></pre></div><h3 id="jaillocal">jail.local<a class="td-heading-self-link" href="#jaillocal" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo vi /etc/fail2ban/jail.local </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[INCLUDES]</span> </span></span><span class="line"><span class="cl"><span class="na">before</span> <span class="o">=</span> <span class="s">paths-fedora.conf</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[DEFAULT]</span> </span></span><span class="line"><span class="cl"><span class="na">ignoreip</span> <span class="o">=</span> <span class="s">192.168.192.1 2**.**.**.* 1**.***.**.* 1**.***.**.** 1**.***.**.**</span> </span></span><span class="line"><span class="cl"><span class="na">ignorecommand</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">1h</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">1h</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">10</span> </span></span><span class="line"><span class="cl"><span class="na">maxmatches</span> <span class="o">=</span> <span class="s">%(maxretry)s</span> </span></span><span class="line"><span class="cl"><span class="na">backend</span> <span class="o">=</span> <span class="s">auto</span> </span></span><span class="line"><span class="cl"><span class="na">usedns</span> <span class="o">=</span> <span class="s">warn</span> </span></span><span class="line"><span class="cl"><span class="na">logencoding</span> <span class="o">=</span> <span class="s">auto</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">false</span> </span></span><span class="line"><span class="cl"><span class="na">mode</span> <span class="o">=</span> <span class="s">normal</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">%(__name__)s[mode=%(mode)s]</span> </span></span><span class="line"><span class="cl"><span class="na">blocktype</span> <span class="o">=</span> <span class="s">DROP</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">destemail</span> <span class="o">=</span> <span class="s">x*******-********@yahoo.com</span> </span></span><span class="line"><span class="cl"><span class="na">sender</span> <span class="o">=</span> <span class="s">x*******-********@yahoo.com</span> </span></span><span class="line"><span class="cl"><span class="na">mta</span> <span class="o">=</span> <span class="s">sendmail</span> </span></span><span class="line"><span class="cl"><span class="na">protocol</span> <span class="o">=</span> <span class="s">tcp</span> </span></span><span class="line"><span class="cl"><span class="na">chain</span> <span class="o">=</span> <span class="s">&lt;known/chain&gt;</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">0:65535</span> </span></span><span class="line"><span class="cl"><span class="na">fail2ban_agent</span> <span class="o">=</span> <span class="s">Fail2Ban/%(fail2ban_version)s</span> </span></span><span class="line"><span class="cl"><span class="na">banaction</span> <span class="o">=</span> <span class="s">iptables-multiport</span> </span></span><span class="line"><span class="cl"><span class="na">banaction_allports</span> <span class="o">=</span> <span class="s">iptables-allports</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">%(action_local)s</span> </span></span><span class="line"><span class="cl"><span class="na">action_</span> <span class="o">=</span> <span class="s">%(banaction)s[port=&#34;%(port)s&#34;, protocol=&#34;%(protocol)s&#34;, chain=&#34;%(chain)s&#34;]</span> </span></span><span class="line"><span class="cl"><span class="na">action_mw</span> <span class="o">=</span> <span class="s">%(action_)s </span></span></span><span class="line"><span class="cl"><span class="s"> %(mta)s-whois[sender=&#34;%(sender)s&#34;, dest=&#34;%(destemail)s&#34;, protocol=&#34;%(protocol)s&#34;, chain=&#34;%(chain)s&#34;]</span> </span></span><span class="line"><span class="cl"><span class="na">action_mwl</span> <span class="o">=</span> <span class="s">%(action_)s </span></span></span><span class="line"><span class="cl"><span class="s"> %(mta)s-whois-lines[sender=&#34;%(sender)s&#34;, dest=&#34;%(destemail)s&#34;, logpath=&#34;%(logpath)s&#34;, chain=&#34;%(chain)s&#34;]</span> </span></span><span class="line"><span class="cl"><span class="na">action_xarf</span> <span class="o">=</span> <span class="s">%(action_)s </span></span></span><span class="line"><span class="cl"><span class="s"> xarf-login-attack[service =%(__name__)s, sender=&#34;%(sender)s&#34;, logpath=&#34;%(logpath)s&#34;, port=&#34;%(port)s&#34;]</span> </span></span><span class="line"><span class="cl"><span class="na">action_cf_mwl</span> <span class="o">=</span> <span class="s">cloudflare[cfuser=&#34;%(cfemail)s&#34;, cftoken=&#34;%(cfapikey)s&#34;] </span></span></span><span class="line"><span class="cl"><span class="s"> %(mta)s-whois-lines[sender=&#34;%(sender)s&#34;, dest=&#34;%(destemail)s&#34;, logpath=&#34;%(logpath)s&#34;, chain=&#34;%(chain)s&#34;]</span> </span></span><span class="line"><span class="cl"><span class="na">action_blocklist_de</span> <span class="o">=</span> <span class="s">blocklist_de[email=&#34;%(sender)s&#34;, service=&#34;%(__name__)s&#34;, apikey=&#34;%(blocklist_de_apikey)s&#34;, agent=&#34;%(fail2ban_agent)s&#34;]</span> </span></span><span class="line"><span class="cl"><span class="na">action_abuseipdb</span> <span class="o">=</span> <span class="s">abuseipdb</span> </span></span><span class="line"><span class="cl"><span class="na">action_local</span> <span class="o">=</span> <span class="s">iptables-multiport[chain=&#34;%(chain)s&#34;, protocol=&#34;%(protocol)s&#34;, port=&#34;%(port)s&#34;, blocktype=&#34;%(blocktype)s&#34;] </span></span></span><span class="line"><span class="cl"><span class="s"> telegram</span> </span></span></code></pre></div><h3 id="telegramlocal">telegram.local<a class="td-heading-self-link" href="#telegramlocal" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo vi /etc/fail2ban/action.d/telegram.local </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="na">actionstart</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="na">actionstop</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="na">actioncheck</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="na">actionban</span> <span class="o">=</span> <span class="s">/home/dev/.local/bin/notify_fail2ban.sh actionban &lt;name&gt; &lt;ip&gt;</span> </span></span><span class="line"><span class="cl"><span class="na">actionunban</span> <span class="o">=</span> <span class="s">/home/dev/.local/bin/notify_fail2ban.sh actionunban &lt;name&gt; &lt;ip&gt;</span> </span></span></code></pre></div><h3 id="11-sshdlocal">11-sshd.local<a class="td-heading-self-link" href="#11-sshdlocal" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo vi /etc/fail2ban/jail.d/11-sshd.local </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[sshd]</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">sshd[mode=aggressive]</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">%(syslog_authpriv)s</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">%(action_local)s</span> </span></span><span class="line"><span class="cl"><span class="na">chain</span> <span class="o">=</span> <span class="s">INPUT</span> </span></span><span class="line"><span class="cl"><span class="na">protocol</span> <span class="o">=</span> <span class="s">tcp</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">22</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">1</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span></code></pre></div><h3 id="12-vsftpdlocal">12-vsftpd.local<a class="td-heading-self-link" href="#12-vsftpdlocal" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo vi /etc/fail2ban/jail.d/12-vsftpd.local </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[vsftpd]</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">vsftpd</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">%(vsftpd_log)s</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">%(action_local)s</span> </span></span><span class="line"><span class="cl"><span class="na">chain</span> <span class="o">=</span> <span class="s">INPUT</span> </span></span><span class="line"><span class="cl"><span class="na">protocol</span> <span class="o">=</span> <span class="s">tcp</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">21,6****:6****</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">1</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span></code></pre></div><h3 id="구성-적용">구성 적용<a class="td-heading-self-link" href="#%ea%b5%ac%ec%84%b1-%ec%a0%81%ec%9a%a9" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo fail2ban-server restart <span class="o">&amp;&amp;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>sudo fail2ban-client restart <span class="o">&amp;&amp;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>sudo systemctl restart fail2ban <span class="o">&amp;&amp;</span> sudo systemctl status fail2ban <span class="o">&amp;&amp;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>sudo systemctl list-units --type service </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo fail2ban-client status sshd<span class="p">;</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client status vsftpd </span></span></code></pre></div><h3 id="logrotate">logrotate<a class="td-heading-self-link" href="#logrotate" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo vi /etc/logrotate.d/fail2ban </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">/var/log/fail2ban.log { </span></span><span class="line"><span class="cl"> daily </span></span><span class="line"><span class="cl"> rotate 7 </span></span><span class="line"><span class="cl"> missingok </span></span><span class="line"><span class="cl"> notifempty </span></span><span class="line"><span class="cl"> dateext </span></span><span class="line"><span class="cl"> dateyesterday </span></span><span class="line"><span class="cl"> dateformat -%Y%m%d </span></span><span class="line"><span class="cl"> sharedscripts </span></span><span class="line"><span class="cl"> postrotate </span></span><span class="line"><span class="cl"> /usr/bin/fail2ban-client flushlogs &gt;/dev/null || true </span></span><span class="line"><span class="cl"> endscript </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><h3 id="밴-등록취소">밴 등록/취소 <sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup><a class="td-heading-self-link" href="#%eb%b0%b4-%eb%93%b1%eb%a1%9d%ec%b7%a8%ec%86%8c" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> sshd banip 1.1.1.1<span class="p">;</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> sshd unbanip 1.1.1.1<span class="p">;</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> vsftpd banip 1.1.1.1<span class="p">;</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> vsftpd unbanip 1.1.1.1 </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">vi /home/dev/.local/bin/notify_fail2ban.sh </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="cp">#!/bin/sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="c1"># fail2ban 알림</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">. /home/dev/.bashrc </span></span><span class="line"><span class="cl">. /home/dev/.local/bin/utils.sh </span></span><span class="line"><span class="cl"><span class="nv">log_file</span><span class="o">=</span>/home/dev/.local/log/<span class="k">$(</span>basename <span class="s2">&#34;</span><span class="nv">$0</span><span class="s2">&#34;</span> <span class="p">|</span> sed <span class="s1">&#39;s/.sh//&#39;</span><span class="k">)</span>.log </span></span><span class="line"><span class="cl"><span class="nv">msg_file</span><span class="o">=</span>/home/dev/.local/log/<span class="k">$(</span>basename <span class="s2">&#34;</span><span class="nv">$0</span><span class="s2">&#34;</span> <span class="p">|</span> sed <span class="s1">&#39;s/.sh//&#39;</span><span class="k">)</span>.tmp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">action</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$1</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">name</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$2</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">ip</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$3</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">{</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$action</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s2">&#34;actionstart&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="o">[</span><span class="s2">&#34;</span><span class="nv">$name</span><span class="s2">&#34;</span><span class="o">]</span> started </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$action</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s2">&#34;actionstop&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="o">[</span><span class="s2">&#34;</span><span class="nv">$name</span><span class="s2">&#34;</span><span class="o">]</span> stopped </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$action</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s2">&#34;actionban&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="o">[</span><span class="s2">&#34;</span><span class="nv">$name</span><span class="s2">&#34;</span><span class="o">]</span> Ban <span class="s2">&#34;</span><span class="nv">$ip</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> whois <span class="s2">&#34;</span><span class="nv">$ip</span><span class="s2">&#34;</span> <span class="p">|</span> grep -iE <span class="s2">&#34;^(address|country)&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="p">|</span> sed -E <span class="s1">&#39;s/^(country|address)(.*:)( +)(.*)/\1: \4/gI&#39;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$action</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s2">&#34;actionunban&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="o">[</span><span class="s2">&#34;</span><span class="nv">$name</span><span class="s2">&#34;</span><span class="o">]</span> Unban <span class="s2">&#34;</span><span class="nv">$ip</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> &gt; <span class="s2">&#34;</span><span class="nv">$log_file</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">cp <span class="s2">&#34;</span><span class="nv">$log_file</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$msg_file</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">send_tel_msg <span class="s2">&#34;</span><span class="nv">$TEL_BOT_KEY</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$TEL_CHAT_ID</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$msg_file</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">rm <span class="s2">&#34;</span><span class="nv">$msg_file</span><span class="s2">&#34;</span> </span></span></code></pre></div><p><img src="https://dntco43u.github.io/images/fail2ban-1.webp" alt="image"></p>