OCI Ubuntu 22.04: blocking attacks with fail2ban

Servers

SSH on Oracle Cloud uses certificate authentication, so unauthorized SSH login attempts should not be a problem, but when I checked the SSH login log, connection attempts were being made with all sorts of usernames.

grep "invalid" /var/log/auth.log

Aug 19 16:19:07 sv-techlog sshd[75415]: Connection closed by invalid user oldboy 106.10.122.53 port 55524 [preauth]
Aug 19 16:19:47 sv-techlog sshd[75418]: Connection closed by invalid user lsy 106.10.122.53 port 49626 [preauth]
Aug 19 16:20:28 sv-techlog sshd[75427]: Connection closed by invalid user user1 106.10.122.53 port 43734 [preauth]
Aug 19 16:21:09 sv-techlog sshd[75436]: Connection closed by invalid user user1 106.10.122.53 port 37776 [preauth]
Aug 19 16:22:34 sv-techlog sshd[75451]: Connection closed by invalid user user 106.10.122.53 port 54122 [preauth]
Aug 19 16:23:57 sv-techlog sshd[75466]: Connection closed by invalid user oracle 106.10.122.53 port 42170 [preauth]
Aug 19 16:24:38 sv-techlog sshd[75479]: Connection closed by invalid user test01 106.10.122.53 port 36112 [preauth]
Aug 19 16:25:18 sv-techlog sshd[75488]: Connection closed by invalid user centos 106.10.122.53 port 58278 [preauth]
Aug 19 16:25:57 sv-techlog sshd[75495]: Connection closed by invalid user user1 106.10.122.53 port 52276 [preauth]
Aug 19 16:26:37 sv-techlog sshd[75502]: Connection closed by invalid user sysman 106.10.122.53 port 46230 [preauth]
Aug 19 16:27:58 sv-techlog sshd[75517]: Connection closed by invalid user gpuadmin 106.10.122.53 port 33914 [preauth]
Aug 19 16:28:40 sv-techlog sshd[75523]: Connection closed by invalid user user 106.10.122.53 port 55790 [preauth]
Aug 19 16:30:05 sv-techlog sshd[75543]: Connection closed by invalid user wxy 106.10.122.53 port 43252 [preauth]
Aug 19 16:30:47 sv-techlog sshd[75546]: Connection closed by invalid user samba 106.10.122.53 port 36972 [preauth]
Aug 19 16:31:27 sv-techlog sshd[75555]: Connection closed by invalid user lifei 106.10.122.53 port 58846 [preauth]
Aug 19 16:32:07 sv-techlog sshd[75565]: Connection closed by invalid user user 106.10.122.53 port 52446 [preauth]
Aug 19 16:32:48 sv-techlog sshd[75569]: Connection closed by invalid user user1 106.10.122.53 port 46014 [preauth]
Aug 19 16:33:29 sv-techlog sshd[75579]: Connection closed by invalid user admin 106.10.122.53 port 39564 [preauth]
Aug 19 16:34:10 sv-techlog sshd[75588]: Connection closed by invalid user tomcat 106.10.122.53 port 33188 [preauth]
Aug 19 16:36:58 sv-techlog sshd[75619]: Connection closed by invalid user user1 106.10.122.53 port 35734 [preauth]
Aug 19 16:37:39 sv-techlog sshd[75624]: Connection closed by invalid user nexus 106.10.122.53 port 57558 [preauth]
Aug 19 16:38:58 sv-techlog sshd[75642]: Connection closed by invalid user appltest 106.10.122.53 port 44530 [preauth]
Aug 19 16:39:38 sv-techlog sshd[75701]: Connection closed by invalid user zxd 106.10.122.53 port 37924 [preauth]
Aug 19 16:40:19 sv-techlog sshd[75710]: Connection closed by invalid user xjx 106.10.122.53 port 59698 [preauth]
Aug 19 16:41:42 sv-techlog sshd[75724]: Connection closed by invalid user litao 106.10.122.53 port 46838 [preauth]
Aug 19 16:43:06 sv-techlog sshd[75745]: Connection closed by invalid user hy 106.10.122.53 port 33720 [preauth]
Aug 19 16:43:47 sv-techlog sshd[75747]: Connection closed by invalid user user 106.10.122.53 port 55416 [preauth]
Aug 19 16:46:29 sv-techlog sshd[75788]: Connection closed by invalid user user 106.10.122.53 port 57414 [preauth]

oldboy, lsy, user1, user, oracle, test01, centos, gpuadmin, tomcat...

Those are some bad names...

Since certificate authentication is in use, this is fine, but it still feels really unpleasant...

So I decided to install fail2ban and ban them.

Installation

sudo apt install fail2ban -y
sudo systemctl enable fail2ban --now

Changing the configuration file

First, copy the configuration template to jail.local.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo vim /etc/fail2ban/jail.local

Change the following settings as needed.

Around line 101
# "bantime" is how long a host is banned. Specifying -1 makes the ban permanent
bantime = 24h

Around line 105
# A host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime  = 10m

Around line 108
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

Restart the service

sudo systemctl restart fail2ban

Verification

sudo fail2ban-client status sshd

ubuntu@sv-techlog:~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     549
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 183
   |- Total banned:     183
   `- Banned IP list:   ...
ubuntu@sv-techlog:~$ 

Total banned 183 is the number of IPs that have been banned.
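To make the bantime / findtime / maxretry rule concrete, here is an added Python example (not from the original post and not fail2ban's own code) that parses sshd "invalid user" lines in the same format as the auth.log excerpt above and replays the counting rule: an address that reaches maxretry failures inside one findtime window is banned for bantime. The sample log lines and the addresses 192.0.2.10, 203.0.113.5 and 198.51.100.7 are constructed, and the windowing is a simplified approximation of what fail2ban does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the auth.log excerpt above; 192.0.2.10,
# 203.0.113.5 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Aug 19 16:19:07 sv-techlog sshd[75415]: Connection closed by invalid user oldboy 192.0.2.10 port 55524 [preauth]
Aug 19 16:19:47 sv-techlog sshd[75418]: Connection closed by invalid user lsy 192.0.2.10 port 49626 [preauth]
Aug 19 16:20:28 sv-techlog sshd[75427]: Connection closed by invalid user user1 192.0.2.10 port 43734 [preauth]
Aug 19 16:21:09 sv-techlog sshd[75436]: Connection closed by invalid user user1 192.0.2.10 port 37776 [preauth]
Aug 19 16:22:34 sv-techlog sshd[75451]: Connection closed by invalid user user 192.0.2.10 port 54122 [preauth]
Aug 19 16:23:57 sv-techlog sshd[75466]: Accepted publickey for ubuntu from 198.51.100.7 port 42170 ssh2
Aug 19 17:00:00 sv-techlog sshd[75479]: Connection closed by invalid user test01 203.0.113.5 port 36112 [preauth]
Aug 19 17:20:00 sv-techlog sshd[75488]: Connection closed by invalid user centos 203.0.113.5 port 58278 [preauth]
Aug 19 17:40:00 sv-techlog sshd[75495]: Connection closed by invalid user user1 203.0.113.5 port 52276 [preauth]
Aug 19 18:00:00 sv-techlog sshd[75502]: Connection closed by invalid user sysman 203.0.113.5 port 46230 [preauth]
Aug 19 18:20:00 sv-techlog sshd[75517]: Connection closed by invalid user gpuadmin 203.0.113.5 port 33914 [preauth]
"""

# Matches the "invalid user" lines sshd writes for a rejected pre-auth attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Connection closed by invalid user (?P<user>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ \[preauth\]"
)

def parse_failures(log_text, year=2023):
    """Return [(timestamp, ip, user)] for every invalid-user line; syslog lines carry no year, so one is supplied."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other sshd lines (successful logins etc.) are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["ip"], m["user"]))
    return found

def would_ban(failures, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(hours=24)):
    """Replay the jail.local rule (simplified): an IP that reaches maxretry failures
    inside one findtime window is banned for bantime. Returns {ip: (banned_at, banned_until)}."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip, _user in sorted(failures):
        if ip in banned:
            continue  # already banned; fail2ban would be dropping this host's packets
        recent[ip] = [t for t in recent[ip] if ts - t < findtime]  # expire old failures
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry:
            banned[ip] = (ts, ts + bantime)
    return banned
```

With the page's settings (maxretry 5, findtime 10m) only 192.0.2.10 gets banned; 203.0.113.5 spreads its five attempts 20 minutes apart and never has five inside one window, which is the kind of slow scan a larger findtime would catch.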
