How can I automatically block UDP short packets with Fail2Ban?

This log file, /var/log/kern.log, contains some IP addresses that I would like the system to ban/block automatically.

Basically, a packet comes in over UDP and is a short packet, so I would like the host that sent that packet to be banned in IPTables via Fail2Ban.

    03-serv:~# cat /var/log/kern.log | grep ' UDP: short packet: From '
    Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to xxxx:27015
    Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to xxxx:27015
    Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to xxxx:27015
    Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to xxxx:27015
    Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to xxxx:27015
    Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to xxxx:27015
    Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to xxxx:27015
    Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to xxxx:27015
    Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to xxxx:27015

Here is my latest jail in jail.conf:

    [ddos]
    enabled  = true
    port     = 27015
    protocol = udp
    filter   = ddos
    logpath  = /var/log/kern.log
    maxretry = 3
    bantime  = 6000

And here is my anti-short-UDP filter configuration in /etc/fail2ban/filter.d/ddos.conf:

    [Definition]
    # Option: failregex
    # Notes.: Auto block short UDP.
    # Values: TEXT
    #
    failregex = ^.*kernel: UDP: short packet: From <HOST>:.*$
    ignoreregex =

One solution collected from the web for “How can I automatically block UDP short packets with Fail2Ban?”

The failregex has to match the whole line and can take the form of a full regular expression, so something like:

     '^.*kernel: UDP: short packet: From <HOST>:.*$' 

You can test your regular expressions using (documentation):

     fail2ban-regex -v /var/log/kern.log /etc/fail2ban/filter.d/ddos.conf 

Tested and verified below:

    cwatson@loki:~$ cat ./kern.log
    Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to xxxx:27015
    Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to xxxx:27015
    Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to xxxx:27015
    Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to xxxx:27015
    Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to xxxx:27015
    Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to xxxx:27015
    Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to xxxx:27015
    Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to xxxx:27015
    Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to xxxx:27015
    cwatson@loki:~$ fail2ban-regex -v ./kern.log "^.*kernel: UDP: short packet: From <HOST>:.*$"

    Running tests
    =============

    Use failregex line : ^.*kernel: UDP: short packet: From <HOST>:.*$
    Use log file : ./kern.log

    Results
    =======

    Failregex: 9 total
    |-  #) [# of hits] regular expression
    |   1) [9] ^.*kernel: UDP: short packet: From <HOST>:.*$
    |  74.60.6.213  Fri Dec 19 16:05:12 2014
    |  1.215.252.130  Fri Dec 19 16:05:57 2014
    |  184.0.249.136  Fri Dec 19 16:08:17 2014
    |  1.214.66.49  Fri Dec 19 16:09:54 2014
    |  1.214.214.2  Fri Dec 19 16:11:28 2014
    |  74.60.171.197  Fri Dec 19 18:00:45 2014
    |  112.155.240.24  Fri Dec 19 18:00:59 2014
    |  1.220.200.162  Sat Dec 20 16:02:07 2014
    |  1.215.123.171  Sat Dec 20 16:02:30 2014
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [9] MONTH Day Hour:Minute:Second
    |  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
    |  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
    |  [0] WEEKDAY MONTH Day Hour:Minute:Second
    |  [0] Year/Month/Day Hour:Minute:Second
    |  [0] Day/Month/Year Hour:Minute:Second
    |  [0] Day/Month/Year2 Hour:Minute:Second
    |  [0] Day/MONTH/Year:Hour:Minute:Second
    |  [0] Month/Day/Year:Hour:Minute:Second
    |  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
    |  [0] Year-Month-Day Hour:Minute:Second
    |  [0] Year.Month.Day Hour:Minute:Second
    |  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    |  [0] Day-Month-Year Hour:Minute:Second
    |  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
    |  [0] TAI64N
    |  [0] Epoch
    |  [0] ISO 8601
    |  [0] Hour:Minute:Second
    |  [0] <Month/Day/Year@Hour:Minute:Second>
    |  [0] YearMonthDay Hour:Minute:Second
    |  [0] Month-Day-Year Hour:Minute:Second
    `-

    Lines: 9 lines, 0 ignored, 9 matched, 0 missed
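As an added illustration (not part of the answer above, and not Fail2Ban's own code), the following Python script mimics what the jail does with the filter: it expands the `<HOST>` tag into a host-matching group, extracts the source address from each kern.log line, and then applies the jail's `maxretry` threshold. The `<HOST>` expansion is a simplified stand-in for Fail2Ban's (IPv4 and hostnames only, an assumption), and the sample lines are constructed; `findtime` is ignored. It also shows the caveat that matters for the configuration above: in the original nine-line excerpt every address appears exactly once, so with `maxretry = 3` none of them would actually be banned.

```python
import re
from collections import Counter

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption: IPv4 or a
# DNS-style hostname; IPv6 is not handled by this toy version).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]+)"

# The failregex from the ddos.conf filter shown above.
FAILREGEX = r"^.*kernel: UDP: short packet: From <HOST>:.*$"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a Fail2Ban failregex containing <HOST> into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def extract_hosts(lines, failregex):
    """Return the <HOST> capture of every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = pattern.match(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(hosts, maxretry):
    """Hosts whose hit count reaches maxretry (findtime window ignored here)."""
    counts = Counter(hosts)
    return sorted(host for host, hits in counts.items() if hits >= maxretry)


# Constructed sample lines in the same format as the kern.log excerpt above;
# one source repeats three times, one line is unrelated kernel noise.
SAMPLE_LOG = [
    "Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to xxxx:27015",
    "Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to xxxx:27015",
    "Dec 19 16:06:10 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to xxxx:27015",
    "Dec 19 16:06:40 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to xxxx:27015",
    "Dec 19 16:07:00 03-serv kernel: martian source 10.0.0.5 from 192.0.2.1, on dev eth0",
]

if __name__ == "__main__":
    hits = extract_hosts(SAMPLE_LOG, FAILREGEX)
    print("matched hosts:", hits)
    print("banned with maxretry=3:", hosts_to_ban(hits, maxretry=3))
    print("banned with maxretry=1:", hosts_to_ban(hits, maxretry=1))
```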