Using Fail2Ban to defend against unauthorized login attacks
Confluence includes a rate-limiting mechanism that allows you to control how many requests automation scripts can make and how often they can make them.
External tools like Fail2Ban can be used in addition to this, to help address specific scenarios like blocking IPs with excessive failed login attempts.
What is Fail2Ban
We need a means of defending sites against brute-force login attempts. Fail2Ban is a Python application that trails logfiles, looks for regular expressions and works with Shorewall (or directly with iptables) to apply temporary blacklists against addresses that match a pattern too often. This can be used to limit the rate at which a given machine hits login URLs for Confluence.
Prerequisites
- Python 2.4 or later must be installed
- An Apache reverse proxy must be installed
- A specific file to follow is required; that is, the Apache instance must record Confluence access in a known logfile. The settings below must be adjusted to match it.
How to set it up
This list is a skeleton version of the instructions.
- There's an RPM available for RHEL on the download page, but you can also download the source and set it up manually.
- The configuration files are stored in /etc/fail2ban.
- The generic default configuration is stored in .conf files (fail2ban.conf and jail.conf). Don't change these files, because doing so makes upgrading difficult.
- Overrides to the generic configuration go into .local files corresponding to the .conf files. These only need to contain the specific settings you want to be overridden, which helps maintainability.
- Filters go into filter.d — this is where you define regexps, each going into its own file.
- Actions go into action.d — you probably won't need to add one, but it's handy to know what's available.
- "jails" are a configuration unit that specify one regexp to check, and one or more actions to trigger when the threshold is reached, plus the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds).
- Jails are configured in jail.conf and jail.local. Each one needs enabled to be set; an incorrect configuration that is enabled and a correct configuration that is disabled are equally a problem.
Running Fail2Ban
- Use /etc/init.d/fail2ban {start|stop|status} for the obvious operations
- Use fail2ban-client -d to dump the current configuration to STDOUT. This is very useful for troubleshooting.
- Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with a simple regexp.
- It can log either to syslog or a file, whichever suits your needs better.
Common configuration
jail.local
# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using a space separator.
# ignoreip = <space-separated list of IPs>
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 60
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
[ssh-iptables]
enabled = false
[apache-shorewall]
enabled = true
# The filter name must match the file in filter.d (confluence-login.conf below).
filter = confluence-login
action = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling
Configuration for Confluence
The following is an example configuration; in practice, adjust it to suit your own site.
filter.d/confluence-login.conf
[Definition]
failregex = <HOST>.*"GET /login.action
ignoreregex =
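To show how the jail thresholds (findtime, maxretry, bantime) and this filter behave together, here is an added Python model of one jail. It is not code from the page or from the Fail2Ban project: it applies the page's failregex to a few constructed Apache access-log lines and records which hosts would be banned. The `(?P<host>\S+)` stand-in for `<HOST>`, the sample addresses and timestamps, and the ignoreip value are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold settings taken from the jail.local on the page.
FINDTIME = 60      # seconds: window in which matches are counted
MAXRETRY = 3       # matches within findtime that trigger a ban
BANTIME = 600      # seconds a host stays banned
IGNOREIP = {"127.0.0.1"}   # constructed value for "ignoreip"

# The page's filter is: failregex = <HOST>.*"GET /login.action
# fail2ban replaces <HOST> with a host-capturing group; (?P<host>\S+) is a
# simplified stand-in (assumption: the client address is the first field of
# the Apache access-log line, as in the common/combined formats).
FAILREGEX = re.compile(r'(?P<host>\S+).*"GET /login\.action')

# Apache log timestamp, e.g. [10/Oct/2023:13:55:36 +0000]
TIMESTAMP_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Constructed sample access log: one client hammering the login page,
# one client visiting it occasionally, and one request from localhost.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "GET /dashboard.action HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:12 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:20 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:00:00 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:14:00:01 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "curl/7.0"
"""


def parse_line(line):
    """Return (host, datetime) if the line matches failregex, else None."""
    m = FAILREGEX.search(line)
    t = TIMESTAMP_RE.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")


class Jail:
    """Minimal model of one fail2ban jail: one failregex, one threshold, one ban list."""

    def __init__(self, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME, ignoreip=IGNOREIP):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.hits = defaultdict(deque)   # host -> timestamps of recent matches
        self.bans = {}                   # host -> time the ban expires

    def feed(self, line):
        """Process one log line; return True if the host is banned after this line."""
        parsed = parse_line(line)
        if parsed is None:
            return False
        host, now = parsed
        if host in self.ignoreip:
            return False
        # Lift a ban whose bantime has elapsed (fail2ban's unban action).
        if host in self.bans and now >= self.bans[host]:
            del self.bans[host]
        if host in self.bans:
            return True   # still banned; the firewall would have dropped this request
        window = self.hits[host]
        window.append(now)
        # Keep only the matches that fall inside the findtime window.
        while window and now - window[0] > self.findtime:
            window.popleft()
        # fail2ban bans once a host reaches maxretry matches within findtime.
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            window.clear()
            return True
        return False


def run_jail(log_text, **settings):
    """Feed every line of an access log through a Jail; return {host: ban expiry (ISO)}."""
    jail = Jail(**settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return {host: expiry.isoformat() for host, expiry in jail.bans.items()}


if __name__ == "__main__":
    for host, until in run_jail(SAMPLE_LOG).items():
        print(f"{host} banned until {until}")
```

Two things the model makes visible: the regex counts every GET of /login.action, not only failed logins, so a legitimate user who reloads the login page a few times within findtime is banned just like an attacker (ignoreip is the escape hatch for trusted addresses), and raising findtime widens the window enough that slow, spaced-out requests also cross the threshold. Before enabling the jail on a real log, `fail2ban-regex <logfile> <filterfile>` (a tool shipped with Fail2Ban) reports which lines the filter matches.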