Use blacklistd to block brute-force attacks against sshd automatically.

Prerequisites
- ipfw

Enabling blacklistd

Ansible Playbook

freebsd.yaml
---
- hosts: all
  gather_facts: false
  become: true
  roles:
    - freebsd
roles/freebsd/tasks/main.yml
- name: blacklistd
  import_tasks: blacklistd.yaml
- name: sshd
  import_tasks: sshd.yaml
roles/freebsd/tasks/blacklistd.yaml
- name: Activate blacklistd
  community.general.sysrc:
    name: blacklistd_enable
    value: "YES"
  notify:
    - restart_blacklistd

- name: Update blacklistd flags
  community.general.sysrc:
    name: blacklistd_flags
    value: "-r"    # re-apply the blocks recorded in the database when blacklistd starts
  notify:
    - restart_blacklistd

- name: Create /etc/ipfw-blacklist.rc
  copy:
    dest: /etc/ipfw-blacklist.rc
    owner: root
    group: wheel
    mode: "0644"
    content: |
      ipfw_offset=2000
  notify:
    - restart_blacklistd
roles/freebsd/tasks/sshd.yaml
- name: Append Include
  lineinfile:
    path: /etc/ssh/sshd_config
    # escape the regex metacharacters so the pattern matches only the literal line
    regexp: '^Include /etc/ssh/sshd_config\.d/\*\.conf$'
    line: Include /etc/ssh/sshd_config.d/*.conf
  notify:
    - reload_sshd

- name: Ensure /etc/ssh/sshd_config.d exists
  file:
    path: /etc/ssh/sshd_config.d
    owner: root
    group: wheel
    mode: "0700"
    state: directory

- name: Add UseBlacklist to auth.conf
  lineinfile:
    path: /etc/ssh/sshd_config.d/auth.conf
    create: true
    owner: root
    group: wheel
    mode: "0600"
    regexp: '^UseBlacklist'
    line: UseBlacklist yes
  notify:
    - reload_sshd
roles/freebsd/handlers/main.yml
- name: Reload sshd service
  service:
    name: sshd
    state: reloaded
  listen:
    - reload_sshd

- name: Restart blacklistd service
  service:
    name: blacklistd
    state: restarted
  listen:
    - restart_blacklistd
Running the Ansible Playbook
ansible-playbook -i hosts freebsd.yaml
Results

The firewall rule is created automatically by blacklistd. Its number is ipfw_offset plus the port (2000 + 22 = 2022), and the table is named after the port.

# ipfw list | grep port22
02022 deny tcp from table(port22) to any 22

When blacklistd detects abusive behaviour, it records the IP address in its list automatically.
# blacklistctl dump -a
address/ma:port id nfail last access
XX.79.45.243/32:22 OK 20/3 XXXX/XX/XX XX:XX:XX
XX.248.35.30/32:22 OK 345/3 XXXX/XX/XX XX:XX:XX
XX.94.92.168/32:22 OK 4/3 XXXX/XX/XX XX:XX:XX
...
Addresses on the list are added to table(port22) automatically by blacklistd.

# ipfw table port22 list
XX.79.45.243/32 0
XX.248.35.30/32 0
XX.94.92.168/32 0
...
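The two listings above are the state a defender wants to keep in agreement: what blacklistd has recorded in its database and what ipfw is actually enforcing. The script below is an added example (not part of this post or of blacklistd itself) that parses `blacklistctl dump -a` output in the column layout shown above, flags entries that have reached their threshold, and reports blocked addresses missing from `ipfw table port22 list`. It assumes the nfail column is "failures seen / failures allowed" and that the id column holds the helper's output ("OK" for ipfw) and is empty until a block is installed; the sample data and the documentation-range addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `blacklistctl dump -a` output (RFC 5737 documentation
# addresses, not real attackers). The last entry is still below its threshold
# and therefore has no id yet.
SAMPLE_DUMP = """\
address/ma:port id nfail last access
203.0.113.45/32:22 OK 20/3 2024/01/05 10:11:12
198.51.100.30/32:22 OK 345/3 2024/01/05 10:12:13
192.0.2.168/32:22 OK 4/3 2024/01/05 10:13:14
192.0.2.200/32:22 2/3 2024/01/05 10:14:15
...
"""

# Constructed sample of `ipfw table port22 list`; 192.0.2.168 is deliberately
# absent so the consistency check below has something to report.
SAMPLE_TABLE = """\
203.0.113.45/32 0
198.51.100.30/32 0
"""

DUMP_LINE = re.compile(
    r"^(?P<addr>[0-9a-fA-F.:]+)/(?P<mask>\d+):(?P<port>\d+)\s+"
    r"(?:(?P<id>[^\s/]+)\s+)?"          # id column is absent until a block is installed
    r"(?P<nfail>\d+)/(?P<threshold>\d+)\s+"
    r"(?P<last>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    addr: str
    mask: int
    port: int
    id: str           # helper output ("OK" for ipfw), "" if nothing installed yet
    nfail: int        # failures seen
    threshold: int    # failures allowed before blocking (nfail in blacklistd.conf)
    last_access: str

    @property
    def cidr(self) -> str:
        return f"{self.addr}/{self.mask}"

    @property
    def blocked(self) -> bool:
        return self.nfail >= self.threshold


def parse_dump(text: str) -> list[Entry]:
    """Parse `blacklistctl dump -a` output; header, blank and '...' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(
            addr=m["addr"], mask=int(m["mask"]), port=int(m["port"]),
            id=m["id"] or "", nfail=int(m["nfail"]),
            threshold=int(m["threshold"]), last_access=m["last"],
        ))
    return entries


def parse_ipfw_table(text: str) -> set[str]:
    """Parse `ipfw table NAME list` output: one 'cidr value' pair per line."""
    cidrs = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and "/" in fields[0]:
            cidrs.add(fields[0])
    return cidrs


def missing_from_table(entries, table_cidrs, port=22):
    """Addresses blacklistd considers blocked on `port` that the ipfw table lacks."""
    return sorted(e.cidr for e in entries
                  if e.port == port and e.blocked and e.cidr not in table_cidrs)


def pending(entries, port=22):
    """Addresses with failures recorded but not yet at the threshold."""
    return sorted(e.cidr for e in entries if e.port == port and not e.blocked)


if __name__ == "__main__":
    ents = parse_dump(SAMPLE_DUMP)
    tbl = parse_ipfw_table(SAMPLE_TABLE)
    for e in ents:
        state = "BLOCKED" if e.blocked else "pending"
        print(f"{e.cidr:<20} port {e.port} {e.nfail}/{e.threshold} {state} last {e.last_access}")
    print("blocked in db but missing from table(port22):", missing_from_table(ents, tbl))
    print("not yet at threshold:", pending(ents))
```

On a live host, feed it the real output (for example `blacklistctl dump -a | python3 check.py` after replacing the constructed samples with stdin) and alert when `missing_from_table` is non-empty: that is the symptom of ipfw having been flushed or reloaded without blacklistd re-applying its blocks, which is exactly what the `-r` flag in the playbook is there to prevent at startup.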