Guide to Applying an SSH Security Script
Joon Park (Cloud Engineer) @ IBM Korea

1. Introduction to Fail2ban

  – Fail2ban is a log-monitoring daemon for Linux that protects SSH (and other services) against brute-force attacks (password guessing). This guide installs and configures it with an automatic installation script published by a third party; the script is the installer, not Fail2ban itself.
  – How it works: Fail2ban watches the OS login logs (/var/log/secure on CentOS, /var/log/auth.log on Ubuntu/Debian). Once an IP exceeds the user-defined number of failed logins, that IP is blocked for a set period by an iptables rule.
  – Supported operating systems (as stated by the script author): CentOS, Ubuntu, Debian
  – IBM Cloud (tested): CentOS 6.x, CentOS 7.x, Ubuntu 14.04, Ubuntu 16.04
  – Script author's GitHub: https://github.com/FunctionClub/Fail2ban

2. Installing Fail2ban

  – The script must be run as root.
  – It uses the automatic installation script published on the author's GitHub. Because the command below executes code fetched from the internet as root, download the script and read it before running it rather than piping it straight into bash.
# wget https://raw.githubusercontent.com/FunctionClub/Fail2ban/master/fail2ban.sh && bash fail2ban.sh 2>&1 | tee fail2ban.log
Once the script has been downloaded it moves on to the installation prompts shown below.
– Do you want to change your SSH Port? [y/n]:
  => The default SSH port is TCP 22; to change it, enter a port number between 1025 and 65534. If you change it, open the new port in any firewall or security group in front of the server (and, on CentOS 7 with SELinux enforcing, allow it for sshd with semanage port) before closing your current session, then reconnect with ssh -p <port>.
– Input the maximum times for trying [2-10]:
  => The threshold: how many failed SSH logins are allowed before the source IP is banned.
– Input the lasting time for blocking a IP [hours]:
  => How long, in hours, an IP that reaches the failure threshold stays banned.
  – When installation succeeds, the message "Fail2ban is now running on this server now!" is shown.
  – You can also confirm that the /etc/fail2ban directory has been created.
  – The thresholds entered during installation are written to /etc/fail2ban/jail.local.
  => For the values used in this guide (3 attempts, 1 hour): failed-login count (maxretry = 3), ban time (bantime = 3600 seconds)

3. Verifying that Fail2ban works

  – Once installation is complete, connect to the server. Server IP (example): 10.10.10.10
  – For the test, deliberately enter the wrong password maxretry times (3 in this guide); from then on connections from your IP are rejected:
    => ssh: connect to host 10.10.10.10 port 22: Connection refused
  – Looking at /var/log/fail2ban.log you can see the three failed attempts from the client IP 192.168.1.1 being counted ("fail2ban.filter") and the IP then being banned ("fail2ban.actions").
  – The ban itself is an iptables rule at the OS level, not a change to sshd, so the currently banned IPs can be checked on the server by listing the Fail2ban jail status or the iptables chains. "Connection refused" appears because the rule rejects the packets with an ICMP error; a rule that dropped them silently would show a timeout instead.
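To make that check concrete, here is an added example (not part of the original guide or the FunctionClub script). The first part reduces fail2ban.log lines in the format quoted above to "who is banned right now" and "how many failures the filter counted per IP"; the log lines are constructed samples, with the guide's 192.168.1.1 as the client and 203.0.113.7 as a second, still-banned address. The second part runs the live checks on a server where fail2ban-client is installed; the jail name and iptables chain name differ between Fail2ban versions, so the jail list is read from fail2ban-client rather than assumed.

```shell
#!/bin/sh
# Added example for this guide; not code from the FunctionClub installer.
# Part 1: reduce fail2ban.log to "who is banned right now".
# Part 2: the live checks to run on the server itself.

# Constructed sample in the fail2ban.log column layout of 0.9+. "Found" lines
# are the filter counting failures; "Ban"/"Unban" lines are the actions.
SAMPLE_LOG='2017-08-14 10:00:01,101 fail2ban.filter         [2301]: INFO    [sshd] Found 192.168.1.1
2017-08-14 10:00:04,202 fail2ban.filter         [2301]: INFO    [sshd] Found 192.168.1.1
2017-08-14 10:00:07,303 fail2ban.filter         [2301]: INFO    [sshd] Found 192.168.1.1
2017-08-14 10:00:07,404 fail2ban.actions        [2301]: NOTICE  [sshd] Ban 192.168.1.1
2017-08-14 10:30:00,505 fail2ban.actions        [2301]: NOTICE  [sshd] Ban 203.0.113.7
2017-08-14 11:00:07,606 fail2ban.actions        [2301]: NOTICE  [sshd] Unban 192.168.1.1'

# Failed-login matches per IP, as counted by the filter toward maxretry.
# Reads log text on stdin and keys on the last two columns, so the older 0.8
# layout ("fail2ban.filter: INFO [ssh-iptables] Found 1.2.3.4") works as well.
failure_counts() {
    awk '$(NF-1) == "Found" { n[$NF]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# IPs with a Ban that has not yet been followed by an Unban.
currently_banned() {
    awk '$(NF-1) == "Ban"   { banned[$NF] = 1 }
         $(NF-1) == "Unban" { delete banned[$NF] }
         END { for (ip in banned) print ip }' | sort
}

# Live checks (run on the server; iptables needs root). Jail and chain names
# differ between versions (ssh-iptables/fail2ban-ssh on 0.8, sshd/f2b-sshd on
# 0.9+), so the jail list is read from fail2ban-client and the chain is
# matched by either prefix.
live_status() {
    jails=$(fail2ban-client status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' ' ')
    for jail in $jails; do
        fail2ban-client status "$jail"
    done
    iptables -L -n | grep -iE 'fail2ban|f2b'
}

printf '%s\n' "$SAMPLE_LOG" | failure_counts
printf '%s\n' "$SAMPLE_LOG" | currently_banned
if command -v fail2ban-client >/dev/null 2>&1; then
    live_status
fi
```

On the server, `fail2ban-client status <jail>` lists the banned IPs the daemon believes are active and `iptables -L -n` shows the rules that actually enforce them; if the two disagree (for example after an iptables restart flushed the chain), restarting fail2ban re-creates the rules.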

4. Removing Fail2ban

  – If Fail2ban is no longer needed at the server level, for example because a network-level firewall has been put in front of the server, it can be removed with the "uninstall" script provided by the author:
# wget https://raw.githubusercontent.com/FunctionClub/Fail2ban/master/uninstall.sh && bash uninstall.sh
As shown in the screenshot above, after the "Complete!" message appears, /var/log/fail2ban.log shows the currently banned IP 192.168.1.1 being released ("Unban") and Fail2ban shutting down ("Exiting Fail2ban").

5. Applying Fail2ban automatically when a server is provisioned

  – IBM Cloud (IaaS) can install a script such as this Fail2ban installer automatically when a server is ordered, through its "Provisioning Script" (post-install script) feature.
  – First, in the Cloud Portal (http://control.softlayer.com) go to "Devices" -> "Manage" -> "Provisioning Script".

Enter a name for the script and the URL where it is hosted, then click "Add". Because the new server fetches and runs this URL as root during provisioning, host the script in a repository you control and pin the URL to a specific commit rather than a branch.
  => https://raw.githubusercontent.com/joonp/sl_fail2ban/master/sl_fail2ban.sh
  – When ordering a server you can then select the "Provisioning Script" entered above.
  – Once the server has been provisioned, log in and use the steps in this guide to confirm that the fail2ban service is running correctly.
  – Support status as of 14 August 2017
    . The author's script is confirmed to support CentOS 6.x, 7.x, Ubuntu 14.04, 16.04
    . The Provisioning Script is confirmed to support CentOS 6.x, 7.x, Ubuntu 14.04
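The following is an added example, written for this guide and not the author's sl_fail2ban.sh or the FunctionClub installer. It serves both section 2 (it shows the jail.local that the interactive prompts produce, with maxretry = 3 and bantime = 3600) and this section: a non-interactive provisioning script that installs Fail2ban from the distro repositories, writes that jail.local and enables the service, with no prompts to answer. The option names and paths are Fail2ban's own; FINDTIME and IGNOREIP are assumed defaults chosen here, and the jail layout is that of Fail2ban 0.9+.

```shell
#!/bin/sh
# Added example for this guide. Not the author's sl_fail2ban.sh and not the
# FunctionClub installer: a non-interactive provisioning script that installs
# Fail2ban from the distro repositories and writes a jail.local with the
# values this guide uses (maxretry = 3, bantime = 3600). FINDTIME and
# IGNOREIP are assumed defaults chosen here; the option names are Fail2ban's.
set -u

MAXRETRY="${MAXRETRY:-3}"           # failed logins allowed before a ban
BANTIME="${BANTIME:-3600}"          # ban length in seconds (1 hour)
FINDTIME="${FINDTIME:-600}"         # window in which the failures must occur
IGNOREIP="${IGNOREIP:-127.0.0.1/8}" # never banned: add your admin/bastion IP here
SSH_PORT="${SSH_PORT:-22}"          # must match the port sshd actually listens on

# CentOS logs SSH failures to /var/log/secure, Ubuntu/Debian to /var/log/auth.log.
auth_log() {
    if [ -f /var/log/secure ]; then echo /var/log/secure; else echo /var/log/auth.log; fi
}

# Print the jail.local content. Kept as a function so it can be reviewed
# (or tested) before anything is written under /etc.
render_jail_local() {
    cat <<EOF
[DEFAULT]
ignoreip  = ${IGNOREIP}
bantime   = ${BANTIME}
findtime  = ${FINDTIME}
maxretry  = ${MAXRETRY}
banaction = iptables-multiport

[sshd]
enabled = true
port    = ${SSH_PORT}
filter  = sshd
logpath = $(auth_log)
EOF
}

install_fail2ban() {
    if command -v yum >/dev/null 2>&1; then
        yum -y install epel-release && yum -y install fail2ban
    else
        apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install fail2ban
    fi
}

apply() {
    install_fail2ban
    render_jail_local > /etc/fail2ban/jail.local
    # Enable at boot and (re)start; the else branch covers CentOS 6 without systemd.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl enable fail2ban && systemctl restart fail2ban
    else
        chkconfig fail2ban on && service fail2ban restart
    fi
    fail2ban-client status
}

# Only touch the system when run as root with APPLY=1 (as the provisioning
# hook would); otherwise just print the configuration that would be written.
if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = "1" ]; then
    apply
else
    render_jail_local
fi
```

Run it as root with APPLY=1 from the provisioning hook; without APPLY=1 it only prints the jail.local so the settings can be reviewed. If you changed the SSH port in section 2, set SSH_PORT to match, and put the IP you administer from in IGNOREIP so that mistyping your own password cannot lock you out.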

1 comment on "Guide to Applying an SSH Security Script"

  1. Thanks for the information.
