Recently someone has been repeatedly trying to log into the server without authorization, with over a thousand login attempts every day, so I installed fail2ban on the server. The installation and configuration steps are recorded here for future reference.
Fail2ban scans log files such as /var/log/auth.log and bans IP addresses that make too many failed login attempts. It does this by updating the system firewall rules to reject new connections from those IP addresses for a configurable amount of time. Fail2ban comes out of the box ready to read many standard log files, such as those for sshd and Apache, and can easily be configured to read any log file of your choosing, looking for any error you wish (translated from the introduction on the fail2ban website).
fail2ban is written in Python and requires Python 3.5 or later, while CentOS 7 ships with Python 2 by default, so Python 3 has to be installed first. Here it is compiled from source and installed under /usr/local/python3. Never replace the system's own python2 with python3, because yum and other programs are not compatible with python3.
1. Compiling and installing Python 3 from source
wget https://www.python.org/ftp/python/3.7.17/Python-3.7.17.tgz
tar zxvf Python-3.7.17.tgz
cd Python-3.7.17
./configure --prefix=/usr/local/python3 --enable-optimizations
make -j4
make install
2. Installing fail2ban
git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
sudo python3 setup.py install
# check that fail2ban was installed successfully
fail2ban-client -h
The fail2ban configuration files are installed under /etc/fail2ban. Copy fail2ban.service from the build directory to /lib/systemd/system/, after which fail2ban can be started and stopped with systemctl.
cat /lib/systemd/system/fail2ban.service
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service

[Service]
Type=simple
Environment="PYTHONNOUSERSITE=1"
ExecStartPre=/bin/mkdir -p /run/fail2ban
ExecStart=/usr/local/python3/bin/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/local/python3/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/local/python3/bin/fail2ban-client stop
ExecReload=/usr/local/python3/bin/fail2ban-client reload
PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255

[Install]
WantedBy=multi-user.target
3. Basic configuration
Only sshd protection is set up here. The main changes are to /etc/fail2ban/jail.conf, together with a new /etc/fail2ban/jail.d/sshd file; only the modified parts are listed below and everything else can keep its default value (the configuration file documents every option in detail, so consult it as needed).
# /etc/fail2ban/jail.conf
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
# adjust to match your own sshd configuration
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 192.168.2.105
bantime = 86400
findtime = 300
maxretry = 3
banaction = firewallcmd-rich-rules
backend = systemd

[sshd]
enabled = true
# /etc/fail2ban/jail.d/sshd.conf
# protection rules for sshd
[sshd]
enabled = true
maxretry = 5
findtime = 10m
bantime = 24h
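To make the jail parameters above concrete, here is an added toy model of a jail's ban decision (example code, not fail2ban's own implementation): it replays constructed /var/log/secure-style sshd lines through the findtime window, maxretry threshold, bantime and ignoreip logic using the jail.local values. The host name, PIDs and addresses in the sample log are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# "Failed password" lines as sshd writes them to /var/log/secure; group 1 = timestamp, group 2 = source IP
FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
def parse_failed_login(line, year=2023):
    """Return (timestamp, source ip) for a failed-login line, else None (syslog lines carry no year)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)
def simulate_jail(lines, findtime=300, maxretry=3, bantime=86400, ignoreip=("192.168.2.105",)):
    """Replay log lines through a jail; return [(ban timestamp, ip), ...] in log order. Defaults mirror jail.local above."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    banned_until = {}             # ip -> when its ban expires
    bans = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue              # not a failure event: the filter ignores it
        ts, ip = parsed
        if ip in ignoreip:
            continue              # ignoreip: never counted, never banned
        if ts < banned_until.get(ip, ts):
            continue              # still banned: the firewall rule would have dropped this
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ts, ip))
            window.clear()
    return bans

# Constructed sample in /var/log/secure format (host name, PIDs and addresses are made up)
SAMPLE_LOG = """\
Oct  4 18:40:01 ydapp1 sshd[30201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  4 18:40:05 ydapp1 sshd[30203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct  4 18:41:10 ydapp1 sshd[30210]: Failed password for root from 198.51.100.9 port 40022 ssh2
Oct  4 18:42:30 ydapp1 sshd[30215]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct  4 18:43:00 ydapp1 sshd[30220]: Failed password for root from 192.168.2.105 port 50000 ssh2
Oct  4 18:43:05 ydapp1 sshd[30221]: Failed password for root from 192.168.2.105 port 50001 ssh2
Oct  4 18:43:09 ydapp1 sshd[30222]: Failed password for root from 192.168.2.105 port 50002 ssh2
Oct  4 18:44:00 ydapp1 sshd[30225]: Accepted publickey for deploy from 198.51.100.9 port 40025 ssh2
Oct  4 18:45:00 ydapp1 sshd[30228]: Failed password for root from 203.0.113.7 port 51260 ssh2
Oct  4 18:50:00 ydapp1 sshd[30230]: Failed password for root from 198.51.100.9 port 40030 ssh2
Oct  4 19:02:00 ydapp1 sshd[30240]: Failed password for root from 198.51.100.9 port 40041 ssh2
""".splitlines()
```

With the defaults only 203.0.113.7 is banned (three failures inside 300 s), while 198.51.100.9 spreads its three failures over 21 minutes and is never banned unless findtime is raised; the same trade-off applies to the real jail. Because fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, and a value in the [sshd] section always wins over [DEFAULT], the jail.d/sshd.conf values above (maxretry = 5, findtime = 10m) are the ones in effect for sshd; `fail2ban-client get sshd maxretry` confirms which value the running server uses.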
4. Running and checking
systemctl enable fail2ban.service
systemctl start fail2ban
systemctl status fail2ban
# output like the following means the service started normally
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-10-04 18:37:48 CST; 5s ago
     Docs: man:fail2ban(1)
  Process: 30143 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 30146 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─30146 /usr/local/python3/bin/python3 /usr/local/python3/bin/fail2ban-server -xf start

Oct 04 18:37:48 ydapp1 systemd[1]: Starting Fail2Ban Service...
Oct 04 18:37:48 ydapp1 systemd[1]: Started Fail2Ban Service.
Oct 04 18:37:49 ydapp1 fail2ban-server[30146]: Server ready

# fail2ban-client version shows the version number
fail2ban-client version
1.1.0.dev1

# fail2ban-client status shows the jail status
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list: