1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
我的博客已迁移到xdoujiang.com请去那边和我交流
一、基础环境
1、fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作
(一般情况下是调用防火墙屏蔽),如:当有人在试探你的SSH、SMTP、FTP密码,只要达到你预设的次数,
fail2ban就会调用防火墙屏蔽这个IP,而且可以发送e-mail通知系统管理员,是一款很实用、很强大的软件!
2、版本
cat
/etc/debian_version
7.4
3、ip
10.131.172.202
二、安装fail2ban
1、apt或dpkg安装
apt-get -y
install
fail2ban
或
dpkg -i fail2ban_0.8.6-3wheezy3_all.deb
PS:下载地址
http:
//ftp
.cn.debian.org
/debian/pool/main/f/fail2ban/fail2ban_0
.8.6-3wheezy3_all.deb
2、查看配置
ll
/etc/fail2ban/
drwxr-xr-x 2 root root 4096 Jun 19 14:15 action.d
-rw-r--r-- 1 root root 853 Nov 29 2011 fail2ban.conf
drwxr-xr-x 2 root root 4096 Jun 19 15:43 filter.d
-rw-r--r-- 1 root root 7347 Jun 19 15:51 jail.conf
3、修改配置支持
ssh
和apache
cat
/etc/fail2ban/jail
.
local
(PS:这个配置文件一定是以.
local
结尾的)
[DEFAULT]
ignoreip = 127.0.0.1
/8
172.31.0.0
/24
10.0.0.0
/8
192.168.0.0
/24
bantime = 86400
maxretry = 10
findtime = 600
[
ssh
-iptables]
enabled =
true
port = 55000
filter = sshd
logpath =
/var/log/auth
.log
maxretry = 5
[apache]
enabled =
true
port = 80,443
filter = apache-auth
logpath =
/var/log/apache
*/*error.log
maxretry = 6
[apache-noscript]
enabled =
true
port = 80,443
filter = apache-noscript
logpath =
/var/log/apache
*/*error.log
maxretry = 6
[apache-overflows]
enabled =
true
port = 80,443
filter = apache-overflows
logpath =
/var/log/apache
*/*error.log
maxretry = 2
[apache-nohome]
enabled =
true
port = 80,443
filter = apache-nohome
logpath =
/var/log/apache
*/*error.log
maxretry = 2
PS:我这里
ssh
端口是55000 apache是80
netstat
-tupnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID
/Program
name
tcp 0 0 0.0.0.0:55000 0.0.0.0:* LISTEN 29921
/sshd
tcp 0 0 127.0.0.1:9898 0.0.0.0:* LISTEN 30949
/barad_agent
tcp6 0 0 :::80 :::* LISTEN 3964
/apache2
tcp6 0 0 :::55000 :::* LISTEN 29921
/sshd
4、重启服务
/etc/init
.d
/fail2ban
restart
[ ok ] Restarting authentication failure monitor: fail2ban.
5、查看日志
2015-06-19 22:06:37,139 fail2ban.server : INFO Changed logging target to
/var/log/fail2ban
.log
for
Fail2ban v0.8.6
2015-06-19 22:06:37,140 fail2ban.jail : INFO Creating new jail
'apache'
2015-06-19 22:06:37,140 fail2ban.jail : INFO Jail
'apache'
uses Gamin
2015-06-19 22:06:37,149 fail2ban.filter : INFO Added logfile =
/var/log/apache2/svn_error
.log
2015-06-19 22:06:37,150 fail2ban.filter : INFO Set maxRetry = 6
2015-06-19 22:06:37,151 fail2ban.filter : INFO Set findtime = 600
2015-06-19 22:06:37,151 fail2ban.actions: INFO Set banTime = 86400
2015-06-19 22:06:37,154 fail2ban.jail : INFO Creating new jail
'apache-noscript'
2015-06-19 22:06:37,154 fail2ban.jail : INFO Jail
'apache-noscript'
uses Gamin
2015-06-19 22:06:37,155 fail2ban.filter : INFO Added logfile =
/var/log/apache2/svn_error
.log
2015-06-19 22:06:37,155 fail2ban.filter : INFO Set maxRetry = 6
2015-06-19 22:06:37,156 fail2ban.filter : INFO Set findtime = 600
2015-06-19 22:06:37,157 fail2ban.actions: INFO Set banTime = 86400
2015-06-19 22:06:37,161 fail2ban.jail : INFO Creating new jail
'apache-overflows'
2015-06-19 22:06:37,161 fail2ban.jail : INFO Jail
'apache-overflows'
uses Gamin
2015-06-19 22:06:37,161 fail2ban.filter : INFO Added logfile =
/var/log/apache2/svn_error
.log
2015-06-19 22:06:37,162 fail2ban.filter : INFO Set maxRetry = 2
2015-06-19 22:06:37,163 fail2ban.filter : INFO Set findtime = 600
2015-06-19 22:06:37,163 fail2ban.actions: INFO Set banTime = 86400
2015-06-19 22:06:37,166 fail2ban.jail : INFO Creating new jail
'ssh-iptables'
2015-06-19 22:06:37,167 fail2ban.jail : INFO Jail
'ssh-iptables'
uses Gamin
2015-06-19 22:06:37,167 fail2ban.filter : INFO Added logfile =
/var/log/auth
.log
2015-06-19 22:06:37,167 fail2ban.filter : INFO Set maxRetry = 5
2015-06-19 22:06:37,169 fail2ban.filter : INFO Set findtime = 600
2015-06-19 22:06:37,169 fail2ban.actions: INFO Set banTime = 86400
2015-06-19 22:06:37,188 fail2ban.jail : INFO Creating new jail
'apache-nohome'
2015-06-19 22:06:37,188 fail2ban.jail : INFO Jail
'apache-nohome'
uses Gamin
2015-06-19 22:06:37,189 fail2ban.filter : INFO Added logfile =
/var/log/apache2/svn_error
.log
2015-06-19 22:06:37,189 fail2ban.filter : INFO Set maxRetry = 2
2015-06-19 22:06:37,190 fail2ban.filter : INFO Set findtime = 600
2015-06-19 22:06:37,191 fail2ban.actions: INFO Set banTime = 86400
2015-06-19 22:06:37,194 fail2ban.jail : INFO Jail
'apache'
started
2015-06-19 22:06:37,196 fail2ban.jail : INFO Jail
'apache-noscript'
started
2015-06-19 22:06:37,197 fail2ban.jail : INFO Jail
'apache-overflows'
started
2015-06-19 22:06:37,198 fail2ban.jail : INFO Jail
'ssh-iptables'
started
2015-06-19 22:06:37,200 fail2ban.jail : INFO Jail
'apache-nohome'
started
6、查看iptables已经生效了
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt
source
destination
fail2ban-apache-nohome tcp -- 0.0.0.0
/0
0.0.0.0
/0
multiport dports 80,443
fail2ban-
ssh
-iptables tcp -- 0.0.0.0
/0
0.0.0.0
/0
multiport dports 55000
fail2ban-apache-overflows tcp -- 0.0.0.0
/0
0.0.0.0
/0
multiport dports 80,443
fail2ban-apache-noscript tcp -- 0.0.0.0
/0
0.0.0.0
/0
multiport dports 80,443
fail2ban-apache tcp -- 0.0.0.0
/0
0.0.0.0
/0
multiport dports 80,443
Chain FORWARD (policy ACCEPT)
target prot opt
source
destination
Chain OUTPUT (policy ACCEPT)
target prot opt
source
destination
Chain fail2ban-apache (1 references)
target prot opt
source
destination
RETURN all -- 0.0.0.0
/0
0.0.0.0
/0
Chain fail2ban-apache-nohome (1 references)
target prot opt
source
destination
RETURN all -- 0.0.0.0
/0
0.0.0.0
/0
Chain fail2ban-apache-noscript (1 references)
target prot opt
source
destination
RETURN all -- 0.0.0.0
/0
0.0.0.0
/0
Chain fail2ban-apache-overflows (1 references)
target prot opt
source
destination
RETURN all -- 0.0.0.0
/0
0.0.0.0
/0
Chain fail2ban-
ssh
-iptables (1 references)
target prot opt
source
destination
RETURN all -- 0.0.0.0
/0
0.0.0.0
/0
7、使用fail2ban-client命令查看状态
fail2ban-client status
Status
|- Number of jail: 5
- Jail list: apache, apache-overflows, apache-nohome, apache-noscript,
ssh
-iptables
8、更细致的查看某个项
fail2ban-client status
ssh
-iptables
Status
for
the jail:
ssh
-iptables
|- filter
| |- File list:
/var/log/auth
.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
9、将服务加入到开机启动
update-rc.d fail2ban defaults
update-rc.d: using dependency based boot sequencing
10、查看下日志轮询信息
cat
/etc/logrotate
.d
/fail2ban
/var/log/fail2ban
.log {
weekly
rotate 4
compress
delaycompress
missingok
postrotate
fail2ban-client
set
logtarget
/var/log/fail2ban
.log >
/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
}
三、参考文章
http:
//xmodulo
.com
/how-to-protect-ssh-server-from-brute-force-attacks-using-fail2ban
.html
https:
//linux
.cn
/article-5068-qqmail
.html
|
本文转自 xdoujiang 51CTO博客,原文链接:http://blog.51cto.com/7938217/1652970,如需转载请自行联系原作者