1. Introduction to Fail2Ban
2. Installing, configuring and maintaining Fail2Ban
3. Fail2Ban directory structure
4. jail.conf options explained
5. sshd.local custom settings
6. mail-whois.conf custom action
Fail2Ban is an intrusion prevention tool that protects servers against brute-force attacks. It is written in Python.
Fail2Ban works from authentication log files: by default it scans logs such as /var/log/auth.log and
/var/log/apache/access.log and bans IP addresses that show signs of malicious behaviour, such as too many failed passwords or probing for exploitable flaws.
Typically Fail2Ban updates firewall rules so that an IP address is rejected for a specified period. It can also send e-mail notifications.
Fail2Ban ships with filters for many services, including ssh, apache, nginx, squid, named, mysql and nagios.
Fail2Ban slows down the rate of failed authentication attempts, but it does not remove the risk created by weak authentication.
It is only one of several measures a server should use against brute-force attacks.
# yum install fail2ban ## install
The configuration below blocks remote SSH brute-force attacks and notifies the administrator by mail.
# cat /etc/fail2ban/jail.conf ## as the file itself advises, put customisations in new files under jail.d/ instead of editing it
# vim /etc/fail2ban/jail.d/sshd.local ## write the custom configuration
# cd /etc/fail2ban/jail.d
# mv 00-firewalld.conf 00-firewalld.conf.disabled ## disable the firewalld action and use iptables instead
# vim /etc/fail2ban/action.d/mail-whois.conf ## define the action
# fail2ban-client reload ## apply the configuration
Routine maintenance:
# systemctl enable fail2ban.service ## start at boot
# systemctl start fail2ban.service ## start the service
# cat /var/log/fail2ban.log ## log file
# fail2ban-client status ## show Fail2Ban's running status
# fail2ban-client status sshd ## show the jail's details, including the banned IPs
# fail2ban-client set sshd unbanip 123.123.123.2 ## unban an IP
/etc/fail2ban/
├── action.d
│   ├── dummy.conf
│   ├── hostsdeny.conf
│   ├── iptables.conf
│   ├── mail-whois.conf ## mail action configuration
│   ├── mail.conf
│   └── shorewall.conf
├── fail2ban.conf
├── fail2ban.local
├── filter.d
│   ├── apache-auth.conf
│   ├── apache-noscript.conf
│   ├── couriersmtp.conf
│   ├── postfix.conf
│   ├── proftpd.conf
│   ├── qmail.conf
│   ├── sasl.conf
│   ├── sshd.conf
│   └── vsftpd.conf
├── jail.conf
├── jail.local
└── jail.d
    └── sshd.local ## SSH jail settings
# cat /etc/fail2ban/jail.conf
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
[DEFAULT]
ignorecommand =
bantime = 10m ## how long a host stays banned, default 10 minutes
findtime = 10m ## window in which failures are counted, default 10 minutes
maxretry = 5 ## number of failures allowed within findtime before a ban
backend = auto ## backend used to detect changes to the log files
usedns = warn ## whether hostnames found in logs are resolved; "warn" resolves them but logs a warning
logencoding = auto
enabled = false ## jails are disabled by default; enable the ones you need in your own .local file
mode = normal ## filter mode
filter = %(__name__)s[mode=%(mode)s] ## filter to use, derived from the jail name
destemail = root@localhost ## address that notifications are sent to
sender = root@<fq-hostname> ## sender address
mta = sendmail ## mail transfer agent (default is sendmail; can be changed to mail)
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport ## shorthand for the ban action, used when the action parameters are defined
banaction_allports = iptables-allports
action_abuseipdb = abuseipdb
......
action = %(action_)s
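The three numbers above decide when a ban happens: a source is banned once it produces maxretry failures inside any window findtime long, and it then stays blocked for bantime. The script below is an added example, not code from this page or from Fail2Ban. It replays constructed sshd log lines (the addresses are from documentation ranges, not real hosts) through that rule with awk, so the effect of a short findtime such as the 60 s used in the sshd.local on this page can be compared with the 10 min jail.conf default on the same data.

```shell
#!/bin/sh
# Added example: replay sshd failure lines through the bantime/findtime/maxretry
# rule from jail.conf. The sample log below is constructed, not captured from a host.
AUTHLOG_SAMPLE='Mar 10 10:00:01 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Mar 10 10:00:03 host1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
Mar 10 10:00:05 host1 sshd[1003]: Failed password for root from 203.0.113.5 port 50003 ssh2
Mar 10 10:00:07 host1 sshd[1004]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar 10 10:00:09 host1 sshd[1005]: Failed password for root from 203.0.113.5 port 50005 ssh2
Mar 10 10:00:30 host1 sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar 10 10:01:00 host1 sshd[1007]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 10:03:00 host1 sshd[1008]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Mar 10 10:05:00 host1 sshd[1009]: Failed password for bob from 198.51.100.7 port 40004 ssh2
Mar 10 10:07:00 host1 sshd[1010]: Failed password for bob from 198.51.100.7 port 40005 ssh2
Mar 10 10:09:00 host1 sshd[1011]: Failed password for bob from 198.51.100.7 port 40006 ssh2'

# simulate_bans FINDTIME MAXRETRY BANTIME < authlog
# Prints one "BAN <ip> at <time> (...)" line per ban decision, in log order.
simulate_bans() {
  awk -v findtime="$1" -v maxretry="$2" -v bantime="$3" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i in m) mon[m[i]] = i
    }
    # syslog timestamp -> seconds (same year assumed; enough to order the events)
    function to_secs(mo, day, hms,   a) {
      split(hms, a, ":")
      return (mon[mo] * 31 + day) * 86400 + a[1] * 3600 + a[2] * 60 + a[3]
    }
    /sshd\[[0-9]+\]: Failed password for .* from / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      t = to_secs($1, $2, $3)
      # a source that is already banned is not counted again until the ban expires
      if ((ip in banned_until) && t < banned_until[ip]) next
      if (!(ip in first)) first[ip] = 1
      n[ip]++; seen[ip, n[ip]] = t
      # slide the window: forget failures older than findtime seconds
      while (first[ip] <= n[ip] && seen[ip, first[ip]] < t - findtime) first[ip]++
      inwin = n[ip] - first[ip] + 1
      if (inwin >= maxretry) {
        printf "BAN %s at %s (%d failures within %ds)\n", ip, $3, inwin, findtime
        banned_until[ip] = t + bantime
        first[ip] = n[ip] + 1      # start a fresh window after the ban
      }
    }'
}

# With the sshd.local values on this page (findtime=60, maxretry=5, bantime=300)
# only the fast source is banned; with the jail.conf default findtime of 10 minutes
# the slow source, which spreads its five failures over eight minutes, is banned too.
printf '%s\n' "$AUTHLOG_SAMPLE" | simulate_bans 60 5 300
printf '%s\n' "$AUTHLOG_SAMPLE" | simulate_bans 600 5 300
```

The simulation only counts "Failed password" lines, which is a subset of what filter.d/sshd.conf matches; the point is the window arithmetic, and it shows why a small findtime lets a slow, patient source through while the default catches it.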
# vim /etc/fail2ban/jail.d/sshd.local
[DEFAULT]

ignoreip = 127.0.0.1/8 ## never ban local addresses

bantime = 300 ## how long (seconds) a banned IP stays blocked

findtime = 60 ## window (seconds) in which failed logins are counted

maxretry = 5 ## failures allowed within the window before a ban

backend = auto

destemail = 123456@qq.com ## address that receives the notifications

sender = 654321@163.com ## sender address (must be set)

mta = mail ## use the mail command as the mail transfer agent

action = %(action_mw)s ## action mode action_mw: ban and send a mail with a whois report

[sshd]

enabled = true ## turn on SSH protection

port = 7777 ## SSH port number
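A jail only protects the port it watches, so when sshd listens on a non-default port (7777 here) the jail's port must be changed with it, and the jail must actually be enabled. The script below is an added example, not part of this page or of Fail2Ban. It writes two constructed files into a temporary directory (an sshd_config with Port 7777 and a jail.d/sshd.local like the one above, plus a stale jail that still says port = ssh) and checks that the [sshd] jail is enabled and covers every port sshd listens on. Run it against the real /etc/ssh/sshd_config and /etc/fail2ban/jail.d/sshd.local after editing them; the function names and sample files are this example's own.

```shell
#!/bin/sh
# Added example: verify that the [sshd] jail is enabled and watches the port(s)
# sshd really listens on. Sample files are constructed here, not copied from a host.

# write_samples DIR: create sshd_config, a matching sshd.local and a stale one.
write_samples() {
  cat > "$1/sshd_config" <<'EOF'
# sshd listens on the non-default port used by the jail on this page
Port 7777
PermitRootLogin no
EOF
  cat > "$1/sshd.local" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 300
findtime = 60
maxretry = 5

[sshd]
enabled = true
port = 7777
EOF
  cat > "$1/sshd-stale.local" <<'EOF'
[sshd]
enabled = true
port = ssh
EOF
}

# sshd_ports SSHD_CONFIG: every Port directive, one per line; 22 when none is set.
sshd_ports() {
  awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; found = 1 }
       END { if (!found) print 22 }' "$1"
}

# jail_ports JAILFILE: the port list of the [sshd] section, one per line.
# The service name "ssh" is mapped to 22 so it can be compared with sshd_config.
jail_ports() {
  awk '
    /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[sshd\]/); next }
    insect && /^[ \t]*port[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); gsub(/[ \t]/, "")
      n = split($0, p, ",")
      for (i = 1; i <= n; i++) print (p[i] == "ssh" ? 22 : p[i])
    }' "$1"
}

# jail_enabled JAILFILE: value of "enabled" in the [sshd] section (empty if unset).
jail_enabled() {
  awk '
    /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[sshd\]/); next }
    insect && /^[ \t]*enabled[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); gsub(/[ \t]/, "")
      print tolower($0)
    }' "$1"
}

# check_sshd_jail SSHD_CONFIG JAILFILE
# Returns 0 when the jail is enabled and its port list covers every sshd port;
# otherwise prints what is wrong and returns 1.
check_sshd_jail() {
  cfg=$1; jail=$2; rc=0
  if [ "$(jail_enabled "$jail")" != "true" ]; then
    echo "jail [sshd] is not enabled in $jail"; rc=1
  fi
  jp=$(jail_ports "$jail")
  for p in $(sshd_ports "$cfg"); do
    if ! printf '%s\n' "$jp" | grep -qx "$p"; then
      echo "sshd listens on $p but the jail in $jail only watches: $(printf '%s' "$jp" | tr '\n' ' ')"
      rc=1
    fi
  done
  return $rc
}

# Demo run on the constructed files.
d=$(mktemp -d) && write_samples "$d"
check_sshd_jail "$d/sshd_config" "$d/sshd.local" && echo "sshd.local: OK"
check_sshd_jail "$d/sshd_config" "$d/sshd-stale.local" || echo "sshd-stale.local: needs fixing"
rm -rf "$d"
```

The stale file is the usual failure mode after moving sshd to a new port: the jail stays enabled, Fail2Ban reports it as healthy, but the iptables rule it writes blocks port 22 while the brute-force traffic arrives on 7777.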
# vim /etc/fail2ban/action.d/mail-whois.conf
# Fail2Ban configuration file
#
# Author: xiaobo
#
#

[INCLUDES]

before = mail-whois-common.conf

[Definition]

# Option: actionban
# Notes: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
actionban = printf %%b "Hi:\n
            Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            攻击者IP:<ip>\n
            位置:`/usr/bin/curl -s http://www.cip.cc/<ip> | sed -n 2p | awk -F ': ' '{print $2}' `\n
            被攻击机器名:`uname -n` \n
            攻击次数:<failures> 次 \n
            Fail2Ban提醒\n\n "|/usr/bin/mail -s "title" <dest>

[Init]

name = default

dest = root
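Fail2Ban fills in tags such as <ip>, <name>, <failures> and <fq-hostname> when it runs actionban, and <dest> comes from the [Init] section. The script below is an added example, not the page's action file: it expands those tags in a constructed English template (the live curl lookup of the page's version is left out so the preview runs offline) and then lists any tag that is still unexpanded, which is how a misspelled tag in a custom action shows up before the first real ban fires it.

```shell
#!/bin/sh
# Added example: expand Fail2Ban action tags in a notification template so the
# mail body can be previewed without banning anything. The template is constructed
# for this example and mirrors the page's actionban without the geolocation lookup.
ACTION_TEMPLATE='Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Attacker IP: <ip>
Attacked host: <fq-hostname>
Failures: <failures>
Fail2Ban alert'

# expand_tags TEMPLATE NAME IP FAILURES FQ-HOSTNAME DEST
# Substitutes the tags Fail2Ban fills in at ban time. Values are IPs, jail names
# and hostnames, so the "|" sed delimiter cannot collide with them.
expand_tags() {
  printf '%s\n' "$1" | sed \
    -e "s|<name>|$2|g" -e "s|<ip>|$3|g" -e "s|<failures>|$4|g" \
    -e "s|<fq-hostname>|$5|g" -e "s|<dest>|$6|g"
}

# unexpanded_tags TEXT: any <tag> still present after expansion, one per line.
# A leftover tag usually means a typo in the action file.
unexpanded_tags() {
  printf '%s\n' "$1" | grep -o '<[a-zA-Z_-]*>' | sort -u
}

# Preview of the body for a constructed ban event.
body=$(expand_tags "$ACTION_TEMPLATE" sshd 203.0.113.5 5 host1.example.com root)
printf '%s\n' "$body"
leftover=$(unexpanded_tags "$body")
[ -z "$leftover" ] && echo "all tags expanded" || echo "unexpanded tags: $leftover"
```

Two details of the page's own template matter when adapting it. `mail -s "title"` sets the real subject, so the Subject: line inside the printf body arrives as ordinary body text rather than as the subject. And the backticked curl call runs synchronously, with Fail2Ban's privileges, on every ban: the action stalls while that lookup is slow, fails on a host without outbound HTTP, and sends each banned address to an external service, so decide deliberately whether that lookup belongs in the ban path.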