Protecting SSH with Fail2ban + Firewalld on CentOS 7
If you are using password-based authentication for SSH access to a server attached to the public internet, then the login banner below will look all too familiar:
tutorial@<redacted>'s password:
Last failed login: Mon Mar 20 20:47:43 UTC 2017 from 116.31.116.37 on ssh:notty
There were 96619 failed login attempts since the last successful login.
Last login: Mon Mar 13 18:07:23 2017 from <redacted>
Did you notice the 96619 failed login attempts? The vast majority of those attempted connections are likely attempts to guess the credentials and gain access to your server, in other words a password brute-force attack.
One way to minimize the chances of such brute-force attempts actually working is to use Fail2ban. Fail2ban can be configured to keep an eye on various system logs and, when it spots failed login attempts, add the source IP address to the local firewall's blocking rules. In this tutorial we will briefly show how to install and configure Fail2ban to protect against SSH brute-force attempts.
To follow along you will need a Linux account with sudo access. Our example username is tutorial.
In order to easily install the fail2ban packages using yum, we need access to the EPEL repository. Add it to your system by running sudo yum install epel-release. You should see output like the following:
[tutorial@centos ~]$ sudo yum install epel-release
[sudo] password for tutorial:
base | 3.6 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
updates/7/x86_64/primary_db | 3.8 MB 00:03
Loading mirror speeds from cached hostfile
* base: mirror.lax.hugeserver.com
* extras: mirror.lax.hugeserver.com
* updates: mirror.sigmanet.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-9 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================
Installing:
epel-release noarch 7-9 extras 14 k
Transaction Summary
=====================================================================================================================================
Install 1 Package
Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-9.noarch.rpm | 14 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-9.noarch 1/1
Verifying : epel-release-7-9.noarch 1/1
Installed:
epel-release.noarch 0:7-9
Complete!
Once the new repository package is added, let's check that all available OS updates are installed:
sudo yum check-update
If the output indicates there are updates available and the packages listed look acceptable to you, then update the system:
sudo yum update
Now we can install fail2ban-firewalld by running sudo yum install fail2ban-firewalld. The output should be similar to the following:
[tutorial@centos ~]$ sudo yum install fail2ban-firewalld
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.lax.hugeserver.com
* epel: mirror.sfo12.us.leaseweb.net
* extras: mirror.lax.hugeserver.com
* updates: mirror.sigmanet.com
Resolving Dependencies
--> Running transaction check
---> Package fail2ban-firewalld.noarch 0:0.9.6-3.el7 will be installed
--> Processing Dependency: fail2ban-server = 0.9.6-3.el7 for package: fail2ban-firewalld-0.9.6-3.el7.noarch
--> Running transaction check
---> Package fail2ban-server.noarch 0:0.9.6-3.el7 will be installed
--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.6-3.el7.noarch
--> Running transaction check
---> Package systemd-python.x86_64 0:219-30.el7_3.7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================
Installing:
fail2ban-firewalld noarch 0.9.6-3.el7 epel 11 k
Installing for dependencies:
fail2ban-server noarch 0.9.6-3.el7 epel 286 k
systemd-python x86_64 219-30.el7_3.7 updates 109 k
Transaction Summary
=====================================================================================================================================
Install 1 Package (+2 Dependent packages)
Total download size: 407 k
Installed size: 1.1 M
Is this ok [y/d/N]:
Answer with y to accept the proposed package list and continue:
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/fail2ban-firewalld-0.9.6-3.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fail2ban-firewalld-0.9.6-3.el7.noarch.rpm is not installed
(1/3): fail2ban-firewalld-0.9.6-3.el7.noarch.rpm | 11 kB 00:00:00
(2/3): fail2ban-server-0.9.6-3.el7.noarch.rpm | 286 kB 00:00:00
(3/3): systemd-python-219-30.el7_3.7.x86_64.rpm | 109 kB 00:00:00
-------------------------------------------------------------------------------------------------------------------------------------
Total 310 kB/s | 407 kB 00:00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-9.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Answer with y to accept the EPEL GPG key and continue:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : systemd-python-219-30.el7_3.7.x86_64 1/3
Installing : fail2ban-server-0.9.6-3.el7.noarch 2/3
Installing : fail2ban-firewalld-0.9.6-3.el7.noarch 3/3
Verifying : fail2ban-server-0.9.6-3.el7.noarch 1/3
Verifying : fail2ban-firewalld-0.9.6-3.el7.noarch 2/3
Verifying : systemd-python-219-30.el7_3.7.x86_64 3/3
Installed:
fail2ban-firewalld.noarch 0:0.9.6-3.el7
Dependency Installed:
fail2ban-server.noarch 0:0.9.6-3.el7 systemd-python.x86_64 0:219-30.el7_3.7
Complete!
Now we have fail2ban installed.
The configuration files for fail2ban are stored in /etc/fail2ban/. A package update may overwrite the default configuration files there, so to avoid problems we keep our local changes in a separate jail_ssh.local file in that directory. Open a new text file /etc/fail2ban/jail_ssh.local using an editor you are comfortable with:
[tutorial@centos fail2ban]$ sudo vi /etc/fail2ban/jail_ssh.local
[sudo] password for tutorial:
Paste the following two lines into the file and save it:
[sshd]
enabled = true
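As an added example (not part of the original tutorial), the helper below writes a fuller [sshd] override than the two lines above. Everything beyond enabled = true is an assumed baseline rather than a setting the tutorial gives, and ADMIN_IP is a placeholder for the address you administer from, whitelisted so that a typo in your own password cannot lock you out.

```shell
#!/bin/sh
# Added example (not from the original tutorial): write a fuller [sshd] jail
# override than the two-line one shown above. Everything beyond
# "enabled = true" is an assumed sensible baseline, not a setting the
# tutorial gives; ADMIN_IP is a placeholder for the address you administer
# from, so that a typo in your own password never locks you out.
#
# Usage on the server, as root (jail.local and jail.d/*.local are read by
# fail2ban as overrides on top of jail.conf):
#   write_sshd_jail /etc/fail2ban/jail.local 203.0.113.10
#   systemctl restart fail2ban.service

write_sshd_jail() {
    dest=$1
    admin_ip=$2
    cat > "$dest" <<EOF
[sshd]
enabled  = true
# never ban loopback or the address we administer from
ignoreip = 127.0.0.1/8 ${admin_ip}
# 5 failures within 10 minutes earn a 1 hour ban (times in seconds)
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# jail_value FILE KEY: print KEY's value from FILE, so the result can be checked.
jail_value() {
    awk -F'=' -v k="$2" \
        '$1 ~ "^" k "[ \t]*$" { sub(/^[ \t]+/, "", $2); print $2 }' "$1"
}
```

After restarting the service, sudo fail2ban-client status sshd should list the jail, which confirms the override was picked up.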
Start the fail2ban.service using systemctl:
[tutorial@centos fail2ban]$ sudo systemctl start fail2ban.service
If you also want it to start on boot, run the same command with enable in place of start:
[tutorial@centos fail2ban]$ sudo systemctl enable fail2ban.service
Fail2ban is now running on our system.
We can use firewall-cmd to verify that a firewall rule is now in place to block these attempts:
[tutorial@centos fail2ban]$ sudo firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
As shown, we now have an ipset called fail2ban-sshd, which will be populated with the IP addresses that are generating failed login attempts.
We can take a look at the current contents of that set using ipset:
[tutorial@centos fail2ban]$ sudo ipset list fail2ban-sshd
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16656
References: 1
Members:
186.61.255.155 timeout 336
116.31.116.37 timeout 569
We can see that two IP addresses are now being blocked, along with the remaining timeout until each is removed from the set.
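As an added example (not from the original tutorial), the helpers below read the ipset output shown above and report what is currently banned and for how much longer; SAMPLE_IPSET is constructed to mirror the tutorial's output so they can be tried without a live set.

```shell
#!/bin/sh
# Added example (not from the original tutorial): small helpers that read the
# output of `ipset list fail2ban-sshd`, as shown above, and report what is
# currently banned and for how much longer. SAMPLE_IPSET is constructed to
# mirror the tutorial's output so the helpers can be tried without a live set.
#
# Live usage on the server:
#   sudo ipset list fail2ban-sshd | banned_members

SAMPLE_IPSET='Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16656
References: 1
Members:
186.61.255.155 timeout 336
116.31.116.37 timeout 569'

# banned_members: read ipset output on stdin, print "<ip> <seconds left>"
# for every entry after the Members: header.
banned_members() {
    awk '/^Members:/ { in_members = 1; next }
         in_members && $2 == "timeout" { print $1, $3 }'
}

# banned_count: number of addresses currently in the set.
banned_count() {
    banned_members | wc -l | tr -d ' '
}

# is_banned IP: succeed (exit 0) if IP is currently in the set.
is_banned() {
    banned_members | awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }'
}

# next_to_expire: the entry whose ban ends soonest, i.e. the address that
# will be allowed to retry first.
next_to_expire() {
    banned_members | sort -k2,2n | head -n 1
}
```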
This was a very brief introduction to getting fail2ban in place to help protect a server against brute-force SSH access attempts. Keep an eye out for additional tutorials regarding the configuration and use of this tool. You may also find more information on the Fail2ban website.
That's all filler, I can't be bothered to translate it...
[root@localhost log]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
| |- Currently failed: 0
| |- Total failed: 164
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 21
|- Total banned: 61
`- Banned IP list: 165.227.96.190 142.93.251.1 70.89.88.3 105.235.116.254 47.74.248.150 125.212.254.144 211.159.187.191 162.250.210.22 122.58.175.31 84.123.13.17 118.34.12.35 84.45.251.243 61.77.25.208 41.84.131.10 140.143.228.75 93.108.235.93 139.59.17.173 106.241.16.119 45.55.254.13 49.51.233.81 59.38.32.76
Raw link:
https://devops.ionos.com/tutorials/install-fail2ban-on-centos-7-to-protect-ssh-via-firewalld/