CentOS 7 fail2ban installation and configuration! Defending against brute-force password attacks

Author: admin  Category: linux  Published: 2019-06-25 19:38
 

  fail2ban overview

  fail2ban monitors your system logs, matches error entries in them with regular expressions, and runs a corresponding blocking action (usually through the firewall). It can also send an e-mail notification to the system administrator. Simple, practical and powerful!

  A brief look at fail2ban's features:

  1. Supports a large number of services, such as sshd, apache, qmail, proftpd, sasl and so on.

  2. Supports multiple actions, such as firewalld, tcp-wrapper, shorewall (a third-party firewall tool), mail notifications and so on.

  3. Supports wildcards in the logpath option.

  4. Requires Gamin (note: Gamin is a service that monitors files and directories for changes).

  5. Requires python, firewalld, tcp-wrapper, shorewall and Gamin to be installed. If you want e-mail notifications, postfix/sendmail must be installed as well.

  Check whether Firewalld is enabled

	  # if iptables is installed, it is recommended to stop it first
	  service iptables stop
	  # check Firewalld status
	  firewall-cmd --state
	  # start firewalld
	  systemctl start firewalld
	  # enable it at boot
	  systemctl enable firewalld.service

  Once Firewalld is enabled it blocks connections on all ports, so be sure to open the ports you use or you will lock yourself out. The following example opens the SSH port (22) for reference:

	  # open port 22
	  firewall-cmd --zone=public --add-port=22/tcp --permanent
	  # reload the configuration
	  firewall-cmd --reload
	  # list the open ports
	  firewall-cmd --zone=public --list-ports

  fail2ban installation and configuration walkthrough

  Install the EPEL repository: http://fedoraproject.org/wiki/EPEL/zh-cn

  The code is as follows:

	  # yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

  or (EPEL 6 package):

	  # yum install gamin-python python-inotify python-ctypes
	  # wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
	  # rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

  or (EPEL 5 package):

	  # yum install gamin-python python-inotify python-ctypes
	  # wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
	  # rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

  Installing from source

	  The code is as follows:
	  # install fail2ban from the repository
	  yum -y install fail2ban
	  # or build from the 0.9.0 source tarball (the GitHub URL serves the archive without a file name, so name it explicitly)
	  # wget -O fail2ban-0.9.0.tar.gz https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
	  # tar -xzvf fail2ban-0.9.0.tar.gz
	  # cd fail2ban-0.9.0
	  # python setup.py install
	  # the next two lines install the Solaris SMF service method; they are not needed on CentOS
	  # cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
	  # chmod +x /lib/svc/method/svc-fail2ban

  Installation layout

  The code is as follows:

	  /etc/fail2ban
	  action.d filter.d fail2ban.conf jail.conf

  After installation the fail2ban configuration lives in /etc/fail2ban. jail.conf is the main configuration file and the matching rules (filters) are in the filter.d directory; the other directories and files are rarely needed, so look them up if you want the details.


  Configuring rules

  Create jail.local to override some of fail2ban's defaults:

  # create the config


	  vi /etc/fail2ban/jail.local

  # default section (comments go on their own lines; fail2ban does not treat a trailing # after a value as a comment)


	  [DEFAULT]
	  # IP whitelist
	  ignoreip = 127.0.0.1/8
	  # ban duration in seconds; 24 hours here
	  bantime = 86400
	  # detection window in seconds; failures are counted within this window
	  findtime = 600
	  # maximum number of failures allowed
	  maxretry = 5
	  # banaction must be firewallcmd-ipset here, this is the key to firewalld support; do not use this value if you use iptables
	  banaction = firewallcmd-ipset
	  action = %(action_mwl)s

  Parameter description:

  ignoreip: IP whitelist; IPs on it are never banned. Several entries can be given, separated by commas (,)

  bantime: ban duration, in seconds (s)

  findtime: the time window

  maxretry: the maximum number of failures

  banaction: the method used to block the IP; above, firewalld is used to block the port

  Preventing SSH brute force

  If you are still using the default SSH port (22) you are probably being scanned every day. You can change the port to reduce scanning, switch to key-based (passwordless) SSH login, or use fail2ban to block the malicious IPs.

  Continue editing jail.local and append the following:


	  [sshd]
	  enabled = true
	  filter = sshd
	  port = 22
	  action = %(action_mwl)s
	  logpath = /var/log/secure

  Parameter description:

  [sshd]: the jail name; can be anything

  enabled = true: whether the jail is enabled

  filter: the filter name; it must be a rule in the filter.d directory. sshd is a filter built into fail2ban

  port: the port the service listens on

  action: the action to take

  bantime: ban duration, in seconds

  findtime: the time window; once the condition is met within this window the ban is applied, in seconds

  maxretry: number of failures

  logpath: path of the log file to monitor

  At this point our jail.local might look like this:

  Method 1:

	  [DEFAULT]
	  ignoreip = 127.0.0.1/8
	  bantime = 86400
	  findtime = 600
	  maxretry = 5
	  banaction = firewallcmd-ipset
	  action = %(action_mwl)s
	  [sshd]
	  enabled = true
	  filter = sshd
	  port = 22
	  action = %(action_mwl)s
	  logpath = /var/log/secure

  This configuration means: if the same IP fails more than 5 times within 10 minutes, Firewalld bans that IP. Run systemctl start fail2ban to start fail2ban and try it out.

  Method 2:

	  [DEFAULT]
	  bantime = 86400
	  findtime = 300
	  maxretry = 3
	  sender = fail2ban@ifshow.com
	  destemail = admin@ifshow.com
	  action = %(action_mwl)s
	  [sshd]
	  enabled = true
	  port = 2345
	  [sshd-ddos]
	  enabled = true
	  port = 2345

  bantime is how long a banned IP is denied access; it is set to 24 hours, in seconds.

  findtime is the detection window; exceeding the allowed number of failures within this window triggers fail2ban, in seconds.

  maxretry is the maximum number of failed logins allowed; it works together with findtime.

  sender is the sender address of the notification e-mail, destemail is the mailbox that receives it.

  action is what fail2ban does when triggered; action_mwl means ban the IP + send a notification e-mail + write the log excerpt.

  enabled = true in the sshd section turns on protection of the SSH service; port is the custom SSH port.

  enabled = true in the sshd-ddos section turns on SSH DDoS protection; port is the custom SSH port.

  If vsftpd is installed, add the following at the end of the configuration file (port is vsftpd's login and data port):

	  [vsftpd]
	  enabled = true
	  port = 2121,2122

  Use another server to connect over SSH repeatedly while entering the wrong password; after more than 5 consecutive failures you will find you can no longer connect at all, which means the IP has been banned. Run fail2ban-client status sshd to see the banned IPs, as in the screenshot below.

  Preventing CC attacks (HTTP floods)

  Taking Nginx as the example, fail2ban monitors the nginx log, matches IPs that make many requests in a short time, and blocks them with firewalld, which gives basic protection against CC (HTTP flood) attacks.

  # first create an nginx log matching rule (filter)

	  vi /etc/fail2ban/filter.d/nginx-cc.conf

  # with the following content

	  [Definition]
	  # <HOST> is fail2ban's placeholder for the client address; every failregex must contain it
	  failregex = ^<HOST> -.*- .*HTTP/1.* .* .*$
	  ignoreregex =

  Continue editing jail.local and append the following:

	  [nginx-cc]
	  enabled = true
	  port = http,https
	  filter = nginx-cc
	  action = %(action_mwl)s
	  maxretry = 20
	  findtime = 60
	  bantime = 3600
	  logpath = /usr/local/nginx/logs/access.log

  This configuration means: if the same IP reaches 20 requests within 60 s, it is banned for 1 hour. These values are only for testing; adjust them to your real traffic. logpath is the path of the nginx log.

  Preventing WordPress brute force

  If you analyse your logs regularly you will notice a large number of bots scanning the WordPress login page wp-login.php. Even if they have not succeeded, it is better to block their IPs just in case.

  # first create an nginx log matching rule (filter)

	  vi /etc/fail2ban/filter.d/wordpress.conf

  # with the following content

	  [Definition]
	  # <HOST> is fail2ban's placeholder for the client address; every failregex must contain it
	  failregex = ^<HOST> -.* /wp-login.php.* HTTP/1\.."
	  ignoreregex =

  Continue editing jail.local and append the following:

	  [wordpress]
	  enabled = true
	  port = http,https
	  filter = wordpress
	  action = %(action_mwl)s
	  maxretry = 20
	  findtime = 60
	  bantime = 3600
	  logpath = /usr/local/nginx/logs/access.log

  Of course, do not forget to run systemctl restart fail2ban so that the changes take effect.
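To see what maxretry and findtime actually do with the two filters above, here is an added Python script (not part of the original article and not fail2ban's own code) that applies the nginx-cc and wordpress failregex lines to constructed access-log lines and counts matches per IP in a sliding findtime window the way a jail does. It assumes a simplified IPv4-only pattern in place of fail2ban's real `<HOST>` expansion; the log lines and IPs are constructed.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands <HOST> to an IPv4/IPv6/hostname pattern; simplified here to IPv4 only (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from the article's nginx-cc.conf and wordpress.conf.
FILTERS = {
    "nginx-cc": r"^<HOST> -.*- .*HTTP/1.* .* .*$",
    "wordpress": r'^<HOST> -.* /wp-login.php.* HTTP/1\.."',
}

# Timestamp as written by nginx's default combined log format.
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def compile_failregex(failregex):
    """Turn a filter.d failregex into a Python regex, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def banned_hosts(lines, failregex, maxretry, findtime):
    """Return the hosts a jail would ban: maxretry matches within a sliding findtime window."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent, banned = {}, set()
    for line in lines:
        m, ts = rx.search(line), TS_RE.search(line)
        if not m or not ts:
            continue  # not a failure line (or no parsable date): ignored, like fail2ban
        host = m.group("host")
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        hits = [t for t in recent.get(host, []) if when - t <= window] + [when]
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned

def sample_log():
    """Constructed access-log lines: a crawler, a normal visitor and a wp-login.php scanner."""
    fmt = '{ip} - - [25/Jun/2019:19:{m:02d}:{s:02d} +0800] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.5", m=38, s=i, req=f"GET /?p={i}", ua="bot") for i in range(20)]
    lines.append(fmt.format(ip="198.51.100.7", m=38, s=5, req="GET /index.php", ua="Mozilla/5.0"))
    lines += [fmt.format(ip="192.0.2.9", m=39, s=10 * i, req="POST /wp-login.php", ua="curl") for i in range(3)]
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("nginx-cc  (maxretry=20, findtime=60):", banned_hosts(log, FILTERS["nginx-cc"], 20, 60))
    print("wordpress (maxretry=3, findtime=60): ", banned_hosts(log, FILTERS["wordpress"], 3, 60))
```

Note that the nginx-cc regex matches every request line, so that jail is a plain rate limit, while the wordpress regex only counts hits on wp-login.php. On a real server, test a filter against its log with fail2ban-regex /usr/local/nginx/logs/access.log /etc/fail2ban/filter.d/nginx-cc.conf; this script only reproduces the counting logic.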

  Mail service protection rules

	  [sasl-iptables]
	  enabled = true
	  filter = postfix-sasl
	  backend = polling
	  action = %(action_mwl)s
	  logpath = /var/log/mail.log

	  [dovecot]
	  enabled = true
	  filter = dovecot
	  action = %(action_mwl)s
	  logpath = /var/log/mail.log

	  [dovecot-auth]
	  enabled = true
	  filter = dovecot
	  action = %(action_mwl)s
	  logpath = /var/log/secure

	  [perdition]
	  enabled = true
	  filter = perdition
	  action = %(action_mwl)s
	  logpath = /var/log/maillog

	  [uwimap-auth]
	  enabled = true
	  filter = uwimap-auth
	  action = %(action_mwl)s
	  logpath = /var/log/maillog

  # vi /etc/fail2ban.conf

 

  SSH protection rules

	  [ssh-iptables]
	  enabled = true
	  filter = sshd
	  action = iptables[name=SSH, port=ssh, protocol=tcp]
	           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
	  logpath = /var/log/secure
	  maxretry = 5

	  [ssh-ddos]
	  enabled = true
	  filter = sshd-ddos
	  action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
	  logpath = /var/log/messages
	  maxretry = 2

	  [osx-ssh-ipfw]
	  enabled = true
	  filter = sshd
	  action = osx-ipfw
	  logpath = /var/log/secure.log
	  maxretry = 5

	  [ssh-apf]
	  enabled = true
	  filter = sshd
	  action = apf[name=SSH]
	  logpath = /var/log/secure
	  maxretry = 5

	  [osx-ssh-afctl]
	  enabled = true
	  filter = sshd
	  action = osx-afctl[bantime=600]
	  logpath = /var/log/secure.log
	  maxretry = 5

	  [selinux-ssh]
	  enabled = true
	  filter = selinux-ssh
	  action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
	  logpath = /var/log/audit/audit.log
	  maxretry = 5
 

  ProFTPD protection rules

	  [proftpd-iptables]
	  enabled = true
	  filter = proftpd
	  action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
	           sendmail-whois[name=ProFTPD, dest=you@example.com]
	  logpath = /var/log/proftpd/proftpd.log
	  maxretry = 6
 

  Apache protection rules

	  [apache-tcpwrapper]
	  enabled = true
	  filter = apache-auth
	  action = hostsdeny
	  logpath = /var/log/httpd/error_log
	  maxretry = 6

	  [apache-badbots]
	  enabled = true
	  filter = apache-badbots
	  action = iptables-multiport[name=BadBots, port="http,https"]
	           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
	  logpath = /var/log/httpd/access_log
	  bantime = 172800
	  maxretry = 1

	  [apache-shorewall]
	  enabled = true
	  filter = apache-noscript
	  action = shorewall
	           sendmail[name=Postfix, dest=you@example.com]
	  logpath = /var/log/httpd/error_log
 

  Nginx protection rules

	  [nginx-http-auth]
	  enabled = true
	  filter = nginx-http-auth
	  action = iptables-multiport[name=nginx-http-auth,port="80,443"]
	  logpath = /var/log/nginx/error.log
 

  lighttpd protection rules

	  [suhosin]
	  enabled = true
	  filter = suhosin
	  action = iptables-multiport[name=suhosin, port="http,https"]
	  # adapt the following two items as needed
	  logpath = /var/log/lighttpd/error.log
	  maxretry = 2

	  [lighttpd-auth]
	  enabled = true
	  filter = lighttpd-auth
	  action = iptables-multiport[name=lighttpd-auth, port="http,https"]
	  # adapt the following two items as needed
	  logpath = /var/log/lighttpd/error.log
	  maxretry = 2
 

  vsftpd protection rules

	  [vsftpd-notification]
	  enabled = true
	  filter = vsftpd
	  action = sendmail-whois[name=VSFTPD, dest=you@example.com]
	  logpath = /var/log/vsftpd.log
	  maxretry = 5
	  bantime = 1800

	  [vsftpd-iptables]
	  enabled = true
	  filter = vsftpd
	  action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
	           sendmail-whois[name=VSFTPD, dest=you@example.com]
	  logpath = /var/log/vsftpd.log
	  maxretry = 5
	  bantime = 1800
 

  pure-ftpd protection rules

	  [pure-ftpd]
	  enabled = true
	  filter = pure-ftpd
	  action = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
	  logpath = /var/log/pureftpd.log
	  maxretry = 2
	  bantime = 86400
 

  MySQL protection rules

	  [mysqld-iptables]
	  enabled = true
	  filter = mysqld-auth
	  action = iptables[name=mysql, port=3306, protocol=tcp]
	           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
	  logpath = /var/log/mysqld.log
	  maxretry = 5
 

  Apache phpMyAdmin protection rules

	  [apache-phpmyadmin]
	  enabled = true
	  filter = apache-phpmyadmin
	  action = iptables[name=phpmyadmin, port=http,https protocol=tcp]
	  logpath = /var/log/httpd/error_log
	  maxretry = 3

  # /etc/fail2ban/filter.d/apache-phpmyadmin.conf

  Paste the following into apache-phpmyadmin.conf and save it to create the apache-phpmyadmin.conf filter file.

	  # Fail2Ban configuration file
	  #
	  # Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
	  #
	  # Author: Gina Haeussge
	  #
	  [Definition]
	  docroot = /var/www
	  badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
	  # Option: failregex
	  # Notes.: Regexp to match often probed and not available phpmyadmin paths.
	  # Values: TEXT
	  #
	  failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
	  # Option: ignoreregex
	  # Notes.: regex to ignore. If this regex matches, the line is ignored.
	  # Values: TEXT
	  #
	  ignoreregex =

  # service fail2ban restart


  Common commands

	  # start
	  systemctl start fail2ban
	  systemctl start fail2ban.service
	  # stop
	  systemctl stop fail2ban
	  # enable at boot
	  systemctl enable fail2ban
	  # show banned IPs; sshd is the jail name, e.g. [wordpress] above
	  fail2ban-client status sshd
	  # remove an IP from the jail's whitelist (ignoreip); this does not unban an IP, see unbanip below
	  fail2ban-client set sshd delignoreip 192.168.111.111
	  # view the log
	  tail /var/log/fail2ban.log
	  # default configuration
	  vim /etc/fail2ban/jail.conf
	  # make sure the firewall is running
	  systemctl enable firewalld
	  systemctl start firewalld
	  # update the SELinux policy
	  yum update -y selinux-policy*
	  # logging configuration file
	  /etc/fail2ban/fail2ban.conf
	  # ban (jail) configuration file
	  /etc/fail2ban/jail.conf
	  # directory with the individual matching rules
	  /etc/fail2ban/filter.d
	  # view failed login attempts in the log
	  grep 'Failed password' /var/log/secure
	  # unban an IP
	  fail2ban-client set sshd unbanip IPADDRESS

  fail2ban ships with many built-in matching rules in the filter.d directory, covering common SSH/FTP/Nginx/Apache logs and more. If none of them meets your needs you can write your own rules to match abusive IPs. Using fail2ban together with Firewalld to block malicious IPs is an effective measure that greatly improves server security.
