Fail2ban可以通过日志监控操作防火墙规则,来达到屏蔽IP的功能,可以很好的避免SSH暴力破解和网站流量攻击。
安装Fail2ban前,可以先配置Nginx限制IP访问,具体操作请看我的另一篇博客:https://www.jianshu.com/p/3cb4c82633d1
安装Fail2ban:
yum -y install epel-release
yum repolist
yum -y install fail2ban
Fail2ban 结构
/etc/fail2ban ## fail2ban 服务配置目录
/etc/fail2ban/action.d ## iptables 、mail 等动作文件目录
/etc/fail2ban/filter.d ## 条件匹配文件目录,过滤日志关键内容
/etc/fail2ban/jail.conf ## fail2ban 防护配置文件
/etc/fail2ban/fail2ban.conf ## fail2ban 配置文件,定义日志级别、日志、sock 文件位置等
fail2ban.conf 默认配置(无需修改)
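[Definition]
# Log verbosity (numeric level in this release; default value).
loglevel = 3
# File fail2ban writes its own log to.
logtarget = /var/log/fail2ban.log
# Socket fail2ban-client uses to talk to the server (default).
socket = /var/run/fail2ban/fail2ban.sock
# PID file location (default).
pidfile = /var/run/fail2ban/fail2ban.pid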
jail.conf 防护配置(无需修改)
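# Global settings; every jail inherits these and may override them.
[DEFAULT]
# Addresses never banned; separate several entries with spaces.
ignoreip = 127.0.0.1/8
# Seconds a banned host stays blocked; a negative value bans permanently.
bantime = 600
# Window in seconds within which maxretry failures trigger a ban.
findtime = 600
# Failures allowed inside findtime before banning.
maxretry = 3
# Log change detection mechanism (gamin, polling or auto).
backend = auto
# Hostnames found in logs are resolved, but a warning is logged.
usedns = warn

# Jail protecting the SSH daemon.
[ssh-iptables]
# true enables the jail, false disables it.
enabled = true
# Filter name, i.e. filter.d/sshd.conf.
filter = sshd
# Ban action, plus a second action on an indented continuation line that
# mails a whois report: dest = recipient, sender = envelope sender.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
# System authentication log that is watched.
logpath = /var/log/secure
# Per-jail override of the global maxretry.
maxretry = 5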
filter.d目录下新建http-get-dos.conf
[Definition]
# Matches any HTTP/1.x request line from <HOST>, so every request counts as a
# "failure" for the jail that uses this filter; requests logged with another
# protocol string (e.g. HTTP/2.0) would not match.
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
# Empty: nothing is excluded, so static assets and health checks count too.
ignoreregex =
编辑 vi jail.local
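# jail.local: local overrides, read after jail.conf and jail.d/*.conf.
[DEFAULT]
# Seconds a banned host stays blocked (600 = 10 minutes; the stock comment
# said "one hour", which would be 3600).
bantime = 600
# Window in seconds within which maxretry failures trigger a ban.
findtime = 60
maxretry = 3
backend = auto
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
# kept in [DEFAULT] so every jail that relies on the default action bans via
# iptables; placed inside a jail that sets its own "action =" it has no effect.
banaction = iptables-multiport

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 3
# Per-jail override: a one-minute ban for SSH.
bantime = 60

# Uses the http-get-dos.conf filter created in filter.d above.
[http-get-dos]
enabled = true
port = http
filter = http-get-dos
logpath = /home/wwwlogs/access.log
# The filter matches every request line, so 5 hits in 60 s is reached by a
# single page load with a few assets; tune these (or ignoreregex in the
# filter) or legitimate visitors will be banned.
maxretry = 5
findtime = 60
bantime = 300
action = iptables[name=HTTP,port=http,protocol=tcp]

# Stock sshd jail from jail.conf. With ssh-iptables above also enabled, the
# same log is most likely watched twice and a host ends up banned in two chains.
[sshd]
enabled = true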
Fail2ban操作(如果重启 iptables ,必须重启 fail2ban):
# Start via the client; -x forces the start by removing a stale socket file.
# Configuration errors are printed to the terminal when starting this way.
/usr/bin/fail2ban-client -x start
# Start
service fail2ban start
# Restart
service fail2ban restart
# Stop
service fail2ban stop
# Show status (list of jails)
fail2ban-client status
# List firewall rules with line numbers
iptables -L -n --line-numbers
# Delete the rule at a given line number (here: rule 5 of INPUT)
iptables -D INPUT 5
# Show firewall rules
iptables -nL
# Last line of the ban log (use tail -f to follow it)
tail -1 /var/log/fail2ban.log
# System authentication log
cat /var/log/secure
# On CentOS 7 the service can be restarted with systemctl instead
systemctl restart fail2ban.service
sudo systemctl restart fail2ban
如果提示拦截日志不存在,请修改日志路径:
vi fail2ban.conf
# These keys live in the [Definition] section of fail2ban.conf; newer releases
# take a level name (WARNING) where older ones used a number.
loglevel = WARNING
logtarget = /var/log/fail2ban.log
解除屏蔽:
# List firewall rules with line numbers
iptables -L -n --line-numbers
# Delete one rule from a fail2ban chain by line number (here: rule 1 of f2b-sshd)
iptables -D f2b-sshd 1
# Remove a banned IP. Deleting the iptables rule by hand leaves fail2ban's own
# ban records unchanged; the fail2ban-client form below removes the rule and
# updates those records, so prefer it.
iptables -D f2b-HTTP -s 117.174.26.150 -j REJECT
fail2ban-client set http-get-dos unbanip 117.174.26.150
定时清理日志:
vi /root/del_cc_log.sh
#! /bin/bash
# Truncates the web access log and the fail2ban log in place (run weekly from
# cron). This discards the evidence needed to review a ban or an attack after
# the fact; logrotate with compression and a retention period is the usual
# alternative.
cat /dev/null > /home/wwwlogs/access.log
cat /dev/null > /var/log/fail2ban.log
授权
chmod 755 del_cc_log.sh
定时任务:
crontab -e
30 3 * * 0 sh /root/del_cc_log.sh
开启crontab:
/etc/init.d/crond start
chkconfig --list|grep crond
配置用例:
--屏蔽ssh探测
vi /etc/fail2ban/jail.conf
# Direct edits to jail.conf are lost on package upgrade; the same block in
# jail.local or jail.d/*.local takes precedence and survives.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
# 10 failures, then a 144000 s (40 h) ban.
maxretry = 10
bantime = 144000
Copy其他规则:
cd /etc/fail2ban/filter.d
cp apache-badbots.conf nginx-badbots.conf
vim nginx-badbots.conf
规则校验:
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-badbots.conf
创建jail规则:
vim /etc/fail2ban/jail.d/nginx.local
例如:
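# Jail for the nginx-badbots filter copied from apache-badbots.conf.
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
# Several log files: additional paths go on indented continuation lines
# under logpath; unindented, the second path is read as a stray key.
logpath = /home/wwwlogs/access.log
          /home/wwwlogs/www.sijitao.net.log
maxretry = 3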
邮件支持
yum install sendmail
启动
service sendmail start
如果遇到“没有目录 /var/run/fail2ban 包含套接字文件 /var/run/fail2ban/fail2ban.sock”的错误,请手动创建目录:
mkdir /var/run/fail2ban
配置邮件:
vi jail.conf
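# Second line of the jail's "action =" value (indented continuation):
# dest = recipient address, sender = envelope sender, sendername = display name.
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]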