Linux 上Fail2ban阻止SSH暴力攻击 保护你的服务器不被暴力破解
查看尝试登录的IP和次数:
# ubuntu
cat /var/log/auth.log | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'
# centos
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'
结果如下
95.99.151.150 = 2
96.116.62.121 = 2
96.126.108.130 = 1
96.234.157.43 = 1
96.239.137.66 = 2
96.242.27.57 = 1
96.255.29.134 = 1
96.30.68.34 = 6
96.45.70.192 = 21
96.53.113.134 = 1946
96.57.104.194 = 2
96.57.82.166 = 3
96.64.177.108 = 2
96.66.198.178 = 10
96.67.205.235 = 7
96.68.174.209 = 8
96.68.99.234 = 2
96.70.240.38 = 1
96.70.80.177 = 4
96.70.94.73 = 2
介绍:
fail2ban是一款实用软件,可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作。
功能和特性编辑
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。
3、在logpath选项中支持通配符
4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix或sendmail
官网:
http://www.fail2ban.org/
安装:
ubuntu
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install fail2ban
centos
yum -y install epel-release
yum -y install fail2ban
文件结构
/etc/fail2ban ## fail2ban 服务配置目录
/etc/fail2ban/action.d ## iptables 、mail 等动作文件目录
/etc/fail2ban/filter.d ## 条件匹配文件目录,过滤日志关键内容
/etc/fail2ban/jail.conf ## fail2ban 防护配置文件
/etc/fail2ban/fail2ban.conf ## fail2ban 配置文件,定义日志级别、日志、sock 文件位置等
配置
1.打开配置文件
vim /etc/fail2ban/jail.conf
配置信息
[DEFAULT]
# 忽略的IP列表,不受设置限制
ignoreip = 127.0.0.1/8
# 被封IP禁止访问的时间,单位是秒
bantime = 86400
# 检测时间,在此时间内超过规定的次数会激活fail2ban,单位是秒
findtime = 300
# 允许错误登录的最大次数
maxretry = 3
# 日志修改检测机制(gamin、polling和auto这三种)
backend = auto
# 定义日志级别,默认
loglevel = 3
# 定义 fail2ban 日志文件
logtarget = /var/log/fail2ban.log
# sock 文件存放位置,默认
socket = /var/run/fail2ban/fail2ban.sock
# pid 文件存放位置,默认
pidfile = /var/run/fail2ban/fail2ban.pid
# 邮件通知参数
sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
## 收件人地址 ## 发件人地址
[sshd]
# 激活
enabled = true
# 规律规则名,对应filter.d目录下的sshd.conf
filter = sshd
banaction = firewallcmd-new
# 检测的系统的登陆日志文件。这里要写sshd服务日志文件
logpath = /var/log/secure
# 禁止用户IP访问主机1小时
bantime = 3600
# 在5分钟内内出现规定次数就开始工作
findtime = 300
# 3次密码验证失败
maxretry = 3
[sshd-ddos]
enabled = true
port = 8888
fail2ban启动
>> service fail2ban start # 启动fail2ban服务
* Starting authentication failure monitor fail2ban [ OK ]
>> fail2ban-client status # 查看fail2ban服务
Status
|- Number of jail: 1
`- Jail list: ssh
>> service fail2ban restart # 重启
启动fail2ban并设置开机启动:
centos
systemctl enable fail2ban
systemctl start fail2ban
ubuntu
查看日志
tail -100 /var/log/fail2ban.log # 查看最近100条记录
查看SSH服务监护状态,能看到当前被禁IP。
>> fail2ban-client status ssh
|- filter
| |- File list: /var/log/auth.log
| |- Currently failed: 56
| `- Total failed: 6307
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
在SSH监护服务白名单中添加/删除IP:
fail2ban-client set sshd addignoreip 1.2.3.4
fail2ban-client set sshd delignoreip 1.2.3.4
网友评论