fail2ban

1.安装

yum install fail2ban -y

2.使用

2.1 配置文件

[root@proxy ~]# vim /etc/fail2ban/jail.conf 
#忽略的IP（白名单，这些来源不会被封锁）
ignoreip = 127.0.0.1/8 192.168.120.7
#jail 名称，须与下面其他 jail 的名称不重复
[nginx-v2ray]
enabled = true
#检查端口
port = 80
# filter 名称须与 /etc/fail2ban/filter.d/nginx.conf 的文件名一致；如果自带的过滤规则无法满足需求，必须自己写正则匹配
filter = nginx
#要监控的日志文件路径
logpath = /var/log/nginx/access.log
#正则匹配达到多少次后触发封锁
maxretry = 2
#统计 maxretry 次数的时间窗口，单位：秒
findtime = 60
#触发后封锁多长时间，单位：秒
bantime = 3600
#封锁动作：检测到攻击后自动添加 iptables 规则（生成名为 f2b-<name> 的链）
action = iptables[name=HTTP_V2RAY, port=80, protocol=tcp]
#白名单
#ignoreip = 192.168.122.199 
[ssh-ip]
enabled = true
port = ssh
#使用 fail2ban 自带的 sshd 过滤规则（/etc/fail2ban/filter.d/sshd.conf）
filter = sshd
logpath = /var/log/secure
maxretry = 3
findtime = 60
bantime = 3600
action = iptables[name=ssh-ip, port=ssh, protocol=tcp]

2.2 匹配规则

[root@proxy ~]# cat /etc/fail2ban/filter.d/nginx.conf
[Definition]
#示例：下面这条 access.log 记录会被 failregex 匹配（状态码 400，响应 157 字节）：45.141.87.59 - - [06/Jul/2021:21:57:04 +0800] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 157 "-" "-" "-"
failregex = <HOST> - - .* 400 157 .* "-"$
#failregex = <HOST> - - .* 404 .* "-"$
ignoreregex =

2.3 启动检查

systemctl start fail2ban 
systemctl enable fail2ban 
#用 fail2ban-regex 检查正则对日志的匹配情况
[root@proxy ~]# fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.conf
Running tests
=============

Use   failregex filter file : nginx, basedir: /etc/fail2ban
Use         log file : /var/log/nginx/access.log
Use         encoding : UTF-8
Results
=======
Failregex: 37 total
|-  #) [# of hits] regular expression
|   1) [37] <HOST> - - .* 400 157 .* "-"$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [125] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 125 lines, 0 ignored, 37 matched, 88 missed
[processed in 0.07 sec]
Missed line(s): too many to print.  Use --print-all-missed to print all 88 lines
#服务启动后查看指定 jail 的状态（失败次数与已封锁的IP）
[root@proxy ~]# fail2ban-client status ssh-ip
Status for the jail: ssh-ip
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- File list:    /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list:   192.168.120.18
#检查 fail2ban 生成的 iptables 链（f2b-<jail名称>）
[root@proxy ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1326  103K f2b-ssh-ip  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 f2b-HTTP_V2RAY  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain f2b-HTTP_V2RAY (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-ssh-ip (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 REJECT     all  --  *      *       192.168.120.18       0.0.0.0/0            reject-with icmp-port-unreachable
 1324  103K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
# 解禁一个特定IP；注意 set 后面是上面配置的 jail 名称
[root@proxy ~]# fail2ban-client set ssh-ip unbanip 192.168.120.18
1
[root@proxy ~]# iptables -nvL
Chain f2b-ssh-ip (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1449  112K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
#手动封锁一个IP（加入黑名单）
[root@proxy ~]# fail2ban-client set ssh-ip banip 192.168.120.7
1