fail2ban

https://linux.cn/article-5067-1.html

http://www.361way.com/fail2ban-nginx/1825.html

https://www.cnblogs.com/justdba/p/7231903.html

http://blog.iyunv.com/564.html

http://idc.wanyunshuju.com/li/8.html

https://www.nginx.com/blog/dynamic-ip-blacklisting-with-nginx-plus-and-fail2ban/

Introduction to fail2ban

fail2ban monitors your system logs, matches the error messages in them (with regular expressions) and runs the corresponding blocking action (usually a firewall rule); it can also e-mail the system administrator. Nice, practical and powerful!

A brief overview of fail2ban's features:

1. Supports a large number of services, e.g. sshd, apache, qmail, proftpd, sasl, etc.

2. Supports several kinds of actions, e.g. firewalld, tcp-wrapper, shorewall (a third-party tool for firewalld), mail notifications, etc.

3. Supports wildcards in the logpath option.

4. Requires Gamin (Gamin is a service that monitors files and directories for changes).

5. Requires python, firewalld, tcp-wrapper, shorewall and Gamin. If you want mail notifications, postfix/sendmail must be installed as well.

Check whether firewalld is enabled

    # If iptables is installed, it is recommended to stop it first
    service iptables stop
    # Check firewalld status
    firewall-cmd --state
    # Start firewalld
    systemctl start firewalld
    # Enable it at boot
    systemctl enable firewalld.service

Once firewalld is enabled it blocks every port, so be sure to allow the ports you use or you will lock yourself out. The following allows the SSH port (22), for reference:

    # Allow port 22
    firewall-cmd --zone=public --add-port=22/tcp --permanent
    # Reload the configuration
    firewall-cmd --reload
    # List the allowed ports
    firewall-cmd --zone=public --list-ports

fail2ban installation and configuration walkthrough

Install the EPEL repository: http://fedoraproject.org/wiki/EPEL/zh-cn . Then run:

    # yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

or:

    # yum install gamin-python python-inotify python-ctypes
    # wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
    # rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

or:

    # yum install gamin-python python-inotify python-ctypes
    # wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
    # rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

Installing from the source tarball

    # Install fail2ban
    yum -y install fail2ban
    # wget -O fail2ban-0.9.0.tar.gz https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
    # tar -xzvf fail2ban-0.9.0.tar.gz
    # cd fail2ban-0.9.0
    # ./setup.py install
    # cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
    # chmod +x /lib/svc/method/svc-fail2ban

Installation paths

The configuration directory looks like this:

    /etc/fail2ban
    action.d  filter.d  fail2ban.conf  jail.conf

After installation the fail2ban configuration lives in /etc/fail2ban. jail.conf is the main configuration file and the matching rules are in the filter.d directory; the other directories and files are rarely needed, search for them if you want the details.


Configuring rules

Create jail.local to override some of fail2ban's default rules:

# Create the configuration

    vi /etc/fail2ban/jail.local

# Default section

    [DEFAULT]
    # IP whitelist
    ignoreip = 127.0.0.1/8
    # Ban duration in seconds; 24 hours here
    bantime = 86400
    # Detection window in seconds; failures are counted within 600 s
    findtime = 600
    # Maximum number of failures allowed
    maxretry = 5
    # banaction must be firewallcmd-ipset here, that is what makes firewalld work; do not use this with plain iptables
    banaction = firewallcmd-ipset
    action = %(action_mwl)s

Parameter notes:

ignoreip: IP whitelist; IPs in it are never blocked. Multiple entries can be given, separated by commas (,)

bantime: how long to block, in seconds (s)

findtime: the time window over which failures are counted

maxretry: maximum number of failures

banaction: the method used to block the IP; above, firewalld is used to block the port

Preventing SSH brute force

If you still use the default SSH port (22) you are probably scanned every day. You can change the port to avoid most scans, switch to key-based (passwordless) SSH login, or use fail2ban to block the malicious IPs.

Continue editing jail.local and append the following:

    [sshd]
    enabled = true
    filter = sshd
    port = 22
    action = %(action_mwl)s
    logpath = /var/log/secure

Parameter notes:

[sshd]: the jail name; any name will do

enabled = true: whether the jail is enabled

filter: the rule name; it must be a rule found in the filter.d directory. sshd is a rule shipped with fail2ban

port: the port the jail protects

action: the action to take

bantime: ban duration, in seconds

findtime: the window over which failures are counted; when the threshold is reached within it, the ban is applied. In seconds

maxretry: number of failures allowed

logpath: path of the log file to monitor

At this point our jail.local probably looks like this:

Method one:

    [DEFAULT]
    ignoreip = 127.0.0.1/8
    bantime = 86400
    findtime = 600
    maxretry = 5
    banaction = firewallcmd-ipset
    action = %(action_mwl)s

    [sshd]
    enabled = true
    filter = sshd
    port = 22
    action = %(action_mwl)s
    logpath = /var/log/secure

This configuration means: if the same IP fails more than 5 times in a row within 10 minutes, firewalld bans that IP. Run systemctl start fail2ban to start fail2ban and try it out.

Method two:

    [DEFAULT]
    bantime = 86400
    findtime = 300
    maxretry = 3
    sender = fail2ban@ifshow.com
    destemail = admin@ifshow.com
    action = %(action_mwl)s

    [sshd]
    enabled = true
    port = 2345

    [sshd-ddos]
    enabled = true
    port = 2345

bantime is how long a banned IP stays blocked; set to 24 hours here, in seconds.

findtime is the detection window; exceeding the allowed count within it triggers fail2ban. In seconds.

maxretry is the maximum number of failed logins allowed; it works together with findtime.

sender is the mail sender, destemail the mailbox that receives the notifications.

action is what fail2ban does when triggered; action_mwl bans the IP, sends a notification mail and writes to the log.

In the sshd block, enabled = true turns on protection of the SSH service; port is your custom SSH port.

In the sshd-ddos block, enabled = true turns on SSH-DDOS protection; port is your custom SSH port.

If vsftpd is installed, add the following at the end of the configuration (port is vsftpd's login and data ports):

    [vsftpd]
    enabled = true
    port = 2121,2122

Use another server to connect over SSH repeatedly with a wrong password; after more than 5 consecutive failures you will find you cannot connect at all, which means the IP has been banned. Run fail2ban-client status sshd to see the banned IPs, as in the screenshot below.

Preventing CC attacks

Using Nginx as the example, fail2ban monitors the nginx log, matches IPs that send many requests in a short time and blocks them with firewalld, which gives CC (HTTP flood) protection.

# First create an nginx log matching rule

    vi /etc/fail2ban/filter.d/nginx-cc.conf

# with the following content

    [Definition]
    failregex = <HOST> -.*- .*HTTP/1.* .* .*$
    ignoreregex =

Continue editing jail.local and append the following:

    [nginx-cc]
    enabled = true
    port = http,https
    filter = nginx-cc
    action = %(action_mwl)s
    maxretry = 20
    findtime = 60
    bantime = 3600
    logpath = /usr/local/nginx/logs/access.log

This configuration means: if the same IP reaches 20 requests within 60 s, it is banned for 1 hour. These values are only for testing; adjust them to your actual situation. logpath is the path of the nginx log.

Preventing WordPress brute force

If you analyse your logs regularly you will see many bots scanning the WordPress login page wp-login.php. They probably did not succeed, but to be safe it is better to block their IPs anyway.

# First create an nginx log matching rule

    vi /etc/fail2ban/filter.d/wordpress.conf

# with the following content

    [Definition]
    failregex = ^<HOST> -.* /wp-login.php.* HTTP/1\.."
    ignoreregex =

Continue editing jail.local and append the following:

    [wordpress]
    enabled = true
    port = http,https
    filter = wordpress
    action = %(action_mwl)s
    maxretry = 20
    findtime = 60
    bantime = 3600
    logpath = /usr/local/nginx/logs/access.log

Of course, don't forget to run systemctl restart fail2ban so the new rules take effect.
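To see what the sshd, nginx-cc and wordpress jails above actually count, here is an added Python example (not fail2ban's code and not from the original post) that applies a failregex with fail2ban's <HOST> expansion to constructed log lines and reports which hosts reach maxretry within a sliding findtime window. The log lines, the simplified sshd failregex and the year 2019 assumed for syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"  # fail2ban's own default expansion of <HOST>
SSHD_FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"  # simplified sshd filter (assumption)
NGINX_CC_FAILREGEX = r"<HOST> -.*- .*HTTP/1.* .* .*$"                 # the nginx-cc filter from this post
SYSLOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
NGINX_TS = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)")
def syslog_time(line):  # /var/log/secure carries no year; the sample below is assumed to be from 2019
    return datetime.strptime(SYSLOG_TS.match(line).group(1) + " 2019", "%b %d %H:%M:%S %Y").timestamp()
def nginx_time(line):
    return datetime.strptime(NGINX_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S").timestamp()

def banned_hosts(lines, failregex, parse_time, findtime, maxretry):
    """Hosts reaching maxretry matches in a sliding findtime window (fail2ban's jail logic, minus the date stripping fail2ban does before matching)."""
    rx = re.compile(failregex.replace("<HOST>", HOST_RE))
    recent, banned = defaultdict(deque), []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_time(line)
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample logs, not real traffic.
SECURE_LOG = [
    f"Dec 10 10:0{i}:00 web1 sshd[1000]: Failed password for root from 203.0.113.5 port 4{i}000 ssh2"
    for i in range(6)  # 6 failures in 5 minutes: banned with maxretry=5, findtime=600
] + [
    "Dec 10 10:00:30 web1 sshd[1001]: Failed password for admin from 198.51.100.7 port 5000 ssh2",
    "Dec 10 10:21:00 web1 sshd[1003]: Accepted publickey for deploy from 192.0.2.1 port 6000 ssh2",
]
ACCESS_LOG = [
    f'203.0.113.9 - - [10/Dec/2019:10:00:{s:02d} +0000] "GET /?q={s} HTTP/1.1" 200 612 "-" "curl"'
    for s in range(25)  # 25 requests in 25 s: banned with maxretry=20, findtime=60
] + [
    f'192.0.2.1 - - [10/Dec/2019:10:{m:02d}:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla"'
    for m in range(5)   # 5 requests over 4 minutes: not banned
]

def sshd_jail():
    return banned_hosts(SECURE_LOG, SSHD_FAILREGEX, syslog_time, findtime=600, maxretry=5)
def nginx_cc_jail():
    return banned_hosts(ACCESS_LOG, NGINX_CC_FAILREGEX, nginx_time, findtime=60, maxretry=20)
```

The wordpress filter works the same way with ACCESS_LOG-style lines; note that the nginx-cc regex matches every request line, so it counts all traffic from a host, not only failures.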

Mail server protection rules

    [sasl-iptables]
    enabled = true
    filter = postfix-sasl
    backend = polling
    action = %(action_mwl)s
    logpath = /var/log/mail.log

    [dovecot]
    enabled = true
    filter = dovecot
    action = %(action_mwl)s
    logpath = /var/log/mail.log

    [dovecot-auth]
    enabled = true
    filter = dovecot
    action = %(action_mwl)s
    logpath = /var/log/secure

    [perdition]
    enabled = true
    filter = perdition
    action = %(action_mwl)s
    logpath = /var/log/maillog

    [uwimap-auth]
    enabled = true
    filter = uwimap-auth
    action = %(action_mwl)s
    logpath = /var/log/maillog

# vi /etc/fail2ban.conf

 

SSH protection rules

    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
    logpath = /var/log/secure
    maxretry = 5

    [ssh-ddos]
    enabled = true
    filter = sshd-ddos
    action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
    logpath = /var/log/messages
    maxretry = 2

    [osx-ssh-ipfw]
    enabled = true
    filter = sshd
    action = osx-ipfw
    logpath = /var/log/secure.log
    maxretry = 5

    [ssh-apf]
    enabled = true
    filter = sshd
    action = apf[name=SSH]
    logpath = /var/log/secure
    maxretry = 5

    [osx-ssh-afctl]
    enabled = true
    filter = sshd
    action = osx-afctl[bantime=600]
    logpath = /var/log/secure.log
    maxretry = 5

    [selinux-ssh]
    enabled = true
    filter = selinux-ssh
    action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
    logpath = /var/log/audit/audit.log
    maxretry = 5

proftpd protection rules

    [proftpd-iptables]
    enabled = true
    filter = proftpd
    action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
             sendmail-whois[name=ProFTPD, dest=you@example.com]
    logpath = /var/log/proftpd/proftpd.log
    maxretry = 6

apache protection rules

    [apache-tcpwrapper]
    enabled = true
    filter = apache-auth
    action = hostsdeny
    logpath = /var/log/httpd/error_log
    maxretry = 6

    [apache-badbots]
    enabled = true
    filter = apache-badbots
    action = iptables-multiport[name=BadBots, port="http,https"]
             sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
    logpath = /var/log/httpd/access_log
    bantime = 172800
    maxretry = 1

    [apache-shorewall]
    enabled = true
    filter = apache-noscript
    action = shorewall
             sendmail[name=Postfix, dest=you@example.com]
    logpath = /var/log/httpd/error_log

nginx protection rules

    [nginx-http-auth]
    enabled = true
    filter = nginx-http-auth
    action = iptables-multiport[name=nginx-http-auth,port="80,443"]
    logpath = /var/log/nginx/error.log

lighttpd protection rules

    [suhosin]
    enabled = true
    filter = suhosin
    action = iptables-multiport[name=suhosin, port="http,https"]
    # adapt the following two items as needed
    logpath = /var/log/lighttpd/error.log
    maxretry = 2

    [lighttpd-auth]
    enabled = true
    filter = lighttpd-auth
    action = iptables-multiport[name=lighttpd-auth, port="http,https"]
    # adapt the following two items as needed
    logpath = /var/log/lighttpd/error.log
    maxretry = 2

vsftpd protection rules

    [vsftpd-notification]
    enabled = true
    filter = vsftpd
    action = sendmail-whois[name=VSFTPD, dest=you@example.com]
    logpath = /var/log/vsftpd.log
    maxretry = 5
    bantime = 1800

    [vsftpd-iptables]
    enabled = true
    filter = vsftpd
    action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
             sendmail-whois[name=VSFTPD, dest=you@example.com]
    logpath = /var/log/vsftpd.log
    maxretry = 5
    bantime = 1800

pure-ftpd protection rules

    [pure-ftpd]
    enabled = true
    filter = pure-ftpd
    action = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
    logpath = /var/log/pureftpd.log
    maxretry = 2
    bantime = 86400

mysql protection rules

    [mysqld-iptables]
    enabled = true
    filter = mysqld-auth
    action = iptables[name=mysql, port=3306, protocol=tcp]
             sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
    logpath = /var/log/mysqld.log
    maxretry = 5

apache phpMyAdmin protection rules

    [apache-phpmyadmin]
    enabled = true
    filter = apache-phpmyadmin
    action = iptables[name=phpmyadmin, port=http,https protocol=tcp]
    logpath = /var/log/httpd/error_log
    maxretry = 3

# /etc/fail2ban/filter.d/apache-phpmyadmin.conf

Paste the following into apache-phpmyadmin.conf and save it; that creates the apache-phpmyadmin.conf filter file.

    # Fail2Ban configuration file
    #
    # Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
    #
    # Author: Gina Haeussge
    #
    [Definition]
    docroot = /var/www
    badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
    # Option: failregex
    # Notes.: Regexp to match often probed and not available phpmyadmin paths.
    # Values: TEXT
    #
    failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

# service fail2ban restart
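The apache-phpmyadmin filter relies on two fail2ban ini features, %(name)s interpolation and the <HOST> tag, and on [[] / []] to match literal brackets. As an added example (not fail2ban's code and not from the original post), the following loads that filter text with Python's configparser, which interpolates the same way, expands <HOST> with fail2ban's default host pattern and runs it over constructed Apache error_log lines; it also shows that, because the regex is not anchored at the end, a probe for /var/www/dbadmin is counted through the db alternative.

```python
import configparser
import re

HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"  # fail2ban's own default expansion of <HOST>

# The apache-phpmyadmin filter from the section above, embedded here for an offline check.
FILTER_INI = """
[Definition]
docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
ignoreregex =
"""

def load_failregex(ini_text):
    """Resolve %(name)s references inside [Definition], as fail2ban's ini reader does, then expand <HOST>."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(ini_text)
    return re.compile(cp["Definition"]["failregex"].replace("<HOST>", HOST_RE))

def probing_hosts(error_log_lines, ini_text=FILTER_INI):
    """Client IPs of the error_log lines the filter would count as failures, in log order."""
    rx = load_failregex(ini_text)
    return [m.group("host") for m in map(rx.search, error_log_lines) if m]

ERROR_LOG = [  # constructed Apache 2.2-style error_log lines, not real traffic
    "[Wed Dec 11 10:00:00 2019] [error] [client 203.0.113.4] File does not exist: /var/www/phpmyadmin",
    "[Wed Dec 11 10:00:01 2019] [error] [client 203.0.113.4] File does not exist: /var/www/PMA",
    "[Wed Dec 11 10:00:02 2019] [error] [client 198.51.100.2] File does not exist: /var/www/images/logo.png",
    "[Wed Dec 11 10:00:03 2019] [error] [client 198.51.100.2] File does not exist: /var/www/dbadmin",
]
```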

Common commands

    # Start
    systemctl start fail2ban
    systemctl start fail2ban.service
    # Stop
    systemctl stop fail2ban
    # Enable at boot
    systemctl enable fail2ban
    # Show banned IPs; sshd is the jail name, e.g. [wordpress] above
    fail2ban-client status sshd
    # Remove an IP from the sshd jail's ignoreip list
    fail2ban-client set sshd delignoreip 192.168.111.111
    # View the log
    tail /var/log/fail2ban.log
    # Default configuration
    vim /etc/fail2ban/jail.conf
    # Make sure the firewall is enabled
    systemctl enable firewalld
    systemctl start firewalld
    # Update the SELinux policy
    yum update -y selinux-policy*
    # Logging settings
    /etc/fail2ban/fail2ban.conf
    # Jail (blocking) settings
    /etc/fail2ban/jail.conf
    # Directory with the individual filter definitions
    /etc/fail2ban/filter.d
    # Show failed logins
    cat /var/log/secure | grep 'Failed password'
    # Unban an IP
    fail2ban-client set sshd unbanip IPADDRESS

fail2ban ships with many matching rules in the filter.d directory, covering the common SSH/FTP/Nginx/Apache logs and more. If none of them fits your needs, you can write your own rules to match abusive IPs. Using fail2ban together with firewalld to block malicious IPs is an effective approach and greatly improves server security.

Published: 12 December 2019    Category: Uncategorized
