Fail2ban watches your system logs, matches the error messages in them (by regular expression) and runs a corresponding blocking action (normally a call to the firewall). For example, when someone is probing your HTTP, SSH, SMTP or FTP passwords and the failures reach the count you preset, fail2ban calls the firewall to block that IP, and it can also e-mail the system administrator. A very practical and powerful tool!
Fail2ban is written in Python and builds on logwatch, gamin, iptables, tcp-wrapper, shorewall and the like. If you want e-mail notifications you also need postfix or sendmail installed.
On an Internet-facing host there is a great deal of malicious scanning and password guessing; pairing Fail2ban with iptables to get a dynamic firewall is a good solution.
Environment:
Official site: www.fail2ban.org; download the package from there.
CentOS 6.5: 192.168.253.137
1. Upload the package and install it
```
[root@localhost src]# tar xzf fail2ban-0.8.14.tar.gz
[root@localhost src]# cd fail2ban-0.8.14
[root@localhost fail2ban-0.8.14]# ls    # README holds the documentation
ChangeLog  COPYING          fail2ban-regex          files           MANIFEST        setup.cfg  TODO
client     DEVELOP          fail2ban-server         FILTERS         README.md       setup.py
common     doc              fail2ban-testcases      kill-server     README.Solaris  testcases
config     fail2ban-client  fail2ban-testcases-all  man             server          THANKS
[root@localhost fail2ban-0.8.14]# python setup.py install    # install
[root@localhost fail2ban-0.8.14]# ll /etc/fail2ban/
总用量 40
drwxr-xr-x. 2 root root  4096 4月  17 20:40 action.d       # actions: calling the firewall, sending notifications; needed
-rw-rw-r--. 1 root root  1525 8月  20 2014  fail2ban.conf  # main config file; defines log file locations and the like
drwxr-xr-x. 2 root root  4096 4月  17 20:40 fail2ban.d     # directory
drwxr-xr-x. 2 root root  4096 4月  17 20:40 filter.d
-rw-rw-r--. 1 root root 19316 8月  20 2014  jail.conf      # main config file; defines the thresholds above which an IP is blocked
drwxr-xr-x. 2 root root  4096 4月  17 20:40 jail.d
```
2. Edit the configuration file
```
[root@localhost fail2ban-0.8.14]# cd /etc/fail2ban/
[root@localhost fail2ban]# vim jail.conf
bantime  = 60      # ban duration: an IP is blocked for one minute
findtime = 60      # window: 3 failures within one minute start a one-minute ban
maxretry = 3       # 3 failures within one minute and the IP is blocked

[ssh-iptables]     # invokes the firewall rules

enabled  = true    # must be switched on
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure    # must be changed to /var/log/secure
maxretry = 5
```
3. Add the init script
```
[root@localhost fail2ban]# cd /usr/local/src/fail2ban-0.8.14
[root@localhost fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban
[root@localhost fail2ban-0.8.14]# service fail2ban start
启动fail2ban:                                              [确定]
```
4. Test
```
[root@localhost ~]# service iptables start
iptables:应用防火墙规则:                                   [确定]

### test from another server
[root@hya ~]# ssh 192.168.253.137
# after three wrong passwords the IP is blocked
ssh: connect to host 192.168.253.137 port 22: Connection refused

### check the status on the host
[root@localhost ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 1
|  `- Total failed:     12
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.253.130    # this IP is now banned
   `- Total banned:     2
```
What to do if an IP was banned by mistake: edit /var/log/secure, delete the lines below, then restart fail2ban.
```
[root@localhost ~]# vim /var/log/secure
Apr 17 21:19:18 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:19 localhost unix_chkpwd[26467]: password check failed for user (root)
Apr 17 21:19:22 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:22 localhost unix_chkpwd[26468]: password check failed for user (root)
Apr 17 21:19:24 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:21:11 localhost sshd[26465]: Connection closed by 192.168.253.130
Apr 17 21:21:11 localhost sshd[26464]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty= ssh ruser= rhost=192.168.253.130 user=root
```
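As an added illustration (written for this page, not code from the original post or from fail2ban itself), the Python below replays the jail's counting over log lines modelled on the /var/log/secure excerpt: a regex standing in for filter.d/sshd.conf, the findtime/maxretry window, and bantime expiry. Running it with maxretry=3 and maxretry=5 shows the effect of the jail's own maxretry = 5 overriding the global value of 3 in jail.conf. It assumes the year 2020 (syslog lines carry none), and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified match for sshd's "Failed password" line. Constructed for this example;
# fail2ban's own filter.d/sshd.conf regex covers many more message variants.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample modelled on the /var/log/secure excerpt above.
SAMPLE_LOG = """\
Apr 17 21:19:18 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:19 localhost unix_chkpwd[26467]: password check failed for user (root)
Apr 17 21:19:22 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:24 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:21:11 localhost sshd[26465]: Connection closed by 192.168.253.130
""".splitlines()


def parse_failures(lines, year=2020):
    """Yield (timestamp, ip) for every line the filter matches; the year is assumed."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


def bans(lines, findtime=60, maxretry=3, year=2020):
    """Return {ip: time_banned} for IPs reaching maxretry failures inside a findtime-second window."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip in parse_failures(lines, year):
        if ip in banned:
            continue  # already banned; nothing more to do for this IP
        # drop failures older than findtime, then record this one
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


def ban_expiry(banned, ip, bantime=60):
    """When the ban is lifted: bantime seconds after it was set (None if the IP is not banned)."""
    return banned[ip] + timedelta(seconds=bantime) if ip in banned else None


if __name__ == "__main__":
    for retries in (3, 5):  # global maxretry versus the jail's own override
        print(f"maxretry={retries}:", bans(SAMPLE_LOG, maxretry=retries))
```

With maxretry=3 the three failures between 21:19:18 and 21:19:24 trigger a ban at 21:19:24 that expires at 21:20:24; with the jail's maxretry=5 the same lines ban nothing. To lift a mistaken ban without editing an audit log, fail2ban-client also provides `set ssh-iptables unbanip <ip>`.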
Reposted from CSDN; author: Hya、
Original link: https://blog.csdn.net/yeyslspi59/article/details/108054856