fail2ban安装配置

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了fail2ban安装配置相关的知识,希望对你有一定的参考价值。

fail2ban安装配置

 

1      前言

fail2ban是一款实用软件,可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作。

l  支持大量服务。如sshd,apache,qmail,proftpd,sasl等等

l  支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。

l  在logpath选项中支持通配符

l  需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)

l  需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix或sendmail

 

2      安装配置

2.1  yum安装

yum install fail2ban

2.2  配置

2.2.1      配置架构

/etc/fail2ban/fail2ban.conf 日志设定文档

/etc/fail2ban/jail.conf 阻挡设定文档

/etc/fail2ban/filter.d 具体阻挡内容设定目录

2.2.2      jail.conf配置

主要配置解释:

#此ip或者ip段为例外,不受以下条件影响
ignoreip = 127.0.0.1
# 封锁时间(如一天为:86400)
bantime  = 600
# 在多长时间以内达到条件则开始执行封锁,如600秒达到3次则执行。 # 单位:秒
findtime  = 600
# 在以上条件的出错次数,如600秒达到3次则执行。
# 单位:次
maxretry = 3

ssh配置示例解释:

[ssh-iptables]
 
enabled  = false   #是否开启,开启则为true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]  #post为端口号
           sendmail-whois[name=SSH, [email protected], [email protected]]
#上方红色字[email protected],则为您的邮箱地址和发送人地址(建议一样)
#发信需要sendmail服务的支持,如果没有此服务或不需要发信可在sendmail前加#号注释掉。
logpath  = /var/log/sshd.log    #相应错误日志,一般为:/var/log/secure
maxretry = 5    #尝试错误次数

apache配置:

# 检测密码认证失败
[apache-auth]
enabled = true
port     = http,https
filter = apache-auth
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 5
bantime = 3600
 
# 检测抓取邮件地址的爬虫
 [apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port     = http,https
filter = apache-badbots
logpath = /var/log/httpd/*access*
#logpath  = %(apache_access_log)s
bantime  = 172800
maxretry = 1
 
# 检测漏洞和 php 脆弱性扫描
 [apache-noscript]
enabled = true
port     = http,https
filter = apache-noscript
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 5
bantime = 3600
 
# 检测 Apache 溢出攻击
 [apache-overflows]
enabled = true
port     = http,https
filter = apache-overflows
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
# 检测在服务器寻找主目录的尝试
[apache-nohome]
enabled = true
port     = http,https
filter = apache-nohome
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
 
[apache-botsearch]
enabled = true
port     = http,https
filter = apache-botsearch
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
[apache-fakegooglebot]
enabled = true
port     = http,https
filter = apache-fakegooglebot
logpath = /var/log/httpd/*access*
#logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
bantime = 3600
 
[apache-modsecurity]
enabled = true
port     = http,https
filter = apache-modsecurity
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
[apache-shellshock]
enabled = true
port    = http,https
filter = apache-shellshock
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 1
bantime = 3600

wordpress配置:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/*access*
maxretry = 2
findtime = 60
bantime = 3600
port = http,https

2.2.3      fail2ban.conf配置

开启日志:

vi /etc/fail2ban/fail2ban.conf

logtarget = /var/log/fail2ban.log

2.2.4      过滤规则

过滤规则配置文件目录:

/etc/fail2ban/filter.d/

 

wordpress 过滤规则配置:

vi /etc/fail2ban/filter.d/wordpress.conf

# WP brute force attacks filter
[Definition]
failregex = <HOST> .*-.*-.*POST.*/wp-login.php .* .* .*$
ignoreregex =

 

其他apache规则文件默认已经存在

 

2.2.5      动作规则

默认动作是iptables-multiport(定义在/etc/fail2ban/jail.conf中[DEFAULT]字段下的“banaction”中)。这个措施使用iptable的多端口模块禁止一个IP地址。

 

动作规则目录:

/etc/fail2ban/action.d/

 

2.2.6      启动fail2ban

/etc/init.d/fail2ban start

 

2.3  检查和管理fail2ban禁止状态

监狱一旦激活后,你可以用fail2ban的客户端命令行工具来监测当前的禁止状态。

 

查看激活的监狱列表:

fail2ban-client status

查看特定监狱的状态(包含禁止的IP列表):

fail2ban-client status [监狱名]

技术分享

 

也可以手动禁止或者解禁IP地址:

要用制定监狱禁止IP:

fail2ban-client set [name-of-jail] banip [ip-address]

要解禁指定监狱屏蔽的IP:

fail2ban-client set [name-of-jail] unbanip [ip-address]


本文出自 “桃子技术” 博客,请务必保留此出处http://taozijishu.blog.51cto.com/11320335/1961316

以上是关于fail2ban安装配置的主要内容,如果未能解决你的问题,请参考以下文章

CentOS7安装Fail2Ban防止SSH被暴力破解

使用fail2ban屏蔽LINUX恶意暴力破解密码

在Ubuntu 22.04上使用Fail2Ban保护SSH

nginx下使用fail2ban防止网站被CC

实战 fail2ban 安装

CentOS 7安装fail2ban+Firewalld防止SSH爆破