Install fail2ban
apt install -y fail2ban sendmail mailutils
/etc/init.d/sendmail start
The sendmail and mailutils packages are only needed for the sendmail-whois mail notification used in the jail below; if you do not want mail alerts, fail2ban alone is enough.
Configure fail2ban
Add the following jail. The original puts it straight into /etc/fail2ban/jail.conf; that file is replaced on package upgrade, so prefer a drop-in with the same syntax, /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/opensips.conf, which overrides jail.conf:
[opensips]
enabled = true
filter = opensips
action = iptables-allports[name=opensips, protocol=all]
         sendmail-whois[name=opensips, dest=xx@xx, sender=xx@xx]
logpath = /var/log/opensips/opensips.log
maxretry = 5
bantime = 3600
Note: after 5 failures the IP is blacklisted for one hour (3600 s). The sendmail-whois line must be indented so fail2ban reads it as a continuation of the action value; replace dest/sender with real addresses. iptables-allports with protocol=all drops every packet from the banned address, not only SIP, and the 5 failures are counted inside fail2ban's findtime window (default 600 s, since this jail does not set it).
Create the filter file /etc/fail2ban/filter.d/opensips.conf with the following content:
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = opensips
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#failregex = Auth error for .* from <HOST> cause -[0-9]
# The second pattern is a continuation of failregex: indent it with 4 spaces.
failregex = Authentication failed for .* from <HOST> cause -[0-9]
    Invite failed for .* from <HOST> .* cause -[0-9]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Two things to check here. The patterns have to match, word for word, the text your opensips.cfg writes with xlog(): the original had "Inivte failed" in the second pattern, which can never match and is corrected above. And the note about indentation belongs on its own comment line, as above, not as a trailing "# ..." on the regex line, where it would end up inside the pattern.
Restart fail2ban: /etc/init.d/fail2ban restart
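To check what the jail and filter above will actually do before relying on them, here is an added Python example (not code from this page, fail2ban or OpenSIPS). It re-implements the core of the jail: the two failregex lines with <HOST> expanded exactly as fail2ban's filter comments describe, per-host counting inside a findtime window, a ban when maxretry is reached, and an ignoreip whitelist. The log lines are constructed, findtime is assumed to be fail2ban's default (the jail does not set it), and the year is fixed because syslog timestamps carry none.

```python
#!/usr/bin/env python3
"""Replay the opensips fail2ban filter and jail thresholds over sample log lines.

Added example, not code from the page, fail2ban or OpenSIPS. Assumptions:
findtime = fail2ban default, year fixed, whitelist and log lines made up.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this group (quoted in the filter's comments).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from /etc/fail2ban/filter.d/opensips.conf.
FAILREGEX = [
    r"Authentication failed for .* from <HOST> cause -[0-9]",
    r"Invite failed for .* from <HOST> .* cause -[0-9]",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

MAXRETRY = 5      # jail: maxretry = 5
BANTIME = 3600    # jail: bantime = 3600 seconds
FINDTIME = 600    # fail2ban default (assumed; the jail above does not set it)
IGNOREIP = ["127.0.0.0/8", "192.168.1.8"]   # assumed whitelist, as set with addignoreip
YEAR = 2024       # syslog lines carry no year; fixed so the replay is reproducible

# Syslog prefix OpenSIPS writes: "Mar  3 10:00:01 host /usr/sbin/opensips[pid]: msg"
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def parse_ts(line):
    """Timestamp of a syslog-prefixed line, or None if the prefix is absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def is_ignored(host, ignore=IGNOREIP):
    """True when host falls inside an ignoreip entry (hostnames never do here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignore)


def replay(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return (bans, matched, missed); bans maps host -> datetime the ban expires."""
    window = timedelta(seconds=findtime)
    failures = {}                        # host -> failure timestamps still inside the window
    bans, matched, missed = {}, 0, 0
    for line in log_text.splitlines():
        hit = next((m for m in (rx.search(line) for rx in COMPILED) if m), None)
        ts = parse_ts(line)
        if hit is None or ts is None:
            missed += 1                  # fail2ban-regex would list this as "missed"
            continue
        matched += 1
        host = hit.group("host")
        if is_ignored(host) or host in bans:
            continue                     # whitelisted, or already banned
        recent = [t for t in failures.get(host, []) if ts - t <= window] + [ts]
        failures[host] = recent
        if len(recent) >= maxretry:      # maxretry hits inside findtime: ban
            bans[host] = ts + timedelta(seconds=bantime)
    return bans, matched, missed


# Constructed sample lines; attacker addresses are RFC 5737 documentation ranges.
PREFIX = "Develop01 /usr/sbin/opensips[1234]: "
AUTH = "Authentication failed for {} from {} cause -1"
INVITE = "Invite failed for sip:{}@example.com from {} INVITE cause -1"
EVENTS = [
    ("10:00:01", "INFO:registrar:save: 1001 registered from 198.51.100.7"),       # not a failure
    *[(f"10:00:{s:02d}", AUTH.format(1001, "203.0.113.10")) for s in range(5, 10)],  # 5 in 5 s: banned
    *[(f"10:02:{s:02d}", INVITE.format(1001, "203.0.113.44")) for s in range(0, 2)], # both patterns
    *[(f"10:02:{s:02d}", AUTH.format(1002, "203.0.113.44")) for s in range(2, 5)],   #   add up: banned
    *[(f"10:03:{s:02d}", AUTH.format(1001, "192.168.1.8")) for s in range(0, 5)],    # ignoreip: never
    *[(f"10:05:{s:02d}", AUTH.format(1001, "198.51.100.9")) for s in range(0, 4)],   # 4 in window...
    ("10:30:00", AUTH.format(1001, "198.51.100.9")),                                 # ...5th after findtime
]
SAMPLE_LOG = "\n".join(f"Mar  3 {t} {PREFIX}{msg}" for t, msg in EVENTS)

if __name__ == "__main__":
    bans, matched, missed = replay(SAMPLE_LOG)
    print(f"Lines: {matched} matched, {missed} missed")
    for host, until in sorted(bans.items()):
        print(f"ban {host} until {until:%Y-%m-%d %H:%M:%S}")
```

Run it as-is and only 203.0.113.10 and 203.0.113.44 end up banned: the whitelisted address is matched but never counted, and 198.51.100.9 reaches 5 failures in total but never 5 inside one findtime window, which is the behaviour the jail's maxretry/findtime pair gives you in production. Swap in your own log lines to confirm the patterns match what your opensips.cfg really writes.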
Common commands
Show the jail status: fail2ban-client status opensips
root@Develop01:/var/log/opensips# fail2ban-client status opensips
Status for the jail: opensips
|- filter
|  |- File list:        /var/log/opensips/opensips.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
For example, raise the ban time to one day (86400 s):
fail2ban-client set opensips bantime 86400
This changes the running jail only; to keep the new value across restarts, edit bantime in the jail file as well.
Re-read the configuration files:
fail2ban-client reload
Unban an IP:
fail2ban-client set opensips unbanip 8.8.8.8
• Blacklist operations (do not test the blacklist with your own IP; if you ban yourself you lose access to the machine)
• Ban an IP: fail2ban-client set opensips banip 192.168.1.8
• Unban an IP: fail2ban-client set opensips unbanip 192.168.1.8
• Whitelist operations
• Add an IP to the whitelist: fail2ban-client set opensips addignoreip 192.168.1.8
• Remove an IP from the whitelist: fail2ban-client set opensips delignoreip 192.168.1.8
• Unban an IP from every jail at once (fail2ban 0.10 and later): fail2ban-client unban 192.168.1.8
Note that unban is not a whitelist operation: the address can be banned again on the next maxretry failures, whereas addignoreip exempts it from counting.
Test the regular expressions against the real log: fail2ban-regex /var/log/opensips/opensips.log /etc/fail2ban/filter.d/opensips.conf
root@Develop01:/bin# fail2ban-regex /var/log/opensips/opensips.log /etc/fail2ban/filter.d/opensips.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/opensips.conf
Use log file : /var/log/opensips/opensips.log
Results
=======
Failregex: 9 total
|- #) [# of hits] regular expression
|  1) [9] Authentication failed for .* from <HOST> cause -[0-9]
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [110422] MONTH Day Hour:Minute:Second
`-
Lines: 110422 lines, 0 ignored, 9 matched, 110413 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 110413 lines
Read the summary carefully: every one of the 110422 lines got a date hit, so timestamp parsing is fine, but only the first pattern appears in the hit list, meaning the second pattern matched nothing in this log. Run fail2ban-regex again after any change to the filter, and if a pattern you expect to fire shows no hits, compare it character by character with the log line it should match.