My VPS has been getting attacked constantly lately, so besides changing the SSH port it's time to set up some real defenses.
There are plenty of tutorials online, but not all of them apply to CentOS 7, so here are my notes.
Installing fail2ban
The commands below build the 0.8.14 release from the GitHub source tarball. Note that the 0.8 series is old and runs on Python 2 only; on CentOS 7 the packaged build from EPEL (yum install epel-release, then yum install fail2ban) is the simpler route and ships the systemd unit file, which a source build does not install for you.
wget https://github.com/fail2ban/fail2ban/archive/0.8.14.tar.gz
tar -zxvf 0.8.14.tar.gz
cd fail2ban-0.8.14
python setup.py install
Starting it
systemctl start fail2ban
systemctl enable fail2ban
Common commands
See fail2ban-client --help
for the full list.
When I restart the fail2ban service with systemctl restart fail2ban
it throws an error, so I just use fail2ban-client restart instead. After editing a jail you can also use fail2ban-client reload, which re-reads the configuration without stopping the server.
General configuration
All configuration files live in /etc/fail2ban. jail.conf provides a large number of ready-made jail definitions that are worth reading, but it is best not to edit it, since an upgrade overwrites it; overrides belong in jail.local, and I recommend putting each jail in its own file under jail.d.
First, vim /etc/fail2ban/jail.local. Keep the comments on their own lines: fail2ban's config parser does not treat a '#' in the middle of a line as a comment, so a trailing "# ..." would become part of the value.
[DEFAULT]
# addresses that are never banned; add your own management IP here so you cannot lock yourself out
ignoreip = 127.0.0.1/8
# how long a banned address stays in the jail, in seconds (964380 is about 11 days)
bantime = 964380
# window, in seconds, within which the failures must occur to trigger a ban
findtime = 3600
# number of failures allowed inside findtime
maxretry = 3
vim /etc/fail2ban/jail.d/00-firewalld.conf
[DEFAULT]
banaction = firewallcmd-ipset
action = %(action_mwl)s
firewallcmd-ipset needs firewalld running and the ipset package installed. action_mwl bans and additionally mails a report with whois output and the matching log lines, so it needs a working sendmail-compatible MTA and the whois command on the box; if you don't have those, use action = %(action_)s, which only bans.
SSH
vim /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
filter = sshd
# the SSH port; change this if sshd listens somewhere else (keep the comment on its own line)
port = 22
action = %(action_mwl)s
# on CentOS 7 rsyslog writes sshd's authentication messages here
logpath = /var/log/secure
fail2ban-client restart
vsftpd
Edit /etc/vsftpd/vsftpd.conf so that vsftpd writes its own-format log, which is where the "FAIL LOGIN" lines that fail2ban's vsftpd filter matches end up:
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=YES
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
systemctl restart vsftpd
vim /etc/fail2ban/jail.d/vsftpd.local
[vsftpd]
enabled = true
filter = vsftpd
port = ftp,ftp-data,ftps,ftps-data
action = %(action_mwl)s
logpath = /var/log/vsftpd.log
fail2ban-client restart
nginx
None of the nginx filters that ship with fail2ban seem to fit this case, so write one.
First look at /var/log/nginx/access.log and find the 404 requests; a line (combined log format) looks roughly like this:
49.235.190.53 - - [18/Nov/2019:14:10:06 +0800] "GET /TP/public/index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" "-"
Write a rule (fail2ban expands <HOST> into the capture group for the address to ban):
vim /etc/fail2ban/filter.d/nginx.conf
[Definition]
failregex = <HOST> -.*- .*HTTP\/1.* 404 .*$
ignoreregex =
Note that this pattern is unanchored and greedy: any " 404 " after the request line, including one inside the referer or user-agent string, also counts as a hit. Run fail2ban-regex against the real access log to see exactly which lines the filter matches before enabling the jail.
vim /etc/fail2ban/jail.d/nginx.local
[nginx]
enabled = true
filter = nginx
port = http,https
action = %(action_mwl)s
logpath = /var/log/nginx/access.log
findtime = 60
maxretry = 5
fail2ban-client restart
Keep in mind that 404s also come from legitimate visitors (a missing favicon, stale links, a page with a few broken images), so five in a minute can ban a real user; watch the jail for a while and raise maxretry or add an ignoreregex if that happens.
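As an added example (not part of the original notes and not fail2ban's own code), the Python below runs the failregex above over a handful of constructed nginx access-log lines and applies the findtime/maxretry window the way the jail does, so you can see what the filter would catch and what the [DEFAULT] findtime/maxretry settings actually mean. It also carries a tighter, anchored pattern (my suggestion, not from the page) side by side with the page's pattern: the loose one counts a " 404 " inside the referer as a hit, the tight one only counts the status field. The host-group expansion mirrors what fail2ban substitutes for <HOST>; the log lines and addresses are made up.

```python
"""Added example: run a fail2ban-style failregex over constructed nginx access
log lines and apply the jail's findtime/maxretry window to the matches.

Not fail2ban's own code. It imitates two things fail2ban does before banning:
  1. expand the <HOST> placeholder into a named capture group, and
  2. count matches per host inside a sliding findtime window.
The log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# What fail2ban substitutes for <HOST> before compiling a failregex
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The filter from the page: unanchored and greedy
LOOSE_FAILREGEX = r"<HOST> -.*- .*HTTP\/1.* 404 .*$"
# Tighter alternative (assumption, not from the page): anchored at line start,
# walks the ident, user and timestamp fields and the quoted request line, and
# requires the status field itself to be 404.
TIGHT_FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "[^"]*" 404 \d+ '

NGINX_TS = "%d/%b/%Y:%H:%M:%S %z"      # e.g. 18/Nov/2019:14:10:06 +0800
TS_RE = re.compile(r"\[([^\]]+)\]")

# Constructed sample lines in nginx's combined format. 203.0.113.7 is a scanner
# probing well-known paths; 198.51.100.4 is a normal visitor whose browser also
# asks for a missing favicon and whose referer happens to contain " 404 ".
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2019:14:10:01 +0800] "GET /TP/public/index.php HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [18/Nov/2019:14:10:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [18/Nov/2019:14:10:03 +0800] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [18/Nov/2019:14:10:04 +0800] "GET /.env HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [18/Nov/2019:14:10:05 +0800] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner"
198.51.100.4 - - [18/Nov/2019:14:10:06 +0800] "GET /index.html HTTP/1.1" 200 2048 "http://example.org/docs/error 404 codes" "Mozilla/5.0"
198.51.100.4 - - [18/Nov/2019:14:10:07 +0800] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def failures(pattern, lines):
    """Return (host, timestamp) for every line the failregex hits."""
    rx = compile_failregex(pattern)
    hits = []
    for line in lines:
        m = rx.search(line)  # search, because the page's pattern is unanchored
        if not m:
            continue
        ts = datetime.strptime(TS_RE.search(line).group(1), NGINX_TS)
        hits.append((m.group("host"), ts))
    return hits


def hits_per_host(pattern, lines):
    """How many lines each host matched, regardless of timing."""
    counts = defaultdict(int)
    for host, _ in failures(pattern, lines):
        counts[host] += 1
    return dict(counts)


def offenders(pattern, lines, findtime=60, maxretry=5):
    """Hosts that reach maxretry matches inside some findtime-second window,
    which is the condition under which the jail would ban them."""
    per_host = defaultdict(list)
    for host, ts in failures(pattern, lines):
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it is within findtime of t
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, pattern in (("loose", LOOSE_FAILREGEX), ("tight", TIGHT_FAILREGEX)):
        print(name, "hits per host:", hits_per_host(pattern, lines))
        print(name, "banned at findtime=60 maxretry=5:", offenders(pattern, lines))
        print(name, "banned at findtime=60 maxretry=2:", offenders(pattern, lines, maxretry=2))
```

With the jail's own settings (findtime 60, maxretry 5) both patterns ban only the scanner, but the loose pattern credits the ordinary visitor with two hits (the referer line plus the favicon) where the tight one credits one, so at a lower maxretry the loose pattern would ban a real user. Dropping findtime to 3 seconds shows the other side of the window: five hits spread over four seconds no longer fit, and nobody is banned.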
Checking jail status
fail2ban-client status on its own lists the running jails; with a jail name it shows that jail's failure and ban counts and the currently banned addresses:
fail2ban-client status sshd
fail2ban-client status nginx
fail2ban-client status vsftpd
The firewall side can be checked directly. The ipset names use the f2b- prefix; if ipset list f2b-sshd reports no such set, run ipset list with no name to see what your fail2ban version actually created, since older releases used a different prefix.
firewall-cmd --direct --get-all-rules
ipset list f2b-sshd
ipset list f2b-nginx
ipset list f2b-vsftpd
If the jail is empty (nothing banned yet), firewall-cmd --direct --get-all-rules prints no output.