I. Install and configure fail2ban
1. Install
yum -y install epel-release
yum -y install fail2ban
2. Start fail2ban and the firewall
systemctl enable fail2ban
systemctl start fail2ban
systemctl start firewalld
(On CentOS 7 the unit is firewalld, not firewall. The iptables action used below inserts fail2ban's own chain into iptables, which works alongside firewalld, but a firewall-cmd --reload can flush that chain; if you rely on firewalld, the fail2ban-firewalld package from EPEL ships a firewalld-based action instead.)
3. Edit the ban rules
Do not edit /etc/fail2ban/jail.conf directly: the package overwrites it on upgrade. Put your jail in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which overrides it key by key:
vim /etc/fail2ban/jail.local
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
#sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@email.com]
logpath = /var/log/secure
# at most three failed attempts ...
maxretry = 3
# ... within this window (counted per source IP) ...
findtime = 24h
# ... and the IP is banned for this long
bantime = 48h
(Each key appears once. Values must not carry trailing // comments: fail2ban's config parser would read "24h //..." as the value and reject it, so explanations go on their own # lines as above.)
4. Reload the configuration
fail2ban-client reload
A reload is enough for jail changes; restart the service only if the reload fails:
systemctl restart fail2ban
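To make concrete what maxretry, findtime and bantime mean in the jail above, here is an added example, not part of the original post and not fail2ban's own code: a small Python model of the jail's decision logic (simulate_jail and parse_duration are names chosen here) run over constructed /var/log/secure lines. The regex is a simplified stand-in for the "Failed password" pattern of the sshd filter, the year is pinned because syslog timestamps carry none, and the whitelist is passed in as ignoreip, the documented jail setting that the configuration above does not set. The 203.0.113.9 attempts show why findtime matters: three failures spread over three days never trigger a ban at findtime = 24h but do at 3d.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (not real traffic). Syslog
# timestamps carry no year; fail2ban assumes the current one, this model
# pins it so the arithmetic is deterministic.
YEAR = 2019
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:05 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:09 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:00:20 host sshd[1004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar  3 10:02:00 host sshd[1005]: Failed password for root from 192.0.2.10 port 60001 ssh2
Mar  3 10:02:01 host sshd[1006]: Failed password for root from 192.0.2.10 port 60002 ssh2
Mar  3 10:02:02 host sshd[1007]: Failed password for root from 192.0.2.10 port 60003 ssh2
Mar  3 10:02:03 host sshd[1008]: Accepted publickey for deploy from 192.0.2.10 port 60004 ssh2
Mar  3 10:05:00 host sshd[1009]: Failed password for root from 203.0.113.9 port 50001 ssh2
Mar  4 11:00:00 host sshd[1010]: Failed password for root from 203.0.113.9 port 50002 ssh2
Mar  5 12:00:00 host sshd[1011]: Failed password for root from 203.0.113.9 port 50003 ssh2
"""

# Simplified stand-in for the "Failed password" regex of fail2ban's sshd filter.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_duration(value):
    """Accept fail2ban-style durations: bare seconds or an s/m/h/d suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = value.strip()
    if value[-1] in units:
        return timedelta(seconds=int(value[:-1]) * units[value[-1]])
    return timedelta(seconds=int(value))


def simulate_jail(log_text, maxretry=3, findtime="24h", bantime="48h", ignoreip=()):
    """Replay log lines through the jail's rules. Returns a list of
    (ip, ban_start, ban_end) tuples in the order the bans would fire."""
    findtime_td = parse_duration(findtime)
    bantime_td = parse_duration(bantime)
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = {}      # ip -> timestamps of failures still inside the findtime window
    banned_until = {}  # ip -> when the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if any(ipaddress.ip_address(ip) in net for net in ignore_nets):
            continue  # whitelisted (ignoreip): never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue  # while banned, iptables drops the packets; nothing new is logged
        window = [t for t in failures.get(ip, []) if ts - t <= findtime_td]
        window.append(ts)
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime_td
            bans.append((ip, ts, ts + bantime_td))
            failures[ip] = []  # a ban resets the failure counter
        else:
            failures[ip] = window
    return bans


if __name__ == "__main__":
    for ip, start, end in simulate_jail(SAMPLE_LOG, ignoreip=["127.0.0.1/8"]):
        print(f"ban {ip} from {start} until {end}")
```

Run as a script it prints the bans for the sample, including 192.0.2.10, which is only spared when its network is passed in ignoreip; that is the setting to put in jail.local for the address you administer from, before testing a jail with deliberately wrong passwords.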
II. Common fail2ban commands (the fail2ban-client prefix is omitted throughout)
1. Basic commands

| Command | Purpose |
|---|---|
| start | Start the fail2ban server and its jails |
| reload | Reload the configuration files |
| stop | Stop fail2ban and its jails |
| status | Show the number and list of running jails |
| set loglevel <LEVEL> | Set the log level: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG |
| get loglevel | Show the current log level |
| set <JAIL> idle on/off | Pause (on) or resume (off) a jail |
| set <JAIL> addignoreip <IP> | Add an IP the jail should ignore (whitelist) |
| set <JAIL> delignoreip <IP> | Remove an IP from the jail's ignore list (remove from whitelist) |
| set <JAIL> banip <IP> | Ban an IP in the jail (blacklist) |
| set <JAIL> unbanip <IP> | Unban an IP in the jail (remove from blacklist) |
2. Check jail status
List the jail names:
fail2ban-client status
Returned result:
List the IPs that have been banned:
fail2ban-client status ssh-iptables
Returned result (no idea which bored big shot insisted on brute-forcing me):
III. Common errors
1. The host's SSH key changed
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:HDjXJvu0VYXWF+SKMZjSGn4FQmg/+w6eV9ljJvIXpx0.
Please contact your system administrator.
Add correct host key in /Users/wangdong/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/wangdong/.ssh/known_hosts:46
ECDSA host key for 108.61.163.242 has changed and you have requested strict checking.
Host key verification failed.
Solution
This warning is OpenSSH's defence against a man-in-the-middle: the key the server presented is not the one recorded in known_hosts. Remove the old entry only once you know why the key changed (for example, the server was reinstalled and its host keys regenerated), ideally after confirming the SHA256 fingerprint printed in the warning against the one shown on the server's console. Then:
ssh-keygen -R <server-ip>
(The argument is the server's IP or hostname exactly as it appears in the known_hosts entry; the 0.0.0.0 in the original was a placeholder.)
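The SHA256 value in the warning is base64(sha256(raw key blob)) of the server's public host key, with the "=" padding dropped, which is what ssh-keygen -lf prints. Here is an added example, not from the original post, that computes it in Python from a public-key line as found in /etc/ssh/ssh_host_ecdsa_key.pub on the server console or in ssh-keyscan output, and compares it with the string copied from the warning (fingerprint_sha256 and matches_warning are names chosen here). The key line in the block is fabricated test data, so its fingerprint matches no real host.

```python
import base64
import hashlib

# Constructed sample of a public host key line ("<type> <base64 blob> [comment]"),
# the layout of /etc/ssh/ssh_host_ecdsa_key.pub and of ssh-keyscan output. The
# blob is fabricated test data, not a real key, so its fingerprint matches no host.
_FAKE_BLOB = b"\x00\x00\x00\x13ecdsa-sha2-nistp256" + b"\x00" * 40
SAMPLE_PUBKEY_LINE = (
    "ecdsa-sha2-nistp256 " + base64.b64encode(_FAKE_BLOB).decode() + " root@host"
)


def fingerprint_sha256(pubkey_line):
    """OpenSSH SHA256 fingerprint of a public key line, as ssh-keygen -lf prints
    it: base64(sha256(decoded key blob)) with the '=' padding removed. The hash
    covers the binary blob, not the base64 text and not the trailing comment."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 key> [comment]'")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_warning(pubkey_line, warned):
    """Compare a key read on the server console with the fingerprint copied from
    the 'REMOTE HOST IDENTIFICATION HAS CHANGED' warning, which ends in a period."""
    return fingerprint_sha256(pubkey_line) == warned.strip().rstrip(".")


if __name__ == "__main__":
    # On the server console: python3 fp.py < /etc/ssh/ssh_host_ecdsa_key.pub
    import sys
    print(fingerprint_sha256(sys.stdin.readline()))
```

If the value computed on the console matches the warning, the key change is the server's own and ssh-keygen -R is safe; if it does not, do not remove the entry, because something between you and the server is presenting a different key.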
Closing note
I am a beginner. While doing this I found that even after adding myself to the whitelist, entering the wrong password 10 times meant I could no longer log in, and I did not know how to lift it, so I could only reinstall the system. If any expert knows what is going on, please leave a comment; I would be very grateful.
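The status and unbanip commands from Section II are what to reach for in the lockout the closing note describes, from the console or from another host that can still log in. The following is an added example, not the original author's code: it wraps fail2ban-client in Python (banned_ips and release are names chosen here), parses the jail's status output to see whether an address is currently banned, unbans it, and adds it to the running jail's ignore list. The status text is a constructed sample in the tree layout fail2ban-client prints, and the jail name ssh-iptables is the one from the configuration in Section I. Two caveats: addignoreip only changes the running jail and is lost on reload or restart, so persist the address as ignoreip in jail.local; and since fail2ban 0.9 bans are kept in its sqlite database and restored on restart, so restarting the service does not clear a ban, unbanip does.

```python
import subprocess

JAIL = "ssh-iptables"  # jail name from the configuration in Section I

# Constructed sample of `fail2ban-client status ssh-iptables` output, in the
# tree layout fail2ban-client prints (a tab follows each colon).
SAMPLE_STATUS = (
    "Status for the jail: ssh-iptables\n"
    "|- Filter\n"
    "|  |- Currently failed:\t1\n"
    "|  |- Total failed:\t12\n"
    "|  `- File list:\t/var/log/secure\n"
    "`- Actions\n"
    "   |- Currently banned:\t2\n"
    "   |- Total banned:\t3\n"
    "   `- Banned IP list:\t198.51.100.7 203.0.113.9\n"
)


def banned_ips(status_text):
    """Extract the 'Banned IP list' from `fail2ban-client status <JAIL>` output."""
    for line in status_text.splitlines():
        if "Banned IP list:" in line:
            return line.split(":", 1)[1].split()
    return []


def fail2ban_client(*args):
    """Run fail2ban-client (needs root, like the commands in the post) and return stdout."""
    result = subprocess.run(["fail2ban-client", *args],
                            check=True, capture_output=True, text=True)
    return result.stdout


def release(ip, jail=JAIL, client=fail2ban_client):
    """Unban `ip` in `jail` if it is currently banned, then whitelist it for the
    running jail. Returns the fail2ban-client argument lists that were issued,
    so the sequence can be inspected (or tested with a fake client)."""
    issued = []
    if ip in banned_ips(client("status", jail)):
        client("set", jail, "unbanip", ip)
        issued.append(["set", jail, "unbanip", ip])
    # Runtime-only whitelist: lost on reload/restart, so also add the address
    # to ignoreip in jail.local for a permanent exemption.
    client("set", jail, "addignoreip", ip)
    issued.append(["set", jail, "addignoreip", ip])
    return issued


if __name__ == "__main__":
    import sys
    # Usage, as root on the server: python3 release.py 198.51.100.7
    for cmd in release(sys.argv[1]):
        print("fail2ban-client", " ".join(cmd))
```

The client function is injectable so the decision logic can be exercised without a running fail2ban; on a real host the default runs the same fail2ban-client commands listed in the table above.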