Fail2ban
Fail2ban adds iptables rules to block an attacker's IP address for a set period or permanently, and can alert you by email when a threat is detected (this requires the relevant mail software).
Fail2ban is aimed mainly at defending against SSH attacks, but it also works to some degree with other services that write log files.
If any command in this article fails for lack of permissions, prefix it with sudo.
CentOS 7 installation guide
1. Make sure the system is up to date and the EPEL repository is installed:
yum update && yum install epel-release
2. Install fail2ban:
yum install fail2ban
3. (Optional) software needed for fail2ban's email notifications:
yum install sendmail
4. Start and enable the services:
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail   # optional
systemctl enable sendmail  # optional
Note:
If you hit the error "no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock", create the directory manually:
mkdir /var/run/fail2ban
Debian installation guide
1. Make sure the system is up to date:
apt-get update && apt-get upgrade -y
2. Install Fail2ban:
apt-get install fail2ban
The service is started automatically.
3. (Optional) email notifications:
apt-get install sendmail-bin sendmail
Note
In the current version, installing sendmail-bin for the email feature triggers a bug; the installation completes after a wait of a few minutes, printing:
Creating /etc/mail/sendmail.cf…
ERROR: FEATURE() should be before MAILER() MAILER(‘local’) must appear after FEATURE(‘always_add_domain’)
ERROR: FEATURE() should be before MAILER() MAILER(‘local’) must appear after FEATURE(‘allmasquerade’)
Fedora installation guide
1. Update the system:
dnf update
2. Install Fail2ban:
dnf install fail2ban
3. (Optional) email notifications:
dnf install sendmail
4. Start and enable Fail2ban and, if needed, Sendmail:
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail
Ubuntu installation guide
1. Update the system:
apt-get update && apt-get upgrade -y
2. Install Fail2ban:
apt-get install fail2ban
The service is started automatically.
3. (Optional) email notifications:
apt-get install sendmail
4. Configure the firewall (allow SSH before enabling ufw, so you are not locked out):
ufw allow ssh
ufw enable
Configuring Fail2ban
Every Fail2ban configuration change should be made in a .local file: .local files override the shipped .conf files and are not overwritten on upgrade.
Configuring fail2ban.local
fail2ban.conf holds the default configuration; copy it to fail2ban.local and edit the copy:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
The following settings can be changed:
loglevel: the level of detail in Fail2ban's logs; can be set to 1 (error), 2 (warn), 3 (info), or 4 (debug).
logtarget: where the log is written. Defaults to /var/log/fail2ban.log; you can change it to:
STDOUT: output any data
STDERR: output any errors
SYSLOG: message-based logging
FILE: output to a file
socket: location of the socket file.
pidfile: location of the PID file.
Configuring jail.local
The jail.conf shipped with Fail2ban enables the SSH jail by default on Debian and Ubuntu, but not on CentOS. To change the configuration, create a jail.local file (Debian and Ubuntu):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
On CentOS or Fedora you also need to set the backend value in jail.local to systemd:
vim /etc/fail2ban/jail.local
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
. . .
backend = systemd
To enable the SSH jail, uncomment (or add) the following in jail.local:
vim /etc/fail2ban/jail.local
[sshd]
enabled = true
Whitelisting IP addresses
Configure the whitelist as follows:
vim /etc/fail2ban/jail.local
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# Example: the loopback range plus one trusted address
ignoreip = 127.0.0.1/8 123.45.67.89
Setting ban time and thresholds
vim /etc/fail2ban/jail.local
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
bantime: how long an IP address stays banned, in seconds; a negative value bans it permanently. The default is 600 seconds.
findtime: the window, in seconds, in which failed attempts are counted; in this example an IP is banned after 3 failures within 10 minutes.
maxretry: the maximum number of failed attempts allowed; the default is 3.
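To make the interplay of findtime, maxretry and ignoreip concrete, here is an added Python simulation (not part of the original tutorial or of Fail2ban itself) that applies the thresholds above to constructed sshd log lines. The regex is a simplified stand-in for Fail2ban's real sshd failregex, and the year is assumed because syslog timestamps omit it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (syslog format); not taken from a real host.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 5001 ssh2
Mar  1 10:02:30 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2
Mar  1 10:04:00 host sshd[1003]: Failed password for root from 203.0.113.7 port 5003 ssh2
Mar  1 10:05:00 host sshd[1004]: Failed password for root from 192.0.2.10 port 5004 ssh2
Mar  1 10:20:00 host sshd[1005]: Failed password for root from 192.0.2.10 port 5005 ssh2
Mar  1 10:35:00 host sshd[1006]: Failed password for root from 192.0.2.10 port 5006 ssh2
Mar  1 10:40:00 host sshd[1007]: Failed password for root from 123.45.67.89 port 5007 ssh2
Mar  1 10:41:00 host sshd[1008]: Failed password for root from 123.45.67.89 port 5008 ssh2
Mar  1 10:42:00 host sshd[1009]: Failed password for root from 123.45.67.89 port 5009 ssh2
"""

# Simplified stand-in for the sshd filter's failregex: captures timestamp and source IP.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)

def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def would_ban(log_text, ignoreip="127.0.0.1/8 123.45.67.89", findtime=600, maxretry=3):
    """Return {ip: time of the failure that reached maxretry within findtime}.
    ignoreip entries are never counted; only failures in the trailing window count."""
    ignored = [ipaddress.ip_network(x, strict=False) for x in ignoreip.split()]
    recent = defaultdict(list)   # ip -> failure timestamps inside the current window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group(1)), m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue                              # whitelisted: never banned
        if ip in bans:
            continue                              # already banned; bantime expiry not modelled
        window = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans
```

Running would_ban(SAMPLE_LOG) bans only 203.0.113.7: the spaced-out failures from 192.0.2.10 never accumulate three within 600 seconds, and 123.45.67.89 is exempt through ignoreip.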
Email alerts
destemail: recipient address
sendername: sender address
sender: the sender
Note: if no email arrives, check the spam folder.