fai2ban的介绍

 

fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是调用防火墙屏蔽),如:当有人在试探你的SSHSMTPFTP密码,只要达到你预设的次数,fail2ban就会调用防火墙屏蔽这个IP,而且可以发送e-mail通知系统管理员,是一款很实用、很强大的软件!

 

 

二、简单来介绍一下fail2ban的功能和特性

 

1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等

2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mailnotifications(邮件通知)等等。

3、在logpath选项中支持通配符

4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)

5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail

 

三、fail2ban安装与配置操作实例

1:安装epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn


# yum install shorewall gamin-pythonshorewall-shell shorewall-perl shorewall-common python-inotify python-ctypesfail2ban


# yum install gamin-python python-inotifypython-ctypes

# wgethttp://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm

# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

    

# yum install gamin-python python-inotifypython-ctypes

# wgethttp://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm

# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

 

2:源码包安装

 

# wgethttps://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0

# tar -xzvf fail2ban-0.9.0.tar.gz

        

/etc/fail2ban/action.d            #动作文件夹,内含默认文件。iptables以及mail等动作配置

/etc/fail2ban/fail2ban.conf        #定义了fai2ban日志级别、日志位置及sock文件位置

/etc/fail2ban/filter.d            #条件文件夹,内含默认文件。过滤日志关键内容设置

/etc/fail2ban/jail.conf            #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值

/etc/rc.d/init.d/fail2ban          #启动脚本文件

 

3. vi /etc/fail2ban/fail2ban.conf

 

[Definition]

loglevel =3

logtarget = SYSLOG  #我们需要做的就是把这行改成/var/log/fail2ban.log,方便用来记录日志信息

socket =/var/run/fail2ban/fail2ban.sock

4. vi /etc/fail2ban/jail.conf

 

[DEFAULT]              #全局设置

ignoreip = 127.0.0.1      #忽略的IP列表,不受设置限制

bantime = 600            #屏蔽时间,单位:秒

findtime = 600           #这个时间段内超过规定次数会被ban

maxretry = 3              #最大尝试次数

backend = auto            #日志修改检测机制(gaminpollingauto这三种)

 

[sshd]                     #单个服务检查设置,如设置bantimefindtimemaxretry和全局冲突,服务优先级大于全局设置。

enabled = true               #是否激活此项(true/false

filter  = sshd               #过滤规则filter的名字,对应filter.d目录下的sshd.conf

action  = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数,对应action.d/iptables.conf文件

logpath = /var/log/secure     #检测的日志文件path

bantime = 3600

findtime = 300

maxretry = 3                   #最大尝试次数 

       

service fail2ban start 启动服务

 

4.解除fail2ban绑定的IP

 

查询限制列表

 

# iptables -L--line-numbers

 

Chain fail2ban-SSH(1references)

 

num  target   prot opt source           destination

 

1    DROP     all  -- 118.152.158.61.ha.cncanywhere

 

2    RETURN   all  -- anywhere           anywhere

 

解除限制

 

# iptables -D fail2ban-SSH 1

 

 

我们主要编辑jail.conf这个配置文件,其他的不要去管它

 

 

 

# vi /etc/fail2ban.conf

 

SSH防***规则

ssh-iptables]enabled  = true

filter  = sshd

action  = iptables[name=SSH, port=ssh, protocol=tcp]

          sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com,sendername="Fail2Ban"]

logpath = /var/log/secure

maxretry = 5

[ssh-ddos]

enabled = true

filter = sshd-ddos

action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]

logpath = /var/log/messages

maxretry = 2

[osx-ssh-ipfw]

enabled = true

filter  = sshd

action  = osx-ipfw

logpath = /var/log/secure.log

maxretry = 5

[ssh-apf]

enabled = true

filter = sshd

action = apf[name=SSH]

logpath = /var/log/secure

maxretry = 5

[osx-ssh-afctl]

enabled = true

filter  = sshd

action  = osx-afctl[bantime=600]

logpath = /var/log/secure.log

maxretry = 5

[selinux-ssh]

enabled = true

filter = selinux-ssh

action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]

logpath = /var/log/audit/audit.log

maxretry = 5

        

proftp防***规则

 [proftpd-iptables]

enabled = true

filter  = proftpd

action  = iptables[name=ProFTPD, port=ftp, protocol=tcp]

          sendmail-whois[name=ProFTPD, dest=you@example.com]

logpath = /var/log/proftpd/proftpd.log

maxretry = 6

 

邮件防***规则

 [sasl-iptables]

enabled = true

filter  = postfix-sasl

backend = polling

action  = iptables[name=sasl, port=smtp, protocol=tcp]

          sendmail-whois[name=sasl, dest=you@example.com]

logpath = /var/log/mail.log

[dovecot]

enabled = true

filter = dovecot

action = iptables-multiport[name=dovecot,port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]

logpath = /var/log/mail.log

[dovecot-auth]

enabled = true

filter = dovecot

action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve",protocol=tcp]

logpath = /var/log/secure

[perdition]

enabled = true

filter = perdition

action = iptables-multiport[name=perdition,port="110,143,993,995"]

logpath = /var/log/maillog

 

[uwimap-auth]

enabled = true

filter = uwimap-auth

action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]

logpath = /var/log/maillog

 

apache防***规则

 [apache-tcpwrapper]

enabled = true

filter = apache-auth

action  = hostsdeny

logpath = /var/log/httpd/error_log

maxretry = 6

[apache-badbots]

enabled = true

filter  = apache-badbots

action  = iptables-multiport[name=BadBots, port="http,https"]

          sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]

logpath = /var/log/httpd/access_log

bantime = 172800

maxretry = 1

[apache-shorewall]

enabled = true

filter  = apache-noscript

action  = shorewall

          sendmail[name=Postfix, dest=you@example.com]

logpath = /var/log/httpd/error_log

 

nginx防***规则

 [nginx-http-auth]

enabled = true

filter = nginx-http-auth

action = iptables-multiport[name=nginx-http-auth,port="80,443"]

logpath = /var/log/nginx/error.log

 

lighttpd防规击规则

 [suhosin]

enabled = true

filter  = suhosin

action  = iptables-multiport[name=suhosin, port="http,https"]

# adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry = 2

[lighttpd-auth]

enabled = true

filter  = lighttpd-auth

action  = iptables-multiport[name=lighttpd-auth, port="http,https"]

# adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry = 2

 

vsftpd防***规则

 [vsftpd-notification]

enabled = true

filter  = vsftpd

action  = sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath = /var/log/vsftpd.log

maxretry = 5

bantime = 1800

[vsftpd-iptables]

enabled = true

filter  = vsftpd

action  = iptables[name=VSFTPD, port=ftp, protocol=tcp]

          sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath = /var/log/vsftpd.log

maxretry = 5

bantime = 1800

 

pure-ftpd防***规则

 [pure-ftpd]

enabled = true

filter  = pure-ftpd

action  = iptables[name=pure-ftpd, port=ftp, protocol=tcp]

logpath = /var/log/pureftpd.log

maxretry = 2

bantime = 86400

 

mysql防***规则

 [mysqld-iptables]

enabled = true

filter  = mysqld-auth

action  = iptables[name=mysql, port=3306, protocol=tcp]

          sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]

logpath = /var/log/mysqld.log

maxretry = 5

 

apache phpmyadmin 防***规则

[apache-phpmyadmin]

enabled = true

filter  = apache-phpmyadmin

action = iptables[name=phpmyadmin, port=http,https protocol=tcp]

logpath = /var/log/httpd/error_log

maxretry = 3

#/etc/fail2ban/filter.d/apache-phpmyadmin.conf

将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.

# Fail2Ban configuration file

#

# Bans bots scanning for non-existingphpMyAdmin installations on your webhost.

#

# Author: Gina Haeussge

#

 

[Definition]

 

docroot = /var/www

badadmin =PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

 

# Option: failregex

# Notes.: Regexp to match often probed and not available phpmyadmin paths.

# Values: TEXT

#

failregex = [[]client []] File does notexist: %(docroot)s/(?:%(badadmin)s)

 

# Option: ignoreregex

# Notes.: regex to ignore. If this regex matches, the line is ignored.

# Values: TEXT

#

ignoreregex =

# service fail2ban restart

 

写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径,如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了