fail2ban installation and configuration

 

1  Introduction

fail2ban is a utility that monitors your system logs, matches the error messages in them with regular expressions, and then executes the corresponding blocking action.

- Supports a large number of services, e.g. sshd, apache, qmail, proftpd, sasl and so on.

- Supports several kinds of actions, e.g. iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications and so on.

- Supports wildcards in the logpath option.

- Requires Gamin (note: Gamin is a service that monitors files and directories for changes).

- Requires python, iptables, tcp-wrapper, shorewall and Gamin to be installed. If you want mail notifications, postfix or sendmail must be installed as well.

 

2  Installation and configuration

2.1  Installing with yum

yum install fail2ban

2.2  Configuration

2.2.1  Configuration layout

/etc/fail2ban/fail2ban.conf    daemon and logging settings

/etc/fail2ban/jail.conf        blocking (jail) settings

/etc/fail2ban/filter.d         directory holding the concrete match rules (filters)

2.2.2  Configuring jail.conf

Explanation of the main settings:

# IPs or ranges listed here are exceptions and are never affected by the rules below
ignoreip = 127.0.0.1
# Ban duration in seconds (e.g. one day is 86400); -1 means a permanent ban
bantime  = 600
# Time window in seconds within which the failures must occur,
# e.g. 3 failures within 600 seconds trigger the ban
findtime  = 600
# Number of failures within findtime that triggers the ban,
# e.g. 3 failures within 600 seconds
maxretry = 3
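To make the interaction of bantime, findtime and maxretry concrete, here is an added Python simulation of the ban decision. It is not part of the original page and not fail2ban's own code; the failure timestamps and host addresses are constructed for the demonstration, and the sliding-window logic is a simplified model of what the daemon does.

```python
# Added example (not from the original page, not fail2ban code): a simplified
# model of how fail2ban decides to ban a host from findtime, maxretry and bantime.
from collections import defaultdict, deque


def simulate_bans(failures, findtime=600, maxretry=3, bantime=600):
    """Return a list of (timestamp, host) pairs, one per ban issued.

    failures: (timestamp, host) pairs in chronological order, each one being
    a single failregex match for that host.
    A host is banned when maxretry failures fall inside a window of findtime
    seconds. While banned, further failures are ignored; the ban expires after
    bantime seconds, and a negative bantime means it never expires.
    """
    recent = defaultdict(deque)  # host -> timestamps of its recent failures
    banned_until = {}            # host -> expiry timestamp (None = permanent)
    bans = []
    for ts, host in failures:
        if host in banned_until:
            until = banned_until[host]
            if until is None or ts < until:
                continue             # still banned, failure not counted
            del banned_until[host]   # ban has expired, start counting again
        window = recent[host]
        window.append(ts)
        # Drop failures that fall outside findtime relative to the newest one
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, host))
            banned_until[host] = None if bantime < 0 else ts + bantime
            window.clear()
    return bans


# Constructed sample events (seconds since some epoch, documentation IPs)
SAMPLE_FAILURES = [
    (0, "192.0.2.10"),
    (0, "198.51.100.7"),
    (100, "192.0.2.10"),
    (200, "192.0.2.10"),     # third failure within 600 s -> ban
    (250, "192.0.2.10"),     # ignored, host is banned
    (400, "198.51.100.7"),
    (900, "192.0.2.10"),     # ban expired at 800, counting starts over
    (1200, "198.51.100.7"),  # the two earlier failures are older than findtime
    (1300, "198.51.100.7"),
    (1400, "198.51.100.7"),  # three within 600 s -> ban
]

if __name__ == "__main__":
    for ts, host in simulate_bans(SAMPLE_FAILURES):
        print(f"t={ts}: ban {host}")
```

With the page's defaults (findtime 600, maxretry 3, bantime 600) the sample produces exactly two bans; rerunning with bantime=-1 shows that a permanently banned host never accumulates a second ban.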

Explanation of the ssh example:

[ssh-iptables]

enabled  = false   # whether the jail is enabled; set to true to turn it on
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]  # port is the port number
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
# you@mail.com above is your mailbox address and the sender address (recommended to use the same one)
# Sending mail requires the sendmail service; if it is not available or not needed, comment out the sendmail line with #.
logpath  = /var/log/sshd.log    # the corresponding error log, usually /var/log/secure
maxretry = 5    # number of failed attempts

apache configuration:

# Detect password authentication failures
[apache-auth]
enabled = true
port     = http,https
filter = apache-auth
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 5
bantime = 3600
 
# Detect bots crawling the site for email addresses
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port     = http,https
filter = apache-badbots
logpath = /var/log/httpd/*access*
#logpath  = %(apache_access_log)s
bantime  = 172800
maxretry = 1
 
# Detect vulnerability scanning and PHP probing
[apache-noscript]
enabled = true
port     = http,https
filter = apache-noscript
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 5
bantime = 3600
 
# Detect Apache overflow attacks
[apache-overflows]
enabled = true
port     = http,https
filter = apache-overflows
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
# Detect attempts to find home directories on the server
[apache-nohome]
enabled = true
port     = http,https
filter = apache-nohome
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
 
[apache-botsearch]
enabled = true
port     = http,https
filter = apache-botsearch
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
[apache-fakegooglebot]
enabled = true
port     = http,https
filter = apache-fakegooglebot
logpath = /var/log/httpd/*access*
#logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
bantime = 3600
 
[apache-modsecurity]
enabled = true
port     = http,https
filter = apache-modsecurity
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
[apache-shellshock]
enabled = true
port    = http,https
filter = apache-shellshock
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 1
bantime = 3600

wordpress configuration:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/*access*
maxretry = 2
findtime = 60
bantime = 3600
port = http,https

2.2.3  Configuring fail2ban.conf

Enable logging:

vi /etc/fail2ban/fail2ban.conf

logtarget = /var/log/fail2ban.log

2.2.4  Filter rules

Filter rule configuration directory:

/etc/fail2ban/filter.d/

 

wordpress filter rule configuration:

vi /etc/fail2ban/filter.d/wordpress.conf

# WP brute force attacks filter
[Definition]
failregex = <HOST> .*-.*-.*POST.*/wp-login.php .* .* .*$
ignoreregex =
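Before enabling a hand-written filter it is worth checking what it actually matches. The following is an added Python example, not part of the original page and not fail2ban's own code: it expands the <HOST> tag the way fail2ban 0.8/0.9 does (that expansion string is an assumption of this example) and runs the wordpress failregex above over constructed Apache access-log lines. It does not strip the timestamp first as the daemon does, which makes no difference for this pattern.

```python
# Added example (not from the original page, not fail2ban code): test the
# wordpress failregex against constructed access-log lines.
import re

# Assumed <HOST> expansion, in the style of fail2ban 0.8/0.9
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the wordpress.conf filter on this page
WORDPRESS_FAILREGEX = r"<HOST> .*-.*-.*POST.*/wp-login.php .* .* .*$"


def compile_failregex(failregex):
    """Replace the <HOST> tag with the host-capturing group and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(lines, failregex=WORDPRESS_FAILREGEX):
    """Return the host captured from every line the filter matches.

    Simplification: fail2ban removes the timestamp from a line before
    applying failregex; the raw line is used here, which this pattern
    tolerates because it only needs the two '-' fields and 'POST'.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample lines in Apache combined log format (documentation IPs)
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    # Merely loading the login page is a GET and does not match
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # A successful login is a POST answered with a 302 redirect; it matches as well
    '198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host in matching_hosts(SAMPLE_ACCESS_LOG):
        print("failregex matched host:", host)
```

The last sample line shows the caveat with this filter: it counts every POST to /wp-login.php, including successful logins, so with the jail's maxretry = 2 and findtime = 60 a legitimate user who logs in twice within a minute is banned too. On a real system, check the filter against the actual log with fail2ban-regex before enabling the jail.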

 

The other apache rule files already exist by default.

 

2.2.5  Action rules

The default action is iptables-multiport (defined by the "banaction" setting under the [DEFAULT] section of /etc/fail2ban/jail.conf). This action uses the iptables multiport module to block an IP address.

 

Action rule directory:

/etc/fail2ban/action.d/

 

2.2.6  Starting fail2ban

/etc/init.d/fail2ban start

 

2.3  Checking and managing fail2ban ban status

Once a jail is active, you can use fail2ban's client command-line tool to monitor the current ban status.

 

List the active jails:

fail2ban-client status

Show the status of a particular jail (including the list of banned IPs):

fail2ban-client status [name-of-jail]

 

You can also ban or unban IP addresses manually:

To ban an IP with a specified jail:

fail2ban-client set [name-of-jail] banip [ip-address]

To unban an IP blocked by a specified jail:

fail2ban-client set [name-of-jail] unbanip [ip-address]