python 防破解_防暴力破解 Fail2Ban之python

fai2ban的介绍

fail2ban可以监视你的系统日志，然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是调用防火墙屏蔽)，如:当有人在试探你的SSH、SMTP、FTP密码，只要达到你预设的次数，fail2ban就会调用防火墙屏蔽这个IP，而且可以发送e-mail通知系统管理员，是一款很实用、很强大的软件！

二、简单来介绍一下fail2ban的功能和特性

1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等

2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail

notifications(邮件通知)等等。

3、在logpath选项中支持通配符

4、需要Gamin支持(注：Gamin是用于监视文件和目录是否更改的服务工具)

5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件，那必需安装postfix/sendmail

三、fail2ban安装与配置操作实例

1:安装epel更新源：http://fedoraproject.org/wiki/EPEL/zh-cn

#yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

#yum install gamin-python python-inotify python-ctypes#wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm#rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

#yum install gamin-python python-inotify python-ctypes#wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm#rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

2:源码包安装

#wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0#tar -xzvf fail2ban-0.9.0.tar.gz

12345678910111213141516171819202122232425262728293031 /etc/fail2ban/action.d #动作文件夹，内含默认文件。iptables以及mail等动作配置

/etc/fail2ban/fail2ban.conf #定义了fai2ban日志级别、日志位置及sock文件位置

/etc/fail2ban/filter.d #条件文件夹，内含默认文件。过滤日志关键内容设置

/etc/fail2ban/jail.conf #主要配置文件，模块化。主要设置启用ban动作的服务及动作阀值

/etc/rc.d/init.d/fail2ban #启动脚本文件

3. vi /etc/fail2ban/fail2ban.conf

[Definition]

loglevel=3logtarget= SYSLOG #我们需要做的就是把这行改成/var/log/fail2ban.log，方便用来记录日志信息

socket =/var/run/fail2ban/fail2ban.sock4. vi /etc/fail2ban/jail.conf

[DEFAULT]#全局设置

ignoreip = 127.0.0.1 #忽略的IP列表,不受设置限制

bantime = 600 #屏蔽时间，单位：秒

findtime = 600 #这个时间段内超过规定次数会被ban掉

maxretry = 3 #最大尝试次数

backend = auto #日志修改检测机制(gamin、polling和auto这三种)

[sshd]#单个服务检查设置，如设置bantime、findtime、maxretry和全局冲突，服务优先级大于全局设置。

enabled = true #是否激活此项(true/false)

filter = sshd #过滤规则filter的名字，对应filter.d目录下的sshd.conf

action = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数，对应action.d/iptables.conf文件

logpath = /var/log/secure #检测的日志文件path

bantime = 3600findtime= 300maxretry= 3 #最大尝试次数

service fail2ban start 启动服务

4.解除fail2ban绑定的IP

查询限制列表

# iptables -L --line-numbers

Chain fail2ban-SSH (1references)

num  target    prot opt source            destination

1    DROP      all  -- 118.152.158.61.ha.cnc anywhere

2    RETURN    all  -- anywhere           anywhere

解除限制

# iptables -D fail2ban-SSH 我们主要编辑jail.conf这个配置文件，其他的不要去管它

# vi /etc/fail2ban.conf

SSH防攻击规则

ssh-iptables]enabled =true

filter=sshd

action= iptables[name=SSH, port=ssh, protocol=tcp]

sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]

logpath= /var/log/secure

maxretry= 5[ssh-ddos]

enabled=true

filter= sshd-ddos

action= iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]

logpath= /var/log/messages

maxretry= 2[osx-ssh-ipfw]

enabled=true

filter=sshd

action= osx-ipfw

logpath= /var/log/secure.log

maxretry= 5[ssh-apf]

enabled=true

filter=sshd

action= apf[name=SSH]

logpath= /var/log/secure

maxretry= 5[osx-ssh-afctl]

enabled=true

filter=sshd

action= osx-afctl[bantime=600]

logpath= /var/log/secure.log

maxretry= 5[selinux-ssh]

enabled=true

filter= selinux-ssh

action= iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]

logpath= /var/log/audit/audit.log

maxretry= 5

1

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171proftp防攻击规则

[proftpd-iptables]

enabled=true

filter=proftpd

action= iptables[name=ProFTPD, port=ftp, protocol=tcp]

sendmail-whois[name=ProFTPD, dest=you@example.com]

logpath= /var/log/proftpd/proftpd.log

maxretry= 6邮件防攻击规则

[sasl-iptables]

enabled=true

filter= postfix-sasl

backend=polling

action= iptables[name=sasl, port=smtp, protocol=tcp]

sendmail-whois[name=sasl, dest=you@example.com]

logpath= /var/log/mail.log

[dovecot]

enabled=true

filter=dovecot

action= iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]

logpath= /var/log/mail.log

[dovecot-auth]

enabled=true

filter=dovecot

action= iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]

logpath= /var/log/secure

[perdition]

enabled=true

filter=perdition

action= iptables-multiport[name=perdition,port="110,143,993,995"]

logpath= /var/log/maillog

[uwimap-auth]

enabled=true

filter= uwimap-auth

action= iptables-multiport[name=uwimap-auth,port="110,143,993,995"]

logpath= /var/log/maillog

apache防攻击规则

[apache-tcpwrapper]

enabled=true

filter= apache-auth

action=hostsdeny

logpath= /var/log/httpd/error_log

maxretry= 6[apache-badbots]

enabled=true

filter= apache-badbots

action= iptables-multiport[name=BadBots, port="http,https"]

sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]

logpath= /var/log/httpd/access_log

bantime= 172800maxretry= 1[apache-shorewall]

enabled=true

filter= apache-noscript

action=shorewall

sendmail[name=Postfix, dest=you@example.com]

logpath= /var/log/httpd/error_log

nginx防攻击规则

[nginx-http-auth]

enabled=true

filter= nginx-http-auth

action= iptables-multiport[name=nginx-http-auth,port="80,443"]

logpath= /var/log/nginx/error.log

lighttpd防规击规则

[suhosin]

enabled=true

filter=suhosin

action= iptables-multiport[name=suhosin, port="http,https"]#adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry= 2[lighttpd-auth]

enabled=true

filter= lighttpd-auth

action= iptables-multiport[name=lighttpd-auth, port="http,https"]#adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry= 2vsftpd防攻击规则

[vsftpd-notification]

enabled=true

filter=vsftpd

action= sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath= /var/log/vsftpd.log

maxretry= 5bantime= 1800[vsftpd-iptables]

enabled=true

filter=vsftpd

action= iptables[name=VSFTPD, port=ftp, protocol=tcp]

sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath= /var/log/vsftpd.log

maxretry= 5bantime= 1800pure-ftpd防攻击规则

[pure-ftpd]

enabled=true

filter= pure-ftpd

action= iptables[name=pure-ftpd, port=ftp, protocol=tcp]

logpath= /var/log/pureftpd.log

maxretry= 2bantime= 86400mysql防攻击规则

[mysqld-iptables]

enabled=true

filter= mysqld-auth

action= iptables[name=mysql, port=3306, protocol=tcp]

sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]

logpath= /var/log/mysqld.log

maxretry= 5apache phpmyadmin 防攻击规则

[apache-phpmyadmin]

enabled=true

filter= apache-phpmyadmin

action= iptables[name=phpmyadmin, port=http,https protocol=tcp]

logpath= /var/log/httpd/error_log

maxretry= 3

#/etc/fail2ban/filter.d/apache-phpmyadmin.conf

将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.#Fail2Ban configuration file# #Bans bots scanning for non-existing phpMyAdmin installations on your webhost.# #Author: Gina Haeussge#

[Definition]

docroot= /var/www

badadmin= PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2#Option: failregex#Notes.: Regexp to match often probed and not available phpmyadmin paths.#Values: TEXT#

failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)#Option: ignoreregex#Notes.: regex to ignore. If this regex matches, the line is ignored.#Values: TEXT#

ignoreregex =

#service fail2ban restart

写在最后，在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动，因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动，而配置完规则后却不能够正常启动，请先检查一下你/var/log/ 目录下有没有规则里的 logpath= 后边的文件，或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径， 如果你的缓存目录里没有这个文件，那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban，这样一般不会有什么错误了