About Fail2ban (automatic IP blocking tool)
Fail2ban watches your system logs, matches the error messages in them with regular expressions, and then runs a corresponding blocking action (normally a call to the firewall). For example, when someone is probing your HTTP, SSH, SMTP or FTP passwords and reaches the number of attempts you configured, fail2ban calls the firewall to block that IP and can also send an e-mail notification to the system administrator. It is a very practical and powerful piece of software.
Fail2ban is written in Python and builds on logwatch, gamin, iptables, tcp-wrapper, shorewall and similar tools. If you want e-mail notifications you also need postfix or sendmail installed.
On an Internet-facing host there is a great deal of malicious scanning and password guessing; using Fail2ban together with iptables to build a dynamic firewall is a good solution.
Environment:
Official site: www.fail2ban.org; download the package from there
CentOS 6.5: 192.168.253.137
1. Upload the package and install it
[root@localhost src]# tar xzf fail2ban-0.8.14.tar.gz
[root@localhost src]# cd fail2ban-0.8.14
[root@localhost fail2ban-0.8.14]# ls   # the README contains the documentation
ChangeLog COPYING fail2ban-regex files MANIFEST setup.cfg TODO
client DEVELOP fail2ban-server FILTERS README.md setup.py
common doc fail2ban-testcases kill-server README.Solaris testcases
config fail2ban-client fail2ban-testcases-all man server THANKS
[root@localhost fail2ban-0.8.14]# python setup.py install   # install
[root@localhost fail2ban-0.8.14]# ll /etc/fail2ban/
总用量 40
drwxr-xr-x. 2 root root 4096 4月 17 20:40 action.d   # actions used by the jails: calling the firewall, sending mail, etc.
-rw-rw-r--. 1 root root 1525 8月 20 2014 fail2ban.conf   # main config file; defines the locations of fail2ban's own log files
drwxr-xr-x. 2 root root 4096 4月 17 20:40 fail2ban.d   # directory
drwxr-xr-x. 2 root root 4096 4月 17 20:40 filter.d
-rw-rw-r--. 1 root root 19316 8月 20 2014 jail.conf   # main config file; defines the thresholds above which an IP is banned
drwxr-xr-x. 2 root root 4096 4月 17 20:40 jail.d
2. Edit the configuration file
[root@localhost fail2ban-0.8.14]# cd /etc/fail2ban/
[root@localhost fail2ban]# vim jail.conf
bantime = 60   # ban duration: a blocked IP stays blocked for one minute
findtime = 60   # window: more than 3 failures within one minute starts a one-minute ban
maxretry = 3   # more than 3 failures within one minute and the IP is blocked
[ssh-iptables]   # jail that calls the firewall rule

enabled = true   # must be enabled
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath = /var/log/secure   # change this to /var/log/secure
maxretry = 5
3. Add the init script
[root@localhost fail2ban]# cd /usr/local/src/fail2ban-0.8.14
[root@localhost fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban
[root@localhost fail2ban-0.8.14]# service fail2ban start
启动fail2ban: [确定]
4. Test
[root@localhost ~]# service iptables start
iptables:应用防火墙规则: [确定]
### test from another server
[root@hya ~]# ssh 192.168.253.137   # after three failed password attempts the IP is blocked
ssh: connect to host 192.168.253.137 port 22: Connection refused
Check the status on the host
[root@localhost ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list: /var/log/secure
|  |- Currently failed: 1
|  `- Total failed: 12
`- action
   |- Currently banned: 1
   |  `- IP list: 192.168.253.130   # this IP has been banned
   `- Total banned: 2
What to do if an IP was banned by mistake
[root@localhost ~]# vim /var/log/secure   # delete the lines below, then restart fail2ban
Apr 17 21:19:18 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:19 localhost unix_chkpwd[26467]: password check failed for user (root)
Apr 17 21:19:22 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:22 localhost unix_chkpwd[26468]: password check failed for user (root)
Apr 17 21:19:24 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:21:11 localhost sshd[26465]: Connection closed by 192.168.253.130
Apr 17 21:21:11 localhost sshd[26464]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty= ssh ruser= rhost=192.168.253.130 user=root
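As an added illustration (not part of the original post and not Fail2ban's own code), the Python script below replays the /var/log/secure lines above with the same findtime/maxretry logic fail2ban applies: a simplified stand-in for the sshd filter regex counts each host's "Failed password" lines inside a sliding window and reports when a host would be banned. The 10.0.0.5 lines are constructed, and the regex is an assumption that covers only the pattern shown on this page. Note that the jail-level maxretry = 5 in the ssh-iptables section overrides the global 3, so with the jail's own value the same lines produce no ban yet; check which value a jail actually uses.

```python
import re
from datetime import datetime

# Simplified stand-in for the sshd filter's failregex (assumption: the real
# filter.d/sshd.conf has more patterns, e.g. for the PAM summary line). It
# matches "Failed password ... from <host>" and ignores unix_chkpwd lines.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def find_bans(lines, findtime=60, maxretry=3):
    """Replay syslog lines; return {host: time of ban} for every host that
    reached maxretry matching failures inside a findtime-second window."""
    recent = {}  # host -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        # syslog carries no year; strptime defaults to 1900, fine for deltas
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        host = m["host"]
        if host in bans:
            continue  # already banned; nothing more to count until unban
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts
    return bans

# Constructed sample: the /var/log/secure lines shown above, plus two lines for
# a second (made-up) host whose failures are spread over more than findtime.
SAMPLE_LOG = """\
Apr 17 21:19:18 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:19 localhost unix_chkpwd[26467]: password check failed for user (root)
Apr 17 21:19:22 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:19:22 localhost unix_chkpwd[26468]: password check failed for user (root)
Apr 17 21:19:24 localhost sshd[26464]: Failed password for root from 192.168.253.130 port 59798 ssh2
Apr 17 21:21:11 localhost sshd[26465]: Connection closed by 192.168.253.130
Apr 17 21:21:11 localhost sshd[26464]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty= ssh ruser= rhost=192.168.253.130 user=root
Apr 17 21:25:00 localhost sshd[26480]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Apr 17 21:27:30 localhost sshd[26481]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")  # ban 192.168.253.130 at 21:19:24
```

Running it with findtime=300 and maxretry=2 also bans 10.0.0.5, which shows why a short findtime lets a slow guesser stay under the threshold.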