fail2ban 介绍
Fail2ban 的主要作用是监控系统日志文件,检测恶意的登录尝试,并采取措施来防止进一步的攻击。它通过动态地更新防火墙规则或者调整其他服务的配置,来限制恶意 IP 的访问。fail2ban 部署
fail2ban 部署
sudo yum install epel-release
sudo yum install fail2banfail2ban 启动服务
# systemctl enable fail2ban --nowCreated symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.fail2ban 配置
Fail2ban 的配置文件位于 /etc/fail2ban 目录下。主要的配置文件是 fail2ban.conf 和 jail.conf。一般来说,你应该避免直接修改这些文件,而是创建一个新的配置文件或修改 jail.local 文件。Jail 针对 SSH 攻击的配置示例
这个示例配置了一个针对 SSH 服务的规则,如果一个 IP 在 5分钟内尝试登录超过 3 次失败,则会被禁止连接。cat >> /etc/fail2ban/jail.local << EOF
[sshd] # 针对 SSH 服务的规则
enabled = true # 启用或禁用该 jail 规则;
filter = sshd # 指定用于匹配日志文件的过滤器;
port = ssh # 监视的端口;
logpath = %(sshd_log)s # 监视的日志文件路径;
maxretry = 3 # 超过此次数的尝试将会导致封禁;
bantime = 600 # 封禁时间,单位为秒。
EOF重启 Fail2Ban 以使配置生效
sudo systemctl restart fail2banFail2Ban 测试
[root@localhost pam.d]# ssh [email protected] # 连续3次错误
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
dPermission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@localhost pam.d]# ssh [email protected] # 禁止连接
ssh: connect to host 192.168.174.129 port 22: Connection refusedFail2Ban 使用
查看 Fail2ban 状态
# fail2ban-client statusStatus
|- Number of jail: 1
`- Jail list: sshd查看特定监控项下的被禁止IP地址
# fail2ban-client status sshdStatus for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 3
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.174.130Fail2Ban 生成的 iptables 规则
# iptables -vnL IN_public_denyChain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
1 60 REJECT tcp -- * * 192.168.174.130 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED reject-with icmp-port-unreachableFail2Ban 解除禁用IP地址
Fail2Ban 解除禁用IP命令格式
sudo fail2ban-client set [监控项名称] unbanip [IP地址]解除SSH监控项下的IP地址禁用
# fail2ban-client set sshd unbanip 192.168.174.1301参考文档
https://github.com/fail2ban/fail2ban
标签:sshd,yunwei,部署,192.168,174.129,centos7,fail2ban,Fail2Ban From: https://www.cnblogs.com/wangguishe/p/18162744