I. Time units in fail2ban:
m: minutes
h: hours
d: days
w: weeks
y: years
-1: permanent (the ban never expires)
II. Installation:
1. Install via yum:
[root@blog ~]# yum install fail2ban
After installation, check the service status: it is not running yet.
[root@blog ~]# systemctl status fail2ban.service
○ fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: man:fail2ban(1)
2. After installation, check the version:
[root@blog ~]# fail2ban-server --version
Fail2Ban v1.0.2
III. Configuration
Create the file jail.local in the /etc/fail2ban directory:
[root@blog fail2ban]# vi jail.local
Contents:
[root@blog fail2ban]# more jail.local
[DEFAULT]
ignoreip = 192.168.46.2/24
bantime = 21600
findtime = 300
maxretry = 3
backend = systemd
[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
ignoreip: IP whitelist. IPs in this list are never banned; several entries can be given, separated by commas (,).
bantime: how long an IP stays banned, in seconds (s).
findtime: the time window in which failures are counted.
maxretry: the maximum number of failures allowed within findtime before the IP is banned.
banaction: the method used to block an IP. When not specified, firewallcmd-rich-rules is used;
when specified, it must name an action located in the /etc/fail2ban/action.d directory.
[sshd]: the jail name; since filter is set explicitly below, it can be any name you like.
filter: the filter name; it must be a filter located in the filter.d
directory. sshd is a filter shipped with fail2ban.
port: the port the jail protects.
action: the action to take when an IP is banned.
logpath: the path of the log file to monitor.
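To tie the time units from section I to the jail.local above, here is an added example (not from the original post or from fail2ban itself) that parses the same jail.local, converts bantime/findtime values written with the m/h/d/w/y suffixes or -1 into seconds, and checks whether a given IP falls under ignoreip. The parse_time, load_jail and is_ignored functions are this example's own names; the sample config is the post's jail.local embedded inline.

```python
import configparser
import ipaddress
import re

# Constructed sample input: the jail.local shown in this post, embedded inline.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 192.168.46.2/24
bantime = 21600
findtime = 300
maxretry = 3
backend = systemd

[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
"""

# Multipliers for the fail2ban time suffixes listed in section I (plain numbers are seconds).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}

def parse_time(value):
    """Convert a fail2ban time value ('300', '6h', '1w', '-1') to seconds; -1 means permanent."""
    value = value.strip()
    if value == "-1":
        return -1
    m = re.fullmatch(r"(\d+)\s*([smhdwy]?)", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def load_jail(text, jail="sshd"):
    """Return the effective settings of one jail, with [DEFAULT] values inherited."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(action_mwl)s literal
    cp.read_string(text)
    sec = cp[jail]
    return {
        "bantime": parse_time(sec["bantime"]),
        "findtime": parse_time(sec["findtime"]),
        "maxretry": int(sec["maxretry"]),
        # ignoreip may hold several entries separated by spaces or commas
        "ignoreip": [e for e in re.split(r"[\s,]+", sec.get("ignoreip", "")) if e],
    }

def is_ignored(ip, ignoreip):
    """True if ip lies inside any ignoreip entry. strict=False accepts an entry with
    host bits set, such as 192.168.46.2/24, and treats it as the whole /24 (assumption)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignoreip)
```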
IV. Testing:
1. Start the service
[root@blog jail.d]# systemctl start fail2ban.service
2. Check the status after starting:
[root@blog jail.d]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2024-08-26 09:49:18 CST; 2s ago
Docs: man:fail2ban(1)
Process: 16499 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 16502 (fail2ban-server)
Tasks: 3 (limit: 26213)
Memory: 11.1M
CGroup: /system.slice/fail2ban.service
└─16502 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start
Aug 26 09:49:18 blog systemd[1]: Starting Fail2Ban Service...
Aug 26 09:49:18 blog systemd[1]: Started Fail2Ban Service.
Aug 26 09:49:18 blog fail2ban-server[16502]: Server ready
3. Deliberately enter the wrong password 3 times from one IP, then check again:
[root@blog fail2ban]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     2
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     3
   `- Banned IP list:   134.122.14.15
Check from firewalld:
[root@blog action.d]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services:
ports: 80/tcp
protocols:
masquerade: yes
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="134.122.14.15" port port="22" protocol="tcp" reject type="icmp-port-unreachable"
V. Where does fail2ban store the banned IP addresses?
[root@blog fail2ban]# ls /var/lib/fail2ban/fail2ban.sqlite3
/var/lib/fail2ban/fail2ban.sqlite3
From: https://www.cnblogs.com/architectforest/p/18380593