前言
一直以來,無論是自己還是公司的服務器都遭受着ssh暴力破解攻擊,就算是換了ssh端口,也
會很快就被nmap等工具掃描出來。用密鑰吧,經常更換終端又不是特別方便,於是就用fail2ban來解決強行爆破SSH問題。
原理
Fail2ban會通過檢查日誌來匹配錯誤信息,從而使用iptables來防止暴力破解。理論上只要是能夠在服務器本地輸出錯誤日誌和訪問日誌的程序都可以使用Fail2ban來保駕護航。
腳本介紹
一鍵安裝部署Fail2ban,自動配置防SSH爆破。可自定義ip封禁時間,最高重試次數。
安裝
[ root@node3 ~ ]# wget http://www.seeit.life/scripts/fail2ban.sh
[ root@node3 ~ ]# bash fail2ban.sh卸載
[ root@node3 ~ ]# wget http://www.seeit.life/scripts/uninstallfail2ban.sh
[ root@node3 ~ ]# bash uninstallfail2ban.sh
腳本運行截圖
腳本源代碼
clear
#CheckIfRoot
[ $(id -u) != "0" ] && { echo "${CFAILURE}Error: You must be root to run this script${CEND}"; exit 1; }
#ReadSSHPort
[ -z "`grep ^Port /etc/ssh/sshd_config`" ] && ssh_port=22 || ssh_port=`grep ^Port /etc/ssh/sshd_config | awk '{print $2}'`
#CheckOS
if [ -n "$(grep 'Aliyun Linux release' /etc/issue)" -o -e /etc/redhat-release ]; then
OS=CentOS
[ -n "$(grep ' 7\.' /etc/redhat-release)" ] && CentOS_RHEL_version=7
[ -n "$(grep ' 6\.' /etc/redhat-release)" -o -n "$(grep 'Aliyun Linux release6 15' /etc/issue)" ] && CentOS_RHEL_version=6
[ -n "$(grep ' 5\.' /etc/redhat-release)" -o -n "$(grep 'Aliyun Linux release5' /etc/issue)" ] && CentOS_RHEL_version=5
elif [ -n "$(grep 'Amazon Linux AMI release' /etc/issue)" -o -e /etc/system-release ]; then
OS=CentOS
CentOS_RHEL_version=6
elif [ -n "$(grep 'bian' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Debian" ]; then
OS=Debian
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
Debian_version=$(lsb_release -sr | awk -F. '{print $1}')
elif [ -n "$(grep 'Deepin' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Deepin" ]; then
OS=Debian
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
Debian_version=$(lsb_release -sr | awk -F. '{print $1}')
# kali rolling
elif [ -n "$(grep 'Kali GNU/Linux Rolling' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Kali" ]; then
OS=Debian
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
if [ -n "$(grep 'VERSION="2016.*"' /etc/os-release)" ]; then
Debian_version=8
else
echo "${CFAILURE}Does not support this OS, Please contact the author! ${CEND}"
kill -9 $$
fi
elif [ -n "$(grep 'Ubuntu' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Ubuntu" -o -n "$(grep 'Linux Mint' /etc/issue)" ]; then
OS=Ubuntu
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
Ubuntu_version=$(lsb_release -sr | awk -F. '{print $1}')
[ -n "$(grep 'Linux Mint 18' /etc/issue)" ] && Ubuntu_version=16
elif [ -n "$(grep 'elementary' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == 'elementary' ]; then
OS=Ubuntu
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
Ubuntu_version=16
else
echo "${CFAILURE}Does not support this OS, Please contact the author! ${CEND}"
kill -9 $$
fi
#Read Imformation From The User
echo "Welcome to Fail2ban!"
echo "--------------------"
echo "This Shell Script can protect your server from SSH attacks with the help of Fail2ban and iptables"
echo ""
while :; do echo
read -p "Do you want to change your SSH Port? [y/n]: " IfChangeSSHPort
if [ ${IfChangeSSHPort} == 'y' ]; then
if [ -e "/etc/ssh/sshd_config" ];then
[ -z "`grep ^Port /etc/ssh/sshd_config`" ] && ssh_port=22 || ssh_port=`grep ^Port /etc/ssh/sshd_config | awk '{print $2}'`
while :; do echo
read -p "Please input SSH port(Default: $ssh_port): " SSH_PORT
[ -z "$SSH_PORT" ] && SSH_PORT=$ssh_port
if [ $SSH_PORT -eq 22 >/dev/null 2>&1 -o $SSH_PORT -gt 1024 >/dev/null 2>&1 -a $SSH_PORT -lt 65535 >/dev/null 2>&1 ];then
break
else
echo "${CWARNING}input error! Input range: 22,1025~65534${CEND}"
fi
done
if [ -z "`grep ^Port /etc/ssh/sshd_config`" -a "$SSH_PORT" != '22' ];then
sed -i "s@^#Port.*@&\nPort $SSH_PORT@" /etc/ssh/sshd_config
elif [ -n "`grep ^Port /etc/ssh/sshd_config`" ];then
sed -i "s@^Port.*@Port $SSH_PORT@" /etc/ssh/sshd_config
fi
fi
break
elif [ ${IfChangeSSHPort} == 'n' ]; then
break
else
echo "${CWARNING}Input error! Please only input y or n!${CEND}"
fi
done
ssh_port=$SSH_PORT
echo ""
read -p "Input the maximun times for trying [2-10]: " maxretry
echo ""
read -p "Input the lasting time for blocking a IP [hours]: " bantime
if [ ${maxretry} == '' ]; then
maxretry=3
fi
if [ ${bantime} == '' ];then
bantime=24
fi
((bantime=$bantime*60*60))
#Install
if [ ${OS} == CentOS ]; then
yum -y install epel-release
yum -y install fail2ban
fi
if [ ${OS} == Ubuntu ] || [ ${OS} == Debian ];then
apt-get -y update
apt-get -y install fail2ban
fi
#Configure
rm -rf /etc/fail2ban/jail.local
touch /etc/fail2ban/jail.local
if [ ${OS} == CentOS ]; then
cat <<EOF >> /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 3
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = $maxretry
findtime = 3600
bantime = $bantime
EOF
else
cat <<EOF >> /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = $maxretry
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = $maxretry
findtime = 3600
bantime = $bantime
EOF
fi
#Start
if [ ${OS} == CentOS ]; then
if [ ${CentOS_RHEL_version} == 7 ]; then
systemctl restart fail2ban
systemctl enable fail2ban
else
service fail2ban restart
chkconfig fail2ban on
fi
fi
if [[ ${OS} =~ ^Ubuntu$|^Debian$ ]]; then
service fail2ban restart
fi
#Finish
echo "Finish Installing ! Reboot the sshd now !"
if [ ${OS} == CentOS ]; then
if [ ${CentOS_RHEL_version} == 7 ]; then
systemctl restart sshd
else
service ssh restart
fi
fi
if [[ ${OS} =~ ^Ubuntu$|^Debian$ ]]; then
service sshd restart
fi
echo ""
echo 'Github: https://github.com/FunctionClub'
echo 'http://seeit.life'
echo "Fail2ban is now runing on this server now!" 博客地址
www.seeit.life
ღ ღ ღ 如果覺得文章對您有用,不妨贊一下ღ ღ ღ