fail2ban installation and configuration


 

1 Introduction

fail2ban is a practical utility: it watches your system logs, matches the error messages in them with regular expressions, and then carries out the corresponding blocking action.

- Supports a large number of services, such as sshd, apache, qmail, proftpd, sasl and so on.

- Supports multiple actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications and so on.

- Supports wildcards in the logpath option.

- Requires Gamin (note: Gamin is a service that monitors files and directories for changes).

- Requires python, iptables, tcp-wrapper, shorewall and Gamin to be installed. If you want to send mail, postfix or sendmail must be installed as well.

 

2 Installation and configuration

2.1 Installing with yum

yum install fail2ban

2.2 Configuration

2.2.1 Configuration layout

/etc/fail2ban/fail2ban.conf   logging settings file

/etc/fail2ban/jail.conf       ban (jail) settings file

/etc/fail2ban/filter.d        directory holding the concrete matching rules

2.2.2 jail.conf configuration

Explanation of the main settings:

# this IP or IP range is exempt and is not affected by the conditions below
ignoreip = 127.0.0.1
# ban duration in seconds (for example one day: 86400); -1 means a permanent ban
bantime  = 600
# the window within which the condition must be met to trigger a ban, e.g. 3 failures within 600 seconds
# unit: seconds
findtime  = 600
# the number of failures within the window above, e.g. 3 within 600 seconds
# unit: count
maxretry = 3

Explanation of the ssh example:

[ssh-iptables]

# whether the jail is enabled; set to true to enable it
enabled  = false
filter   = sshd
# port is the port number
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, [email protected], [email protected]]
# the address placeholders above are your mailbox address and the sender address (recommended to be the same)
# sending mail requires the sendmail service; if it is absent or unwanted, comment out the sendmail-whois line with a leading #
# the corresponding error log, usually /var/log/secure
logpath  = /var/log/sshd.log
# number of failed attempts
maxretry = 5

apache configuration:

# Detect password authentication failures
[apache-auth]
enabled = true
port     = http,https
filter = apache-auth
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 5
bantime = 3600
 
# Detect crawlers harvesting email addresses
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port     = http,https
filter = apache-badbots
logpath = /var/log/httpd/*access*
#logpath  = %(apache_access_log)s
bantime  = 172800
maxretry = 1
 
# Detect vulnerability and PHP weakness scans
[apache-noscript]
enabled = true
port     = http,https
filter = apache-noscript
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 5
bantime = 3600
 
# Detect Apache overflow attacks
[apache-overflows]
enabled = true
port     = http,https
filter = apache-overflows
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
# Detect attempts to look for home directories on the server
[apache-nohome]
enabled = true
port     = http,https
filter = apache-nohome
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
 
[apache-botsearch]
enabled = true
port     = http,https
filter = apache-botsearch
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
[apache-fakegooglebot]
enabled = true
port     = http,https
filter = apache-fakegooglebot
logpath = /var/log/httpd/*access*
#logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
bantime = 3600
 
[apache-modsecurity]
enabled = true
port     = http,https
filter = apache-modsecurity
logpath = /var/log/httpd/*error*
#logpath  = %(apache_error_log)s
maxretry = 2
bantime = 3600
 
[apache-shellshock]
enabled = true
port    = http,https
filter = apache-shellshock
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 1
bantime = 3600

wordpress configuration:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/*access*
maxretry = 2
findtime = 60
bantime = 3600
port = http,https

2.2.3 fail2ban.conf configuration

Enable logging:

vi /etc/fail2ban/fail2ban.conf

logtarget = /var/log/fail2ban.log

2.2.4 Filter rules

Directory of the filter rule configuration files:

/etc/fail2ban/filter.d/

 

wordpress filter rule configuration:

vi /etc/fail2ban/filter.d/wordpress.conf

# WP brute force attacks filter
[Definition]
failregex = <HOST> .*-.*-.*POST.*/wp-login.php .* .* .*$
ignoreregex =
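To see what the wordpress jail above (maxretry = 2, findtime = 60) and its failregex actually do before enabling them, here is an added example (not part of the original page or of fail2ban itself) that applies the failregex to constructed access-log lines and models the jail's ban decision. It assumes an IPv4-only expansion of <HOST>, a simplification of the host pattern fail2ban really substitutes.

```python
import re
from datetime import datetime, timedelta

# The failregex from the wordpress.conf filter above.
FAILREGEX = r"<HOST> .*-.*-.*POST.*/wp-login.php .* .* .*$"
# fail2ban expands <HOST> to a host-matching group; an IPv4-only
# expansion is assumed here for simplicity.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
TS_RE = re.compile(r"\[([^\]]+)\]")  # Apache access-log timestamp field

def line_time(line):
    """Parse the Apache common-log timestamp, e.g. [10/Oct/2023:13:55:36 +0000]."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def banned_hosts(lines, maxretry=2, findtime=60):
    """Model the jail: ban a host once it has maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    failures = {}  # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        m = FAIL_RE.match(line)  # fail2ban anchors failregex at the line start
        if not m:
            continue
        host, ts = m.group("host"), line_time(line)
        recent = [t for t in failures.get(host, []) if ts - t <= window]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4521',
    '198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '198.51.100.2 - - [10/Oct/2023:13:59:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
]

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))  # ['203.0.113.7']
```

Note that the failregex counts every POST to /wp-login.php, successful logins included, so a legitimate user who logs in twice within 60 seconds is banned as well; the real fail2ban-regex tool can be run against your own access log to check the match count before enabling the jail.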

 

The other apache rule files already exist by default.

 

2.2.5 Action rules

The default action is iptables-multiport (defined by the "banaction" setting under the [DEFAULT] section of /etc/fail2ban/jail.conf). This action uses the iptables multiport module to block an IP address.

 

Action rules directory:

/etc/fail2ban/action.d/

 

2.2.6 Starting fail2ban

/etc/init.d/fail2ban start

 

2.3 Checking and managing fail2ban ban status

Once a jail is active, you can use fail2ban's client command-line tool to monitor the current ban status.

 

List the active jails:

fail2ban-client status

Show the status of a specific jail (including the list of banned IPs):

fail2ban-client status [jail-name]

 

You can also ban or unban IP addresses manually:

To ban an IP with a specified jail:

fail2ban-client set [name-of-jail] banip [ip-address]

To unban an IP blocked by the specified jail:

fail2ban-client set [name-of-jail] unbanip [ip-address]

