1.安裝fail2ban原因
本人的網站自從搭建好一段時間後被問候了無數次,阿里雲安全團隊真敬業,夜裏都給我發異常通知短信,感謝!!!(給他做個廣告)
[root@Lnmp logs]# awk '{print $1}' access.log|sort|uniq -c|sort -rn|head -10
18559 121.42.0.38
16353 121.42.0.39
15351 222.186.34.249
15350 222.186.160.94
15341 222.186.21.35
13870 121.42.0.36
13172 121.42.0.17
12393 121.42.0.31
12302 121.42.0.37
11843 121.42.0.30
所以決定安裝fail2ban 來限制訪問。
1.1 軟件介紹
fail2ban是一款實用軟件,可以監視你的日誌,然後匹配日誌的信息(正則式匹配)執行相應的屏蔽動作。
1.2 安裝環境
[root@Lnmp logs]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@Lnmp logs]# uname -r
2.6.32-642.6.1.el6.x86_64
2.實戰 fail2ban 搭建
#上傳fail2ban-0.8.14.tar.gz到安裝目錄,解壓安裝
[root@Lnmp tools]# tar xf fail2ban-0.8.14.tar.gz
[root@Lnmp tools]# cd fail2ban-0.8.14
[root@Lnmp fail2ban-0.8.14]# ll
total 236
-rw-rw-r-- 1 root root 46255 Aug 20 2014 ChangeLog
drwxrwxr-x 2 root root 4096 Aug 20 2014 client
drwxrwxr-x 2 root root 4096 Aug 20 2014 common
drwxrwxr-x 4 root root 4096 Aug 20 2014 config
-rw-rw-r-- 1 root root 19296 Aug 20 2014 COPYING
-rw-rw-r-- 1 root root 13329 Aug 20 2014 DEVELOP
drwxrwxr-x 2 root root 4096 Aug 20 2014 doc
-rwxrwxr-x 1 root root 12699 Aug 20 2014 fail2ban-client
-rwxrwxr-x 1 root root 13570 Aug 20 2014 fail2ban-regex
-rwxrwxr-x 1 root root 4502 Aug 20 2014 fail2ban-server
-rwxrwxr-x 1 root root 8242 Aug 20 2014 fail2ban-testcases
-rwxrwxr-x 1 root root 397 Aug 20 2014 fail2ban-testcases-all
drwxrwxr-x 4 root root 4096 Aug 20 2014 files
-rw-rw-r-- 1 root root 18972 Aug 20 2014 FILTERS
-rwxrwxr-x 1 root root 69 Aug 20 2014 kill-server
drwxrwxr-x 2 root root 4096 Aug 20 2014 man
-rw-rw-r-- 1 root root 8268 Aug 20 2014 MANIFEST
-rw-rw-r-- 1 root root 3992 Aug 20 2014 README.md
-rw-rw-r-- 1 root root 4189 Aug 20 2014 README.Solaris
drwxrwxr-x 2 root root 4096 Aug 20 2014 server
-rw-rw-r-- 1 root root 291 Aug 20 2014 setup.cfg
-rwxrwxr-x 1 root root 3337 Aug 20 2014 setup.py
drwxrwxr-x 4 root root 4096 Aug 20 2014 testcases
-rw-rw-r-- 1 root root 1733 Aug 20 2014 THANKS
-rw-rw-r-- 1 root root 1827 Aug 20 2014 TODO
#安裝fail2ban,注:沒有安裝python,需要先安裝一下
[root@Lnmp fail2ban-0.8.14]#python setup.py install
#檢查啓動文件
[root@Lnmp fail2ban-0.8.14]# grep chkconfig ./* -R --color
./files/redhat-initd:# chkconfig: - 92 08
#把啓動文件複製到 /etc/init.d下做開機自啓動
[root@Lnmp fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --add fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --list fail2ban
fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off
#修改配置文件,修改前備份配置文件
[root@Lnmp fail2ban-0.8.14]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.ori
[root@Lnmp fail2ban-0.8.14]# ls /etc/fail2ban/
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.ori jail.d
#定位到94行[ssh-iptables]修改參數
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf +94
#預防暴力破解
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 3 #設定訪問頻率,單位"次"
bantime = 3600 #限制1小時內不能登錄,單位"秒"
findtime = 300 #設定訪問時間,十分鐘(300s)內
#以上表示十分鐘內,3次輸錯登錄密碼,關禁閉1小時。
[root@Lnmp fail2ban-0.8.14]# service fail2ban start
Starting fail2ban: [ OK ]
#查看fail2ban規則是否生效
[root@Lnmp fail2ban-0.8.14]# service fail2ban status
fail2ban-server (pid 6723) is running...
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
#限制用戶頻繁訪問網站,禁止非法ip
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf
#按大寫G定位到最後,添加如下代碼
#nginx access control
[access-get-dos]
enables = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=IT300,port=http,portocol=tcp]
sendmail-whois[name=IT300,[email protected],[email protected]]
#訪問日誌路徑
logpath = /application/nginx/logs/access.log
#限制規則
findtime = 60 #設定訪問時間,一分鐘(60s)內
maxretry = 30 #設定訪問頻率,單位"次"
bantime = 3600 #限制1小時內不能登錄,單位"秒"
#以上表示1分鐘內,30次訪問,關禁閉1小時
#創建規則文件
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/filter.d/nginx-bansniffer.conf
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
#重新啓動fail2ban
[root@Lnmp fail2ban-0.8.14]# service fail2ban reload
#查看fail2ban生效的規則狀態
[root@Lnmp fail2ban-0.8.14]# service fail2ban status
fail2ban-server (pid 7013) is running...
Status
|- Number of jail: 2
`- Jail list: access-get-dos, ssh-iptables
#查看生效後訪問情況,注:訪問日誌做了切割
[root@Lnmp logs]#awk '{print $1}' 20161101_access_www.log|sort|uniq -c|sort -rn|head -10
11 121.42.0.16
9 198.52.119.97
8 61.158.152.132
6 112.97.63.104
5 42.48.70.245
5 36.57.226.54
5 221.225.2.214
5 180.114.17.26
5 171.105.144.226
5 123.11.115.223
#uniq -c 表示合併相鄰的重複記錄,並統計重複數
#sort -n 表示按從小到大進行排序
#sort -r 表示逆序,即按照從大到小的順序進行排序。
#head -10 表示取前10位
總結:自從fail2ban安裝後每天不再接到阿里安全團隊的問候短信了,設置成功。