fail2ban安裝與配置操作實例

一、fail2ban簡介
fail2ban可以監視你的系統日志，然后匹配日志的錯誤信息（正則式匹配）執行相應的屏蔽動作（一般情況下是防火牆），而且可以發送e-mail通知系統管理員，是不是很好、很實用、很強大！

二、簡單來介紹一下fail2ban的功能和特性

1、支持大量服務。如sshd,apache,qmail,proftpd,sasl等等
2、支持多種動作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(郵件通知)等等。
3、在logpath選項中支持通配符
4、需要Gamin支持(注：Gamin是用於監視文件和目錄是否更改的服務工具)
5、需要安裝python,iptables,tcp-wrapper,shorewall,Gamin。如果想要發郵件，那必需安裝postfix/sendmail

三、fail2ban安裝與配置操作實例

1:安裝epel更新源：http://fedoraproject.org/wiki/EPEL/zh-cn
復制代碼 代碼如下:
# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

or
復制代碼 代碼如下:
# yum install gamin-python python-inotify python-ctypes
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

or
復制代碼 代碼如下:
# yum install gamin-python python-inotify python-ctypes
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm
2:源碼包安裝
復制代碼 代碼如下:

# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz
# cd

/etc/fail2ban/action.d #動作文件夾，內含默認文件。iptables以及mail等動作配置
/etc/fail2ban/fail2ban.conf #定義了fai2ban日志級別、日志位置及sock文件位置
/etc/fail2ban/filter.d #條件文件夾，內含默認文件。過濾日志關鍵內容設置
/etc/fail2ban/jail.conf #主要配置文件，模塊化。主要設置啟用ban動作的服務及動作閥值
/etc/rc.d/init.d/fail2ban #啟動腳本文件

3. vi /etc/fail2ban/fail2ban.conf
[Definition]
loglevel =3
logtarget = SYSLOG #我們需要做的就是把這行改成/var/log/fail2ban.log，方便用來記錄日志信息
socket =/var/run/fail2ban/fail2ban.sock
4. vi /etc/fail2ban/jail.conf
[DEFAULT] #全局設置
ignoreip = 127.0.0.1 #忽略的IP列表,不受設置限制
bantime = 600 #屏蔽時間，單位：秒
findtime = 600 #這個時間段內超過規定次數會被ban掉
maxretry = 3 #最大嘗試次數
backend = auto #日志修改檢測機制（gamin、polling和auto這三種）

[sshd] #單個服務檢查設置，如設置bantime、findtime、maxretry和全局沖突，服務優先級大於全局設置。
enabled = true #是否激活此項（true/false）
filter = sshd #過濾規則filter的名字，對應filter.d目錄下的sshd.conf
action = iptables[name=SSH, port=ssh, protocol=tcp]#動作的相關參數，對應action.d/iptables.conf文件
logpath = /var/log/secure #檢測的日志文件path
bantime = 3600
findtime = 300
maxretry = 3
servicefail2ban start 啟動服務
4.解除fail2ban綁定的IP

 

 

查詢限制列表
# iptables -L --line-numbers
Chain fail2ban-SSH (1references)
num target prot opt source destination
1 DROP all -- 118.152.158.61.ha.cnc anywhere
2 RETURN all -- anywhere anywhere
解除限制
# iptables -D fail2ban-SSH 1

我們主要編輯jail.conf這個配置文件，其他的不要去管它.
復制代碼 代碼如下:

# vi /etc/fail2ban.conf
SSH防攻擊規則
復制代碼 代碼如下:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5

[ssh-ddos]
enabled = true
filter = sshd-ddos
action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
logpath = /var/log/messages
maxretry = 2

[osx-ssh-ipfw]

enabled = true
filter = sshd
action = osx-ipfw
logpath = /var/log/secure.log
maxretry = 5

[ssh-apf]

enabled = true
filter = sshd
action = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5

[osx-ssh-afctl]

enabled = true
filter = sshd
action = osx-afctl[bantime=600]
logpath = /var/log/secure.log
maxretry = 5

[selinux-ssh]
enabled = true
filter = selinux-ssh
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath = /var/log/audit/audit.log
maxretry = 5

proftp防攻擊規則
復制代碼 代碼如下:

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

郵件防攻擊規則
復制代碼 代碼如下:

[sasl-iptables]
enabled = true
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@example.com]
logpath = /var/log/mail.log

[dovecot]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/mail.log

[dovecot-auth]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/secure

[perdition]

enabled = true
filter = perdition
action = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog

[uwimap-auth]

enabled = true
filter = uwimap-auth
action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog

apache防攻擊規則
復制代碼 代碼如下:

[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/httpd/error_log
maxretry = 6

[apache-badbots]

enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath = /var/log/httpd/access_log
bantime = 172800
maxretry = 1

[apache-shorewall]

enabled = true
filter = apache-noscript
action = shorewall
sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/httpd/error_log

nginx防攻擊規則
復制代碼 代碼如下:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log

lighttpd防規擊規則
復制代碼 代碼如下:

[suhosin]
enabled = true
filter = suhosin
action = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]

enabled = true
filter = lighttpd-auth
action = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

vsftpd防攻擊規則
復制代碼 代碼如下:

[vsftpd-notification]
enabled = true
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

[vsftpd-iptables]

enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

pure-ftpd防攻擊規則
復制代碼 代碼如下:

[pure-ftpd]
enabled = true
filter = pure-ftpd
action = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath = /var/log/pureftpd.log
maxretry = 2
bantime = 86400

mysql防攻擊規則
復制代碼 代碼如下:

[mysqld-iptables]
enabled = true
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath = /var/log/mysqld.log
maxretry = 5

apache phpmyadmin防攻擊規則
復制代碼 代碼如下:

[apache-phpmyadmin]
enabled = true
filter = apache-phpmyadmin
action = iptables[name=phpmyadmin, port=http,https protocol=tcp]
logpath = /var/log/httpd/error_log
maxretry = 3
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf
將以下內容粘貼到apache-phpmyadmin.conf里保存即可以創建一個apache-phpmyadmin.conf文件.
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option: failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values: TEXT
#
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# service fail2ban restart

寫在最后，在安裝完fail2ban后請立即重啟一下fail2ban,看是不是能正常啟動，因為在后邊我們配置完規則后如果發生無法啟動的問題我們可以進行排查.如果安裝完后以默認規則能夠正常啟動，而配置完規則后卻不能夠正常啟動，請先檢查一下你 /var/log/ 目錄下有沒有規則里的 logpath= 后邊的文件，或者這個文件的路徑與規則里的是不是一致. 如果不一致請在 logpath 項那里修改你的路徑， 如果你的緩存目錄里沒有這個文件，那么請你將該配置項的 enabled 項目的值設置為 false. 然后再進行重啟fail2ban，這樣一般不會有什么錯誤了.
————————————————
版權聲明：本文為CSDN博主「紫沐星」的原創文章，遵循CC 4.0 BY-SA版權協議，轉載請附上原文出處鏈接及本聲明。
原文鏈接：https://blog.csdn.net/zimuxin/article/details/45742999