一、fail2ban简介
fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是防火墙),而且可以发送e-mail通知系统管理员,是不是很好、很实用、很强大!
二、简单来介绍一下fail2ban的功能和特性
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等 2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。 3、在logpath选项中支持通配符 4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具) 5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail
三、fail2ban安装与配置操作实例
1:安装epel更新源:
yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban
or
yum install gamin-python python-inotify python-ctypes
wget
rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm
or
yum install gamin-python python-inotify python-ctypes
wget
rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm
2:源码包安装
wget
tar -xzvf fail2ban-0.9.0.tar.gz
cd
/etc/fail2ban/action.d #动作文件夹,内含默认文件。iptables以及mail等动作配置 /etc/fail2ban/fail2ban.conf #定义了fai2ban日志级别、日志位置及sock文件位置 /etc/fail2ban/filter.d #条件文件夹,内含默认文件。过滤日志关键内容设置 /etc/fail2ban/jail.conf #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值 /etc/rc.d/init.d/fail2ban #启动脚本文件
- vi /etc/fail2ban/fail2ban.conf [Definition] loglevel =3 logtarget = SYSLOG #我们需要做的就是把这行改成/var/log/fail2ban.log,方便用来记录日志信息 socket =/var/run/fail2ban/fail2ban.sock
- vi /etc/fail2ban/jail.conf
[DEFAULT] #全局设置 ignoreip = 127.0.0.1 #忽略的IP列表,不受设置限制 bantime = 600 #屏蔽时间,单位:秒 findtime = 600 #这个时间段内超过规定次数会被ban掉 maxretry = 3 #最大尝试次数 backend = auto #日志修改检测机制(gamin、polling和auto这三种)
[sshd] #单个服务检查设置,如设置bantime、findtime、maxretry和全局冲突,服务优先级大于全局设置。 enabled = true #是否激活此项(true/false) filter = sshd #过滤规则filter的名字,对应filter.d目录下的sshd.conf action = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数,对应action.d/iptables.conf文件 logpath = /var/log/secure #检测的日志文件path bantime = 3600 findtime = 300 maxretry = 3
servicefail2ban start 启动服务 4.解除fail2ban绑定的IP 查询限制列表
iptables -L --line-numbers
Chain fail2ban-SSH (1references) num target prot opt source destination 1 DROP all -- 118.152.158.61.ha.cnc anywhere 2 RETURN all -- anywhere anywhere 解除限制
iptables -D fail2ban-SSH 1
我们主要编辑jail.conf这个配置文件,其他的不要去管它.
vi /etc/fail2ban.conf
SSH防攻击规则
[ssh-iptables]
enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, , sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5
[ssh-ddos] enabled = true filter = sshd-ddos action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp] logpath = /var/log/messages maxretry = 2
[osx-ssh-ipfw]
enabled = true filter = sshd action = osx-ipfw logpath = /var/log/secure.log maxretry = 5
[ssh-apf]
enabled = true filter = sshd action = apf[name=SSH] logpath = /var/log/secure maxretry = 5
[osx-ssh-afctl]
enabled = true filter = sshd action = osx-afctl[bantime=600] logpath = /var/log/secure.log maxretry = 5
[selinux-ssh] enabled = true filter = selinux-ssh action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp] logpath = /var/log/audit/audit.log maxretry = 5
proftp防攻击规则
[proftpd-iptables]
enabled = true filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, ] logpath = /var/log/proftpd/proftpd.log maxretry = 6
邮件防攻击规则
[sasl-iptables]
enabled = true filter = postfix-sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, ] logpath = /var/log/mail.log
[dovecot]
enabled = true filter = dovecot action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] logpath = /var/log/mail.log
[dovecot-auth]
enabled = true filter = dovecot action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] logpath = /var/log/secure
[perdition]
enabled = true filter = perdition action = iptables-multiport[name=perdition,port="110,143,993,995"] logpath = /var/log/maillog
[uwimap-auth]
enabled = true filter = uwimap-auth action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"] logpath = /var/log/maillog
apache防攻击规则
[apache-tcpwrapper]
enabled = true filter = apache-auth action = hostsdeny logpath = /var/log/httpd/error_log maxretry = 6
[apache-badbots]
enabled = true filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, ] logpath = /var/log/httpd/access_log bantime = 172800 maxretry = 1
[apache-shorewall]
enabled = true filter = apache-noscript action = shorewall sendmail[name=Postfix, ] logpath = /var/log/httpd/error_log
nginx防攻击规则
[nginx-http-auth]
enabled = true filter = nginx-http-auth action = iptables-multiport[name=nginx-http-auth,port="80,443"] logpath = /var/log/nginx/error.log
lighttpd防规击规则
[suhosin]
enabled = true filter = suhosin action = iptables-multiport[name=suhosin, port="http,https"]
adapt the following two items as needed
logpath = /var/log/lighttpd/error.log maxretry = 2
[lighttpd-auth]
enabled = true filter = lighttpd-auth action = iptables-multiport[name=lighttpd-auth, port="http,https"]
adapt the following two items as needed
logpath = /var/log/lighttpd/error.log maxretry = 2
vsftpd防攻击规则
[vsftpd-notification]
enabled = true filter = vsftpd action = sendmail-whois[name=VSFTPD, ] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800
[vsftpd-iptables]
enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, ] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800
pure-ftpd防攻击规则
[pure-ftpd] enabled = true filter = pure-ftpd action = iptables[name=pure-ftpd, port=ftp, protocol=tcp] logpath = /var/log/pureftpd.log maxretry = 2 bantime = 86400
mysql防攻击规则
[mysqld-iptables]
enabled = true filter = mysqld-auth action = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, ] logpath = /var/log/mysqld.log maxretry = 5
apache phpmyadmin防攻击规则
[apache-phpmyadmin] enabled = true filter = apache-phpmyadmin action = iptables[name=phpmyadmin, port=http,https protocol=tcp] logpath = /var/log/httpd/error_log maxretry = 3
/etc/fail2ban/filter.d/apache-phpmyadmin.conf
将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.
Fail2Ban configuration file
Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
Author: Gina Haeussge
[Definition]
docroot = /var/www badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
Option: failregex
Notes.: Regexp to match often probed and not available phpmyadmin paths.
Values: TEXT
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)
Option: ignoreregex
Notes.: regex to ignore. If this regex matches, the line is ignored.
Values: TEXT
ignoreregex =
service fail2ban restart
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径, 如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了.