1. Fail2Ban 简介
mportant;">Fail2Ban 是一款入侵防御软件,可以保护服务器免受暴力攻击。 它是用 Python 编程语言编写的。
Fail2Ban 基于auth 日志文件工作,默认情况下它会扫描所有 auth 日志文件,如 /var/log/auth.log、
/var/log/apache/access.log 等,并禁止带有恶意标志的IP,比如密码失败太多,寻找漏洞等等标志。
通常,Fail2Ban 用于更新防火墙规则,用于在指定的时间内拒绝 IP 地址。 它也会发送邮件通知。
Fail2Ban 为各种服务提供了许多过滤器,如 ssh、apache、nginx、squid、named、mysql、nagios 等。
Fail2Ban 能够降低错误认证尝试的速度,但是它不能消除弱认证带来的风险。
这只是服务器防止暴力攻击的安全手段之一。
2. Fail2Ban 安装配
yum install fail2ban ## 安装
以下配置实现:阻止 SSH 远程暴力攻击并通过 mail 通知管理员
cat /etc/fail2ban/jail.conf ## 根据指引,修改配置应在jail.d/ 下新建文件进行 vim /etc/fail2ban/jail.d/sshd.local ## 修改配置 cd /etc/fail2ban/jail.d mv 00-firewalld.conf 00-firewalld.conf.disabled ## 禁用 firewalld,使用iptables vim /etc/fail2ban/action.d/mail-whois.conf ## 定义 action fail2ban-client reload ## 让配置生效
日常维护:
systemctl enable fail2ban.service # 开机启动 systemctl start fail2ban.service # 启动服务 cat /var/log/fail2ban.log # 日志文件 fail2ban-client status # 查看 fail2ban 的运行状态 fail2ban-client status sshd # 查看 jail 的详细信息,可以看到被封的 ip fail2ban-client set sshd unbanip 123.123.123.2 # 解封 ip
3. Fail2Ban 目录结构
/etc/fail2ban/ ├── action.d │ ├── dummy.conf │ ├── hostsdeny.conf │ ├── iptables.conf │ ├── mail-whois.conf ## mail 动作配置 │ ├── mail.conf │ └── shorewall.conf ├── fail2ban.conf ├── fail2ban.local ├── filter.d │ ├── apache-auth.conf │ ├── apache-noscript.conf │ ├── couriersmtp.conf │ ├── postfix.conf │ ├── proftpd.conf │ ├── qmail.conf │ ├── sasl.conf │ ├── sshd.conf │ └── vsftpd.conf ├── jail.conf |── jail.local |—— jail.d └── └── sshd.local ## SSH 相关配置
4. jail.conf 配置项说明
cat /etc/fail2ban/jail.conf [DEFAULT ] ignorecommand = ## bantime = 10m ## 禁止时长,默认10分钟 findtime = 10m ## 执行操作的窗口时长,默认10分钟 maxretry =5 ## 最大尝试次数 backend = auto ## 指定用于获取文件修改的后端 usedns = warn ## logencoding = auto enabled = false ## jails 默认关闭,在自定义的 .local 中打开需要用到的项 mode = normal ## 过滤器类型 filter = %( name )s [mode=%(mode)s ] ## 定义过滤器 destemail =root@localhost ## 通知将被发送到的电子邮件地址 sender = root@ ## 发件人姓名 mta =sendmail ## 邮件传输代理(默认是 sendmail,可以改成 mail) protocol = tcp chain = <known/chain> port = 0:65535 fail2ban_agent = Fail2Ban/%(fail2ban_version)s banaction = iptables-multiport ## 动作的捷径,用于定义动作参数 banaction_allports = iptables-allports action_abuseipdb =abuseipdb ...... action = %(action_)s
5. sshd.local 自定义配置项
vim /etc/fail2ban/jail.d/sshd.local [DEFAULT] ignoreip = 127.0.0.1/8 ## 忽略本地 IP bantime = 300 ## IP 禁止访问时间 findtime = 60 ## 密码输入时间限制 maxretry = 5 ## 最大允许试错次数 backend = auto destemail = 123456@qq.com ## 邮件接收地址 sender = 654321@163.com ## 邮件发送地址(必需配置) mta = mail ## 采用 mail 邮件服务 action = %(action_mw)s ## 动作模式 action_mw [sshd] enabled = true ## 开启 SSH 保护 port = 7777 ## SSH 端口号
6. mail-whois.conf 自定义动作
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
mail-whois-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Hi:\n
Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
攻击者IP:<ip>\n
位置:`/usr/bin/curl -s http://www.cip.cc/<ip> | sed -n 2p | awk -F ': ' '{print $2}' `\n
被攻击机器名:`uname -n` \n
攻击次数:<failures> 次 \n
Fail2Ban提醒\n\n "|/usr/bin/mail -s "title" <dest>
[Init]
# Default name of the chain
#
name = default7. fail2banAuto.sh
#!/usr/bin/env bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#=================================================
# System Required: CentOS 6+/Debian 6+/Ubuntu 14.04+
# Description: Manager Fail2ban
# Author: Hoothin
#=================================================
filepath=$(cd "$(dirname "$0")"; pwd) # 获取当前文件$0所在的目录,进入该目录,输出路径
jail_local_file="/etc/fail2ban/jail.local"
Green_font_prefix="\033[32m" && Red_font_prefix="\033[31m" && Green_background_prefix="\033[42;37m" && Red_background_prefix="\033[41;37m" && Font_color_suffix="\033[0m"
Info="${Green_font_prefix}[信息]${Font_color_suffix}"
Error="${Red_font_prefix}[错误]${Font_color_suffix}"
Tip="${Green_font_prefix}[注意]${Font_color_suffix}"
Separator_1="——————————————————————————————"
[[ $EUID != 0 ]] && echo -e "${Error} 当前账号非ROOT(或没有ROOT权限),无法继续操作,请使用${Green_background_prefix} sudo su ${Font_color_suffix}来获取临时ROOT权限。" && exit 1
menu_status(){
if [[ -e ${jail_local_file} ]]; then
PID=`ps -ef |grep -v grep | grep fail2ban |awk '{print $2}'` # 列出所有程序->查找不包含grep的行->查找包含fail2ban的行->每行按空格或TAB分割,输出文本中的第2项
if [[ ! -z "${PID}" ]]; then
echo -e " 当前状态: ${Green_font_prefix}已安装${Font_color_suffix} 并 ${Green_font_prefix}已启动${Font_color_suffix}"
else
echo -e " 当前状态: ${Green_font_prefix}已安装${Font_color_suffix} 但 ${Red_font_prefix}未启动${Font_color_suffix}"
fi
else
echo -e " 当前状态: ${Red_font_prefix}未安装${Font_color_suffix}"
fi
}
Install_Fail2ban(){
yum install -y epel-release
yum install -y fail2ban
}
Update_Fail2ban(){
yum update -y fail2ban
}
Uninstall_Fail2ban(){
yum remove -y fail2ban
}
View_Jail(){
jails=`fail2ban-client status | grep "Jail list" | awk -F "Jail list:\t" '{print $2}' | tr "," " "`
PS3="选择要查看的监禁: "
select Jail in ALL $jails QUIT
do
if [[ $Jail = "ALL" ]]
then
fail2ban-client status
elif [[ $Jail = "QUIT" ]]
then
break
else
fail2ban-client status "$Jail"
fi
done
}
Start_Jail(){
jails=`fail2ban-client status | grep "Jail list" | awk -F "Jail list:\t" '{print $2}' | tr "," " "`
PS3="选择要启动的监禁: "
select Jail in ALL $jails QUIT
do
if [[ $Jail = "ALL" ]]
then
fail2ban-client start
elif [[ $Jail = "QUIT" ]]
then
break
else
fail2ban-client start "$Jail"
fi
done
}
Stop_Jail(){
jails=`fail2ban-client status | grep "Jail list" | awk -F "Jail list:\t" '{print $2}' | tr "," " "`
PS3="选择要停止的监禁: "
select Jail in ALL $jails QUIT
do
if [[ $Jail = "ALL" ]]
then
fail2ban-client stop
elif [[ $Jail = "QUIT" ]]
then
break
else
fail2ban-client stop "$Jail"
fi
done
}
Modify_Filter_Config(){
read -p "输入过滤配置名称,如【nginx】 > " filterName
if [[ ! -e /etc/fail2ban/filter.d/${filterName}.conf ]]
then
read -p "该配置不存在,是否创建?【Y/N】" create
if [[ $create = "Y" || $create = "y" ]]
then
echo -e "###\n# 包含配置\n###\n[INCLUDES]\nbefore = common.conf\n# 还包含其他文件中的配置,在加载本配置文件中配置之前先加载common.conf文件中的配置。\n\n###\n# 定义过滤器\n###\n[Definition]\n_daemon = sshd\n# 定义一个变量,用于描述要过滤的服务名称。\nfailregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$\n# 使用正则表达式定义要监禁的主机(登录失败的主机),用<HOST>标识主机IP地址部分。\nignoreregex = \n# 使用正则表达式定义忽略的主机。\n\n### \n# 初始化过滤器\n###\n[Init]\nmaxlines = 10\n# 设置过滤器每次读取日志的行数,每次读取10行做匹配。\n# 过滤器每次从日志中缓冲多少行,进行匹配处理,如果一次读取大量的行,程序会崩溃,系统内存将会不够用。\njournalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd\n# 当在监禁(jail)的配置中定义要使用的后端监视器是systemd时,此项则生效,定义一个服务名,从journa日志\n# 中获取IP地址。">/etc/fail2ban/filter.d/${filterName}.conf
fi
fi
vim /etc/fail2ban/filter.d/${filterName}.conf
}
Modify_Jail_Local_Config(){
vim /etc/fail2ban/jail.local
}
Start_Fail2ban(){
systemctl start fail2ban
systemctl enable fail2ban
}
Reload_Fail2ban(){
fail2ban-client reload
}
Stop_Fail2ban(){
systemctl stop fail2ban
}
Restart_Fail2ban(){
systemctl restart fail2ban
}
UnBan(){
fail2ban-client set ssh-iptables unbanip 192.168.1.1
jails=`fail2ban-client status | grep "Jail list" | awk -F "Jail list:\t" '{print $2}' | tr "," " "`
PS3="选择封禁IP的监禁: "
select Jail in $jails QUIT
do
if [[ $Jail = "QUIT" ]]
then
break
else
ips=`fail2ban-client status "$Jail" | grep "Banned IP list:" | awk -F "Banned IP list:\t" '{print $2}'`
PS3="选择要解封的IP: "
select ip in $ips QUIT
do
if [[ $ip = "QUIT" ]]
then
break
else
fail2ban-client set "$Jail" unbanip "$ip"
fi
done
fi
done
}
echo -e " Fail2ban 一键管理脚本
---- Hoothin ----
---- fail2ban-regex /var/log/nginx/access.log \"<HOST> -.*- .*HTTP/1.* .* .*$\" ----
---- fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-cc.conf ----
${Green_font_prefix}1.${Font_color_suffix} 安装 Fail2ban
${Green_font_prefix}2.${Font_color_suffix} 更新 Fail2ban
${Green_font_prefix}3.${Font_color_suffix} 卸载 Fail2ban
————————————
${Green_font_prefix}4.${Font_color_suffix} 查看 jail 信息
${Green_font_prefix}5.${Font_color_suffix} 启动 jail
${Green_font_prefix}6.${Font_color_suffix} 停止 jail
${Green_font_prefix}7.${Font_color_suffix} 编辑 filter 配置
${Green_font_prefix}8.${Font_color_suffix} 编辑 jail.local
————————————
${Green_font_prefix} 9.${Font_color_suffix} 启动服务端
${Green_font_prefix}10.${Font_color_suffix} 重载配置
${Green_font_prefix}11.${Font_color_suffix} 停止服务端和所有监禁
${Green_font_prefix}12.${Font_color_suffix} 重启 Fail2ban
${Green_font_prefix}13.${Font_color_suffix} 解封 IP
"
menu_status
echo && read -e -p "请输入数字 [1-13]:" num
case "$num" in
1)
Install_Fail2ban
;;
2)
Update_Fail2ban
;;
3)
Uninstall_Fail2ban
;;
4)
View_Jail
;;
5)
Start_Jail
;;
6)
Stop_Jail
;;
7)
Modify_Filter_Config
;;
8)
Modify_Jail_Local_Config
;;
9)
Start_Fail2ban
;;
10)
Reload_Fail2ban
;;
11)
Stop_Fail2ban
;;
12)
Restart_Fail2ban
;;
13)
UnBan
;;
*)
echo -e "${Error} 请输入正确的数字 [1-13]"
;;
esac参考链接 - Fail2Ban 官方用户手册
参考链接 - 5.配置 mail 邮件服务
支付宝微信扫一扫,打赏作者吧~本文链接:https://www.kinber.cn/post/4363.html 转载需授权!
推荐本站淘宝优惠价购买喜欢的宝贝:
您阅读本篇文章共花了: 
![边缘计算-使用多adsl账号做捆绑上网[单网卡多账号多拨]](https://www.kinber.cn/zb_users/theme/Zit/style/bg.jpg)