码迷,mamicode.com
首页 > 编程语言 > 详细

防暴力破解 Fail2Ban之python

时间:2016-06-11 10:34:21      阅读:276      评论:0      收藏:0      [点我收藏+]

标签:

fai2ban的介绍

fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是调用防火墙屏蔽),如:当有人在试探你的SSH、SMTP、FTP密码,只要达到你预设的次数,fail2ban就会调用防火墙屏蔽这个IP,而且可以发送e-mail通知系统管理员,是一款很实用、很强大的软件!

二、简单来介绍一下fail2ban的功能和特性

1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。
3、在logpath选项中支持通配符
4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail

三、fail2ban安装与配置操作实例

1:安装epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn

# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban 

# yum install gamin-python python-inotify python-ctypes 
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm 
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm 

# yum install gamin-python python-inotify python-ctypes 
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm 
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm 

2:源码包安装

# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0 
# tar -xzvf fail2ban-0.9.0.tar.gz 

12345678910111213141516171819202122232425262728293031 /etc/fail2ban/action.d            #动作文件夹,内含默认文件。iptables以及mail等动作配置 
/etc/fail2ban/fail2ban.conf        #定义了fai2ban日志级别、日志位置及sock文件位置 
/etc/fail2ban/filter.d            #条件文件夹,内含默认文件。过滤日志关键内容设置 
/etc/fail2ban/jail.conf            #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值 
/etc/rc.d/init.d/fail2ban          #启动脚本文件 
  
3. vi /etc/fail2ban/fail2ban.conf 
  
[Definition]  
loglevel =3  
logtarget = SYSLOG  #我们需要做的就是把这行改成/var/log/fail2ban.log,方便用来记录日志信息  
socket =/var/run/fail2ban/fail2ban.sock 
4. vi /etc/fail2ban/jail.conf 
  
[DEFAULT]              #全局设置 
ignoreip = 127.0.0.1      #忽略的IP列表,不受设置限制 
bantime  = 600            #屏蔽时间,单位:秒 
findtime  = 600           #这个时间段内超过规定次数会被ban掉 
maxretry = 3              #最大尝试次数 
backend = auto            #日志修改检测机制(gamin、polling和auto这三种) 
  
[sshd]                     #单个服务检查设置,如设置bantime、findtime、maxretry和全局冲突,服务优先级大于全局设置。 
enabled  = true               #是否激活此项(true/false) 
filter   = sshd               #过滤规则filter的名字,对应filter.d目录下的sshd.conf 
action   = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数,对应action.d/iptables.conf文件 
logpath  = /var/log/secure     #检测的日志文件path 
bantime  = 3600 
findtime  = 300  
maxretry = 3                   #最大尝试次数   
         
service fail2ban start 启动服务 

4.解除fail2ban绑定的IP 

查询限制列表

# iptables -L --line-numbers

Chain fail2ban-SSH (1references)

num  target    prot opt source            destination

1    DROP      all  -- 118.152.158.61.ha.cnc anywhere

2    RETURN    all  -- anywhere           anywhere

解除限制

# iptables -D fail2ban-SSH 我们主要编辑jail.conf这个配置文件,其他的不要去管它

# vi /etc/fail2ban.conf

SSH防攻击规则

ssh-iptables]enabled  = true
filter   = sshd 
action   = iptables[name=SSH, port=ssh, protocol=tcp] 
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"] 
logpath  = /var/log/secure 
maxretry = 5
[ssh-ddos] 
enabled = true
filter  = sshd-ddos 
action  = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp] 
logpath  = /var/log/messages 
maxretry = 2
[osx-ssh-ipfw] 
enabled  = true
filter   = sshd 
action   = osx-ipfw 
logpath  = /var/log/secure.log 
maxretry = 5
[ssh-apf] 
enabled = true
filter  = sshd 
action  = apf[name=SSH] 
logpath = /var/log/secure 
maxretry = 5
[osx-ssh-afctl] 
enabled  = true
filter   = sshd 
action   = osx-afctl[bantime=600] 
logpath  = /var/log/secure.log 
maxretry = 5
[selinux-ssh] 
enabled = true
filter  = selinux-ssh 
action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp] 
logpath  = /var/log/audit/audit.log 
maxretry = 5 

1 <BR> 

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171 proftp防攻击规则 
   
  
[proftpd-iptables] 
enabled  = true
filter   = proftpd 
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp] 
           sendmail-whois[name=ProFTPD, dest=you@example.com] 
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6 
  
邮件防攻击规则 
   
  
[sasl-iptables] 
enabled  = true
filter   = postfix-sasl 
backend  = polling 
action   = iptables[name=sasl, port=smtp, protocol=tcp] 
           sendmail-whois[name=sasl, dest=you@example.com] 
logpath  = /var/log/mail.log
[dovecot] 
enabled = true
filter  = dovecot 
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] 
logpath = /var/log/mail.log
[dovecot-auth] 
enabled = true
filter  = dovecot 
action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] 
logpath = /var/log/secure 
[perdition] 
enabled = true
filter  = perdition 
action  = iptables-multiport[name=perdition,port="110,143,993,995"] 
logpath = /var/log/maillog 
  
[uwimap-auth] 
enabled = true
filter  = uwimap-auth 
action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"] 
logpath = /var/log/maillog 
  
apache防攻击规则 
   
  
[apache-tcpwrapper] 
enabled  = true
filter  = apache-auth 
action   = hostsdeny 
logpath  = /var/log/httpd/error_log 
maxretry = 6 
[apache-badbots] 
enabled  = true
filter   = apache-badbots 
action   = iptables-multiport[name=BadBots, port="http,https"] 
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com] 
logpath  = /var/log/httpd/access_log 
bantime  = 172800 
maxretry = 1 
[apache-shorewall] 
enabled  = true
filter   = apache-noscript 
action   = shorewall 
           sendmail[name=Postfix, dest=you@example.com] 
logpath  = /var/log/httpd/error_log 
  
nginx防攻击规则 
   
  
[nginx-http-auth] 
enabled = true
filter  = nginx-http-auth 
action  = iptables-multiport[name=nginx-http-auth,port="80,443"] 
logpath = /var/log/nginx/error.log
  
lighttpd防规击规则 
   
  
[suhosin] 
enabled  = true
filter   = suhosin 
action   = iptables-multiport[name=suhosin, port="http,https"] 
# adapt the following two items as needed 
logpath  = /var/log/lighttpd/error.log
maxretry = 2 
[lighttpd-auth] 
enabled  = true
filter   = lighttpd-auth 
action   = iptables-multiport[name=lighttpd-auth, port="http,https"] 
# adapt the following two items as needed 
logpath  = /var/log/lighttpd/error.log
maxretry = 2 
  
vsftpd防攻击规则 
   
  
[vsftpd-notification] 
enabled  = true
filter   = vsftpd 
action   = sendmail-whois[name=VSFTPD, dest=you@example.com] 
logpath  = /var/log/vsftpd.log
maxretry = 5 
bantime  = 1800 
[vsftpd-iptables] 
enabled  = true
filter   = vsftpd 
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp] 
           sendmail-whois[name=VSFTPD, dest=you@example.com] 
logpath  = /var/log/vsftpd.log
maxretry = 5 
bantime  = 1800 
  
pure-ftpd防攻击规则 
   
  
[pure-ftpd] 
enabled  = true
filter   = pure-ftpd 
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp] 
logpath  = /var/log/pureftpd.log
maxretry = 2 
bantime  = 86400 
  
mysql防攻击规则 
   
  
[mysqld-iptables] 
enabled  = true
filter   = mysqld-auth 
action   = iptables[name=mysql, port=3306, protocol=tcp] 
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] 
logpath  = /var/log/mysqld.log
maxretry = 5 
  
apache phpmyadmin 防攻击规则 
  
[apache-phpmyadmin] 
enabled  = true
filter   = apache-phpmyadmin 
action  = iptables[name=phpmyadmin, port=http,https protocol=tcp] 
logpath  = /var/log/httpd/error_log 
maxretry = 3 
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf 
将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件. 
# Fail2Ban configuration file 
# 
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost. 
# 
# Author: Gina Haeussge 
# 
  
[Definition] 
  
docroot = /var/www 
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2 
  
# Option:  failregex 
# Notes.:  Regexp to match often probed and not available phpmyadmin paths. 
# Values:  TEXT 
# 
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s) 
  
# Option:  ignoreregex 
# Notes.:  regex to ignore. If this regex matches, the line is ignored. 
# Values:  TEXT 
# 
ignoreregex = 
# service fail2ban restart 
  
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径, 如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了 

 

防暴力破解 Fail2Ban之python

标签:

原文地址:http://www.cnblogs.com/IPYQ/p/5574772.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!