fail2ban installation and configuration
1 Introduction
fail2ban is a utility that watches your system logs, matches the failure entries in them with regular expressions, and runs a blocking action (by default an iptables rule) against the offending address.
- Supports a large number of services, e.g. sshd, apache, qmail, proftpd, sasl and so on
- Supports several actions, e.g. iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications and so on
- Supports wildcards in the logpath option
- Can use Gamin as its log-watching backend (note: Gamin is a service that monitors files and directories for changes); pyinotify or plain polling work as well
- Needs python and iptables. tcp-wrapper, shorewall and Gamin are only needed if you use the corresponding action or backend; to send mail you must install postfix or sendmail
2 Installation and configuration
2.1 Installing with yum
yum install fail2ban
(On CentOS/RHEL the package comes from the EPEL repository, so enable EPEL first.)
2.2 Configuration
2.2.1 Configuration layout
/etc/fail2ban/fail2ban.conf   daemon settings (logging, socket, pid file)
/etc/fail2ban/jail.conf       jail settings: which logs to watch and how to block
/etc/fail2ban/filter.d        directory holding the filters, i.e. the match patterns each jail applies
2.2.2 jail.conf configuration
Do not edit jail.conf itself: a package upgrade overwrites it. Put your changes in /etc/fail2ban/jail.local using the same sections and keys; fail2ban reads jail.conf first and then applies jail.local on top of it.
The main options, which live in the [DEFAULT] section and apply to every jail unless a jail overrides them:
# addresses or CIDR ranges listed here are never banned, whatever the rules below say
ignoreip = 127.0.0.1
# how long a ban lasts, in seconds (one day is 86400)
bantime = 600
# the window in which failures are counted, in seconds
# (with the values here: 3 failures within 600 seconds trigger a ban)
findtime = 600
# the number of failures within findtime that triggers a ban
maxretry = 3
ssh jail example:
[ssh-iptables]
# false = jail disabled; set to true to enable it
enabled = false
filter = sshd
# port is the port number or service name to block
# dest and sender are your mailbox and the From address (using the same address is fine)
# mail needs a working sendmail; if you do not have it or do not want mail, comment out the sendmail-whois line
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
# the log that records the failed logins; on CentOS/RHEL this is normally /var/log/secure
logpath = /var/log/sshd.log
# number of failed attempts before a ban
maxretry = 5
apache jails:
# detect HTTP authentication failures
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 5
bantime = 3600

# detect crawlers that harvest e-mail addresses
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/httpd/*access*
#logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1

# detect scanning for scripts and PHP vulnerabilities
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 5
bantime = 3600

# detect overflow attempts against Apache
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 2
bantime = 3600

# detect attempts to find user home directories on the server
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 2
bantime = 3600

[apache-botsearch]
enabled = true
port = http,https
filter = apache-botsearch
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 2
bantime = 3600

[apache-fakegooglebot]
enabled = true
port = http,https
filter = apache-fakegooglebot
logpath = /var/log/httpd/*access*
#logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
bantime = 3600

[apache-modsecurity]
enabled = true
port = http,https
filter = apache-modsecurity
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 2
bantime = 3600

[apache-shellshock]
enabled = true
port = http,https
filter = apache-shellshock
logpath = /var/log/httpd/*error*
#logpath = %(apache_error_log)s
maxretry = 1
bantime = 3600
wordpress jail:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/*access*
maxretry = 2
findtime = 60
bantime = 3600
port = http,https
2.2.3 fail2ban.conf configuration
Enable logging to a file:
vi /etc/fail2ban/fail2ban.conf
logtarget = /var/log/fail2ban.log
2.2.4 Filter rules
Filters live in:
/etc/fail2ban/filter.d/
wordpress filter (the file name must match the jail's filter = wordpress line):
vi /etc/fail2ban/filter.d/wordpress.conf
# WP brute force attacks filter
[Definition]
failregex = <HOST> .*-.*-.*POST.*/wp-login.php .* .* .*$
ignoreregex =
Note that this failregex matches every POST to /wp-login.php in the access log, successful logins included, because the access log does not record whether the password was right. With the jail above (maxretry = 2, findtime = 60) two logins from one address inside a minute are enough to be banned, so keep your own addresses in ignoreip. Before enabling a filter, run it against the real log to see what it matches:
fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/wordpress.conf
The apache-* filters referenced above ship with fail2ban and already exist in this directory.
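To make the findtime / maxretry / bantime / ignoreip semantics from 2.2.2 and the wordpress failregex above concrete, here is an added example (not code from the original post or from the fail2ban project) that re-implements a jail's counting logic in Python and runs the post's failregex over constructed Apache access-log lines. The <HOST> expansion and the sliding window are simplifications of what fail2ban really does (real fail2ban also handles IPv6 and applies ignoreip to resolved names); the log lines use documentation-range addresses and are not real traffic.

```python
"""Added example, not code from the original post or from fail2ban itself:
a small re-implementation of how a jail applies a filter's failregex and
the ignoreip / findtime / maxretry / bantime settings, run over constructed
Apache access-log lines with the post's wordpress failregex."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>
# (assumption: real fail2ban's <HOST> also covers IPv6 and is stricter).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w\-.]+)"

# The failregex from the post's filter.d/wordpress.conf, verbatim.
WORDPRESS_FAILREGEX = r"<HOST> .*-.*-.*POST.*/wp-login.php .* .* .*$"

# Apache timestamp, e.g. [01/Jan/2024:10:00:00 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_time(line):
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("no timestamp in log line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


class Jail:
    """One jail: per-host failure timestamps inside a sliding findtime window."""

    def __init__(self, failregex, maxretry=3, findtime=600, bantime=600,
                 ignoreip=("127.0.0.1",)):
        self.regex = compile_failregex(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> recent failure times
        self.banned = {}                    # host -> ban expiry time

    def ignored(self, host):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False  # assumption: hostnames are not checked against ignoreip
        return any(ip in net for net in self.ignore)

    def feed(self, line):
        """Process one log line. Return the host if this line triggers a ban, else None."""
        m = self.regex.search(line)
        if m is None:
            return None
        host = m.group("host")
        if self.ignored(host):
            return None
        now = parse_time(line)
        if host in self.banned and self.banned[host] <= now:
            del self.banned[host]  # bantime elapsed; host may be banned again
        if host in self.banned:
            return None
        q = self.failures[host]
        q.append(now)
        while q and now - q[0] > self.findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= self.maxretry:
            self.banned[host] = now + self.bantime
            q.clear()
            return host
        return None


def run_jail(lines, **settings):
    """Feed all lines through a fresh jail; return hosts in the order they got banned."""
    jail = Jail(WORDPRESS_FAILREGEX, **settings)
    return [h for h in (jail.feed(line) for line in lines) if h is not None]


# Constructed access-log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3054 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3054 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:25 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jan/2024:10:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3054 "-" "curl/8.0"',
    '127.0.0.1 - - [01/Jan/2024:10:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3054 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # The post's [wordpress] jail: maxretry = 2, findtime = 60, bantime = 3600
    print(run_jail(SAMPLE_LOG, maxretry=2, findtime=60, bantime=3600))
    # Widen findtime to one hour and the two slow POSTs also trip the jail
    print(run_jail(SAMPLE_LOG, maxretry=2, findtime=3600, bantime=3600))
```

With the post's settings only 203.0.113.5 is banned: its two POSTs are 20 seconds apart. 198.51.100.9 sends a GET (no match) and two POSTs 15 minutes apart, so with findtime = 60 the first has already left the window when the second arrives; raise findtime to 3600 and it is banned too, even though its 302 responses look like successful logins, which is exactly the over-matching noted above. 127.0.0.1 is skipped by ignoreip no matter how often it matches.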
2.2.5 Action rules
The default action is iptables-multiport (set by banaction in the [DEFAULT] section of /etc/fail2ban/jail.conf). It uses the iptables multiport module to block the banned address on all of the jail's ports with a single rule.
Actions live in:
/etc/fail2ban/action.d/
2.2.6 Starting fail2ban
/etc/init.d/fail2ban start
On a systemd-based system use systemctl start fail2ban instead (and systemctl enable fail2ban to start it at boot).
2.3 Checking and managing fail2ban bans
Once a jail is active, the fail2ban-client command-line tool shows the current ban state.
List the active jails:
fail2ban-client status
Show the status of one jail, including the list of banned IPs:
fail2ban-client status [jail-name]
You can also ban or unban an address by hand.
Ban an IP in a given jail:
fail2ban-client set [name-of-jail] banip [ip-address]
Unban an IP blocked by a given jail:
fail2ban-client set [name-of-jail] unbanip [ip-address]
This article comes from the “桃子技术” blog; please keep this attribution: http://taozijishu.blog.51cto.com/11320335/1961316