Tags: fail2ban iptables debian centos
I. Introduction

fail2ban watches your system logs, matches the error messages in them with regular expressions, and runs a corresponding blocking action (normally it calls the firewall). For example, when someone is probing your SSH, SMTP or FTP password and reaches the number of failures you preset, fail2ban tells the firewall to block that IP, and it can also e-mail the system administrator. It is a very practical and powerful tool.

II. Installing fail2ban on Debian

1. Current version

cat /etc/debian_version
6.0.10

2. Search for the package and install it

apt-cache search fail2ban
fail2ban - bans IPs that cause multiple authentication errors
apt-get -y install fail2ban

3. Use dpkg to see which files were installed and where

dpkg -L fail2ban

4. Configuration files

/etc/fail2ban/action.d        (directory of action definitions: what to do when a ban fires, e.g. iptables rules, mail)
/etc/fail2ban/fail2ban.conf   (log level, socket, log path)
/etc/fail2ban/filter.d        (directory of filter definitions: the failregex patterns matched against log lines)
/etc/fail2ban/jail.conf       (main configuration file: the jails with their maxretry, findtime, bantime and ignoreip)

Do not edit jail.conf directly; it is replaced when the package is upgraded. Put your changes in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf, so any option set there overrides the packaged default. At minimum, add your own management addresses to ignoreip so that a few mistyped passwords cannot lock you out of the box.

5. Start the service

/etc/init.d/fail2ban start

6. Check the log

cat /var/log/fail2ban.log
2015-05-10 09:58:58,328 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2015-05-10 09:58:58,329 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-10 09:58:58,329 fail2ban.jail : INFO Jail 'ssh' uses poller
2015-05-10 09:58:58,361 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-10 09:58:58,362 fail2ban.filter : INFO Set maxRetry = 6
2015-05-10 09:58:58,364 fail2ban.filter : INFO Set findtime = 600
2015-05-10 09:58:58,365 fail2ban.actions: INFO Set banTime = 600
2015-05-10 09:58:58,442 fail2ban.jail : INFO Jail 'ssh' started

The Debian package enables only the ssh jail by default, and the log shows its settings: /var/log/auth.log is watched, and 6 failures (maxRetry) within 600 seconds (findtime) earn a 600-second ban (banTime). "uses poller" means this build falls back to polling the log file rather than using inotify.

7. Check iptables

iptables -L
Chain INPUT (policy ACCEPT)
target        prot opt source     destination
fail2ban-ssh  tcp  --  anywhere   anywhere     multiport dports ssh

Chain FORWARD (policy ACCEPT)
target        prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source     destination

Chain fail2ban-ssh (1 references)
target        prot opt source     destination
RETURN        all  --  anywhere   anywhere

fail2ban has created its own chain, fail2ban-ssh, and jumps to it from INPUT for traffic to the ssh port. While nothing is banned the chain holds only the RETURN rule; each banned address is inserted above it as a DROP rule for that source and removed again when the ban expires. Use iptables -L -n to see port numbers and addresses instead of resolved names, and fail2ban-client status ssh to list the currently banned IPs.

III. Installing fail2ban on CentOS

1. Current version

cat /etc/redhat-release
CentOS release 6.6 (Final)

2. Search for the package and install it (the package comes from EPEL, so that repository must be enabled)

yum list|grep fail2ban
fail2ban.noarch 0.8.14-1.el6 epel
yum -y install fail2ban

3. Use rpm to see which files were installed and where

rpm -ql fail2ban

4. Start the service

/etc/init.d/fail2ban start

5. Check the log

cat /var/log/fail2ban.log
2015-05-19 22:36:47,632 fail2ban.server [3471]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2015-05-19 22:36:47,635 fail2ban.jail [3471]: INFO Creating new jail 'ssh-iptables'
2015-05-19 22:36:47,714 fail2ban.jail [3471]: INFO Jail 'ssh-iptables' uses pyinotify
2015-05-19 22:36:47,745 fail2ban.jail [3471]: INFO Initiated 'pyinotify' backend
2015-05-19 22:36:47,749 fail2ban.filter [3471]: INFO Added logfile = /var/log/secure
2015-05-19 22:36:47,752 fail2ban.filter [3471]: INFO Set maxRetry = 5
2015-05-19 22:36:47,756 fail2ban.filter [3471]: INFO Set findtime = 600
2015-05-19 22:36:47,757 fail2ban.actions[3471]: INFO Set banTime = 600
2015-05-19 22:36:47,907 fail2ban.jail [3471]: INFO Jail 'ssh-iptables' started
2015-05-19 22:36:47,983 fail2ban.actions.action[3471]: ERROR printf %b "Subject: [Fail2Ban] SSH: started on `uname -n` Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"` From: Fail2Ban <fail2ban@example.com> To: you@example.com\n Hi,\n The jail SSH has been started successfully.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f fail2ban@example.com you@example.com returned 4b00

Here the default jail is named ssh-iptables, watches /var/log/secure, uses the pyinotify backend and bans after 5 failures. The ERROR on the last line does not come from the jail itself: the jail's sendmail-whois action tries to send a "jail started" notification through /usr/sbin/sendmail, and that command exited with an error. The From and To addresses are still the placeholders from jail.conf (fail2ban@example.com, you@example.com), which shows the action was never configured. Banning works regardless; either set real addresses (and a working MTA) in jail.local, or remove the mail action from the jail's action line if you do not want e-mail.

6. Check iptables

iptables -L
Chain INPUT (policy ACCEPT)
target        prot opt source     destination
fail2ban-SSH  tcp  --  anywhere   anywhere     tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target        prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source     destination

Chain fail2ban-SSH (1 references)
target        prot opt source     destination
RETURN        all  --  anywhere   anywhere

Same structure as on Debian, only the chain is named after the action's name parameter (SSH) and the rule matches a single port rather than a multiport set. fail2ban-client status ssh-iptables shows the jail's counters and banned list.
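The jail.conf / jail.local layering described under "Configuration files" in section II, as an added example (not code from the original post and not fail2ban's own code). It builds a throw-away jail.conf and jail.local in a temporary directory, with constructed contents trimmed to a few options, and resolves the effective [ssh] settings with Python's standard-library configparser, reading the two files in the same order fail2ban does, so you can see which values the .local file overrides and which packaged defaults survive. The 203.0.113.0/24 admin network and the tightened bantime and maxretry values are assumptions for the demo, not recommendations for every host.

```python
"""Added example (not fail2ban's own code): how jail.local overrides jail.conf.

fail2ban reads jail.conf first and jail.local second, so an option set in
jail.local replaces the packaged default for that section while everything
else is kept.  Both files here are constructed stand-ins; never edit the real
/etc/fail2ban/jail.conf, put changes in jail.local instead.
"""
import configparser
import os
import tempfile

# Constructed stand-in for the packaged jail.conf (a few options only).
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
"""

# Constructed jail.local: only what you want to change.
# ignoreip whitelists the admin network (assumed 203.0.113.0/24) so a few
# mistyped passwords can never lock you out; a longer bantime slows guessing.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1 203.0.113.0/24
bantime  = 3600

[ssh]
maxretry = 4
"""


def effective_jail_settings(conf_text, local_text, jail):
    """Write both files to a temp dir and return the resolved options of `jail`."""
    with tempfile.TemporaryDirectory() as d:
        conf_path = os.path.join(d, "jail.conf")
        local_path = os.path.join(d, "jail.local")
        with open(conf_path, "w") as f:
            f.write(conf_text)
        with open(local_path, "w") as f:
            f.write(local_text)
        parser = configparser.ConfigParser(interpolation=None)
        # Order matters: later files win, which is exactly how fail2ban reads them.
        parser.read([conf_path, local_path])
        # items() merges [DEFAULT] into the jail section, as fail2ban does.
        return dict(parser.items(jail))


if __name__ == "__main__":
    for key, value in sorted(effective_jail_settings(JAIL_CONF, JAIL_LOCAL, "ssh").items()):
        print(f"{key:9s} = {value}")
```

Running it shows bantime 3600, maxretry 4 and the widened ignoreip coming from jail.local, while findtime, logpath and filter still come from jail.conf. After changing the real jail.local, restart the service and confirm with fail2ban-client get ssh maxretry (or the equivalent for your jail name) that the value you expect is in effect.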
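A minimal model of what the ssh jail does with the values the two logs above report (maxRetry, findtime 600, banTime 600), as an added example and not fail2ban's own code. A failregex in the style of filter.d/sshd.conf is applied to constructed auth.log lines; failures per source IP are counted inside a sliding findtime window, an IP that reaches maxretry is banned for bantime seconds, addresses in ignoreip are never counted, and further failures from a banned IP are ignored until the ban expires. The log lines, addresses, hostname and the simplified regex are assumptions for the demo; the real sshd filter carries many more patterns.

```python
"""Added example (not fail2ban's own code): replaying auth.log lines through a
model of the ssh jail to see when maxretry/findtime/bantime produce a ban.
All log lines below are constructed, not a real capture."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

YEAR = 2015  # syslog timestamps carry no year; assume the year of the post

# Simplified failregex in the style of filter.d/sshd.conf (assumption: the real
# filter has many more patterns).  <host> is what fail2ban extracts and bans.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d+(?:\.\d+){3}) port \d+"
)


def parse_line(line):
    """Return (epoch seconds, source ip) for a line matching the failregex, else None."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    # "May 10 10:00:01" is the first 15 characters of a syslog line
    ts = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc).timestamp(), m.group("host")


def run_jail(lines, maxretry=6, findtime=600, bantime=600, ignoreip=()):
    """Replay log lines through a jail; return {ip: [epoch of each ban, ...]}."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    banned_until = {}              # ip -> epoch at which its current ban expires
    bans = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # not an authentication failure: not counted
        ts, ip = parsed
        if ip in ignoreip:
            continue               # whitelisted source: never counted, never banned
        if ts < banned_until.get(ip, 0):
            continue               # already banned: the DROP rule is handling it
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()       # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip].append(ts)    # here actionban (iptables -I ... -j DROP) would fire
            banned_until[ip] = ts + bantime
            window.clear()         # counting starts fresh after the unban
    return dict(bans)


def fail_line(hhmmss, ip, user="root"):
    """Build one constructed sshd failure line in syslog format (assumed hostname)."""
    return f"May 10 {hhmmss} bastion sshd[2345]: Failed password for {user} from {ip} port 51234 ssh2"


SAMPLE_AUTH_LOG = (
    # fast brute force: 6 failures in 90 s -> banned on the 6th
    [fail_line(t, "198.51.100.7", u) for t, u in
     [("10:00:01", "root"), ("10:00:15", "root"), ("10:00:30", "invalid user admin"),
      ("10:00:45", "invalid user admin"), ("10:01:00", "root"), ("10:01:30", "root")]]
    # still banned until 10:11:30: this attempt is not counted
    + [fail_line("10:05:00", "198.51.100.7")]
    # ban has expired: a fresh run of 6 earns a second ban
    + [fail_line(f"10:12:{s:02d}", "198.51.100.7") for s in (0, 10, 20, 30, 40, 50)]
    # slow guesser: 6 failures 3 min apart never has 6 inside one 600 s window
    + [fail_line(f"10:{m:02d}:00", "198.51.100.8") for m in (0, 3, 6, 9, 12, 15)]
    # admin typing the wrong password 7 times from the whitelisted host
    + [fail_line(f"10:02:{s:02d}", "203.0.113.5", "alice") for s in range(0, 35, 5)]
    # successful login does not match the failregex at all
    + ["May 10 10:02:40 bastion sshd[2400]: Accepted password for alice from 203.0.113.5 port 51300 ssh2"]
)

if __name__ == "__main__":
    for ip, when in run_jail(SAMPLE_AUTH_LOG, ignoreip={"127.0.0.1", "203.0.113.5"}).items():
        print(ip, "banned", len(when), "time(s)")
```

With the Debian defaults only 198.51.100.7 is banned, twice: the fast burst trips maxretry, the attempt made during the ban is ignored, and the run after the ban expires trips it again. The slow guesser at 198.51.100.8 is never banned because no 600-second window ever holds 6 of its failures, which is why a patient attacker needs a longer findtime and bantime than the defaults. Drop 203.0.113.5 from ignoreip and the admin is banned after the 6th typo, the lock-out the whitelist exists to prevent. The same check against the real filter is fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf.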
This article is from the "7928217" blog; please keep this attribution: http://7938217.blog.51cto.com/7928217/1652970
Original URL: http://7938217.blog.51cto.com/7928217/1652970