fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是调用防火墙屏蔽),如:当有人在试探你的SSH、SMTP、FTP密码,只要达到你预设的次数,fail2ban就会调用防火墙屏蔽这个IP,而且可以发送e-mail通知系统管理员,是一款很实用、很强大的软件!其实fail2ban就是用来监控,具体是调用iptables来实现动作!
介绍:
/etc/fail2ban/action.d #动作文件夹,内含默认文件。iptables以及mail等动作配置
/etc/fail2ban/fail2ban.conf #定义了fai2ban日志级别、日志位置及sock文件位置
/etc/fail2ban/filter.d #条件文件夹,内含默认文件。过滤日志关键内容设置
/etc/fail2ban/jail.conf #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值
/etc/rc.d/init.d/fail2ban #启动脚本文件
[DEFAULT]为默认的配置配置参数很多,主要介绍几个常用的吧:
ignoreip = 127.0.0.1/8 白名单地址,支持网段,多个地址之间用空格隔开。此地址段的地址不会被封堵。
我们用默认的[ssh]服务来介绍针对于某一个服务的配置:
enabled = true 是否启用,没什么好说的
port = ssh 封堵端口,支持端口号和协议名两种方式,多个端口用逗号隔开
filter = sshd 过滤器名称,默认的过滤器在/etc/fail2ban/filter.d目录下,以.conf结尾,本例中针对/etc/fail2ban/filter.d/sshd.conf
logpath = /var/log/auth.log 日志路径
failregex = reject: RCPT from (.*)[]: 554 过滤的正则表达式,可以通过多行表示多个规则
2.修改配置
在/etc/fail2ban/jail.conf最后一行增加以下内容:
[nginx-get-dos]
enabled = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=nginx, port=http, protocol=tcp]
sendmail-whois[name=nginx, [email protected], sender=root] #配置禁止IP后通知邮件,多个人以空格隔开
logpath = /var/log/nginx/access.log #设置nginx访问日志
maxretry = 300 #测试可设置小一点,例如:3
findtime = 60
bantime = 3600 #测试可设置小一点,例如:120
在上面的配置中,我们对每60秒有超过300次访问的ip,封禁1小时
然后创建文件/etc/fail2ban/filter.d/nginx-bansniffer.conf,内容如下:
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
最后重启fail2ban服务即可(/etc/init.d/fail2ban restart)
3.配置发送邮件功能
apt-get install sendmail -y
apt-get install mailutils -y
启动服务
4.测试fail2ban的效果
curl http://www.***.com/ #设置maxretry = 3后,执行3次后可以看/var/log/fail2ban.log 日志
2018-06-20 11:08:41,886 fail2ban.server [558]: INFO Exiting Fail2ban
2018-06-20 11:08:42,371 fail2ban.server [29515]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
2018-06-20 11:08:42,372 fail2ban.jail [29515]: INFO Creating new jail 'ssh'
2018-06-20 11:08:42,415 fail2ban.jail [29515]: INFO Jail 'ssh' uses pyinotify
2018-06-20 11:08:42,433 fail2ban.jail [29515]: INFO Initiated 'pyinotify' backend
2018-06-20 11:08:42,434 fail2ban.filter [29515]: INFO Added logfile = /var/log/auth.log
2018-06-20 11:08:42,434 fail2ban.filter [29515]: INFO Set maxRetry = 6
2018-06-20 11:08:42,435 fail2ban.filter [29515]: INFO Set findtime = 600
2018-06-20 11:08:42,436 fail2ban.actions[29515]: INFO Set banTime = 600
2018-06-20 11:08:42,467 fail2ban.jail [29515]: INFO Creating new jail 'nginx-get-dos'
2018-06-20 11:08:42,467 fail2ban.jail [29515]: INFO Jail 'nginx-get-dos' uses pyinotify
2018-06-20 11:08:42,470 fail2ban.jail [29515]: INFO Initiated 'pyinotify' backend
2018-06-20 11:08:42,472 fail2ban.filter [29515]: INFO Added logfile = /var/log/nginx/study-admin-access.log
2018-06-20 11:08:42,472 fail2ban.filter [29515]: INFO Set maxRetry = 10
2018-06-20 11:08:42,473 fail2ban.filter [29515]: INFO Set findtime = 5
2018-06-20 11:08:42,473 fail2ban.actions[29515]: INFO Set banTime = 600
2018-06-20 11:08:42,480 fail2ban.jail [29515]: INFO Jail 'ssh' started
2018-06-20 11:08:42,482 fail2ban.jail [29515]: INFO Jail 'nginx-get-dos' started
2018-06-20 11:09:10,545 fail2ban.actions[29515]: WARNING [nginx-get-dos] Ban 221.226.186.102
2018-06-20 11:09:44,599 fail2ban.actions[29515]: WARNING [nginx-get-dos] Ban 47.90.42.218
2018-06-20 11:10:27,536 fail2ban.server [29515]: INFO Stopping all jails
2018-06-20 11:10:27,587 fail2ban.jail [29515]: INFO Jail 'ssh' stopped
2018-06-20 11:10:27,664 fail2ban.actions[29515]: WARNING [nginx-get-dos] Unban 221.226.186.102
2018-06-20 11:10:27,668 fail2ban.actions[29515]: WARNING [nginx-get-dos] Unban 47.90.42.218
2018-06-20 11:10:30,694 fail2ban.jail [29515]: INFO Jail 'nginx-get-dos' stopped
2018-06-20 11:10:30,698 fail2ban.server [29515]: INFO Exiting Fail2ban
2018-06-20 11:10:31,142 fail2ban.server [29724]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
#设置的bantime = 120,可以看到2分钟后解禁了
2018-06-20 11:12:40,103 fail2ban.actions: WARNING [nginx-get-dos] Unban *.* .*.*
用iptables命令看fail2ban添加的IP封禁规则:
# iptables -nL
没有评论