fai2ban的介紹
fail2ban可以監視你的系統日誌,然後匹配日誌的錯誤資訊(正則式匹配)執行相應的遮蔽動作(一般情況下是呼叫防火牆遮蔽),如:當有人在試探你的SSH、SMTP、FTP密碼,只要達到你預設的次數,fail2ban就會呼叫防火牆遮蔽這個IP,而且可以傳送e-mail通知系統管理員,是一款很實用、很強大的軟體!
二、簡單來介紹一下fail2ban的功能和特性
1、支援大量服務。如sshd,apache,qmail,proftpd,sasl等等
2、支援多種動作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(郵件通知)等等。
3、在logpath選項中支援萬用字元
4、需要Gamin支援(注:Gamin是用於監視檔案和目錄是否更改的服務工具)
5、需要安裝python,iptables,tcp-wrapper,shorewall,Gamin。如果想要發郵件,那必需安裝postfix/sendmail
三、fail2ban安裝與配置操作例項
1:安裝epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn
# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban
# yum install gamin-python python-inotify python-ctypes # wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm # rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm
# yum install gamin-python python-inotify python-ctypes # wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm # rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm
2:原始碼包安裝
# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0 # tar -xzvf fail2ban-0.9.0.tar.gz
/etc/fail2ban/action.d #動作資料夾,內含預設檔案。iptables以及mail等動作配置 /etc/fail2ban/fail2ban.conf #定義了fai2ban日誌級別、日誌位置及sock檔案位置 /etc/fail2ban/filter.d #條件資料夾,內含預設檔案。過濾日誌關鍵內容設定 /etc/fail2ban/jail.conf #主要配置檔案,模組化。主要設定啟用ban動作的服務及動作閥值 /etc/rc.d/init.d/fail2ban #啟動指令碼檔案 3. vi /etc/fail2ban/fail2ban.conf [Definition] loglevel =3 logtarget = SYSLOG #我們需要做的就是把這行改成/var/log/fail2ban.log,方便用來記錄日誌資訊 socket =/var/run/fail2ban/fail2ban.sock 4. vi /etc/fail2ban/jail.conf [DEFAULT] #全域性設定 ignoreip = 127.0.0.1 #忽略的IP列表,不受設定限制 bantime = 600 #遮蔽時間,單位:秒 findtime = 600 #這個時間段內超過規定次數會被ban掉 maxretry = 3 #最大嘗試次數 backend = auto #日誌修改檢測機制(gamin、polling和auto這三種) [sshd] #單個服務檢查設定,如設定bantime、findtime、maxretry和全域性衝突,服務優先順序大於全域性設定。 enabled = true #是否啟用此項(true/false) filter = sshd #過濾規則filter的名字,對應filter.d目錄下的sshd.conf action = iptables[name=SSH, port=ssh, protocol=tcp]#動作的相關引數,對應action.d/iptables.conf檔案 logpath = /var/log/secure #檢測的日誌檔案path bantime = 3600 findtime = 300 maxretry = 3 #最大嘗試次數 service fail2ban start 啟動服務
4.解除fail2ban繫結的IP
查詢限制列表
# iptables -L –line-numbers
Chain fail2ban-SSH (1references)
num target prot opt source destination
1 DROP all — 118.152.158.61.ha.cnc anywhere
2 RETURN all — anywhere anywhere
解除限制
# iptables -D fail2ban-SSH 1
我們主要編輯jail.conf這個配置檔案,其他的不要去管它
# vi /etc/fail2ban.conf
SSH防***規則
ssh-iptables]enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5 [ssh-ddos] enabled = true filter = sshd-ddos action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp] logpath = /var/log/messages maxretry = 2 [osx-ssh-ipfw] enabled = true filter = sshd action = osx-ipfw logpath = /var/log/secure.log maxretry = 5 [ssh-apf] enabled = true filter = sshd action = apf[name=SSH] logpath = /var/log/secure maxretry = 5 [osx-ssh-afctl] enabled = true filter = sshd action = osx-afctl[bantime=600] logpath = /var/log/secure.log maxretry = 5 [selinux-ssh] enabled = true filter = selinux-ssh action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp] logpath = /var/log/audit/audit.log maxretry = 5
proftp防***規則 [proftpd-iptables] enabled = true filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=you@example.com] logpath = /var/log/proftpd/proftpd.log maxretry = 6 郵件防***規則 [sasl-iptables] enabled = true filter = postfix-sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=you@example.com] logpath = /var/log/mail.log [dovecot] enabled = true filter = dovecot action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] logpath = /var/log/mail.log [dovecot-auth] enabled = true filter = dovecot action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] logpath = /var/log/secure [perdition] enabled = true filter = perdition action = iptables-multiport[name=perdition,port="110,143,993,995"] logpath = /var/log/maillog [uwimap-auth] enabled = true filter = uwimap-auth action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"] logpath = /var/log/maillog apache防***規則 [apache-tcpwrapper] enabled = true filter = apache-auth action = hostsdeny logpath = /var/log/httpd/error_log maxretry = 6 [apache-badbots] enabled = true filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=you@example.com] logpath = /var/log/httpd/access_log bantime = 172800 maxretry = 1 [apache-shorewall] enabled = true filter = apache-noscript action = shorewall sendmail[name=Postfix, dest=you@example.com] logpath = /var/log/httpd/error_log nginx防***規則 [nginx-http-auth] enabled = true filter = nginx-http-auth action = iptables-multiport[name=nginx-http-auth,port="80,443"] logpath = /var/log/nginx/error.log lighttpd防規擊規則 [suhosin] enabled = true filter = suhosin action = iptables-multiport[name=suhosin, port="http,https"] # adapt the following two items as needed logpath = /var/log/lighttpd/error.log maxretry = 2 [lighttpd-auth] enabled = true filter = lighttpd-auth action = iptables-multiport[name=lighttpd-auth, port="http,https"] # adapt the following two items as needed logpath = /var/log/lighttpd/error.log maxretry = 2 vsftpd防***規則 [vsftpd-notification] enabled = true filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@example.com] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 [vsftpd-iptables] enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@example.com] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 pure-ftpd防***規則 [pure-ftpd] enabled = true filter = pure-ftpd action = iptables[name=pure-ftpd, port=ftp, protocol=tcp] logpath = /var/log/pureftpd.log maxretry = 2 bantime = 86400 mysql防***規則 [mysqld-iptables] enabled = true filter = mysqld-auth action = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] logpath = /var/log/mysqld.log maxretry = 5 apache phpmyadmin 防***規則 [apache-phpmyadmin] enabled = true filter = apache-phpmyadmin action = iptables[name=phpmyadmin, port=http,https protocol=tcp] logpath = /var/log/httpd/error_log maxretry = 3 # /etc/fail2ban/filter.d/apache-phpmyadmin.conf 將以下內容貼上到apache-phpmyadmin.conf裡儲存即可以建立一個apache-phpmyadmin.conf檔案. # Fail2Ban configuration file # # Bans bots scanning for non-existing phpMyAdmin installations on your webhost. # # Author: Gina Haeussge # [Definition] docroot = /var/www badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2 # Option: failregex # Notes.: Regexp to match often probed and not available phpmyadmin paths. # Values: TEXT # failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = # service fail2ban restart 寫在最後,在安裝完fail2ban後請立即重啟一下fail2ban,看是不是能正常啟動,因為在後邊我們配置完規則後如果發生無法啟動的問題我們可以進行排查.如果安裝完後以預設規則能夠正常啟動,而配置完規則後卻不能夠正常啟動,請先檢查一下你 /var/log/ 目錄下有沒有規則裡的 logpath= 後邊的檔案,或者這個檔案的路徑與規則裡的是不是一致. 如果不一致請在 logpath 項那裡修改你的路徑, 如果你的快取目錄裡沒有這個檔案,那麼請你將該配置項的 enabled 專案的值設定為 false. 然後再進行重啟fail2ban,這樣一般不會有什麼錯誤了