Table of Contents
本文将手动安装fail2ban,并使用tcpwrapper(hosts.deny)的方式来封禁主机,项目地址github
系统和依赖要求
必须
Python2 >= 2.6 或 Python >= 3.2 或 PyPy
可选
pyinotify >= 0.8.3 可能要求Linux内核 >= 2.6.13
gamin >= 0.0.21
systemd >= 204 以及python绑定 python-systemd package
dnspython
安装
git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
python setup.py install
检查是否正确安装,如果有帮助信息输出就可以了
fail2ban-client -h
配置服务
centos7
在fail2ban的git克隆目录里执行
cp build/fail2ban.service /usr/lib/systemd/system/fail2ban.service
centos6
把下面的脚本保存到/etc/init.d/fail2ban
vi /etc/init.d/fail2ban
#!/bin/bash
#
# chkconfig: - 92 08
# processname: fail2ban-server
# config: /etc/fail2ban/fail2ban.conf
# pidfile: /var/run/fail2ban/fail2ban.pid
# description: fail2ban is a daemon to ban hosts that cause multiple authentication errors
#
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $time $network $syslog iptables firehol shorewall ferm
# Should-Stop: $network $syslog iptables firehol shorewall ferm
# Default-Start: 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/Stop fail2ban
# Description: Start/Stop fail2ban, a daemon to ban hosts that cause multiple authentication errors
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
# Check that the config file exists
[ -f /etc/fail2ban/fail2ban.conf ] || exit 0
FAIL2BAN="/usr/local/bin/fail2ban-client"
prog=fail2ban-server
lockfile=${LOCKFILE-/var/lock/subsys/fail2ban}
socket=${SOCKET-/var/run/fail2ban/fail2ban.sock}
pidfile=${PIDFILE-/var/run/fail2ban/fail2ban.pid}
RETVAL=0
start() {
echo -n $"Starting fail2ban: "
${FAIL2BAN} -x start > /dev/null
RETVAL=$?
if [ $RETVAL = 0 ]; then
touch ${lockfile}
echo_success
else
echo_failure
fi
echo
return $RETVAL
}
stop() {
echo -n $"Stopping fail2ban: "
${FAIL2BAN} stop > /dev/null
RETVAL=$?
if [ $RETVAL = 0 ]; then
rm -f ${lockfile} ${pidfile}
echo_success
else
echo_failure
fi
echo
return $RETVAL
}
reload() {
echo "Reloading fail2ban: "
${FAIL2BAN} reload
RETVAL=$?
echo
return $RETVAL
}
# See how we were called.
case "$1" in
start)
status -p ${pidfile} ${prog} >/dev/null 2>&1 && exit 0
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
stop
start
;;
status)
status -p ${pidfile} ${prog}
RETVAL=$?
[ $RETVAL = 0 ] && ${FAIL2BAN} status
;;
*)
echo $"Usage: fail2ban {start|stop|restart|reload|status}"
RETVAL=2
esac
exit $RETVAL
给予相关权限
chmod a+x /etc/init.d/fail2ban
配置fail2ban
配置文件位于/etc/fail2ban/目录下,原始的配置文件不建议修改,而是在相同目录下新建一个文件名一样,后缀名为.local的文件,再写入自己的配置,比如/etc/fail2ban/jail.local。.local文件里相同的字段将会覆盖掉默认配置。
下面是一个范例配置
vi /etc/fail2ban/jail.local
#全局参数
[DEFAULT]
# 忽略检测的IP
ignoreip = 127.0.0.1
# findtime的时间内(秒)允许失败尝试maxretry次
findtime = 600
maxretry = 5
# 触发规则封禁时长(秒)
bantime = 3600
# 以上配置,如果10分钟内输入了超过5次错误密码,就会封禁IP一小时
[ssh-tcpwrapper]
enabled = true
filter = sshd
#动作方式为tcpwrapper(既使用hosts.deny文件)
action = hostsdeny
logpath = /var/log/secure
如果要使用防火墙的方式,则将action = hostsdeny修改为action = iptables-allports(centos6)或action = firewallcmd-allports(centos7)。这种模式下要求防火墙服务工作正常。
检查配置文件
fail2ban-client -d
检查输出,确认是否正确读取了配置文件,没有报错
启动服务
centos7
systemctl start fail2ban.service
centos6
service fail2ban start
检查服务运行状态
可以通过自带的命令来检查服务状态,如服务正常,会响应pong
fail2ban-client ping
还可以通过以下命令查看版本。此命令只有服务正常运行时才可以使用
fail2ban-client version
查看fail2ban日志
日志的路径为/var/log/fail2ban.log
开机自动启动
centos7
systemctl enable fail2ban.service
centos6
chkconfig fail2ban on
附录
其实fail2ban除了可以过滤ssh登陆日志,还可以过滤很多其他常见的服务日志(如apache),并根据相关阈值配置,使用指定的动作封禁尝试暴力攻击的IP。相关服务日志过滤器配置文件位于/etc/fail2ban/filter.d/目录,相关动作配置文件位于/etc/fail2ban/action.d/目录。感兴趣的读者请参阅相关官方文档。
发表回复