Desert of Knowledge

Without accumulating single steps you cannot travel a thousand li; without accumulating small streams you cannot form rivers and seas. A journey of a thousand li begins with a single step!

server:nas:fail2ban

github: https://github.com/fail2ban/fail2ban
Reference 1 (main): https://ubuntu.tutorials24x7.com/blog/how-to-install-fail2ban-on-ubuntu-20-04-lts
Reference 2: https://sysadminjournal.com/how-to-install-fail2ban-on-ubuntu-20-04/
ps: Google search still works better for this
Fail2ban's default configuration directory is /etc/fail2ban. The default configuration is specified in fail2ban.conf and jail.conf. These files should not be edited directly, because Fail2ban reads the local versions of the default configuration files, i.e. fail2ban.local and jail.local, to override or extend the configuration.

  • ignoreip: IP addresses (CIDR ranges, DNS names) that Fail2ban will never ban
  • bantime: how long Fail2ban bans a host from the server; -1 means a permanent ban; accepts 3600 (3600 seconds), 10m, 1h
  • findtime: the time window used to decide which hosts get banned; if a host reaches maxretry failures within the last findtime, its IP is banned
  • maxretry: the number of failures allowed before an IP address is banned
  • backend: specific to the backend service; Ubuntu 20.04 uses systemd as the backend
  • openssh server: sshd; openssh client: ssh

Installing fail2ban and monitoring SSH

sudo apt install fail2ban -y
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban #check the fail2ban service status
sudo nano /etc/fail2ban/fail2ban.local
#create the new file fail2ban.local with the following content
[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log
#save with Ctrl+o -> Enter, then exit the editor with Ctrl+x
sudo nano /etc/fail2ban/jail.local #create jail.local; any setting in it overrides the same setting in jail.conf
#alternatively start from a full copy and edit the existing sections: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
#add the following. If someone tries to log in to your Ubuntu server over SSH and fails three times, their IP address is blocked with iptables
[DEFAULT]
bantime = 1800
findtime = 600
maxretry = 3
backend = systemd
#the jail must be named sshd (as in jail.conf) so that the "fail2ban-client ... sshd" commands below can find it
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
#save and close the file, then restart fail2ban with the following commands
sudo systemctl reload fail2ban
sudo service fail2ban restart
sudo fail2ban-client ping #"Server replied: pong" means the service is running normally
sudo iptables -L #check the firewall to see the banned IP addresses
tail -f /var/log/fail2ban.log #alternatively, watch the Fail2ban log
sudo fail2ban-client status #show the status of all jails
sudo fail2ban-client status sshd #show the status of one jail (here the sshd jail above)
sudo fail2ban-client set sshd banip <IP Address> #ban the given IP from sshd
sudo fail2ban-client set sshd unbanip <IP Address> #unban the given IP, allowing it to reach sshd again
sudo fail2ban-client set sshd addignoreip 103.94.65.121 #whitelist an IP for the given jail

Monitoring vsftpd

sudo nano /etc/fail2ban/jail.local
#add the following
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
maxretry = 5
bantime = 1h

Monitoring pureftpd

sudo nano /etc/fail2ban/jail.local
#add the following
[pureftpd]
enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 3
bantime = 1h

Monitoring Apache

  • [apache] - blocks failed login attempts
  • [apache-noscript] - blocks remote clients that search for and try to execute scripts
  • [apache-overflows] - blocks clients that try to request suspicious URLs
  • [apache-badbots] - blocks malicious bot requests
sudo nano /etc/fail2ban/jail.local
#add the following
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
[apache-badbots]
enabled  = true
port     = http,https
filter   = apache-badbots
logpath  = /var/log/apache2/*error.log
maxretry = 2
findtime = 600

Add two more jails to protect against floods of GET and POST requests

#the failregex below matches access-log lines (client IP first); Apache error logs start with a date and would never match, so the jails read the access logs
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath  = /var/log/apache2/*access.log
maxretry = 400
findtime = 400
bantime = 200
#the same filter file is reused for POST: its regex matches both GET and POST
[http-post-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath  = /var/log/apache2/*access.log
maxretry = 60
findtime = 29
bantime = 6000
#save the changes, then add the filter for GET and POST requests as follows
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
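As an added example (not part of this wiki page or of fail2ban's own code), the following Python script shows what the findtime/maxretry rule described at the top of the page and the http-get-dos failregex actually do: it applies the page's regex to constructed Apache access-log lines and bans a host once maxretry matches fall inside findtime. The IPv4-only expansion of <HOST>, the scaled-down jail values, the helper names and the sample log lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed jail settings (hypothetical, scaled down from the page's [http-get-dos] jail).
MAXRETRY = 5
FINDTIME = timedelta(seconds=400)

# fail2ban expands <HOST> to a pattern for IPv4/IPv6/hostnames; an IPv4-only
# expansion is assumed here so the page's failregex can be tested stand-alone.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST + r' -.*"(GET|POST).*')
# Timestamp of an Apache combined/common log entry, e.g. [25/Sep/2020:21:03:00 +0800]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_line(line):
    """Return (host, datetime) when failregex matches the line, else None."""
    m = FAILREGEX.match(line)
    t = TIMESTAMP.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding-window check: ban a host once maxretry matches fall inside findtime."""
    recent = {}          # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue     # non-matching lines (e.g. error-log entries) are ignored
        host, ts = parsed
        window = [t for t in recent.get(host, []) if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def _line(host, seconds, method="GET"):
    """Constructed combined-log line at 2020-09-25 21:00:00 +0800 plus `seconds`."""
    ts = (datetime(2020, 9, 25, 21) + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S")
    return f'{host} - - [{ts} +0800] "{method} / HTTP/1.1" 200 512 "-" "curl/7.68.0"'

# Constructed sample: one host bursts 5 POSTs in 8 s, another sends 5 GETs 5 min apart.
SAMPLE_LOG = [_line("198.51.100.7", s, "POST") for s in range(0, 10, 2)] + \
             [_line("203.0.113.5", s) for s in range(0, 1500, 300)]
# An Apache *error* log line starts with a bracketed date, not a host, so failregex never matches.
ERROR_LOG_LINE = "[Fri Sep 25 21:00:00.000000 2020] [core:error] [pid 1] AH00124: Request exceeded limit"
```

Only the bursting host ends up banned with the default values; lowering maxretry to 2 also catches the slow host, which is the false-positive trade-off the filter's own comment warns about.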

Viewing the banned IPs

grep " Ban " /var/log/fail2ban.log #replaces the earlier cat /var/log/fail2ban.log | grep "NOTICE" | grep "Ban"
#write the result to a file
grep " Ban " /var/log/fail2ban.log | sudo tee /var/www/html/banip.txt

You can also create a shell script and schedule it to run weekly, clearing the log after each run. Reference script:

#! /bin/sh
#export the ban entries, then truncate the log (run as root; fail2ban keeps appending to the truncated file)
#note that /var/www/html is served by the web server, so banip.txt is readable by anyone who can reach it
grep " Ban " /var/log/fail2ban.log | tee /var/www/html/banip.txt
echo "" > /var/log/fail2ban.log
server/nas/fail2ban.txt · Last modified: 2020/09/25 21:03 by caiweizhi