一、fail2ban简介
fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是防火墙),而且可以发送e-mail通知系统管理员,是不是很好、很实用、很强大!
二、简单来介绍一下fail2ban的功能和特性
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。3、在logpath选项中支持通配符4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail
三、fail2ban安装与配置操作实例
1:安装EPEL更新源:
复制代码 代码如下:# yum install shorewall gamin-python shorewall-shell shorewall-Perl shorewall-common python-inotify python-ctypes fail2banor
复制代码 代码如下:# yum install gamin-python python-inotify python-ctypes# wgetrpm -ivh fail2ban-0.8.11-2.el6.noarch.rpmor
复制代码 代码如下:# yum install gamin-python python-inotify python-ctypes# wgetrpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm2:源码包安装
复制代码 代码如下:# wgettar -xzvf fail2ban-0.9.0.tar.gz# cd# ./setup.py# cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban# chmod +x /lib/svc/method/svc-fail2ban安装路径
复制代码 代码如下:/etc/fail2banaction.d filter.d fail2ban.conf jail.conf我们主要编辑jail.conf这个配置文件,其他的不要去管它.
复制代码 代码如下:# vi /etc/fail2ban.confSSH防攻击规则
复制代码 代码如下:[ssh-iptables]
enabled = truefilter = sshdaction = iptables[name=SSH, port=ssh, protocol=tcp]sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]logpath = /var/log/securemaxretry = 5
[ssh-ddos]enabled = truefilter = sshd-ddosaction = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]logpath = /var/log/messagesmaxretry = 2
[osx-ssh-ipfw]
enabled = truefilter = sshdaction = osx-ipfwlogpath = /var/log/secure.logmaxretry = 5
enabled = truefilter = sshdaction = apf[name=SSH]logpath = /var/log/securemaxretry = 5
[osx-ssh-afctl]
enabled = truefilter = sshdaction = osx-afctl[bantime=600]logpath = /var/log/secure.logmaxretry = 5
[selinux-ssh]enabled = truefilter = selinux-sshaction = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]logpath = /var/log/audit/audit.logmaxretry = 5
proftp防攻击规则
复制代码 代码如下:[proftpd-iptables]
enabled = truefilter = proftpdaction = iptables[name=ProFTPD, port=ftp, protocol=tcp]sendmail-whois[name=ProFTPD, dest=you@example.com]logpath = /var/log/proftpd/proftpd.logmaxretry = 6
邮件防攻击规则
复制代码 代码如下:[sasl-iptables]
enabled = truefilter = postfix-saslbackend = pollingaction = iptables[name=sasl, port=smtp, protocol=tcp]sendmail-whois[name=sasl, dest=you@example.com]logpath = /var/log/mail.log
enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/mail.log
[dovecot-auth]
enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/secure
[perdition]
enabled = truefilter = perditionaction = iptables-multiport[name=perdition,port="110,143,993,995"]logpath = /var/log/maillog
[uwimap-auth]
enabled = truefilter = uwimap-authaction = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]logpath = /var/log/maillog
apache防攻击规则
复制代码 代码如下:[apache-tcpwrapper]
enabled = truefilter = apache-authaction = hostsdenylogpath = /var/log/httpd/error_logmaxretry = 6
[apache-badbots]
enabled = truefilter = apache-badbotsaction = iptables-multiport[name=BadBots, port="http,https"]sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]logpath = /var/log/httpd/access_logbantime = 172800maxretry = 1
[apache-shorewall]
enabled = truefilter = apache-noscriptaction = shorewallsendmail[name=Postfix, dest=you@example.com]logpath = /var/log/httpd/error_log
nginx防攻击规则
复制代码 代码如下:[nginx-http-auth]
enabled = truefilter = nginx-http-authaction = iptables-multiport[name=nginx-http-auth,port="80,443"]logpath = /var/log/nginx/error.log
lighttpd防规击规则
复制代码 代码如下:[suhosin]
enabled = truefilter = suhosinaction = iptables-multiport[name=suhosin, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2
[lighttpd-auth]
enabled = truefilter = lighttpd-authaction = iptables-multiport[name=lighttpd-auth, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2
vsftpd防攻击规则
复制代码 代码如下:[vsftpd-notification]
enabled = truefilter = vsftpdaction = sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800
[vsftpd-iptables]
enabled = truefilter = vsftpdaction = iptables[name=VSFTPD, port=ftp, protocol=tcp]sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800
pure-ftpd防攻击规则
复制代码 代码如下:[pure-ftpd]enabled = truefilter = pure-ftpdaction = iptables[name=pure-ftpd, port=ftp, protocol=tcp]logpath = /var/log/pureftpd.logmaxretry = 2bantime = 86400mysql防攻击规则
复制代码 代码如下:[mysqld-iptables]
enabled = truefilter = mysqld-authaction = iptables[name=mysql, port=3306, protocol=tcp]sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]logpath = /var/log/mysqld.logmaxretry = 5
apache phpmyadmin防攻击规则
复制代码 代码如下:[apache-phpmyadmin]enabled = truefilter = apache-phpmyadminaction = iptables[name=phpmyadmin, port=http,https protocol=tcp]logpath = /var/log/httpd/error_logmaxretry = 3# /etc/fail2ban/filter.d/apache-phpmyadmin.conf将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.
# Fail2Ban configuration file## Bans bots scanning for non-existing phpMyAdmin installations on your webhost.## Author: Gina Haeussge#[Definition]docroot = /var/wwwbadadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2# Option: failregex# Notes.: Regexp to match often probed and not available phpmyadmin paths.# Values: TEXT#failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)# Option: ignoreregex# Notes.: regex to ignore. If this regex matches, the line is ignored.# Values: TEXT#ignoreregex =# service fail2ban restart
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径, 如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了.
发表评论