Features of fail2ban
https://fedoraproject.org/wiki/Fail2ban_with_FirewallDnginx
1. Supports a large number of services, such as sshd, apache, qmail, proftpd, sasl and so on.
2. Supports many kinds of actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications and so on.
3. Supports wildcards in the logpath option.
4. Requires Gamin (note: Gamin is a service that monitors files and directories for changes).
5. Requires python, iptables, tcp-wrapper, shorewall and Gamin to be installed. If you want mail to be sent, postfix/sendmail must also be installed.
/etc/fail2ban/action.d      # action directory, with the default files: configuration of the iptables, mail and other actions
/etc/fail2ban/fail2ban.conf # defines fail2ban's log level, log location and socket file location
/etc/fail2ban/filter.d      # filter directory, with the default files: the settings that pick the relevant content out of the logs
/etc/fail2ban/jail.conf     # main configuration file, modular: sets which services have ban actions enabled and the action thresholds
1. Download and install
wget https://github.com/fail2ban/fail2ban/archive/0.11.tar.gz -O fail2ban-0.11.tar.gz
tar -zvxf fail2ban-0.11.tar.gz && cd fail2ban-0.11
python setup.py install
2. Edit the configuration file
vim /etc/fail2ban/fail2ban.conf
Modify the following:
socket = /var/run/fail2ban.sock
pidfile = /var/run/fail2ban.pid
:wq to save and exit
3. Custom rules
vim /etc/fail2ban/jail.local
Modify the following:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3000
findtime = 600
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s
[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
[nginx-cc]
enabled = true
port = http,https
filter = nginx-cc
maxretry = 20
findtime = 60
bantime = 300
action = %(action_mwl)s
logpath = /opt/nginx/logs/access.log
:wq to save and exit
4. Set up automatic start
[root@centos7 system]# vim /etc/systemd/system/fail2ban.service
Modify the following:
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service
PartOf=firewalld.service
[Service]
Type=forking
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban.pid
Restart=always
[Install]
WantedBy=multi-user.target
:wq to save and exit
[root@centos7 system]# vim /etc/fail2ban/filter.d/nginx-cc.conf
Modify the following (this is the nginx-cc filter referenced by filter = nginx-cc in jail.local):
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
:wq to save and exit
5. Debug the filter (check whether a fail2ban filter applies to a particular log file)
fail2ban-regex /opt/nginx/logs/access.log /etc/fail2ban/filter.d/nginx-cc.conf
If the output reports zero matches, the filter's regular expression is probably wrong.
-----------------------------------------------------------------------------------------------------------------------
[root@centos7 system]#cat /opt/nginx/logs/access.log
192.168.1.222 - - [26/Oct/2019:15:01:34 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.29.0"
127.0.0.1 - - [26/Oct/2019:19:34:29 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.29.0"
127.0.0.1 - - [26/Oct/2019:19:34:35 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.29.0"
192.168.1.107 - - [26/Oct/2019:19:34:57 +0800] "GET / HTTP/1.1" 200 96 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
192.168.1.107 - - [26/Oct/2019:19:34:57 +0800] "GET /favicon.ico HTTP/1.1" 404 555 "http://192.168.1.221/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
192.168.1.107 - - [26/Oct/2019:19:37:56 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.65.3"
192.168.1.107 - - [26/Oct/2019:19:38:25 +0800] "GET / HTTP/1.1" 200 96 "-" "fasthttp"
192.168.1.107 - - [26/Oct/2019:19:38:25 +0800] "GET / HTTP/1.1" 200 96 "-" "fasthttp"
Regular expressions that match these lines:
# ^<HOST> - - .*HTTP/1.1.*$
# ^<HOST>.*$
# ^<HOST>.*Mozilla.*$
# ^<HOST>.*"fasthttp".*$
# failregex = ^<HOST>.*"curl/7.29.0".*$
# failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
-----------------------------------------------------------------------------------------------------------------------
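To see what fail2ban-regex is checking, and how the jail.local thresholds above (maxretry, findtime, bantime, ignoreip) turn filter matches into a ban, here is an added Python example. It is not fail2ban's own code: the <HOST> expansion is a simplified stand-in for fail2ban's real pattern (which also accepts hostnames and IPv6-mapped forms), the log sample is a subset of the page's access.log lines (user agents shortened) plus constructed lines for the documentation addresses 203.0.113.9 and 198.51.100.7, and the thresholds maxretry=3, findtime=60 are demo values, smaller than the page's nginx-cc jail.

```python
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# fail2ban pattern is broader and also accepts hostnames and IPv6-mapped forms).
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"
# nginx access-log timestamp, e.g. [26/Oct/2019:19:34:29 +0800]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Two of the failregex candidates listed on the page.
CURL_FAILREGEX = r'^<HOST>.*"curl/7.29.0".*$'
STATUS_FAILREGEX = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'
IGNOREIP = ("127.0.0.1/8",)  # same value as the page's jail.local

# Constructed sample: the page's access.log lines (user agents shortened) plus
# extra lines invented for this demo; 203.0.113.9 / 198.51.100.7 are documentation addresses.
SAMPLE_LOG = [
    '192.168.1.222 - - [26/Oct/2019:15:01:34 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.29.0"',
    '127.0.0.1 - - [26/Oct/2019:19:34:29 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.29.0"',
    '127.0.0.1 - - [26/Oct/2019:19:34:35 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.29.0"',
    '192.168.1.107 - - [26/Oct/2019:19:34:57 +0800] "GET /favicon.ico HTTP/1.1" 404 555 "http://192.168.1.221/" "Mozilla/5.0"',
    '192.168.1.107 - - [26/Oct/2019:19:37:56 +0800] "GET / HTTP/1.1" 200 96 "-" "curl/7.65.3"',
    # burst of three 404s within 20 s: reaches maxretry=3 inside findtime=60
    '203.0.113.9 - - [26/Oct/2019:19:40:00 +0800] "GET /missing1 HTTP/1.1" 404 555 "-" "fasthttp"',
    '203.0.113.9 - - [26/Oct/2019:19:40:10 +0800] "GET /missing2 HTTP/1.1" 404 555 "-" "fasthttp"',
    '203.0.113.9 - - [26/Oct/2019:19:40:20 +0800] "GET /missing3 HTTP/1.1" 404 555 "-" "fasthttp"',
    # three 404s 90 s apart: never three inside one 60 s window, so no ban
    '198.51.100.7 - - [26/Oct/2019:19:41:00 +0800] "GET /missing1 HTTP/1.1" 404 555 "-" "fasthttp"',
    '198.51.100.7 - - [26/Oct/2019:19:42:30 +0800] "GET /missing2 HTTP/1.1" 404 555 "-" "fasthttp"',
    '198.51.100.7 - - [26/Oct/2019:19:44:00 +0800] "GET /missing3 HTTP/1.1" 404 555 "-" "fasthttp"',
    # loopback burst: matches the filter but is covered by ignoreip
    '127.0.0.1 - - [26/Oct/2019:19:45:00 +0800] "GET /missing1 HTTP/1.1" 404 555 "-" "fasthttp"',
    '127.0.0.1 - - [26/Oct/2019:19:45:10 +0800] "GET /missing2 HTTP/1.1" 404 555 "-" "fasthttp"',
    '127.0.0.1 - - [26/Oct/2019:19:45:20 +0800] "GET /missing3 HTTP/1.1" 404 555 "-" "fasthttp"',
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile, as fail2ban does before matching."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(pattern, line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = pattern.search(line)
    t = TIME_RE.search(line)
    if not m or not t:
        return None
    ts = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts


def filter_summary(lines, failregex):
    """Per-host match counts, the figure fail2ban-regex reports as matched lines."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        hit = match_line(pattern, line)
        if hit:
            counts[hit[0]] += 1
    return counts


def is_ignored(host, ignoreip):
    """True when host lies inside any ignoreip network (strict=False accepts 127.0.0.1/8)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(lines, failregex, maxretry, findtime, bantime, ignoreip=IGNOREIP):
    """Replay lines through a jail; return {host: ISO time of the ban decision}.

    A host is banned once it has maxretry matches inside a findtime-second
    sliding window; the ban lapses after bantime seconds, after which the
    host can be banned again.
    """
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)  # host -> match timestamps still inside findtime
    banned_until = {}
    bans = {}
    for line in lines:
        hit = match_line(pattern, line)
        if hit is None:
            continue
        host, ts = hit
        if is_ignored(host, ignoreip):
            continue
        if host in banned_until and ts < banned_until[host]:
            continue  # still banned: the firewall rule is in place
        q = recent[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # slide the window forward
        if len(q) >= maxretry:
            bans[host] = ts.isoformat()
            banned_until[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    print("curl/7.29.0 matches:", dict(filter_summary(SAMPLE_LOG, CURL_FAILREGEX)))
    print("status-code matches:", dict(filter_summary(SAMPLE_LOG, STATUS_FAILREGEX)))
    print("banned:", simulate_jail(SAMPLE_LOG, STATUS_FAILREGEX, maxretry=3, findtime=60, bantime=300))
```

With the status-code regex, only 203.0.113.9 is banned: 192.168.1.107 has a single 404, 198.51.100.7 never accumulates three matches inside one 60-second window, and the loopback burst is dropped by ignoreip before it is counted. The same replay with the curl/7.29.0 regex shows why a user-agent match is a poor filter: it flags the legitimate loopback checks and nothing else.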
6. Enable start at boot
systemctl enable fail2ban
systemctl restart fail2ban && systemctl status fail2ban
7. Check the version and status
fail2ban-client version
fail2ban-client status
fail2ban-client status sshd
8. View the rules currently triggered, and remove a banned IP from a rule (the jail name and the IP must be given, e.g. sshd, 192.168.1.107)
ipset list
fail2ban-client set sshd unbanip 192.168.1.107
9. View the related logs
tail -f /var/log/secure
tail -f /var/log/fail2ban.log
cat /var/spool/mail/root
10. Check the firewall
firewall-cmd --state
firewall-cmd --reload && iptables -L --line-numbers|grep ACCEPT
firewall-cmd --zone=public --list-ports
firewall-cmd --direct --get-all-rules
------------------------------------------------------------
Add a rule
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 80 -s 172.25.254.77 -j ACCEPT
## Only allow 172.25.254.77 to reach the host's http service on port 80.
## For the host kernel to allow access to the http service, the rule must be set in the INPUT chain of the filter table.
## -p packet type; --dport service port;
------------------------------------------------------------