centos: fail2ban

1、fail2ban簡介

fail2ban能夠監視你的系統日誌，而後匹配日誌的錯誤信息（正則式匹配）執行相應的屏蔽動做（通常狀況下是防火牆），並且能夠發送e-mail通知系統管理員，是否是很好、很實用、很強大！

2、簡單來介紹一下fail2ban的功能和特性

一、支持大量服務。如sshd,apache,qmail,proftpd,sasl等等 二、支持多種動做。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(郵件通知)等等。 三、在logpath選項中支持通配符 四、須要Gamin支持(注：Gamin是用於監視文件和目錄是否更改的服務工具) 五、須要安裝python,iptables,tcp-wrapper,shorewall,Gamin。若是想要發郵件，那必需安裝postfix/sendmail

3、fail2ban安裝與配置操做實例

1:安裝epel更新源：http://fedoraproject.org/wiki/EPEL/zh-cn

yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

or

yum install gamin-python python-inotify python-ctypes

wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm

rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

or

yum install gamin-python python-inotify python-ctypes

wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm

rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

2:源碼包安裝

wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0

tar -xzvf fail2ban-0.9.0.tar.gz

cd

/etc/fail2ban/action.d #動做文件夾，內含默認文件。iptables以及mail等動做配置 /etc/fail2ban/fail2ban.conf #定義了fai2ban日誌級別、日誌位置及sock文件位置 /etc/fail2ban/filter.d #條件文件夾，內含默認文件。過濾日誌關鍵內容設置 /etc/fail2ban/jail.conf #主要配置文件，模塊化。主要設置啓用ban動做的服務及動做閥值 /etc/rc.d/init.d/fail2ban #啓動腳本文件

3. vi /etc/fail2ban/fail2ban.conf [Definition] loglevel =3 logtarget = SYSLOG #咱們須要作的就是把這行改爲/var/log/fail2ban.log，方便用來記錄日誌信息 socket =/var/run/fail2ban/fail2ban.sock
4. vi /etc/fail2ban/jail.conf

[DEFAULT] #全局設置 ignoreip = 127.0.0.1 #忽略的IP列表,不受設置限制 bantime = 600 #屏蔽時間，單位：秒 findtime = 600 #這個時間段內超過規定次數會被ban掉 maxretry = 3 #最大嘗試次數 backend = auto #日誌修改檢測機制（gamin、polling和auto這三種）

[sshd] #單個服務檢查設置，如設置bantime、findtime、maxretry和全局衝突，服務優先級大於全局設置。 enabled = true #是否激活此項（true/false） filter = sshd #過濾規則filter的名字，對應filter.d目錄下的sshd.conf action = iptables[name=SSH, port=ssh, protocol=tcp]#動做的相關參數，對應action.d/iptables.conf文件 logpath = /var/log/secure #檢測的日誌文件path bantime = 3600 findtime = 300 maxretry = 3

servicefail2ban start 啓動服務 4.解除fail2ban綁定的IP 查詢限制列表

iptables -L --line-numbers

Chain fail2ban-SSH (1references) num target prot opt source destination 1 DROP all -- 118.152.158.61.ha.cnc anywhere 2 RETURN all -- anywhere anywhere 解除限制

iptables -D fail2ban-SSH 1

咱們主要編輯jail.conf這個配置文件，其餘的不要去管它.

vi /etc/fail2ban.conf

SSH防攻擊規則

[ssh-iptables]

enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5

[ssh-ddos] enabled = true filter = sshd-ddos action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp] logpath = /var/log/messages maxretry = 2

[osx-ssh-ipfw]

enabled = true filter = sshd action = osx-ipfw logpath = /var/log/secure.log maxretry = 5

[ssh-apf]

enabled = true filter = sshd action = apf[name=SSH] logpath = /var/log/secure maxretry = 5

[osx-ssh-afctl]

enabled = true filter = sshd action = osx-afctl[bantime=600] logpath = /var/log/secure.log maxretry = 5

[selinux-ssh] enabled = true filter = selinux-ssh action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp] logpath = /var/log/audit/audit.log maxretry = 5

proftp防攻擊規則

[proftpd-iptables]

enabled = true filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=you@example.com] logpath = /var/log/proftpd/proftpd.log maxretry = 6

郵件防攻擊規則

[sasl-iptables]

enabled = true filter = postfix-sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=you@example.com] logpath = /var/log/mail.log

[dovecot]

enabled = true filter = dovecot action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] logpath = /var/log/mail.log

[dovecot-auth]

enabled = true filter = dovecot action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] logpath = /var/log/secure

[perdition]

enabled = true filter = perdition action = iptables-multiport[name=perdition,port="110,143,993,995"] logpath = /var/log/maillog

[uwimap-auth]

enabled = true filter = uwimap-auth action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"] logpath = /var/log/maillog

apache防攻擊規則

[apache-tcpwrapper]

enabled = true filter = apache-auth action = hostsdeny logpath = /var/log/httpd/error_log maxretry = 6

[apache-badbots]

enabled = true filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=you@example.com] logpath = /var/log/httpd/access_log bantime = 172800 maxretry = 1

[apache-shorewall]

enabled = true filter = apache-noscript action = shorewall sendmail[name=Postfix, dest=you@example.com] logpath = /var/log/httpd/error_log

nginx防攻擊規則

[nginx-http-auth]

enabled = true filter = nginx-http-auth action = iptables-multiport[name=nginx-http-auth,port="80,443"] logpath = /var/log/nginx/error.log

lighttpd防規擊規則

[suhosin]

enabled = true filter = suhosin action = iptables-multiport[name=suhosin, port="http,https"]

adapt the following two items as needed

logpath = /var/log/lighttpd/error.log maxretry = 2

[lighttpd-auth]

enabled = true filter = lighttpd-auth action = iptables-multiport[name=lighttpd-auth, port="http,https"]

adapt the following two items as needed

logpath = /var/log/lighttpd/error.log maxretry = 2

vsftpd防攻擊規則

[vsftpd-notification]

enabled = true filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@example.com] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800

[vsftpd-iptables]

enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@example.com] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800

pure-ftpd防攻擊規則

[pure-ftpd] enabled = true filter = pure-ftpd action = iptables[name=pure-ftpd, port=ftp, protocol=tcp] logpath = /var/log/pureftpd.log maxretry = 2 bantime = 86400

mysql防攻擊規則

[mysqld-iptables]

enabled = true filter = mysqld-auth action = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] logpath = /var/log/mysqld.log maxretry = 5

apache phpmyadmin防攻擊規則

[apache-phpmyadmin] enabled = true filter = apache-phpmyadmin action = iptables[name=phpmyadmin, port=http,https protocol=tcp] logpath = /var/log/httpd/error_log maxretry = 3

/etc/fail2ban/filter.d/apache-phpmyadmin.conf

將如下內容粘貼到apache-phpmyadmin.conf裏保存便可以建立一個apache-phpmyadmin.conf文件.

Fail2Ban configuration file

Bans bots scanning for non-existing phpMyAdmin installations on your webhost.

Author: Gina Haeussge

[Definition]

docroot = /var/www badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

Option: failregex

Notes.: Regexp to match often probed and not available phpmyadmin paths.

Values: TEXT

failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)

Option: ignoreregex

Notes.: regex to ignore. If this regex matches, the line is ignored.

Values: TEXT

ignoreregex =

service fail2ban restart

寫在最後，在安裝完fail2ban後請當即重啓一下fail2ban,看是否是能正常啓動，由於在後邊咱們配置完規則後若是發生沒法啓動的問題咱們能夠進行排查.若是安裝完後以默認規則可以正常啓動，而配置完規則後卻不可以正常啓動，請先檢查一下你 /var/log/ 目錄下有沒有規則裏的 logpath= 後邊的文件，或者這個文件的路徑與規則裏的是否是一致. 若是不一致請在 logpath 項那裏修改你的路徑， 若是你的緩存目錄裏沒有這個文件，那麼請你將該配置項的 enabled 項目的值設置爲 false. 而後再進行重啓fail2ban，這樣通常不會有什麼錯誤了.