In detail: a case study of blocking brute-force attacks with Fail2ban
source link: https://www.linuxprobe.com/fail2ban-prevent-violence.html
Attackers keep trying to guess SSH, SMTP, FTP and other passwords by brute force. Once the number of failures reaches a preset threshold, fail2ban calls the firewall to block that IP, and it can also send an email notification to the system administrator.

Functions and features:
1. Supports a large number of services: sshd, apache, qmail, etc.
2. Supports multiple actions: iptables, tcp-wrapper, shorewall, mail notifications, etc.
3. Wildcards are supported in the logpath option
4. Requires Gamin (Gamin is used to monitor files and directories for changes)
5. If mail notifications are wanted, the system must already be able to send mail
shell > yum -y install epel-release
shell > yum -y install fail2ban

/etc/fail2ban                    ## fail2ban service configuration directory
/etc/fail2ban/action.d           ## action files: iptables, mail, etc.
/etc/fail2ban/filter.d           ## filter (match condition) files that pick out the relevant log content
/etc/fail2ban/jail.conf          ## fail2ban protection (jail) configuration file
/etc/fail2ban/fail2ban.conf      ## fail2ban daemon configuration: log level, log file, socket file location, etc.

shell > grep -v ^# /etc/fail2ban/fail2ban.conf
[Definition]
loglevel = 3                                  ## log level, default
logtarget = /var/log/fail2ban.log             ## fail2ban log file
socket = /var/run/fail2ban/fail2ban.sock      ## socket file location, default
pidfile = /var/run/fail2ban/fail2ban.pid      ## pid file location, default

shell > grep -v ^# /etc/fail2ban/jail.conf
[DEFAULT]                        ## global settings, lowest priority
ignoreip = 127.0.0.1/8           ## IPs that are never restricted; separate several entries with spaces
bantime = 600                    ## how long (seconds) an offending IP stays blocked; -1 means blocked forever
findtime = 600                   ## time window (seconds) within which exceeding maxretry gets an IP blocked
maxretry = 3                     ## maximum number of attempts
backend = auto                   ## log-change detection mechanism (gamin, polling or auto)
usedns = warn

[ssh-iptables]                   ## per-service section (protection for the sshd service)
enabled = true                   ## whether this jail is enabled; false turns it off
filter = sshd                    ## name of the filter rule, corresponding to sshd.conf in the filter.d directory
action = iptables[name=SSH, port=ssh, protocol=tcp]       ## action parameters
         sendmail-whois[name=SSH, dest=[email protected], sender=[email protected], sendername="Fail2Ban"]   ## mail notification parameters: dest is the recipient address, sender the sender address
logpath = /var/log/secure        ## system login log file to watch
maxretry = 5                     ## maximum number of attempts

## By default this file also contains protection settings for many other services, but they are all disabled (false) by default and can be ignored.

shell > service fail2ban start   ## if iptables is restarted, fail2ban must be restarted as well
shell > fail2ban-client status   ## one jail is now being monitored
Status
|- Number of jail:      1
`- Jail list:           ssh-iptables
shell > iptables -nL             ## iptables has also gained a rule
fail2ban-SSH  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22

## At the same time, the administrator's mailbox receives an email:
[Fail2Ban] SSH: started on localhost.localdomain
From: Fail2Ban
To: 1355*******
Time: 2015-06-05 23:58:5

Hi,
The jail SSH has been started successfully.
Regards,
Fail2Ban

## Now have a client try to log in to this host and deliberately enter a wrong password five times; the following log entry appears:
shell > tail -1 /var/log/fail2ban.log
2015-06-05 17:39:19,647 fail2ban.actions[1313]: WARNING [ssh-iptables] Ban 192.168.214.1
## As you can see, 192.168.214.1 has been banned.

shell > cat /var/log/secure      ## system login log
Jun 5 17:39:01 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:06 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:11 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:14 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:39:18 localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2
Jun 5 17:41:39 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)

## The mail notification that was received:
[Fail2Ban] SSH: banned 192.168.214.1 from localhost.localdomain
From: Fail2Ban
To: 1355*******
Time: 2015-06-06 00:05:45

Hi,
The IP 192.168.214.1 has just been banned by Fail2Ban after 5 attempts against SSH.
Here is more information about 192.168.214.1:
missing whois program
Regards,
Fail2Ban

## Test successful!

## The goal here is to block IPs that reach a set number of requests within a given time (for example, several hundred requests in one minute).
shell > vim /etc/fail2ban/jail.conf
[nginx]                          ## nginx protection
enabled = true
filter = nginx                   ## access-rule definition file, located at /etc/fail2ban/filter.d/nginx.conf
action = iptables[name=nginx, port=http, protocol=tcp]
         sendmail-whois[name=nginx, dest=1355*******@139.com, sender=[email protected], sendername="Fail2Ban"]
logpath = /var/log/httpd/access_log   ## nginx access log
bantime = 86400                  ## matching IPs are blocked for one day; a value set here takes precedence over the global one
findtime = 600                   ## block IPs that exceed maxretry within 10 minutes
maxretry = 1000                  ## maximum number of attempts

shell > vim /etc/fail2ban/filter.d/nginx.conf
[Definition]
failregex = <HOST>.*-.*-.*$      ## <HOST> stands for the client IP; the rest is the loosest possible match, since no exact URL is matched here, only the number of requests is limited
ignoreregex =

shell > fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/nginx.conf   ## tests whether the filter rule works
shell > service fail2ban restart   ## restart the service
shell > fail2ban-client status     ## two jails are now being monitored
Status
|- Number of jail:      2
`- Jail list:           nginx, ssh-iptables

## Start testing: hit the page with a script or by refreshing it repeatedly to exercise the Nginx protection (to make testing easier, you can lower maxretry to 10).
shell > fail2ban-client status nginx   ## shows the banned IP
Status for the jail: nginx
|- filter
|  |- File list:        /var/log/httpd/access_log
|  |- Currently failed: 1
|  `- Total failed:     39
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.214.1
   `- Total banned:     1

## There is also a matching mail notification:
[Fail2Ban] nginx: banned 192.168.214.1 from localhost.localdomain
From: Fail2Ban
To: 1355*******
Time: 2015-06-06 01:04:11

Hi,
The IP 192.168.214.1 has just been banned by Fail2Ban after 20 attempts against nginx.
Here is more information about 192.168.214.1:
missing whois program
Regards,
Fail2Ban

shell > tail -1 /var/log/fail2ban.log   ## fail2ban's log entry
2015-06-05 19:04:11,705 fail2ban.actions[2592]: WARNING [nginx] Ban 192.168.214.1
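To make the jail parameters concrete, here is an added Python simulation (not code from the article and not fail2ban's own implementation) of how a jail turns matched log lines into bans, for both the ssh-iptables jail above (findtime=600, maxretry=5, ignoreip=127.0.0.1/8) and the nginx jail with maxretry lowered to 10 as suggested for testing. The sample log lines are constructed in the shape of the article's output, the expansion of the <HOST> placeholder is a simplified stand-in for fail2ban's real IPv6-aware one, and the year 2015 is assumed because syslog timestamps carry no year.

```python
"""Simulation of a fail2ban jail (failregex, findtime, maxretry, ignoreip)
over log lines, for the ssh-iptables jail and the nginx jail in the article.
Added example: jail parameters come from the article; the log lines and the
<HOST> expansion are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> into a capture group; this is a simplified stand-in
# for its real expansion (assumption, not fail2ban's own pattern).
HOST_GROUP = r"(?P<host>[\w.:-]+)"

# Timestamp shapes of the two log types on the page: syslog (/var/log/secure)
# and the common/combined web access log format.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
ACCESS_TS = re.compile(r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})")


def parse_time(line, year=2015):
    """Extract the event time; syslog omits the year, so one is assumed."""
    m = SYSLOG_TS.search(line)
    if m:
        ts = " ".join(m.group("ts").split())  # collapse the double space before a 1-digit day
        return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    m = ACCESS_TS.search(line)
    if m:
        return datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
    return None


def _is_ignored(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a hostname captured by <HOST> is not checked against ignoreip here
    return any(addr in net for net in networks)


def simulate_jail(lines, failregex, findtime, maxretry, ignoreip=("127.0.0.1/8",), year=2015):
    """Return {ip: ban_time} for each IP whose matches reach maxretry within findtime seconds."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    networks = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)  # ip -> match times still inside the findtime window
    banned = {}
    for line in lines:
        m = pattern.search(line)
        when = parse_time(line, year)
        if not m or when is None:
            continue
        ip = m.group("host")
        if ip in banned or _is_ignored(ip, networks):
            continue
        recent = [t for t in failures[ip] if when - t <= window] + [when]
        if len(recent) >= maxretry:
            banned[ip] = when  # here fail2ban would run the iptables action
            recent = []
        failures[ip] = recent
    return banned


# Constructed /var/log/secure lines (same shape as the article's output, not a real host):
# 192.168.214.1 fails five times within a minute, 10.0.0.7 fails twice fifteen minutes
# apart, and 127.0.0.1 fails six times but is covered by ignoreip.
SECURE_LOG = [
    f"Jun  5 17:39:{s:02d} localhost sshd[1341]: Failed password for root from 192.168.214.1 port 2444 ssh2"
    for s in (1, 6, 11, 14, 18)
] + [
    "Jun  5 17:40:00 localhost sshd[1350]: Failed password for admin from 10.0.0.7 port 5100 ssh2",
    "Jun  5 17:55:00 localhost sshd[1360]: Failed password for admin from 10.0.0.7 port 5101 ssh2",
] + [
    f"Jun  5 17:5{i}:00 localhost sshd[1400]: Failed password for root from 127.0.0.1 port 6000 ssh2"
    for i in range(6)
]

# Constructed access-log lines: 192.168.214.1 sends twelve requests in twelve seconds.
ACCESS_LOG = [
    f'192.168.214.1 - - [05/Jun/2015:19:03:{s:02d} +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"'
    for s in range(12)
] + ['10.0.0.9 - - [05/Jun/2015:19:03:30 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.29.0"']

# Simplified version of the pattern in fail2ban's own filter.d/sshd.conf (assumption).
SSHD_FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"
# The article's nginx filter: <HOST> captures the client IP, the rest matches any line.
NGINX_FAILREGEX = r"<HOST>.*-.*-.*$"


def ssh_bans():
    return simulate_jail(SECURE_LOG, SSHD_FAILREGEX, findtime=600, maxretry=5)


def nginx_bans():
    return simulate_jail(ACCESS_LOG, NGINX_FAILREGEX, findtime=600, maxretry=10)  # maxretry lowered for testing


if __name__ == "__main__":
    for jail, bans in (("ssh-iptables", ssh_bans()), ("nginx", nginx_bans())):
        for ip, when in bans.items():
            print(f"[{jail}] Ban {ip} at {when:%Y-%m-%d %H:%M:%S}")
```

Running the script bans 192.168.214.1 in both jails, after its fifth SSH failure (17:39:18) and after its tenth request within the window (19:03:09); the two failures from 10.0.0.7 fifteen minutes apart never reach maxretry, and the loopback failures are skipped because of ignoreip. The fail2ban-regex command shown on the page remains the authoritative way to check a filter against a live log; this script only illustrates the counting rule behind findtime and maxretry.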
## OK, that's fail2ban. Very powerful!!!