centos下fail2ban安装与配置详解
fail2ban可以監(jiān)視你的系統(tǒng)日志,然后匹配日志的錯(cuò)誤信息(正則式匹配)執(zhí)行相應(yīng)的屏蔽動(dòng)作(一般情況下是防火墻),而且可以發(fā)送e-mail通知系統(tǒng)管理員,是不是很好、很實(shí)用、很強(qiáng)大!
二、簡單來介紹一下fail2ban的功能和特性
1、支持大量服務(wù)。如sshd,apache,qmail,proftpd,sasl等等
2、支持多種動(dòng)作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(郵件通知)等等。
3、在logpath選項(xiàng)中支持通配符
4、需要Gamin支持(注:Gamin是用于監(jiān)視文件和目錄是否更改的服務(wù)工具)
5、需要安裝python,iptables,tcp-wrapper,shorewall,Gamin。如果想要發(fā)郵件,那必需安裝postfix/sendmail
三、fail2ban安裝與配置操作實(shí)例
1:安裝epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn
or
復(fù)制代碼 代碼如下: # yum install gamin-python python-inotify python-ctypes
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm
or
復(fù)制代碼 代碼如下: # yum install gamin-python python-inotify python-ctypes
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm
2:源碼包安裝
# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz
# cd
/etc/fail2ban/action.d? ? ?? ? ???#動(dòng)作文件夾,內(nèi)含默認(rèn)文件。iptables以及mail等動(dòng)作配置 /etc/fail2ban/fail2ban.conf? ? ?? ?#定義了fai2ban日志級(jí)別、日志位置及sock文件位置 /etc/fail2ban/filter.d? ? ?? ? ???#條件文件夾,內(nèi)含默認(rèn)文件。過濾日志關(guān)鍵內(nèi)容設(shè)置 /etc/fail2ban/jail.conf? ? ?? ? ?? #主要配置文件,模塊化。主要設(shè)置啟用ban動(dòng)作的服務(wù)及動(dòng)作閥值 /etc/rc.d/init.d/fail2ban? ? ?? ? ?#啟動(dòng)腳本文件
3. vi /etc/fail2ban/fail2ban.conf [Definition]? loglevel =3? logtarget = SYSLOG??#我們需要做的就是把這行改成/var/log/fail2ban.log,方便用來記錄日志信息? socket =/var/run/fail2ban/fail2ban.sock 4. vi /etc/fail2ban/jail.conf [DEFAULT]?????????????? #全局設(shè)置 ignoreip = 127.0.0.1?????? #忽略的IP列表,不受設(shè)置限制 bantime = 600???????????? #屏蔽時(shí)間,單位:秒 findtime = 600???????????? #這個(gè)時(shí)間段內(nèi)超過規(guī)定次數(shù)會(huì)被ban掉 maxretry = 3??????????????? #最大嘗試次數(shù) backend = auto??????????? #日志修改檢測機(jī)制(gamin、polling和auto這三種)[sshd]?????????????????? #單個(gè)服務(wù)檢查設(shè)置,如設(shè)置bantime、findtime、maxretry和全局沖突,服務(wù)優(yōu)先級(jí)大于全局設(shè)置。 enabled = true???????????? #是否激活此項(xiàng)(true/false) filter = sshd????????????? #過濾規(guī)則filter的名字,對應(yīng)filter.d目錄下的sshd.conf action = iptables[name=SSH, port=ssh, protocol=tcp]#動(dòng)作的相關(guān)參數(shù),對應(yīng)action.d/iptables.conf文件 logpath = /var/log/secure???????? #檢測的日志文件path bantime = 3600 findtime = 300 maxretry = 3 servicefail2ban start 啟動(dòng)服務(wù)
4.解除fail2ban綁定的IP? 查詢限制列表 # iptables -L --line-numbers Chain fail2ban-SSH (1references) num ?target ?? prot opt source ?? ? ?? ? ?destination 1 ? ?DROP ?? ? all ?--?118.152.158.61.ha.cnc?anywhere 2 ? ?RETURN? ? all ?--?anywhere ? ?? ? ?? anywhere 解除限制 #?iptables -D?fail2ban-SSH?1
我們主要編輯jail.conf這個(gè)配置文件,其他的不要去管它.
復(fù)制代碼 代碼如下:
# vi /etc/fail2ban.conf
SSH防攻擊規(guī)則
[ssh-iptables]
enabled? = true
filter?? = sshd
action?? = iptables[name=SSH, port=ssh, protocol=tcp]
?????????? sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath? = /var/log/secure
maxretry = 5
[ssh-ddos]
enabled = true
filter? = sshd-ddos
action? = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
logpath? = /var/log/messages
maxretry = 2
[osx-ssh-ipfw]
enabled? = true
filter?? = sshd
action?? = osx-ipfw
logpath? = /var/log/secure.log
maxretry = 5
[ssh-apf]
enabled = true
filter? = sshd
action? = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5
[osx-ssh-afctl]
enabled? = true
filter?? = sshd
action?? = osx-afctl[bantime=600]
logpath? = /var/log/secure.log
maxretry = 5
[selinux-ssh]
enabled = true
filter? = selinux-ssh
action? = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath? = /var/log/audit/audit.log
maxretry = 5
proftp防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[proftpd-iptables]
enabled? = true
filter?? = proftpd
action?? = iptables[name=ProFTPD, port=ftp, protocol=tcp]
?????????? sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath? = /var/log/proftpd/proftpd.log
maxretry = 6
郵件防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[sasl-iptables]
enabled? = true
filter?? = postfix-sasl
backend? = polling
action?? = iptables[name=sasl, port=smtp, protocol=tcp]
?????????? sendmail-whois[name=sasl, dest=you@example.com]
logpath? = /var/log/mail.log
[dovecot]
enabled = true
filter? = dovecot
action? = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/mail.log
[dovecot-auth]
enabled = true
filter? = dovecot
action? = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/secure
[perdition]
enabled = true
filter? = perdition
action? = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog
[uwimap-auth]
enabled = true
filter? = uwimap-auth
action? = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog
apache防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[apache-tcpwrapper]
enabled? = true
filter? = apache-auth
action?? = hostsdeny
logpath? = /var/log/httpd/error_log
maxretry = 6
[apache-badbots]
enabled? = true
filter?? = apache-badbots
action?? = iptables-multiport[name=BadBots, port="http,https"]
?????????? sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath? = /var/log/httpd/access_log
bantime? = 172800
maxretry = 1
[apache-shorewall]
enabled? = true
filter?? = apache-noscript
action?? = shorewall
?????????? sendmail[name=Postfix, dest=you@example.com]
logpath? = /var/log/httpd/error_log
nginx防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[nginx-http-auth]
enabled = true
filter? = nginx-http-auth
action? = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log
lighttpd防規(guī)擊規(guī)則
復(fù)制代碼 代碼如下:
[suhosin]
enabled? = true
filter?? = suhosin
action?? = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath? = /var/log/lighttpd/error.log
maxretry = 2
[lighttpd-auth]
enabled? = true
filter?? = lighttpd-auth
action?? = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath? = /var/log/lighttpd/error.log
maxretry = 2
vsftpd防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[vsftpd-notification]
enabled? = true
filter?? = vsftpd
action?? = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath? = /var/log/vsftpd.log
maxretry = 5
bantime? = 1800
[vsftpd-iptables]
enabled? = true
filter?? = vsftpd
action?? = iptables[name=VSFTPD, port=ftp, protocol=tcp]
?????????? sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath? = /var/log/vsftpd.log
maxretry = 5
bantime? = 1800
pure-ftpd防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[pure-ftpd]
enabled? = true
filter?? = pure-ftpd
action?? = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath? = /var/log/pureftpd.log
maxretry = 2
bantime? = 86400
mysql防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[mysqld-iptables]
enabled? = true
filter?? = mysqld-auth
action?? = iptables[name=mysql, port=3306, protocol=tcp]
?????????? sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath? = /var/log/mysqld.log
maxretry = 5
apache phpmyadmin防攻擊規(guī)則
復(fù)制代碼 代碼如下:
[apache-phpmyadmin]
enabled? = true
filter?? = apache-phpmyadmin
action? = iptables[name=phpmyadmin, port=http,https protocol=tcp]
logpath? = /var/log/httpd/error_log
maxretry = 3
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf
將以下內(nèi)容粘貼到apache-phpmyadmin.conf里保存即可以創(chuàng)建一個(gè)apache-phpmyadmin.conf文件.
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#
[Definition]
docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
# Option:? failregex
# Notes.:? Regexp to match often probed and not available phpmyadmin paths.
# Values:? TEXT
#
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)
# Option:? ignoreregex
# Notes.:? regex to ignore. If this regex matches, the line is ignored.
# Values:? TEXT
#
ignoreregex =
# service fail2ban restart
寫在最后,在安裝完fail2ban后請立即重啟一下fail2ban,看是不是能正常啟動(dòng),因?yàn)樵诤筮呂覀兣渲猛暌?guī)則后如果發(fā)生無法啟動(dòng)的問題我們可以進(jìn)行排查.如果安裝完后以默認(rèn)規(guī)則能夠正常啟動(dòng),而配置完規(guī)則后卻不能夠正常啟動(dòng),請先檢查一下你 /var/log/ 目錄下有沒有規(guī)則里的 logpath= 后邊的文件,或者這個(gè)文件的路徑與規(guī)則里的是不是一致. 如果不一致請?jiān)?logpath 項(xiàng)那里修改你的路徑, 如果你的緩存目錄里沒有這個(gè)文件,那么請你將該配置項(xiàng)的 enabled 項(xiàng)目的值設(shè)置為 false. 然后再進(jìn)行重啟fail2ban,這樣一般不會(huì)有什么錯(cuò)誤了.
總結(jié)
以上是生活随笔為你收集整理的centos下fail2ban安装与配置详解的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 如何保证Linux服务器的安全
- 下一篇: 负载情况