Password protection: Fail2Ban

Which of the following is the best choice. There seems to be a lot of crisis on the Internet, and no matter whether it is a machine or a manual "poor password and password", there will be no more. In this case, you can modify the service port, such as-Modify the SSH port in Linux. However, this strategy is always temporary. Therefore, we need to add a line of defense to the server, and use the Fail2Ban tool to automatically block the "poor password server ".

Note: The following methods are applicable to CentOS and must be used with iptables to run-Basic Application of iptables Firewall

1. Download and decompress Fail2Ban

wget http://soft.kwx.gd/security/fail2ban-0.8.4.tar.bz2

Run the preceding command in SSH to download Fail2Ban 0.8.4.

tar -xjvf fail2ban-0.8.4.tar.bz2

Execute the sshcommand to cancel fail2ban-0.8.4.tar.bz2.

cd fail2ban-0.8.4

SSH executes the above command to enter the fail2ban-0.8.4 folder.

Ii. Install Fail2Ban

Python setup. py install # Run the installation script cd files # enter the files Folder cp. /redhat-initd/etc/init. d/fail2ban # copy the file to the startup list chkconfig -- add fail2ban # create a startup Item service fail2ban start # Test Run

Run the above line-by-line command in SSH to install Fail2Ban and add it to the startup Item. No need to copy the yellow text.

If Fail2Ban is enabled, the installation is successful.

3. modify the configuration file
1. Enter the Directory

cd /etc/fail2ban

2. Modify the overall configuration file jail. conf.
(1) overall configuration

# This ip address or ip segment is an exception and is not affected by the following conditions: ignoreip = 127.0.0.1 # blocking time (for example, 86400 in a day) bantime = 600 # When the condition is reached, the blocking will start, if it reaches 3 times in 600 seconds, it is executed. # Unit: Second findtime = 600 # number of errors in the preceding conditions. If the number of errors reaches 3 in 600 seconds, the execution is performed. # Unit: maxretry = 3

(2) SSH settings

[Ssh-iptables] enabled = false # enable or not, truefilter = sshdaction = iptables [name = SSH, port = ssh, protocol = tcp] # post is the port number sendmail-whois [name = SSH, dest = you@mail.com, sender = fail2ban@mail.com] # Red words above-you@mail.com, it is your email address and sender address (the same as recommended) # The sendmail service is required for sending emails. If this service is not available or you do not need to send emails, add the # sign before sendmail to comment out. Logpath =/var/log/sshd. log # corresponding error log, generally:/var/log/securemaxretry = 5 # Number of error attempts

(3) proftpd settings

[Proftpd-iptables] enabled = false # enable or not, truefilter = proftpdaction = iptables [name = ProFTPD, port = ftp, protocol = tcp] sendmail-whois [name = ProFTPD, dest = you@mail.com] # The red text above is the same as the SSH setting. Logpath =/var/log/proftpd. log # corresponding error log maxretry = 6 # Number of error attempts

Note: The above "corresponding error log" file must match with the actual file; otherwise, Fail2Ban will not work properly.

4. Save and restart Fail2Ban

Service fail2ban restart # restart fail2banchkconfig fail2ban on # Set to auto start upon startup

5. Verify that Fail2Ban is running properly

fail2ban-client status

Run the preceding command in SSH to check whether the monitoring status enabled by fail2ban is running, but the actual effect is not displayed.

For example, the SSH and proftpd settings demonstrated in step 3 have taken effect. You can also use iptables-L-n to view the blocked IP addresses.