The process of installing the Fail2ban anti-brute-force tool on CentOS 6.3


Fail2ban monitors your system logs and matches the error messages in them with regular expressions; when a match is found it performs the configured blocking action (in general, it calls the firewall to block the source). For example, when someone is guessing your SSH, SMTP or FTP passwords, once the number of failures reaches the threshold you set, Fail2ban calls the firewall to block that IP and can also notify the system administrator by e-mail. It is a very practical and very powerful piece of software!

Features:

1. Supports a large number of services, such as sshd, Apache, qmail, ProFTPD, SASL and so on.

2. Supports a variety of actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables front end) and mail notification.

3. Supports wildcard characters in the logpath option.

4. Requires gamin support (note: Gamin is a service that monitors files and directories for changes).

5. Requires python, iptables, tcp-wrapper, shorewall and gamin to be installed. If you want to send e-mail, you must also install Postfix or Sendmail.

Core principle:

In fact, Fail2ban itself only does the monitoring; the actual blocking action is carried out by calling iptables!

Well, let's talk about how to install and deploy it in detail.

First, service installation

First configure the yum repository; here we install directly with yum (installing from source also works).

vim /etc/yum.repos.d/CentOS-Base.repo

Add at the end:

[atrpms]
name=Red Hat Enterprise Linux $releasever-$basearch-atrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://atrpms.net/rpm-gpg-key.atrpms
gpgcheck=1
enabled=1

Then install it directly with yum: yum -y install fail2ban

After the installation completes, the service configuration directory is /etc/fail2ban:

/etc/fail2ban/action.d        # action directory; holds the default action configurations such as iptables and mail
/etc/fail2ban/fail2ban.conf   # defines the fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d        # filter directory; holds the default filters that match key content in the logs
/etc/fail2ban/jail.conf       # main configuration file, modular; enables the ban actions per service and sets the action thresholds
/etc/rc.d/init.d/fail2ban     # init (startup) script

Second, post-installation configuration

First take a look at the default log definition:

cat /etc/fail2ban/fail2ban.conf | grep -v ^#

[Definition]
loglevel = 3
logtarget = SYSLOG   # all we need to do is change this line to /var/log/fail2ban.log so the log is easy to inspect
socket = /var/run/fail2ban/fail2ban.sock

Take a look at the defaults in the main configuration:

cat /etc/fail2ban/jail.conf | grep -v ^# | less

[DEFAULT]   # global settings
ignoreip = 127.0.0.1   # list of IPs to ignore; these are not subject to the limits (whitelist)
bantime =   # ban duration, unit: seconds
findtime =   # a host that exceeds the allowed number of failures within this period gets banned
maxretry = 3   # maximum number of attempts
backend = auto   # log-change detection mechanism (one of gamin, polling, auto)

[ssh-iptables]   # per-service check configuration; bantime, findtime and maxretry can be set here, and where they conflict with the global settings the service-level value takes priority
enabled = true   # whether this jail is active (true/false)
filter = sshd   # name of the filter rule, corresponding to sshd.conf in the filter.d directory
action = iptables[name=ssh, port=ssh, protocol=tcp]   # parameters of the action
         sendmail-whois[name=ssh, dest=root, sender=fail2ban@example.com]   # recipient of the triggered alert
logpath = /var/log/secure   # the system login log file to monitor
maxretry = 5   # maximum number of attempts

PS: on CentOS 5 and RHEL 5, logpath should be /var/log/secure; this is the system log and cannot be set arbitrarily.

service fail2ban start   # just start the service (using the jails defined in the default main configuration file)
service iptables start   # fail2ban depends on iptables. If the log path was changed earlier and it does not work, restart fail2ban.
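As an added illustration of the core principle above (this is not code from the page or from the fail2ban project), the following Python script reproduces in miniature what the ssh-iptables jail does: it matches /var/log/secure lines against a failregex, counts failures per host inside the findtime window, honours ignoreip, and emits the iptables commands the iptables action would run. The log lines are constructed, the failregex is a simplified form of the sshd filter, and findtime=600 is an assumed value because the page leaves it blank.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure (CentOS 6 syslog format); not a real capture.
SAMPLE_SECURE_LOG = """\
Mar  5 10:00:01 host sshd[2100]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 10:00:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  5 10:00:04 host sshd[2102]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Mar  5 10:00:06 host sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  5 10:00:09 host sshd[2104]: Failed password for root from 198.51.100.4 port 40001 ssh2
Mar  5 10:30:01 host sshd[2105]: Failed password for root from 192.0.2.9 port 2222 ssh2
Mar  5 10:42:01 host sshd[2106]: Failed password for root from 192.0.2.9 port 2223 ssh2
Mar  5 10:54:01 host sshd[2107]: Failed password for root from 192.0.2.9 port 2224 ssh2
"""

# Simplified version of the sshd filter's failregex; fail2ban substitutes <HOST> itself.
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST>"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def iptables_actionstart(name="ssh", port="ssh", protocol="tcp"):
    """Chain setup the iptables action runs when the jail starts (fail2ban 0.8 iptables.conf)."""
    return [f"iptables -N fail2ban-{name}",
            f"iptables -A fail2ban-{name} -j RETURN",
            f"iptables -I INPUT -p {protocol} --dport {port} -j fail2ban-{name}"]

def scan_log(log_text, maxretry=3, findtime=600, ignoreip=("127.0.0.1",)):
    """Return (banned_hosts, actionban_commands) for one pass over the log.
    findtime=600 is an assumed value; the page leaves it blank."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST))
    failures = defaultdict(deque)  # host -> timestamps of failures inside the findtime window
    banned, actions = [], []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue  # e.g. "Accepted publickey": not a failure, never counted
        host = m.group("host")
        if host in ignoreip or host in banned:
            continue  # whitelisted, or already handed to iptables
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp, no year
        window = failures[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned.append(host)
            actions.append(f"iptables -I fail2ban-ssh 1 -s {host} -j DROP")
    return banned, actions
```

With the defaults, 203.0.113.7 (three failures in five seconds) is banned while 192.0.2.9 (three failures spread over 24 minutes) is not; raising findtime to 3600 bans both.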
