For the Linux servers behind any mature website, it is safe to say they are attacked several times a day.
I previously wrote a shell script that implemented an "active firewall": it finds potential threats from access patterns and denies them directly with the iptables firewall. The principle is simple:
1. cat the logs and separate out the source IP addresses with awk.
2. sort + uniq -c.
3. Take the few sources with the highest access volume; once one reaches the threshold, enable an iptables policy to block its traffic.
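The three steps above as one POSIX shell function, added here as an illustration rather than the author's original script. It counts requests per source address in a combined-format access log, applies a threshold and a whitelist, and prints the iptables command it would run instead of executing it, so the output can be checked without root. The log lines and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: the cat | awk | sort | uniq -c pipeline as a function.
# It prints the iptables command for each offender instead of executing it,
# so it can be inspected without root; replace "echo" with a real call
# once the output looks right.

# Constructed sample of a combined-format access log (documentation
# addresses, not real traffic). Field 1 is the client address.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 404 209
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.9 - - [10/Oct/2023:13:56:03 +0000] "GET /about.html HTTP/1.1" 200 2048
EOF

# top_sources LOGFILE THRESHOLD
# Prints "count ip", highest first, for sources with >= THRESHOLD requests.
top_sources() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn |
        awk -v limit="$2" '$1 >= limit { print $1, $2 }'
}

# ban_commands LOGFILE THRESHOLD "WHITELIST ..."
# One DROP rule per offender; whitelisted addresses are never blocked.
ban_commands() {
    top_sources "$1" "$2" | while read -r count ip; do
        case " $3 " in
            *" $ip "*) continue ;;   # whitelisted, skip
        esac
        echo "iptables -I INPUT -s $ip -j DROP   # $count requests"
    done
}

ban_commands "$SAMPLE_LOG" 3 "127.0.0.1 198.51.100.7"
```

Run from cron with a real log path; the whitelist string is the place to keep monitoring hosts and your own address, because a threshold alone will happily lock you out.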
Called regularly from cron, such a script achieves the active-firewall effect. After a while, though, the drawbacks of this method show. First, it is not flexible enough: adjusting the time granularity and maintaining blacklists and whitelists is tedious. Second, it can only target one service, such as Apache's port 80, and is of little use against combined attacks such as a full port scan.
I was planning to write in Python a comprehensive intrusion-log analysis and iptables invocation framework. I did not expect that one had already existed for a long time: fail2ban, which this article describes.
Install fail2ban
On Ubuntu, the package is in the apt repository: apt-get install fail2ban.
service fail2ban start starts the service.
If you need to build from source, download it from the project's home page; the installation process is close to that of a Python extension. Note that fail2ban is built on the gamin service framework, and the python-gamin support library must be installed before compiling.
Configuring the service
After the apt installation there are several configuration files under the /etc/fail2ban directory. fail2ban.conf mainly defines the daemon's own log and listening port settings; you can ignore it and open jail.conf directly.
The [DEFAULT] section has many parameters. Here are the common ones:
ignoreip = 127.0.0.1/8: whitelist addresses. Network segments are supported, and multiple entries are separated by spaces. These addresses are never blocked.
bantime = 600: blocking time, in seconds.
maxretry = 3: I personally find this name a bit misleading. It is actually the number of log lines matched by the filter (described later) after which the rule blocks the source.
Let's use the default [ssh] jail to introduce the configuration of a service:
enabled = true: whether the jail is enabled.
port = ssh: the port to block. Port numbers and protocol (service) names are supported; multiple ports are separated by commas.
filter = sshd: the filter name. Filters live in the /etc/fail2ban/filter.d directory with a .conf suffix; in this example the filter is /etc/fail2ban/filter.d/sshd.conf.
logpath = /var/log/auth.log: path of the log to watch.
maxretry = 6: maximum number of retries, same meaning as above.
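The [DEFAULT] and [ssh] settings above assembled into one jail configuration, as an added example rather than a copy of the page's files. It can go in jail.conf as the article does, or in jail.local, which fail2ban reads on top of jail.conf so a package upgrade does not overwrite it. The 192.0.2.0/24 whitelist entry is a constructed placeholder for an admin network; findtime is the window within which maxretry matches are counted, a setting the article does not mention but without which the count has no time reference.

```ini
[DEFAULT]
# Addresses never banned; CIDR segments allowed, space-separated.
# 192.0.2.0/24 is a placeholder for the admin network.
ignoreip = 127.0.0.1/8 192.0.2.0/24
# How long a ban lasts, in seconds
bantime  = 600
# Window, in seconds, within which maxretry filter matches must occur
findtime = 600
# Filter matches from one source within findtime before it is banned
maxretry = 3

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
# Per-jail override of the [DEFAULT] value
maxretry = 6
```

Keep ignoreip honest: the whitelist is the only thing standing between a mistyped regex and a self-inflicted lockout of your own management hosts.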
Filter configuration is actually very simple; you only need to know how to write regular expressions that pick the relevant lines out of the log:
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
This is a regular expression that matches 554 rejections in the mail log; <HOST> is fail2ban's placeholder for the source address. Multiple lines can be used to express multiple rules.
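To show what a failregex and maxretry do together, here is an added shell illustration (not fail2ban's own code): the <HOST> tag in a filter pattern is replaced by an address-capturing expression, the pattern is applied to every log line, and a host is reported once its matches reach maxretry. The sshd-style log lines are constructed, and the <HOST> expansion is a simplified IPv4-only stand-in for fail2ban's real one.

```shell
#!/bin/sh
# Added example: apply a fail2ban-style failregex to a log and count
# matches per source host, the way a jail's filter + maxretry behave.

# Constructed sshd lines in /var/log/auth.log style (documentation addresses).
SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Oct 10 13:55:36 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 10 13:55:39 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 10 13:55:42 web1 sshd[2103]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Oct 10 13:55:44 web1 sshd[2105]: Failed password for root from 192.0.2.9 port 60222 ssh2
Oct 10 13:55:47 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 10 13:55:50 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
EOF

# The failregex as it would be written in a filter.d/*.conf, with <HOST>.
FAILREGEX='Failed password for .* from <HOST> port [0-9]+ ssh2'

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 only.
# [.] instead of \. keeps the sed replacement below free of backslashes.
HOST_RE='([0-9]{1,3}[.]){3}[0-9]{1,3}'

# failing_hosts LOGFILE FAILREGEX MAXRETRY
# Prints "count host" for every host whose matches reach MAXRETRY.
failing_hosts() {
    # Expand <HOST> into a capture group, then pull that group from each
    # matching line (non-matching lines produce nothing).
    re=$(printf '%s\n' "$2" | sed "s/<HOST>/($HOST_RE)/")
    sed -nE "s/.*$re.*/\1/p" "$1" |
        sort | uniq -c | sort -rn |
        awk -v limit="$3" '$1 >= limit { print $1, $2 }'
}

failing_hosts "$SAMPLE_AUTH_LOG" "$FAILREGEX" 3
```

The "Accepted publickey" line never matches, and the single root failure from 192.0.2.9 stays below the threshold, which is exactly the distinction maxretry is meant to make. fail2ban ships a fail2ban-regex tool for testing a real filter against a real log file before enabling a jail.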
fail2ban also has a client tool, fail2ban-client, which can perform the entire fail2ban configuration at run time. It is fairly simple and is not covered here.
Others
I personally think fail2ban is a very convenient tool that needs almost no configuration. Some people may need to perform firewall operations from a program, such as PHP. What I do now is have the program periodically write IP addresses to a file, and a filter extracts the addresses from that file for blocking.
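One way to wire up the "program writes addresses to a file" approach, added here as an example of the idea rather than the author's actual setup. The filter name app-ban, the log path /var/log/app/ban.log and the line format the application writes are all assumptions.

```ini
# /etc/fail2ban/filter.d/app-ban.conf   (hypothetical filter name)
[Definition]
# Each line the application appends is assumed to look like:
#   2023-10-10 13:55:36 ban 203.0.113.5 reason=login-abuse
# The leading timestamp is one fail2ban's date detection understands.
failregex = ^.* ban <HOST>( .*)?$
ignoreregex =

# /etc/fail2ban/jail.local   (hypothetical jail and path)
[app-ban]
enabled  = true
port     = http,https
filter   = app-ban
logpath  = /var/log/app/ban.log
# The application has already made the decision; one line is enough.
maxretry = 1
```

Because a single line in this file now translates directly into a firewall rule, the file must be writable only by the application, and the application must never let user-controlled input decide which address it writes; otherwise the ban file becomes a way to knock legitimate users off the site.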