Fail2ban is a well-known open source intrusion-prevention framework for Linux. It watches the log files of multiple services (for example /var/log/auth.log or /var/log/secure) and automatically triggers defensive actions, typically firewall rules, when it detects suspicious behaviour such as repeated authentication failures from one address. At the most basic level, Fail2ban is very useful for defending SSH servers against brute-force password guessing.
Now for the basic configuration:
1. Download the source
Download the appropriate installation package from the Fail2ban project site, or install the packaged version with yum as in the next step (on CentOS/RHEL the fail2ban package comes from the EPEL repository, so install epel-release first).
2. Install with yum
yum install -y fail2ban
3. Start the service
service fail2ban start
4. Fail2ban's configuration files
Service configuration directory: /etc/fail2ban/
/etc/fail2ban/action.d      # action directory, with default files included: iptables, mail and other action definitions
/etc/fail2ban/fail2ban.conf # defines the fail2ban log level, log file location and socket file location
/etc/fail2ban/filter.d      # filter directory, with default files included: the regular expressions that pick the relevant failures out of each service's log
/etc/fail2ban/jail.conf     # main configuration file, modular: enables jails and sets the ban action and trigger thresholds for each service
/etc/rc.d/init.d/fail2ban   # SysV init script
5. Configuration
vim /etc/fail2ban/jail.conf
(The header of jail.conf itself says not to edit it directly, because a package upgrade overwrites it; the same settings can be placed in /etc/fail2ban/jail.local, which overrides jail.conf section by section. Keys and section names are case-sensitive, so write them in lower case as below.)
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR range, or a DNS host name.
# Fail2ban never bans an address that matches one of these entries.
# Multiple entries are separated by spaces. Add the address you administer from,
# otherwise a few typos in your own password will lock you out.
ignoreip = 127.0.0.1
# "bantime" is how long a host stays banned, in seconds.
bantime = 3600
# "findtime" is the window, in seconds, within which failures from one IP are counted.
# With 600, a failure within 10 minutes of the previous ones raises the retry count;
# failures older than 10 minutes no longer count (it is a sliding window, not a lifetime total).
findtime = 600
# "maxretry" is the number of failures that triggers a ban: with 3, the third failure
# inside findtime gets the host banned.
maxretry = 3
# "backend" selects the log-monitoring mechanism: "gamin", "polling" or "auto"
# (newer releases also offer "pyinotify" and "systemd").
backend = auto
# Setting enabled here turns on every jail defined in the file; it is safer to
# enable only the jails you actually want, inside their own sections.
enabled = true
[ssh-iptables]   # the SSH jail; settings here override [DEFAULT]
enabled = true
filter = sshd
# port=ssh is the default SSH port; if sshd listens elsewhere, change it here too, e.g. port=213
action = iptables[name=ssh, port=ssh, protocol=tcp]
         sendmail-whois[name=ssh, dest=root, sender=fail2ban@example.com]
# the continuation line of a multi-line value must be indented; the sender address
# above is a placeholder to replace with your own, and the mail action needs a working local MTA
logpath = /var/log/secure   # sshd log on CentOS/RHEL; Debian/Ubuntu use /var/log/auth.log
maxretry = 5                # overrides the [DEFAULT] value of 3 for this jail only
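To make the findtime/maxretry/ignoreip semantics concrete, here is a small Python model of the jail above, added to this article as an illustration; it is not fail2ban's own code. It replays sshd failure lines in /var/log/secure format through a sliding findtime window and reports which source addresses would be banned. The log lines, the host name "bastion", the addresses (RFC 5737 test ranges), the assumed log year and the simplified failure regex are all constructed for the example.

```python
"""Toy model of the [ssh-iptables] jail (illustration added to this article,
not fail2ban's own code): replay sshd failure lines in /var/log/secure format
through the findtime / maxretry / bantime / ignoreip rules and see which
source addresses get banned. Log lines, host name and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a small subset of what fail2ban's stock filter.d/sshd.conf matches.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2016  # syslog timestamps carry no year; assume one so lines can be ordered


def parse_timestamp(ts):
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    """Per-IP sliding window of failures; a ban fires when the window holds
    maxretry failures, exactly as the jail settings describe."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600,
                 ignoreip=("127.0.0.1",)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        # ignoreip entries may be single addresses or CIDR ranges
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> (banned at, unban at)

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = FAILREGEX.match(line)
        if not m:
            return None  # not a failure the filter recognises (e.g. a successful login)
        ip, when = m.group("ip"), parse_timestamp(m.group("ts"))
        if self.is_ignored(ip) or ip in self.bans:
            return None  # whitelisted, or already blocked by the firewall action
        window = self.failures[ip]
        window.append(when)
        # findtime is a sliding window, not a lifetime counter: expire old failures
        while when - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = (when, when + self.bantime)
            window.clear()
            return ip
        return None


def replay(lines, **jail_settings):
    """Run log lines through a jail; return {ip: (ban time, unban time)}."""
    jail = Jail(**jail_settings)
    for line in lines:
        jail.feed(line)
    return jail.bans


def _failure(ts, user, ip, port):
    return f"{ts} bastion sshd[4321]: Failed password for {user} from {ip} port {port} ssh2"


# Constructed sample of /var/log/secure (addresses from the RFC 5737 test ranges).
SAMPLE_LOG = [
    _failure("May 31 10:00:00", "alice", "198.51.100.7", 40001),
    _failure("May 31 10:05:00", "root", "203.0.113.10", 50001),
    _failure("May 31 10:05:10", "root", "203.0.113.10", 50002),
    _failure("May 31 10:05:20", "invalid user admin", "203.0.113.10", 50003),
    _failure("May 31 10:05:30", "root", "203.0.113.10", 50004),
    _failure("May 31 10:05:40", "root", "203.0.113.10", 50005),
    "May 31 10:06:00 bastion sshd[4322]: Accepted publickey for bob from 192.0.2.9 port 60001 ssh2",
    _failure("May 31 10:12:00", "alice", "198.51.100.7", 40002),  # 12 min apart: each
    _failure("May 31 10:24:00", "alice", "198.51.100.7", 40003),  # failure expires before
    _failure("May 31 10:36:00", "alice", "198.51.100.7", 40004),  # the next with findtime=600
] + [_failure(f"May 31 10:40:{s:02d}", "root", "127.0.0.1", 30000 + s) for s in range(0, 60, 10)]


if __name__ == "__main__":
    # maxretry=5 from the [ssh-iptables] jail overrides the [DEFAULT] value of 3
    for maxretry in (5, 3):
        bans = replay(SAMPLE_LOG, maxretry=maxretry, findtime=600, bantime=3600)
        print(f"maxretry={maxretry}:", {ip: str(t[0]) for ip, t in bans.items()})
```

Running it shows 203.0.113.10 banned on its fifth failure with the jail's maxretry=5 (on its third with the [DEFAULT] value of 3), 198.51.100.7 never banned because its failures are spread further apart than findtime, and 127.0.0.1 never banned because it matches ignoreip. Raising findtime to 3600 makes the slow attacker bannable too, which is the trade-off the two settings express.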
6. Check iptables
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-ssh    tcp  --  anywhere             anywhere             tcp dpt:ssh
Fail2ban inserts a jump from INPUT into its own f2b-ssh chain (the name comes from name=ssh in the action); the addresses it has banned appear as rules inside that chain, which you can list with iptables -L f2b-ssh -n.
7. Check the logs
tail /var/log/fail2ban.log
Bans and unbans are logged as NOTICE lines naming the jail and the address; fail2ban-client status ssh-iptables also shows the currently banned addresses for the jail.
This article comes from the "My Heart Forever" blog; please keep this source when reposting: http://catchen.blog.51cto.com/8816319/1793664
Fail2ban installation and configuration