Fail2ban watches your system logs, matches log lines against regular expressions, and runs a configured action when a pattern matches (usually a firewall rule that blocks the offending address). For example, when someone is guessing your SSH, SMTP or FTP passwords and the number of failures reaches the threshold you set, Fail2ban blocks that IP through the firewall and can also e-mail the system administrator. It is a very practical and very powerful tool.
Features:
1. Supports many services, such as sshd, Apache, qmail, ProFTPD, SASL and others.
2. Supports a variety of actions, such as iptables, tcp-wrapper, shorewall (a third-party front end to iptables) and mail notification.
3. Supports wildcards in the logpath option.
4. Can use gamin for log monitoring (gamin is a service that watches files and directories for changes).
5. Requires python; the actions you enable need the matching tool installed (iptables, tcp-wrapper, shorewall, gamin). To send e-mail you must install Postfix or Sendmail.
Core principle:
Fail2ban itself only watches the logs; the actual blocking is done by calling iptables (or whichever action is configured) with the matched IP.
Now let's go through installation and deployment in detail.
1. Service installation
First configure a yum repository; here we install with yum directly (installing from source is also possible).
vim /etc/yum.repos.d/CentOS-Base.repo
Add at the end:
[atrpms]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://atrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=1
Keep gpgcheck=1 so every package from the third-party repository is verified against its signing key before it is installed (fail2ban is also packaged in EPEL, which is the usual source on later CentOS releases).
Then install with yum: yum -y install fail2ban
After installation the configuration directory is /etc/fail2ban:
/etc/fail2ban/action.d       # action directory; contains the default action definitions such as iptables and mail
/etc/fail2ban/fail2ban.conf  # defines fail2ban's own log level, log location and socket file location
/etc/fail2ban/filter.d       # filter directory; contains the default filters, i.e. the regular expressions that pick failures out of the logs
/etc/fail2ban/jail.conf      # main configuration file, modular; sets which services are enabled, the ban action and the thresholds
/etc/rc.d/init.d/fail2ban    # init script
2. Post-installation configuration
First look at the default log definition:
cat /etc/fail2ban/fail2ban.conf | grep -v ^#
[Definition]
loglevel = 3
logtarget = SYSLOG  # change this line to /var/log/fail2ban.log so fail2ban's own log is easy to find and review
socket = /var/run/fail2ban/fail2ban.sock
Now look at the defaults in the main configuration file:
cat /etc/fail2ban/jail.conf | grep -v ^# | less
[DEFAULT]  # global settings
ignoreip = 127.0.0.1  # addresses that are never banned (whitelist); put your own management address here so a typo does not lock you out
bantime =   # how long an address stays blocked, in seconds
findtime =  # window in seconds; more than maxretry failures inside it triggers a ban
maxretry = 3  # maximum number of failures
backend = auto  # how log changes are detected (gamin, polling or auto)
[ssh-iptables]  # per-service jail; bantime, findtime and maxretry set here override the [DEFAULT] values
enabled = true  # whether this jail is active (true/false)
filter = sshd  # name of the filter, i.e. sshd.conf in filter.d
action = iptables[name=SSH, port=ssh, protocol=tcp]  # action and its parameters
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]  # recipient of the alert; this action also runs a whois lookup for every banned IP, which needs outbound network access
logpath = /var/log/secure  # the system login log that is watched
maxretry = 5  # maximum number of failures for this jail
Rather than editing jail.conf (which a package upgrade can overwrite), put your changes in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and whose values take precedence.
Note: on CentOS 5 and RHEL 5, logpath must be /var/log/secure. That is where the system writes sshd authentication messages, so it cannot be set arbitrarily.
service fail2ban start  # start the service; the jails enabled in the main configuration take effect
service iptables start  # fail2ban depends on iptables; if you changed the log path earlier and fail2ban did not come up, restart it
To confirm it is working, test the filter against the real log with fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf, check the jail with fail2ban-client status ssh-iptables, and list the rules it created with iptables -L fail2ban-SSH -n.
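The following is an added example, not fail2ban's own code, that shows how the core principle and the jail settings above fit together: a filter regex is run over log lines, failures per source address are counted inside a sliding findtime window, ignoreip is honoured, and at maxretry a ban command in the shape of the iptables action is produced (and an unban after bantime). The regex is a simplified stand-in for filter.d/sshd.conf, the command strings only mirror the form of actionban/actionunban in action.d/iptables.conf and are never executed, and the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified failregex for OpenSSH "Failed password" lines in /var/log/secure.
# Assumption of this example: it stands in for the <HOST> patterns in filter.d/sshd.conf.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2024  # syslog timestamps carry no year; the constructed sample assumes this one


def parse_line(line):
    """Return (timestamp, source IP) when the filter matches, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def action_ban(ip, name):
    """Command in the shape of actionban in action.d/iptables.conf (built, not run)."""
    return f"iptables -I fail2ban-{name} 1 -s {ip} -j DROP"


def action_unban(ip, name):
    """Command in the shape of actionunban in action.d/iptables.conf (built, not run)."""
    return f"iptables -D fail2ban-{name} -s {ip} -j DROP"


class Jail:
    """Counts matches per IP inside a sliding findtime window and bans at maxretry."""

    def __init__(self, ignoreip, findtime, maxretry, bantime, name="SSH"):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.findtime = findtime
        self.maxretry = maxretry
        self.bantime = bantime
        self.name = name
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires
        self.actions = []                   # firewall commands that would be run

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return
        now, ip = parsed
        self._expire_bans(now)
        if any(ipaddress.ip_address(ip) in net for net in self.ignore):
            return  # whitelisted by ignoreip, never counted
        window = self.attempts[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= self.maxretry and ip not in self.banned:
            self.banned[ip] = now + timedelta(seconds=self.bantime)
            self.actions.append(action_ban(ip, self.name))
            window.clear()

    def _expire_bans(self, now):
        # Real fail2ban unbans from a timer; here expiry is checked as lines arrive.
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(action_unban(ip, self.name))


def failures(times, ip, user="root"):
    """Constructed /var/log/secure lines (sample data, not a real log)."""
    return [f"Mar 12 {t} host sshd[{2000 + i}]: Failed password for {user} "
            f"from {ip} port {50000 + i} ssh2" for i, t in enumerate(times)]


SAMPLE_LOG = (
    failures(["12:00:01", "12:00:02", "12:00:03"], "203.0.113.5")
    + ["Mar 12 12:00:04 host sshd[2100]: Accepted password for alice from 192.0.2.9 port 50010 ssh2"]
    + failures(["12:00:05", "12:00:06"], "203.0.113.5", user="invalid user admin")  # 5th failure -> ban
    + failures(["12:00:10", "12:00:11", "12:00:12"], "198.51.100.7")
    + failures(["12:00:13", "12:00:14", "12:00:15", "12:00:16", "12:00:17"], "127.0.0.1")  # ignoreip
    + failures(["12:12:00", "12:12:01", "12:12:02"], "198.51.100.7")  # earlier 3 fell out of findtime
)


def run_jail(lines, ignoreip=("127.0.0.1",), findtime=600, maxretry=5, bantime=600):
    jail = Jail(ignoreip, findtime, maxretry, bantime)
    for line in lines:
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for cmd in run_jail(SAMPLE_LOG).actions:
        print(cmd)
```

With the defaults from the jail above (maxretry=5, findtime=600, bantime=600), 203.0.113.5 is banned on its fifth failure and released ten minutes later, 198.51.100.7 is never banned because its first three failures have aged out of the window before the next three arrive, and 127.0.0.1 is never counted. Raising findtime to 1200 makes the six failures from 198.51.100.7 fall into one window, so it gets banned too; that is the trade-off the two settings express.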