centos下fail2ban安裝與配置詳解

centos下fail2ban安裝與配置詳解_Linux

最後更新：2017-01-19 來源：互聯網

上載者：User

創建阿里雲帳戶，並獲得超過 40 款產品的免費試用版；而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊！

一、fail2ban簡介

fail2ban可以監視你的系統日誌，然後匹配日誌的錯誤資訊（正則式匹配）執行相應的屏蔽動作（一般情況下是防火牆），而且可以發送e-mail通知系統管理員，是不是很好、很實用、很強大！

二、簡單來介紹一下fail2ban的功能和特性

1、支援大量服務。如sshd,apache,qmail,proftpd,sasl等等
2、支援多種動作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(郵件通知)等等。
3、在logpath選項中支援萬用字元
4、需要Gamin支援(註：Gamin是用於監視檔案和目錄是否更改的服務工具)
5、需要安裝python,iptables,tcp-wrapper,shorewall,Gamin。如果想要發郵件，那必需安裝postfix/sendmail

三、fail2ban安裝與配置操作執行個體

1:安裝epel更新源：http://fedoraproject.org/wiki/EPEL/zh-cn

複製代碼代碼如下:

# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

複製代碼代碼如下:

# yum install gamin-python python-inotify python-ctypes
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

複製代碼代碼如下:

# yum install gamin-python python-inotify python-ctypes
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

2:源碼包安裝

複製代碼代碼如下:

# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz
# cd
# ./setup.py
# cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
# chmod +x /lib/svc/method/svc-fail2ban

安裝路徑

複製代碼代碼如下:

/etc/fail2ban
action.d filter.d fail2ban.conf jail.conf

我們主要編輯jail.conf這個設定檔，其他的不要去管它.

複製代碼代碼如下:

# vi /etc/fail2ban.conf

SSH防攻擊規則

複製代碼代碼如下:

[ssh-iptables]

enabled = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5

[ssh-ddos]
enabled = true
filter = sshd-ddos
action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
logpath = /var/log/messages
maxretry = 2

[osx-ssh-ipfw]

enabled = true
filter = sshd
action = osx-ipfw
logpath = /var/log/secure.log
maxretry = 5

[ssh-apf]

enabled = true
filter = sshd
action = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5

[osx-ssh-afctl]

enabled = true
filter = sshd
action = osx-afctl[bantime=600]
logpath = /var/log/secure.log
maxretry = 5

[selinux-ssh]
enabled = true
filter = selinux-ssh
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath = /var/log/audit/audit.log
maxretry = 5

proftp防攻擊規則

複製代碼代碼如下:

[proftpd-iptables]

enabled = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

郵件防攻擊規則

複製代碼代碼如下:

[sasl-iptables]

enabled = true
filter   = postfix-sasl
backend = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath = /var/log/mail.log

[dovecot]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/mail.log

[dovecot-auth]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/secure

[perdition]

enabled = true
filter = perdition
action = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog

[uwimap-auth]

enabled = true
filter = uwimap-auth
action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog

apache防攻擊規則

複製代碼代碼如下:

[apache-tcpwrapper]

enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/httpd/error_log
maxretry = 6

[apache-badbots]

enabled = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath = /var/log/httpd/access_log
bantime = 172800
maxretry = 1

[apache-shorewall]

enabled = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/httpd/error_log

nginx防攻擊規則

複製代碼代碼如下:

[nginx-http-auth]

enabled = true
filter = nginx-http-auth
action = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log

lighttpd防規擊規則

複製代碼代碼如下:

[suhosin]

enabled = true
filter = suhosin
action = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]

enabled = true
filter = lighttpd-auth
action = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

vsftpd防攻擊規則

複製代碼代碼如下:

[vsftpd-notification]

enabled = true
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

[vsftpd-iptables]

enabled = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

pure-ftpd防攻擊規則

複製代碼代碼如下:

[pure-ftpd]
enabled = true
filter = pure-ftpd
action = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath = /var/log/pureftpd.log
maxretry = 2
bantime = 86400

mysql防攻擊規則

複製代碼代碼如下:

[mysqld-iptables]

enabled = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath = /var/log/mysqld.log
maxretry = 5

apache phpmyadmin防攻擊規則

複製代碼代碼如下:

[apache-phpmyadmin]
enabled = true
filter = apache-phpmyadmin
action = iptables[name=phpmyadmin, port=http,https protocol=tcp]
logpath = /var/log/httpd/error_log
maxretry = 3
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf
將以下內容粘貼到apache-phpmyadmin.conf裡儲存即可以建立一個apache-phpmyadmin.conf檔案.

# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option: failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values: TEXT
#
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# service fail2ban restart

寫在最後，在安裝完fail2ban後請立即重啟一下fail2ban,看是不是能正常啟動，因為在後邊我們配置完規則後如果發生無法啟動的問題我們可以進行排查.如果安裝完後以預設規則能夠正常啟動，而配置完規則後卻不能夠正常啟動，請先檢查一下你 /var/log/ 目錄下有沒有規則裡的 logpath= 後邊的檔案，或者這個檔案的路徑與規則裡的是不是一致. 如果不一致請在 logpath 項那裡修改你的路徑，如果你的緩衝目錄裡沒有這個檔案，那麼請你將該配置項的 enabled 項目的值設定為 false. 然後再進行重啟fail2ban，這樣一般不會有什麼錯誤了.

本文章原先以中文撰寫並發佈於 aliyun.com，亦設英文版本，僅作資訊用途。本網站不對文章的準確性，完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴，請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡，一經驗證之後，即會刪除該侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More