centos下fail2ban安装与配置详解
⼀、fail2ban简介
fail2ban可以监视你的系统⽇志,然后匹配⽇志的错误信息(正则式匹配)执⾏相应的屏蔽动作(⼀般情况下是防⽕墙),⽽且可以发送e-mail通知系统管理员,是不是很好、很实⽤、很强⼤!
⼆、简单来介绍⼀下fail2ban的功能和特性
1、⽀持⼤量服务。如sshd,apache,qmail,proftpd,sasl等等
2、⽀持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三⽅⼯具),mail notifications(邮件通知)等等。
3、在logpath选项中⽀持通配符
4、需要Gamin⽀持(注:Gamin是⽤于监视⽂件和⽬录是否更改的服务⼯具)
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/ndmail
三、fail2ban安装与配置操作实例
原因的英文复制代码代码如下:
# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban
or
复制代码代码如下:
# yum install gamin-python python-inotify python-ctypes
# wget dl.fedoraproject/pub/epel/6/i386/fail2ban-0.8.arch.rpm
# rpm -ivh fail2ban-0.8.arch.rpm
or
复制代码代码如下:
# yum install gamin-python python-inotify python-ctypes
# wget ftp.sjtu.edu/fedora/epel//5/i386/fail2ban-0.8.arch.rpm
# rpm -ivh fail2ban-0.8.arch.rpm
2:源码包安装
复制代码代码如下:
# wget /fail2ban//0.9.0
# tar -xzvf fail2ban-0.9.
# cd
# ./tup.py
# cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
# chmod +x /lib/svc/method/svc-fail2ban
安装路径
复制代码代码如下:
/etc/fail2ban
action.d filter.f
我们主要编辑f这个配置⽂件,其他的不要去管它.
复制代码代码如下:
# vi /f
SSH防攻击规则
复制代码代码如下:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
ndmail-whois[name=SSH, dest=root, nder=, ndername="Fail2Ban"]
logpath = /var/log/cure
maxretry = 5
[ssh-ddos]
enabled = true
filter = sshd-ddos
action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
logpath = /var/log/messages
maxretry = 2
[osx-ssh-ipfw]
enabled = true
filter = sshd
action = osx-ipfw
logpath = /var/log/cure.log
maxretry = 5
[ssh-apf]
enabled = true
filter = sshd
action = apf[name=SSH]
logpath = /var/log/cure
maxretry = 5
[osx-ssh-afctl]
enabled = true
filter = sshd
action = osx-afctl[bantime=600]my heart will go on歌词
logpath = /var/log/cure.log
maxretry = 5
[linux-ssh]
enabled = true
filter = linux-ssh
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath = /var/log/audit/audit.log
maxretry = 5
proftp防攻击规则
复制代码代码如下:
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
ndmail-whois[name=ProFTPD, dest=]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
邮件防攻击规则
复制代码代码如下:
[sasl-iptables]
enabled = true
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
ndmail-whois[name=sasl, dest=]
logpath = /var/log/mail.log
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/mail.log
[dovecot-auth]
燕王学道enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp] logpath = /var/log/cure
[perdition]
enabled = true
filter = perdition
action = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog
[uwimap-auth]
enabled = true
filter = uwimap-auth
action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog
apache防攻击规则
复制代码代码如下:
[apache-tcpwrapper]
korresenabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/httpd/error_log
maxretry = 6
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
ndmail-buffered[name=BadBots, lines=5, dest=]
logpath = /var/log/httpd/access_log
bantime = 172800
maxretry = 1
[apache-shorewall]
enabled = true
filter = apache-noscript
action = shorewall
ndmail[name=Postfix, dest=]
logpath = /var/log/httpd/error_log
nginx防攻击规则
复制代码代码如下:
[nginx-http-auth]
enabled = true
filter = nginx-http-auth波特率
empties
action = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log
lighttpd防规击规则
复制代码代码如下:
[suhosin]
filter = suhosin
action = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2
[lighttpd-auth]
enabled = true
filter = lighttpd-auth
action = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2
vsftpd防攻击规则
复制代码代码如下:
[vsftpd-notification]
enabled = true
filter = vsftpd
action = ndmail-whois[name=VSFTPD, dest=]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
ndmail-whois[name=VSFTPD, dest=]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
pure-ftpd防攻击规则
复制代码代码如下:
[pure-ftpd]traditional
enabled = true
filter = pure-ftpd
action = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath = /var/log/pureftpd.log
maxretry = 2
bantime = 86400
mysql防攻击规则
复制代码代码如下:
[mysqld-iptables]
enabled = true
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
ndmail-whois[name=MySQL, dest=root, nder=] logpath = /var/log/mysqld.log
maxretry = 5
apache phpmyadmin防攻击规则
复制代码代码如下:
[apache-phpmyadmin]
filter = apache-phpmyadmin
action = iptables[name=phpmyadmin, port=http,https protocol=tcp]
logpath = /var/log/httpd/error_log
maxretry = 3
# /etc/fail2ban/filter.f
despairing将以下内容粘贴到f⾥保存即可以创建⼀个f⽂件.
# Fail2Ban configuration file
#
广州新东方英语学校
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#
[Definition]
docroot = /var/www
badadmin =
PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2 # Option: failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values: TEXT
#
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)
# Option: ignoreregexaustralian open
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# rvice fail2ban restart
写在最后,在安装完fail2ban后请⽴即重启⼀下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发⽣⽆法启动的问题
我们可以进⾏排查.如果安装完后以默认规则能够正常启动,⽽配置完规则后却不能够正常启动,请先检查⼀下你 /var/log/ ⽬录下有没
有规则⾥的 logpath= 后边的⽂件,或者这个⽂件的路径与规则⾥的是不是⼀致. 如果不⼀致请在 logpath 项那⾥修改你的路径,如果你的缓存⽬录⾥没有这个⽂件,那么请你将该配置项的 enabled 项⽬的值设置为 fal. 然后再进⾏重启fail2ban,这样⼀般不会有什么错误了.