Ryan
2018/10/07

Active defense: blocking network probing and brute-force attempts with fail2ban

Fail2ban is a pretty good free tool for anyone who needs to protect their own server. It watches log files for patterns you define and, once a source IP has matched too many times within a set window, bans that IP with a firewall rule. So when some idiot is trying to brute-force your SSH, SMTP or FTP logins, or hitting you with a CC (HTTP flood) attack, sensibly tuned rules will cut them off effectively.

Installing Fail2ban

There are plenty of install guides around; these are the upstream commands from the project's README. Note that they install the current development branch straight from git, so on most systems the distribution package (apt install fail2ban / yum install fail2ban) is the better choice: it brings init scripts, logrotate configuration and security updates through the package manager.

git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
sudo python setup.py install

Or use the one-click script I wrote (as with any script pulled over the network, read it before you run it):

wget https://shell.ipl.cx/fail2ban.sh
bash fail2ban.sh

Configuring Fail2ban

SSH protection

If you used my one-click script, SSH protection is switched on by default after installation; protecting other services means adding more rules.
All fail2ban configuration lives under /etc/fail2ban/. The shipped defaults are in jail.conf, which you should not edit because an upgrade overwrites it; put your own jails and overrides in jail.local (or a file under jail.d/), which is read after jail.conf and takes precedence.
Here is the SSH rule I use:

[sshd]
enabled  = true
port     = ssh
filter   = sshd
# bans with a plain iptables rule on the SSH port; the name is used for the iptables chain
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# CentOS/RHEL path; on Debian/Ubuntu sshd logs to /var/log/auth.log instead
logpath  = /var/log/secure
# five failures within the default findtime (10 minutes) earn a one-week ban
maxretry = 5
bantime  = 604800

nginx protection

For example, here is the rule I use against the idiot scanners that crawl the site:

[nginx-blog-pupt-net]
enabled = true
port = http,https
filter = nginx-not-found
# iptables-multiport so that every port in the list is blocked; the single-port
# iptables action with port=http would leave HTTPS scanning unblocked
action = iptables-multiport[name=nginx, port="http,https", protocol=tcp]
logpath = /var/log/blog.pupt.net.log
# 20 matching 404s from one IP within 60 seconds earn a one-hour ban
bantime = 3600
findtime = 60
maxretry = 20

The filter parameter selects the log-matching rule; the corresponding rule files are stored in /etc/fail2ban/filter.d, and fail2ban ships with quite a few of them:

3proxy.conf                freeswitch.conf         postfix.conf
apache-auth.conf           froxlor-auth.conf       proftpd.conf
apache-badbots.conf        groupoffice.conf        pure-ftpd.conf
apache-botsearch.conf      gssftpd.conf            qmail.conf
apache-common.conf         guacamole.conf          recidive.conf
apache-fakegooglebot.conf  haproxy-http-auth.conf  roundcube-auth.conf
apache-modsecurity.conf    horde.conf              screensharingd.conf
apache-nohome.conf         ignorecommands          selinux-common.conf
apache-noscript.conf       kerio.conf              selinux-ssh.conf
apache-overflows.conf      lighttpd-auth.conf      sendmail-auth.conf
apache-pass.conf           mongodb-auth.conf       sendmail-reject.conf
apache-shellshock.conf     monit.conf              sieve.conf
assp.conf                  murmur.conf             slapd.conf
asterisk.conf              mysqld-auth.conf        sogo-auth.conf
botsearch-common.conf      nagios.conf             solid-pop3d.conf
common.conf                named-refused.conf      squid.conf
counter-strike.conf        nginx-botsearch.conf    squirrelmail.conf
courier-auth.conf          nginx-http-auth.conf    sshd.conf
courier-smtp.conf          nginx-limit-req.conf    stunnel.conf
cyrus-imap.conf            nginx-not-found.conf    suhosin.conf
directadmin.conf           nsd.conf                tine20.conf
domino-smtp.conf           openhab.conf            uwimap-auth.conf
dovecot.conf               openwebmail.conf        vsftpd.conf
dropbear.conf              oracleims.conf          webmin-auth.conf
drupal-auth.conf           pam-generic.conf        wuftpd.conf
ejabberd-auth.conf         perdition.conf          xinetd-fail.conf
exim-common.conf           phpmyadmin-syslog.conf  zoneminder.conf
exim.conf                  php-url-fopen.conf
exim-spam.conf             portsentry.conf

nginx-not-found.conf is one I added myself; its contents are as follows (filter files need the [Definition] section header):

[Definition]
# any request from <HOST> that nginx answered with a 404; note that nothing here pins
# " 404 " to the status field, so a " 404 " in the referrer or user-agent also matches
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =

You can write such a matching rule yourself; once written, test it against the real log with fail2ban-regex and check the match counts:

fail2ban-regex /var/log/blog.pupt.net.log /etc/fail2ban/filter.d/nginx-not-found.conf

Running tests
=============

Use   failregex filter file : nginx-not-found, basedir: /etc/fail2ban
Use         log file : /var/log/blog.pupt.net.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [14625] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 14625 lines, 0 ignored, 0 matched, 14625 missed
[processed in 5.11 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 14625 lines

Read that result carefully before enabling the jail: 0 matched and 14625 missed means the regex, as written, did not match a single line of this log, so the jail would never ban anyone. Run fail2ban-regex again with --print-all-missed (or against a file holding just a few sample lines) to compare the regex with the real log format, and iterate until the Results block reports matches and the matched hosts are the ones you expect.
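
To see what fail2ban-regex is actually checking, here is an added example (my code, not the page's and not fail2ban's) that emulates the matching and counting offline: it expands the <HOST> tag the way fail2ban 0.9 did, runs the page's failregex and a tighter, anchored alternative over constructed nginx combined-format lines (not real traffic), and applies the jail's maxretry/findtime logic in simplified form. It assumes the standard combined log format, keeps the date in the line instead of stripping it as fail2ban does, and ignores ignoreregex.

```python
"""Offline emulation of fail2ban-regex for an nginx 404 filter.

Added example with constructed log lines and a simplified ban engine;
this is not fail2ban's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Classic fail2ban (0.9-era) expansion of the <HOST> tag. Newer releases use a
# richer pattern with IPv6 forms, which does not matter for these IPv4 samples.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The page's loose filter: nothing pins " 404 " to the status field.
LOOSE_FAILREGEX = r"<HOST> -.*- .*HTTP/1.* 404 .*$"

# Tighter alternative (assumes the standard nginx "combined" format; the date
# stays in the line because this emulation does not strip it like fail2ban).
STRICT_FAILREGEX = r'^<HOST> - \S+ \[[^\]]+\] "[A-Z]+ \S+ HTTP/[0-9.]+" 404 \d+ '

TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matches(failregex, line):
    return compile_failregex(failregex).search(line) is not None


def line_time(line):
    """Parse the [dd/Mon/yyyy:HH:MM:SS +zzzz] timestamp of a combined-format line."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def count_hits(lines, failregex):
    """Matching lines per host, i.e. what 'Failregex: N total' is made of."""
    rx = compile_failregex(failregex)
    hits = defaultdict(int)
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def find_bans(lines, failregex, maxretry, findtime):
    """Simplified jail logic: ban a host once it has maxretry matching lines
    inside any findtime-second window. Returns {host: time of the ban}."""
    rx = compile_failregex(failregex)
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host = m.group("host")
        if host in banned:
            continue
        now = line_time(line)
        window = [t for t in recent[host] if (now - t).total_seconds() < findtime]
        window.append(now)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = now
    return banned


# ---- constructed sample log (not real traffic) ---------------------------------
BASE = datetime(2018, 10, 7, 10, 15, 0, tzinfo=timezone(timedelta(hours=8)))


def access_line(ip, path, status, when, ua="Mozilla/5.0"):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 162 "-" "{ua}"'


SAMPLE_LOG = (
    # a scanner probing 25 non-existent paths in 25 seconds (inside findtime=60)
    [access_line("203.0.113.7", f"/probe-{i}.php", 404, BASE + timedelta(seconds=i))
     for i in range(25)]
    # a normal visitor: one good page, three dead links
    + [access_line("198.51.100.9", "/about", 200, BASE + timedelta(seconds=30))]
    + [access_line("198.51.100.9", "/old-post", 404, BASE + timedelta(seconds=31 + i))
       for i in range(3)]
    # a 200 response whose User-Agent happens to contain " 404 "
    + [access_line("198.51.100.9", "/index.html", 200, BASE + timedelta(seconds=40),
                   ua="Mozilla/5.0 (compatible; Bot 404 )")]
)

if __name__ == "__main__":
    for name, rx in (("loose", LOOSE_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        print(name, "hits:", count_hits(SAMPLE_LOG, rx))
        print(name, "bans:", find_bans(SAMPLE_LOG, rx, maxretry=20, findtime=60))
```

Both regexes ban the scanner, but only the loose one also counts the 200 response whose user-agent contains " 404 ". That is the kind of false positive which, at maxretry = 20 in 60 seconds, could eventually lock out a legitimate client; anchoring the regex and pinning the status field costs nothing.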

Other notes

Checking status

fail2ban-client status sshd
fail2ban-client status nginx-not-found

Unbanning an IP

fail2ban-client unban <ip>

To unban from a single jail only, use fail2ban-client set sshd unbanip <ip> (substituting the jail name).

One last gripe

These brute-force kiddies really are shameless. Look at the result after only a few days of running fail2ban:

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    371
|  `- File list:    /var/log/secure
`- Actions
   |- Currently banned:    162
   |- Total banned:    175
Last modification:December 1st, 2018 at 08:03 pm

One comment

  1. 博客大全

    Network security is not to be underestimated.