# Using Fail2Ban on CentOS 8
Fail2ban is a security tool that adjusts firewall rules dynamically based on what it sees in system logs. It reacts quickly and is easy to operate: a filter turns log lines into "failures" per source address, and once an address exceeds `maxretry` failures inside `findtime` an action (typically a firewall rule) bans it for `bantime`.
## Overview

### Installation

```shell
# Fail2ban is packaged by the Fedora community, so the EPEL repository has to be added first
dnf install -y epel-release
dnf makecache
dnf update -y
dnf install -y fail2ban
systemctl enable --now fail2ban.service
```

On CentOS 8 the EPEL `fail2ban` package pulls in `fail2ban-firewalld`, which is why a `jail.d/00-firewalld.conf` drop-in appears in the configuration tree below.
### Configuration

```shell
[root@centos fail2ban]# tree /etc/fail2ban/
/etc/fail2ban/                 # configuration directory
├── action.d                   # actions a jail can run when it bans: firewall blocks, e-mail notifications, ...
│   ├── abuseipdb.conf
│   ├── apf.conf
│   ├── badips.conf
│   ├── badips.py
│   ├── blocklist_de.conf
│   ├── cloudflare.conf
│   ├── dshield.conf
│   ├── dummy.conf
│   ├── firewallcmd-allports.conf
│   ├── firewallcmd-common.conf
│   ├── firewallcmd-ipset.conf
│   ├── firewallcmd-multiport.conf
│   ├── firewallcmd-new.conf
│   ├── firewallcmd-rich-logging.conf
│   ├── firewallcmd-rich-rules.conf
│   ├── helpers-common.conf
│   ├── iptables-allports.conf
│   ├── iptables-common.conf
│   ├── iptables.conf
│   ├── iptables-ipset-proto4.conf
│   ├── iptables-ipset-proto6-allports.conf
│   ├── iptables-ipset-proto6.conf
│   ├── iptables-multiport.conf
│   ├── iptables-multiport-log.conf
│   ├── iptables-new.conf
│   ├── iptables-xt_recent-echo.conf
│   ├── mail-whois-common.conf
│   ├── mynetwatchman.conf
│   ├── netscaler.conf
│   ├── nftables-allports.conf
│   ├── nftables.conf
│   ├── nftables-multiport.conf
│   ├── nginx-block-map.conf
│   ├── npf.conf
│   ├── nsupdate.conf
│   ├── route.conf
│   ├── sendmail-buffered.conf
│   ├── sendmail-common.conf
│   ├── sendmail.conf
│   ├── sendmail-geoip-lines.conf
│   ├── sendmail-whois.conf
│   ├── sendmail-whois-ipjailmatches.conf
│   ├── sendmail-whois-ipmatches.conf
│   ├── sendmail-whois-lines.conf
│   ├── sendmail-whois-matches.conf
│   ├── shorewall-ipset-proto6.conf
│   ├── smtp.py
│   ├── symbiosis-blacklist-allports.conf
│   └── xarf-login-attack.conf
├── fail2ban.conf              # configuration of the fail2ban server itself (log target, socket, ...)
├── fail2ban.d
├── filter.d                   # filters: the regexes that turn log lines of each service into failures
│   ├── 3proxy.conf
│   ├── apache-auth.conf
│   ├── apache-badbots.conf
│   ├── apache-botsearch.conf
│   ├── apache-common.conf
│   ├── apache-fakegooglebot.conf
│   ├── apache-modsecurity.conf
│   ├── apache-nohome.conf
│   ├── apache-noscript.conf
│   ├── apache-overflows.conf
│   ├── apache-pass.conf
│   ├── apache-shellshock.conf
│   ├── assp.conf
│   ├── asterisk.conf
│   ├── bitwarden.conf
│   ├── botsearch-common.conf
│   ├── centreon.conf
│   ├── common.conf
│   ├── counter-strike.conf
│   ├── courier-auth.conf
│   ├── courier-smtp.conf
│   ├── cyrus-imap.conf
│   ├── directadmin.conf
│   ├── domino-smtp.conf
│   ├── dovecot.conf
│   ├── dropbear.conf
│   ├── drupal-auth.conf
│   ├── ejabberd-auth.conf
│   ├── exim-common.conf
│   ├── exim.conf
│   ├── exim-spam.conf
│   ├── freeswitch.conf
│   ├── froxlor-auth.conf
│   ├── gitlab.conf
│   ├── grafana.conf
│   ├── groupoffice.conf
│   ├── gssftpd.conf
│   ├── guacamole.conf
│   ├── haproxy-http-auth.conf
│   ├── horde.conf
│   ├── ignorecommands
│   │   └── apache-fakegooglebot
│   ├── kerio.conf
│   ├── lighttpd-auth.conf
│   ├── mongodb-auth.conf
│   ├── monit.conf
│   ├── murmur.conf
│   ├── mysqld-auth.conf
│   ├── nagios.conf
│   ├── named-refused.conf
│   ├── nginx-botsearch.conf
│   ├── nginx-http-auth.conf
│   ├── nginx-limit-req.conf
│   ├── nsd.conf
│   ├── openhab.conf
│   ├── openwebmail.conf
│   ├── oracleims.conf
│   ├── pam-generic.conf
│   ├── perdition.conf
│   ├── phpmyadmin-syslog.conf
│   ├── php-url-fopen.conf
│   ├── portsentry.conf
│   ├── postfix.conf
│   ├── proftpd.conf
│   ├── pure-ftpd.conf
│   ├── qmail.conf
│   ├── recidive.conf
│   ├── roundcube-auth.conf
│   ├── screensharingd.conf
│   ├── selinux-common.conf
│   ├── selinux-ssh.conf
│   ├── sendmail-auth.conf
│   ├── sendmail-reject.conf
│   ├── sieve.conf
│   ├── slapd.conf
│   ├── softethervpn.conf
│   ├── sogo-auth.conf
│   ├── solid-pop3d.conf
│   ├── squid.conf
│   ├── squirrelmail.conf
│   ├── sshd.conf
│   ├── stunnel.conf
│   ├── suhosin.conf
│   ├── tine20.conf
│   ├── traefik-auth.conf
│   ├── uwimap-auth.conf
│   ├── vsftpd.conf
│   ├── webmin-auth.conf
│   ├── wuftpd.conf
│   ├── xinetd-fail.conf
│   ├── znc-adminlog.conf
│   └── zoneminder.conf
├── jail.conf                  # jail definitions: which filter, log, ports and action protect each service
├── jail.d
│   └── 00-firewalld.conf
├── paths-common.conf
└── paths-fedora.conf

5 directories, 145 files
```
## Initial use

### Defining a service

The configuration directory contains `jail.conf`; each `[section]` in it is a jail, and editing it is how access to a service is put "in jail". Note that `jail.conf` is replaced on every package update: the supported place for local changes is `jail.local` (or a file under `jail.d/`), which uses the same syntax and is loaded after `jail.conf`, overriding it. The settings below work identically in either file.
```shell
[root@centos fail2ban]# cp jail.conf jail.confbak
[root@centos fail2ban]# vim jail.conf
```

```ini
# default settings, inherited by every jail
[DEFAULT]
# how long an address stays banned
bantime = 15m
# window in which failures are counted
findtime = 10m
# failures allowed inside findtime: the 5th failure within 10 minutes earns a 15-minute ban
maxretry = 5
# number of matched log lines kept per ban (used by actions that mail the matching lines)
maxmatches = %(maxretry)s
# read the systemd journal instead of log files; logpath is ignored by this backend
backend = systemd
# resolve hostnames found in log lines, but log a warning (bans always need an IP)
usedns = warn
# log files are read as utf-8
logencoding = utf-8
# keep every jail disabled by default and switch them on one by one below
# (the original had "enabled = ture" here: a typo, and enabling all jails in [DEFAULT]
#  makes fail2ban fail to start on jails whose logs do not exist)
enabled = false
# filter mode; the sshd filter also offers ddos, extra and aggressive
mode = normal
# filter module, by default the one named after the jail
filter = %(__name__)s[mode=%(mode)s]
# ban through firewall-cmd plus an ipset; the upstream default is iptables-multiport
banaction = firewallcmd-ipset[actiontype=<multiport>]
banaction_allports = firewallcmd-ipset[actiontype=<allports>]

# protect SSHD
[sshd]
enabled = true
filter = sshd
port = 22
# not consulted while backend = systemd; the journal is read instead
logpath = /var/log/secure
```
### Countering SSH brute force

```shell
[root@sklnx001 ~]# systemctl restart fail2ban
[root@sklnx001 ~]# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd
[root@sklnx001 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```

The `Journal matches` line confirms that the jail is reading the systemd journal for `sshd.service` rather than `/var/log/secure`. Once an address fails five times within ten minutes it appears under `Banned IP list` and in the `f2b-sshd` ipset created by the `firewallcmd-ipset` action.
### Common commands

```shell
# show the state of a jail and its banned IPs; sshd is the jail name
# (the [wordpress] jail defined below is queried the same way)
fail2ban-client status sshd
# lift a ban early (delignoreip, used in the original, only removes an address from the
# ignore list and does not unban anything)
fail2ban-client set sshd unbanip 192.168.111.111
# follow the fail2ban log
tail /var/log/fail2ban.log
```
## Advanced use

### Protecting WordPress

Create a filter in `filter.d` that matches requests to the WordPress login page. The `<HOST>` tag (lost in the original rendering, where it was eaten as an HTML tag) is mandatory: fail2ban replaces it with the capture group that yields the address to ban. Note that this regex matches every request to `/wp-login.php`, GET as well as POST, so the thresholds below count page loads, not just failed logins.

```shell
vi /etc/fail2ban/filter.d/wordpress.conf
```

```ini
[Definition]
failregex = ^<HOST> -.* /wp-login.php.* HTTP/1\.."
ignoreregex =
```
Then add a jail that watches the nginx access log and bans from it. Two things the original omitted: `action_mwl` mails the whois record and matching log lines on every ban, so it needs a working `sendmail` and `whois`; and because `[DEFAULT]` above set `backend = systemd`, a file-based jail must override the backend or its `logpath` is silently ignored and nothing is ever banned.

```ini
[wordpress]
enabled = true
port = http,https
filter = wordpress
# ban + e-mail with whois and log lines; requires sendmail and whois
action = %(action_mwl)s
# this jail reads a file, so override the systemd backend inherited from [DEFAULT]
backend = auto
# 20 hits on wp-login.php within 60 seconds -> banned for one hour
maxretry = 20
findtime = 60
bantime = 3600
logpath = /usr/local/nginx/logs/access.log
```
### Mitigating CC (HTTP flood) attacks

The original heading called this "preventing half-open connection attacks", but that is not what the jail does: a SYN flood never completes a TCP handshake, so it never produces an access-log line and fail2ban cannot see it (kernel SYN cookies and `net.ipv4.tcp_max_syn_backlog` are the tools for that). What this filter actually does is match every completed HTTP request, turning fail2ban into a crude per-IP request rate limiter against CC-style floods. First create an nginx log matching rule (again with the `<HOST>` tag restored):

```shell
vi /etc/fail2ban/filter.d/nginx-cc.conf
```

```ini
[Definition]
failregex = ^<HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
```
Then add the jail. Because the filter matches every request, including images, scripts and stylesheets, `maxretry = 20` in 60 seconds will ban an ordinary browser that loads one page with two dozen assets; either raise the thresholds, exclude static paths via `ignoreregex`, or match nginx's own `limit_req` error lines (the bundled `nginx-limit-req` filter) instead.

```ini
[nginx-cc]
enabled = true
port = http,https
filter = nginx-cc
action = %(action_mwl)s
# file-based jail: override the systemd backend inherited from [DEFAULT]
backend = auto
maxretry = 20
findtime = 60
bantime = 3600
logpath = /usr/local/nginx/logs/access.log
```
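To see what the `wordpress` and `nginx-cc` jails above actually do, here is an added Python re-implementation of fail2ban's filter plus `findtime`/`maxretry`/`bantime` loop, run over constructed nginx access-log lines. It is illustration only, not fail2ban's own code: the `HOST_TAG` expansion is a simplified form of what fail2ban substitutes for `<HOST>`, the `Jail` class is a minimal model, and the two hosts (10.0.0.5 as a password-guessing bot, 192.0.2.10 as a normal visitor) and their log lines are made up. It shows that the WordPress filter bans only the bot, while the `nginx-cc` filter also bans the visitor who merely loaded a page with 24 images.

```python
"""Mini model of fail2ban's filter / findtime / maxretry / bantime logic.
Illustration only (not fail2ban's code), fed with constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# fail2ban rewrites the <HOST> tag into a named capture group before compiling;
# this is a simplified version of that expansion (assumption: fine for IP literals).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from the page, with the <HOST> tag restored.
WORDPRESS_REGEX = r'^<HOST> -.* /wp-login.php.* HTTP/1\.."'
NGINX_CC_REGEX = r"^<HOST> -.*- .*HTTP/1.* .* .*$"


class Jail:
    """One jail: count regex matches per host inside a sliding findtime window."""

    def __init__(self, name, failregex, maxretry, findtime, bantime):
        self.name = name
        self.regex = re.compile(failregex.replace("<HOST>", HOST_TAG))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of matches (epoch seconds)
        self.banned = {}                    # host -> ban expiry (epoch seconds)

    def is_banned(self, host, ts):
        expiry = self.banned.get(host)
        if expiry is not None and ts < expiry:
            return True
        self.banned.pop(host, None)         # ban expired (or never existed)
        return False

    def feed(self, ts, line):
        """Process one log line; return the host if this line triggers a new ban."""
        m = self.regex.search(line)
        if not m:
            return None
        host = m.group("host")
        if self.is_banned(host, ts):
            return None
        window = self.failures[host]
        window.append(ts)
        while window[0] < ts - self.findtime:   # forget matches older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            window.clear()
            return host
        return None


def make_line(host, when, request, status=200):
    """Constructed nginx 'combined' access-log line (sample data, not a real capture)."""
    return f'{host} - - [{when:%d/%b/%Y:%H:%M:%S %z}] "{request}" {status} 512 "-" "Mozilla/5.0"'


TS_RE = re.compile(r"\[([^\]]+)\]")


def line_time(line):
    """Epoch seconds from the [dd/Mon/yyyy:HH:MM:SS +zzzz] field of an access-log line."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()


def run_scenario():
    """Replay two hosts through both jails; return ({jail: banned hosts}, jails, start epoch)."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone(timedelta(hours=8)))
    lines = []
    # 10.0.0.5: password-guessing bot, 25 POSTs to wp-login.php over 50 seconds
    for i in range(25):
        lines.append(make_line("10.0.0.5", base + timedelta(seconds=2 * i),
                               "POST /wp-login.php HTTP/1.1"))
    # 192.0.2.10: ordinary visitor, one page plus 24 images within about 10 seconds
    for i in range(25):
        path = "/index.php" if i == 0 else f"/wp-content/uploads/img{i}.png"
        lines.append(make_line("192.0.2.10", base + timedelta(milliseconds=400 * i),
                               f"GET {path} HTTP/1.1"))
    lines.sort(key=line_time)

    jails = [Jail("wordpress", WORDPRESS_REGEX, maxretry=20, findtime=60, bantime=3600),
             Jail("nginx-cc", NGINX_CC_REGEX, maxretry=20, findtime=60, bantime=3600)]
    result = {}
    for jail in jails:
        for line in lines:
            jail.feed(line_time(line), line)
        result[jail.name] = sorted(jail.banned)
    return result, jails, base.timestamp()


if __name__ == "__main__":
    result, jails, t0 = run_scenario()
    for name, hosts in result.items():
        print(f"{name}: banned {hosts or 'nobody'}")
    # bantime is 3600 s, so the bot's WordPress ban has lapsed an hour later
    print("bot still banned after bantime?", jails[0].is_banned("10.0.0.5", t0 + 3700))
```

On the real host the equivalent check is `fail2ban-regex /usr/local/nginx/logs/access.log /etc/fail2ban/filter.d/nginx-cc.conf`, which reports how many lines of the log each failregex matches; if that number is close to the total line count, the filter will ban legitimate users as readily as attackers, exactly as the visitor in this scenario shows.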
## References

- Fail2ban 防护 DDOS 攻击 (Fail2ban against DDoS attacks): https://www.cnblogs.com/ipyanthony/p/9336142.html
- 使用 Fail2Ban 保护 Nginx/Wordpress 简单又高效 (Protecting Nginx/WordPress with Fail2Ban, simple and effective): https://zhuanlan.zhihu.com/p/71818778