Installing Fail2ban on CentOS 7 with Firewalld Support


Fail2ban
Recently I noticed that the site was constantly being hit by brute-force attempts from unknown sources, which brought Fail2ban to mind. On a CentOS 6 or 7 system we can install Fail2ban to block a good share of the brute-force attempts against SSH or FTP accounts; it may not solve the problem entirely, but it takes care of the common cases.


1. Installing Fail2ban

CentOS 6
rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/fail2ban-0.9.3-1.el6.1.noarch.rpm
yum install fail2ban*
CentOS 7
rpm -ivh https://dl.fedoraproject.org/pub/epel/7/x86_64/f/fail2ban-0.9.3-1.el7.noarch.rpm
yum install fail2ban*

2. Configuring Fail2ban

Fail2ban's directory layout

/etc/fail2ban/
├── action.d
│ ├── dummy.conf
│ ├── hostsdeny.conf
│ ├── iptables.conf
│ ├── mail-whois.conf
│ ├── mail.conf
│ └── shorewall.conf
├── fail2ban.conf
├── fail2ban.local
├── filter.d
│ ├── apache-auth.conf
│ ├── apache-noscript.conf
│ ├── couriersmtp.conf
│ ├── postfix.conf
│ ├── proftpd.conf
│ ├── qmail.conf
│ ├── sasl.conf
│ ├── sshd.conf
│ └── vsftpd.conf
├── jail.conf
└── jail.local

Note that every setting in a .conf file is overridden by the same setting in the corresponding .local file.
# Create a new jail.local file

vi /etc/fail2ban/jail.local

Fill in the following content:


[DEFAULT]
# set a higher bantime and findtime
bantime=1200
findtime=1800
# set max number of attempts
maxretry = 5
# set mail receiver
destemail = admin@domain.tld
sender = fail2ban@domain.tld
# Default banning action
# banaction must be firewallcmd-ipset here; this is the key to firewalld support
banaction = firewallcmd-ipset
# enable sending mails, whois and logfile sections by choosing the "action_mwl" template,
# see jail.conf for details
action = %(action_mwl)s

[sshd]
enabled = true
port    = 10068

[sshd-ddos]
enabled = true
port = 10068

[vsftpd]
enabled = true
port = 10021

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath = /var/log/nginx/error.log

[nginx-noscript]
enabled  = true
port     = http,https
filter   = nginx-noscript
logpath  = /var/log/nginx/access.log
maxretry = 6

[nginx-nohome]
enabled  = true
port     = http,https
filter   = nginx-nohome
logpath  = /var/log/nginx/access.log
maxretry = 2

[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

[nginx-noproxy]
enabled  = true
port     = http,https
filter   = nginx-noproxy
logpath  = /var/log/nginx/access.log
maxretry = 2
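As an added example (not from the original post and not fail2ban's own code), the following Python script shows what the .conf/.local layering described above actually produces: it reads a cut-down, constructed stand-in for the packaged jail.conf, then the jail.local settings from this post, and returns the effective options of every enabled jail, so you can confirm before restarting that [DEFAULT] values such as banaction = firewallcmd-ipset really reach each jail. The jail.conf fragment and the helper names are assumptions of this example.

```python
"""Compute the effective per-jail settings from a jail.conf / jail.local pair.
Added example, not part of the original post or of fail2ban. Both fragments
below are constructed; JAIL_CONF is a cut-down stand-in for the packaged file."""
import configparser

JAIL_CONF = """\
[DEFAULT]
enabled = false
bantime = 600
findtime = 600
maxretry = 3
banaction = iptables-multiport

[sshd]
port = ssh
logpath = /var/log/secure

[vsftpd]
port = ftp
logpath = /var/log/vsftpd.log

[nginx-http-auth]
port = http,https
logpath = /var/log/nginx/error.log
"""

# the jail.local values from this post, trimmed to three jails
JAIL_LOCAL = """\
[DEFAULT]
bantime = 1200
findtime = 1800
maxretry = 5
banaction = firewallcmd-ipset

[sshd]
enabled = true
port = 10068

[nginx-http-auth]
enabled = true

[nginx-nohome]
enabled = true
port = http,https
filter = nginx-nohome
logpath = /var/log/nginx/access.log
maxretry = 2
"""


def effective_jails(conf_text, local_text):
    """Return {jail: {option: value}} for every enabled jail.

    Reading .conf first and .local second reproduces the rule that a .local
    value overrides the .conf value; [DEFAULT] options are inherited by every
    section unless the section sets its own. Interpolation is disabled because
    fail2ban's %(action_mwl)s-style substitutions are resolved by fail2ban
    itself, not by configparser.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    parser.read_string(local_text)
    result = {}
    for jail in parser.sections():          # sections() never includes DEFAULT
        if parser.getboolean(jail, "enabled", fallback=False):
            result[jail] = dict(parser.items(jail))   # items() merges DEFAULT in
    return result


def missing_logpath(jails):
    """Enabled jails that ended up without a logpath; fail2ban needs at least
    one log file per jail, so these would fail to start."""
    return sorted(j for j, opts in jails.items() if "logpath" not in opts)


if __name__ == "__main__":
    for jail, opts in effective_jails(JAIL_CONF, JAIL_LOCAL).items():
        print(jail, {k: opts[k] for k in ("port", "logpath", "maxretry", "banaction")})
    print("jails without logpath:", missing_logpath(effective_jails(JAIL_CONF, JAIL_LOCAL)))
```

The same approach works on the real files: replace the two constants with the contents of /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local and you get the values fail2ban will use for each jail you enabled.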

Next we create the filter rule files for the jails above; all of them live in /etc/fail2ban/filter.d/.

vim /etc/fail2ban/filter.d/nginx-http-auth.conf

# fail2ban filter configuration for nginx
[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =
........
cp /etc/fail2ban/filter.d/apache-badbots.conf /etc/fail2ban/filter.d/nginx-badbots.conf
vim /etc/fail2ban/filter.d/nginx-noscript.conf
[Definition]

failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)

ignoreregex =

Save and exit.

vim /etc/fail2ban/filter.d/nginx-nohome.conf
[Definition]

failregex = ^<HOST> -.*GET .*/~.*

ignoreregex =
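To check the filters before relying on them, the following Python script (an added example, not from the original post or from fail2ban) compiles the three failregex definitions above, runs them over constructed nginx error.log and access.log lines, and replays the jail's findtime/maxretry window to show which client would be banned and when. The <HOST> expansion and the timestamp handling are simplified stand-ins for what fail2ban does internally (fail2ban's real <HOST> also covers IPv6 addresses and hostnames); all sample log lines and IP addresses are constructed.

```python
"""Test the nginx filters above against sample log lines and replay the jail
window. Added example: not from the original post or from fail2ban. All log
lines and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a pattern for an IP address or hostname; this
# stand-in (an assumption of this example) accepts IPv4 addresses only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex definitions exactly as written in the filter files above
FILTERS = {
    "nginx-http-auth": [
        r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$',
        r'^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$',
    ],
    "nginx-noscript": [r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)"],
    "nginx-nohome": [r"^<HOST> -.*GET .*/~.*"],
}
COMPILED = {jail: [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
            for jail, patterns in FILTERS.items()}

# Simplified date detector for the two log formats used here: nginx error.log
# ("2016/01/01 12:00:00 [error] ...") and the combined access.log
# ("... [01/Jan/2016:12:00:00 +0000] ..."). fail2ban parses the timestamp and
# matches failregex against the line with the timestamp cut out, which is why
# the error-log regexes begin with "^ \[error\]" (note the leading space).
DATE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
    r"|\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def split_date(line):
    """Return (timestamp, line with the timestamp removed)."""
    m = DATE_RE.search(line)
    if m is None:
        return None, line
    if m.group(1):
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    else:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
    return ts, line[:m.start()] + line[m.end():]


def match_failure(jail, line):
    """Return (timestamp, host) if a failregex of the jail matches, else None."""
    ts, rest = split_date(line.rstrip("\r\n"))
    for regex in COMPILED[jail]:
        m = regex.search(rest)
        if m:
            return ts, m.group("host")
    return None


def replay_jail(jail, lines, findtime, maxretry):
    """Return [(host, ban time)]: a host is banned once it has maxretry
    failures inside the last findtime seconds, as configured in jail.local."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    bans = []
    for line in lines:
        hit = match_failure(jail, line)
        if hit is None:
            continue
        ts, host = hit
        recent = [t for t in failures[host] if ts - t <= window] + [ts]
        if len(recent) >= maxretry:
            bans.append((host, ts))
            failures[host] = []      # counter is reset once the host is banned
        else:
            failures[host] = recent
    return bans


# Five wrong passwords from one client within 40 seconds, one unauthenticated
# request from another client, and one unrelated notice line (all constructed).
ERROR_LOG = [
    f'2016/01/01 12:00:{s:02d} [error] 1234#0: *{i} user "admin": password mismatch, '
    'client: 203.0.113.10, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"'
    for i, s in enumerate(range(0, 50, 10), start=1)
] + [
    '2016/01/01 12:01:00 [error] 1234#0: *6 no user/password was provided for basic '
    'authentication, client: 198.51.100.7, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"',
    '2016/01/01 12:01:01 [notice] 1234#0: signal process started',
]
ACCESS_LOG = [
    '198.51.100.7 - - [01/Jan/2016:12:02:00 +0000] "GET /~root/ HTTP/1.1" 404 162 "-" "curl/7.29.0"',
    '198.51.100.7 - - [01/Jan/2016:12:02:01 +0000] "GET /~admin/ HTTP/1.1" 404 162 "-" "curl/7.29.0"',
    '192.0.2.44 - - [01/Jan/2016:12:02:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2016:12:02:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for jail, lines, retry in (("nginx-http-auth", ERROR_LOG, 5),
                               ("nginx-nohome", ACCESS_LOG, 2),
                               ("nginx-noscript", ACCESS_LOG, 6)):
        print(jail, replay_jail(jail, lines, findtime=1800, maxretry=retry))
```

On a real system the equivalent check is the fail2ban-regex tool that ships with the package, e.g. fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf, which reports how many lines each failregex matched; the script above is useful when you want to see the findtime/maxretry decision as well.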

Save and exit.
Now restart the service and check the result:

systemctl restart fail2ban.service
fail2ban-client status
Status
|- Number of jail:      6
`- Jail list:           nginx-noproxy, nginx-noscript, nginx-nohome, nginx-http-auth, nginx-badbots, ssh

Let's see the effect in a test environment:

fail2ban-client status nginx-http-auth
Status for the jail: nginx-http-auth
|- filter
|  |- File list:        /var/log/nginx/error.log 
|  |- Currently failed: 0
|  `- Total failed:     12
`- action
   |- Currently banned: 1
   |  `- IP list:       111.111.111.111
   `- Total banned:     1     

Once you have confirmed that the rule works, you can manually unban the IP so it can access the site again:

fail2ban-client set nginx-http-auth unbanip 111.111.111.111

Conclusion

Configuring Fail2ban is a very effective way to prevent brute-force attacks. Its settings are flexible: through /etc/fail2ban/jail.local you can design a defence scheme of your own.
Finally, the official documentation: http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
Red Hat's documentation on using it: https://bugzilla.redhat.com/attachment.cgi?id=791126
