Fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是调用防火墙屏蔽),如:当有人在试探你的HTTP、SSH、SMTP、FTP密码,只要达到你预设的次数,fail2ban就会调用防火墙屏蔽这个IP,而且可以发送e-mail通知系统管理员,是一款很实用、很强大的软件! Fail2ban由python语言开发,基于logwatch、gamin、iptables、tcp-wrapper、shorewall等。如果想要发送邮件通知道,那还需要安装postfix或sendmail。
在外网环境下,有很多的恶意扫描和密码猜测等恶意攻击行为,使用Fail2ban配合iptables,实现动态防火墙是一个很好的解决方案
一 安装Fail2ban
-
1 下载
-
# wget -v https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.3 -O fail2ban-0.9.3.tar.gz
-
# tar zxvf fail2ban-0.9.3.tar.gz
-
# cd fail2ban-0.9.3
-
# yum -y install python
-
# python setup.py install
二 配置Fail2ban
1. 安装完成后配置文件在目录/etc/fail2ban/中:
/etc/fail2ban/fail2ban.conf #fail2ban的配置文件
/etc/fail2ban/jail.conf #阻挡设定文件
/etc/fail2ban/filter.d/ #具体过滤规则文件目录
/etc/fail2ban/action.d/ #具体过滤规则检测到后采取相对应措施的目录
2. 编辑jail.conf,加入
-
[nginx] //规则的名称
-
enabled = true //是否启用 (true/false)
-
port = http,https // 监控的端口
-
filter = nginx //匹配的规则名称 对应filter.d/nginx.conf
-
logpath = /usr/local/nginx/logs/access.log //检测的日志文件路径
-
findtime = 60 //检测周期,单位秒
-
bantime = 300 //iptables封禁IP的时间,单位秒
-
maxretry = 10 //最大尝试次数
-
action = iptables-multiport[name=cc-attrack, port="http", protocol=tcp] //动作的相关参数,对应action.d/iptables.conf文件
-
sendmail[name=nginx, dest=xxxx@qq.com] // 匹配到后使用senmail邮件通知
-
#ignoreip = 192.168.1.146 // 白名单
-
3 添加 /etc/fail2ban/filter.d/nginx.conf , 这里用index.html举例,实际可以换成网站login页面或其它,例如login.php/login.jsp
-
[Definition]
-
failregex =<HOST> .*GET.*/index.html.*$
-
ignoreregex =
4 上面配置完成后要使用fail2ban-regex命令,查看日志中是否匹配到,如果规则写的不对,那后面就没办法匹配到IP,
-
[root@localhost ~]# fail2ban-regex /usr/local/nginx/logs/access.log /etc/fail2ban/filter.d/nginx.conf
Running tests
=============
Use failregex filter file : nginx, basedir: /etc/fail2ban
Use log file : /usr/local/nginx/logs/access.log
Use encoding : ANSI_X3.4-1968
Results
=======
Failregex: 101 total
|- #) [# of hits] regular expression
| 1) [101] .*GET.*/index.html.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [101] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 101 lines, 0 ignored, 101 matched, 0 missed [processed in 0.01 sec]
匹配到101条,上面设置maxretry = 10// 匹配到10次将会封掉此ip
使用fail2ban-client可以查看当前的状态,可以看到jail有一项nginx运行
[root@localhost ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: nginx
查看具体的jail中的nginx状态
[root@localhost ~]# fail2ban-client status nginx
Status for the jail: nginx
|- Filter
| |- Currently failed: 0
| |- Total failed: 202
| `- File list: /usr/local/nginx/logs/access.log
`- Actions
|- Currently banned: 0
|- Total banned: 2
`- Banned IP list:
5 启动iptables 和 fail2ban
-
# /etc/init.d/iptables start
-
# /etc/init.d/fail2ban start
6 如果你的iptables 高于1.4.0 启动fail2ban你将会在/var/log/fail2ban中看到如下报错,
-
2016-01-15 01:40:29,778 fail2ban.action [7167]: ERROR iptables -w -N f2b-cc-attrack
-
iptables -w -A f2b-cc-attrack -j RETURN
-
iptables -w -I INPUT -p tcp -m multiport --dports http -j f2b-cc-attrack -- stdout: ''
-
2016-01-15 01:40:29,778 fail2ban.action [7167]: ERROR iptables -w -N f2b-cc-attrack
-
iptables -w -A f2b-cc-attrack -j RETURN
-
iptables -w -I INPUT -p tcp -m multiport --dports http -j f2b-cc-attrack -- stderr: "iptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires
-
an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\n"
主要是因为iptables 1.4.0版以后去掉的-w参数, 所以我们需要编辑/etc/fail2ban/action.d/iptables-common.conf
-
lockingopt = -w 修改为 #lockingopt = -w
-
iptables = iptables 修改为 iptables = iptables
7 然后重启fail2ban
-
# /etc/init.d/fail2ban start
-
-
如果启动正常将会看到如下日志:
-
2016-01-15 01:48:03,782 fail2ban.server [7271]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3
-
2016-01-15 01:48:03,782 fail2ban.database [7271]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
-
2016-01-15 01:48:03,786 fail2ban.jail [7271]: INFO Creating new jail 'nginx'
-
2016-01-15 01:48:03,787 fail2ban.jail [7271]: INFO Jail 'nginx' uses poller
-
2016-01-15 01:48:03,799 fail2ban.filter [7271]: INFO Set jail log file encoding to UTF-8
-
2016-01-15 01:48:03,799 fail2ban.jail [7271]: INFO Initiated 'polling' backend
-
2016-01-15 01:48:03,805 fail2ban.filter [7271]: INFO Added logfile = /usr/local/nginx/logs/access.log
-
2016-01-15 01:48:03,805 fail2ban.filter [7271]: INFO Set maxRetry = 10
-
2016-01-15 01:48:03,806 fail2ban.filter [7271]: INFO Set jail log file encoding to UTF-8
-
2016-01-15 01:48:03,806 fail2ban.actions [7271]: INFO Set banTime = 300
-
2016-01-15 01:48:03,807 fail2ban.filter [7271]: INFO Set findtime = 60
-
2016-01-15 01:48:03,815 fail2ban.jail [7271]: INFO Jail 'nginx' started
8 测试, 监控nginx日志,测试机ip为192.168.1.147,
-
[root@localhost sysconfig]# ab -n 11 -c 11 http://192.168.1.146/index.html
-
查看日志,其中192.168.1.147被匹配到了
-
[root@localhost ~]# tail /var/log/fail2ban.log
2016-01-15 01:52:37,397 fail2ban.actions [7271]: NOTICE [nginx] Ban 192.168.1.147
查看iptanles,发现192.168.1.147被REJECT
[root@localhost ~]# iptables -nvL
Chain f2b-cc-attrack (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 192.168.1.147 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
9 手动解封IP
点击(此处)折叠或打开
-
查找line 编号
-
[root@localhost ~]# iptables -nvL --line-numbers
-
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
-
num pkts bytes target prot opt in out source destination
-
1 1218 83559 f2b-cc-attrack tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80
-
2 2036 150K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
-
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
-
4 273 16380 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
-
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
-
6 203 12172 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
-
7 4896 407K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
-
-
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-
num pkts bytes target prot opt in out source destination
-
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
-
-
Chain OUTPUT (policy ACCEPT 13 packets, 2976 bytes)
-
num pkts bytes target prot opt in out source destination
-
-
Chain f2b-cc-attrack (1 references)
-
num pkts bytes target prot opt in out source destination
-
1 0 0 REJECT all -- * * 192.168.1.147 0.0.0.0/0 reject-with icmp-port-unreachable
-
2 1218 83559 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
删除这个编号的规则
-
[root@localhost ~]# # iptables -D f2b-cc-attrack 1
10 增加监控sshd日志,编辑jail.conf 增加下面几项
-
[sshd]
-
enabled = true
-
filter = sshd
-
port = ssh
-
logpath = /var/log/secure
-
findtime = 60
-
bantime = 300
-
maxretry = 2
-
action = iptables-multiport[name=SSH, port="ssh", protocol=tcp]
11 系统已经创建了SSHD的模板 我们只要注意jail.conf中filter = sshd
12 验证之前所写的规则是否有效,从面可以看出192.168.1.147在使用SSHD登陆2次输错密码后,IP就会被封禁
-
[root@localhost filter.d]# fail2ban-client status sshd
-
Status for the jail: sshd
-
|- Filter
-
| |- Currently failed: 0
-
| |- Total failed: 0
-
| `- File list: /var/log/secure
-
`- Actions
-
|- Currently banned: 0
-
|- Total banned: 0
-
`- Banned IP list:
-
[root@localhost filter.d]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
-
-
Running tests
-
=============
-
-
Use failregex filter file : sshd, basedir: /etc/fail2ban
-
Use maxlines : 10
-
Use log file : /var/log/secure
-
Use encoding : ANSI_X3.4-1968
-
-
-
Results
-
=======
-
-
Failregex: 10 total
-
|- #) [# of hits] regular expression
-
| 3) [7] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
-
| 16) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
-
`-
-
-
Ignoreregex: 0 total
-
-
Date template hits:
-
|- [# of hits] date format
-
| [277] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
-
`-
-
-
Lines: 277 lines, 0 ignored, 10 matched, 267 missed [processed in 0.17 sec]
-
Missed line(s): too many to print. Use --print-all-missed to print all 267 lines
-
[root@localhost filter.d]# fail2ban-client status sshd
-
Status for the jail: sshd
-
|- Filter
-
| |- Currently failed: 0
-
| |- Total failed: 2
-
| `- File list: /var/log/secure
-
`- Actions
-
|- Currently banned: 1
-
|- Total banned: 1
-
`- Banned IP list: 192.168.1.147
[root@localhost filter.d]# iptables -nvL
Chain f2b-SSH (1 references)
pkts bytes target prot opt in out source destination
6 1176 REJECT all -- * * 192.168.1.147 0.0.0.0/0 reject-with icmp-port-unreachable
13 最后,将fail2ban和iptables 设置为开机启动
[root@localhost filter.d]# chkconfig fail2ban on
[root@localhost filter.d]# chkconfig iptables on
14 未完....... 上面关于email的选项配置未成功.
参考文章:http://my.oschina.net/monkeyzhu/blog/418592
阅读(5382) | 评论(0) | 转发(0) |
