Jusene's Blog

fail2ban, a sharp tool against network probing

Word count: 1.8k  Reading time: 9 min
2017/02/24

fail2ban

fail2ban watches your system logs, matches the error messages in them against regular expressions, and once a match threshold is reached runs a configured action (normally a firewall block). For example, when someone is guessing your SSH, SMTP, FTP or HTTP passwords, as soon as they reach the number of failures you set, fail2ban has the firewall block that IP and can e-mail the administrator. It is a very practical and powerful tool. Keep in mind that fail2ban itself only monitors and counts; the blocking is done by the action it calls, which in this post is iptables (action.d also ships other backends, such as firewallcmd and mail).

Server installation

fail2ban is packaged in the EPEL repository (it was accepted by the Fedora project, which says something about how established it is), so the first step is to configure the EPEL repo:

There are many ways to configure EPEL; the laziest is yum install -y epel-release.

There are also many EPEL mirrors in China; NetEase, Aliyun and Sohu are all solid choices run by large operators. Below I use the Aliyun mirror. Note that a reputable mirror gives you availability, not integrity: the packages should still be verified by signature (see the gpgcheck line below).

[root@localhost ~]#cd /etc/yum.repos.d/
[root@localhost /etc/yum.repos.d]#vim epel.repo 
[aliyun_epel]
name=epel
baseurl=http://mirrors.aliyun.com/epel/7Server/$basearch/
enabled=1
gpgcheck=0
cost=1000
[root@localhost /etc/yum.repos.d]#yum repolist
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * extras: mirrors.163.com
 * updates: mirrors.163.com
repo id                 repo name               status
aliyun_epel/x86_64      epel                    11,236
base/7/x86_64           CentOS-7 - Base          9,363
extras/7/x86_64         CentOS-7 - Extras          263
updates/7/x86_64        CentOS-7 - Updates         844
repolist: 21,706

The EPEL repo is now active, and yum install -y fail2ban installs fail2ban. One caveat on the repo file above: gpgcheck=0 turns off RPM signature verification, so whatever the mirror serves gets installed as-is. Unless you verify the packages some other way, set gpgcheck=1 and point gpgkey at the EPEL 7 signing key that epel-release installs under /etc/pki/rpm-gpg/.

Post-install configuration

After installation the configuration lives under /etc/fail2ban:

  • /etc/fail2ban/action.d # action definitions (iptables, mail and others), with defaults shipped
  • /etc/fail2ban/fail2ban.conf # fail2ban's own log level, log location and socket path
  • /etc/fail2ban/filter.d # filter definitions: the regexes that pick failures out of the logs, with defaults shipped
  • /etc/fail2ban/jail.conf # the main, modular config: which services get a ban action and the thresholds that trigger it
  • /etc/rc.d/init.d/fail2ban # start script on SysV-init systems; on CentOS 7 the EPEL package ships a systemd unit instead, managed with systemctl as below

/etc/fail2ban/fail2ban.conf is fail2ban's own configuration file and is self-explanatory:

[root@localhost /etc/fail2ban]# cat fail2ban.conf | grep -v -E "^#|^$"
[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400

Next comes the main configuration file, /etc/fail2ban/jail.conf. Have a look at it; my first impression was that it left me completely lost, it seemed far too complex. In fact you do not need to follow everything in it: as said above, it is modular, so below we build up a configuration experimentally. Two practical notes first. The file is parsed as an INI file, so comments must sit on their own line (a # after a value becomes part of the value and breaks parsing). And since a package upgrade overwrites jail.conf, your own settings belong in /etc/fail2ban/jail.local or a file under /etc/fail2ban/jail.d/, which are read after jail.conf and override it.

Configuring SSH brute-force protection

[root@localhost /etc/fail2ban]#vim jail.conf
# global defaults; the section name must be upper-case DEFAULT
[DEFAULT]
# addresses that are never banned
ignoreip=127.0.0.1
# how long a ban lasts, in seconds
bantime=600
# the window in which the failures must occur
findtime=600
# failures within findtime that trigger a ban
maxretry=3
# how changes to the log are detected
backend=auto

# one section per jail
[ssh-iptables]
# switch the jail on
enabled=true
# use /etc/fail2ban/filter.d/sshd.conf
filter=sshd
# ban via /etc/fail2ban/action.d/iptables.conf and notify via /etc/fail2ban/action.d/mail.conf
# (the continuation line must be indented)
action=iptables[name=SSH,port=ssh,protocol=tcp]
       mail[name=SSH,dest=root,sender=fail2ban]
# the log to watch
logpath=/var/log/secure
# per-jail override of the default
maxretry=5

Start fail2ban: systemctl start fail2ban
Start iptables: systemctl start iptables
The iptables action inserts rules into the running ruleset, so the firewall has to be up. On CentOS 7 iptables.service comes from the iptables-services package and conflicts with firewalld, so either stop and mask firewalld or use fail2ban's firewallcmd actions instead.

Test:

# client
[root@node1 ~]# ssh 10.211.55.24
The authenticity of host '10.211.55.24 (10.211.55.24)' can't be established.
RSA key fingerprint is 80:26:e2:26:6a:8b:f0:59:f4:42:58:15:12:df:c8:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.211.55.24' (RSA) to the list of known hosts.
root@10.211.55.24's password: 
Permission denied, please try again.
root@10.211.55.24's password: 
Permission denied, please try again.
root@10.211.55.24's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@node1 ~]# ssh 10.211.55.24
ssh: connect to host 10.211.55.24 port 22: Connection refused
# server
[root@localhost /etc/fail2ban]#tail -f /var/log/fail2ban.log 
2017-02-19 21:18:47,123 fail2ban.server         [30276]: INFO    Exiting Fail2ban
2017-02-19 21:18:47,287 fail2ban.server         [30298]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-02-19 21:18:47,288 fail2ban.database       [30298]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-02-19 21:18:47,289 fail2ban.jail           [30298]: INFO    Creating new jail 'ssh-iptables'
2017-02-19 21:18:47,295 fail2ban.jail           [30298]: INFO    Jail 'ssh-iptables' uses poller {}
2017-02-19 21:18:47,309 fail2ban.jail           [30298]: INFO    Initiated 'polling' backend
2017-02-19 21:18:47,311 fail2ban.filter         [30298]: INFO    Added logfile = /var/log/secure
2017-02-19 21:18:47,311 fail2ban.filter         [30298]: INFO    Set maxlines = 10
2017-02-19 21:18:47,368 fail2ban.server         [30298]: INFO    Jail ssh-iptables is not a JournalFilter instance
2017-02-19 21:18:47,381 fail2ban.jail           [30298]: INFO    Jail 'ssh-iptables' started
2017-02-19 21:23:40,748 fail2ban.filter         [30298]: WARNING Determined IP using DNS Lookup: node1 = ['10.211.55.35']
2017-02-19 21:23:40,748 fail2ban.filter         [30298]: INFO    [ssh-iptables] Found 10.211.55.35
2017-02-19 21:23:42,754 fail2ban.filter         [30298]: INFO    [ssh-iptables] Found 10.211.55.35
2017-02-19 21:23:49,766 fail2ban.filter         [30298]: INFO    [ssh-iptables] Found 10.211.55.35
2017-02-19 21:23:49,848 fail2ban.actions        [30298]: NOTICE  [ssh-iptables] Ban 10.211.55.35
# Note the WARNING above: sshd logged the client by its hostname node1, so fail2ban had to
# resolve the name to get an address to ban. Set UseDNS no in sshd_config so the log carries
# addresses, and usedns = no in [DEFAULT] so that a ban never depends on a DNS answer.
# The ban is in place: the f2b-SSH chain, hooked into INPUT for tcp dpt:22, now rejects 10.211.55.35
[root@localhost /etc/fail2ban]#iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain f2b-SSH (1 references)
target     prot opt source               destination         
REJECT     all  --  10.211.55.35         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0  
# and the e-mail notifications we configured arrived as well
[root@localhost /etc/fail2ban]#mail
Heirloom Mail version 12.5 7/5/10.  Type ? for help.
"/var/spool/mail/root": 4 messages 3 new
    1 root                  Sun Feb 19 22:17  30/1148  "test"
>N  2 root                  Sun Feb 19 22:18  24/709   "[Fail2Ban] SSH: stopped on localhost.localdomain"
 N  3 root                  Sun Feb 19 22:18  24/723   "[Fail2Ban] SSH: started  on localhost.localdomain"
 N  4 root                  Sun Feb 19 22:18  25/775   "[Fail2Ban] SSH: banned 10.211.55.35 from localhost.localdomain"

Using fail2ban to monitor nginx logs

[nginx]
enabled=true
filter=nginx-sniffer
action=iptables[name=nginx,port=http,protocol=tcp]
logpath=/usr/local/nginx/log/access.log
maxretry=300
findtime=60
bantime=3600

Then create nginx-sniffer.conf under /etc/fail2ban/filter.d, the filter the jail refers to:

[Definition]
failregex=<HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex=

Restart the fail2ban service. Because this failregex matches every request line of the default combined log format, the jail is simply per-IP rate limiting: any address that makes more than 300 requests within 60 seconds is banned for one hour. Two caveats: all clients behind one NAT, or the address of an upstream proxy or CDN if nginx sits behind one, are counted and banned together, so use ignoreip or a narrower failregex (for instance one that only matches 4xx responses) where that matters; and HTTP/2 requests, which nginx logs as HTTP/2.0, are not matched by HTTP/1.* at all.
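To make the interaction of failregex, findtime, maxretry, bantime and ignoreip in the two jails above concrete, here is an added example (my own code, not part of the original post and not fail2ban's code) that re-implements the counting logic of a jail in Python and runs it over constructed log lines: the [ssh-iptables] jail over /var/log/secure style lines with maxretry=3 and findtime=600 (the [DEFAULT] values above), and the [nginx] jail over nginx access.log lines with maxretry=300 and findtime=60. Assumptions, also marked in the code: the sshd failregex is a simplified version of the "Failed password" rule in filter.d/sshd.conf, the syslog year is fixed to 2017 because syslog lines carry none, and hostnames found in the log are dropped, which is what usedns = no does. fail2ban's own tool for checking a filter against a real log is fail2ban-regex <logfile> <filter>; this script only shows what happens to the matches afterwards.

```python
# Added example, not fail2ban's own code: the counting logic of a jail (failregex
# -> <HOST>, per-host sliding window of findtime seconds, ban once maxretry matches
# sit inside it) run over constructed log lines for the two jails in this post.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban expands the <HOST> tag to this pattern. It also matches hostnames,
# which is what produced the "Determined IP using DNS Lookup: node1" warning above.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
LOG_YEAR = 2017  # assumption: syslog lines carry no year
SYSLOG_TS = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)")
NGINX_TS = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]")


def log_time(line):
    """Epoch seconds from a /var/log/secure or nginx access.log timestamp."""
    m = SYSLOG_TS.search(line)
    if m:
        return datetime.strptime("%d %s" % (LOG_YEAR, m.group(1)), "%Y %b %d %H:%M:%S").timestamp()
    m = NGINX_TS.search(line)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S").timestamp()
    raise ValueError("no recognised timestamp: " + line)


class Jail:
    """One jail section, with the usedns=no behaviour (hostnames are never resolved)."""

    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip=("127.0.0.1",)):
        self.regex = re.compile(failregex.replace("<HOST>", HOST_RE))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> match times inside findtime
        self.bans = {}                      # host -> time the ban expires
        self.unresolved = []                # hostnames dropped instead of resolved

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        m = self.regex.search(line)
        if not m:
            return None
        host = m.group("host")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:          # sshd logged a name (UseDNS yes), not an address
            self.unresolved.append(host)
            return None
        if any(addr in net for net in self.ignoreip):
            return None
        now = log_time(line)
        if now < self.bans.get(host, 0):
            return None             # already banned; iptables is rejecting this client
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()        # failures older than findtime no longer count
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            window.clear()
            return host
        return None

    def run(self, lines):
        """Feed every line and return the hosts banned, in order."""
        return [host for host in map(self.feed, lines) if host]


# Simplified form of the "Failed password" rule in filter.d/sshd.conf (assumption).
SSHD_FAILREGEX = r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$"
# The failregex from the nginx-sniffer.conf above.
NGINX_FAILREGEX = r"<HOST> -.*- .*HTTP/1.* .* .*$"

# Constructed /var/log/secure lines in the CentOS 7 layout, not from a real host.
SECURE_LOG = [
    # 10.211.55.35: three failures inside 600 s -> banned on the third
    "Feb 19 21:23:40 localhost sshd[30412]: Failed password for root from 10.211.55.35 port 52012 ssh2",
    "Feb 19 21:23:42 localhost sshd[30412]: Failed password for root from 10.211.55.35 port 52012 ssh2",
    "Feb 19 21:23:49 localhost sshd[30412]: Failed password for root from 10.211.55.35 port 52012 ssh2",
    # 10.211.55.36: two failures, then one 11 minutes later -> the first two left the window
    "Feb 19 21:25:00 localhost sshd[30420]: Failed password for invalid user admin from 10.211.55.36 port 40000 ssh2",
    "Feb 19 21:25:01 localhost sshd[30420]: Failed password for invalid user admin from 10.211.55.36 port 40000 ssh2",
    "Feb 19 21:36:01 localhost sshd[30431]: Failed password for invalid user admin from 10.211.55.36 port 40001 ssh2",
    # loopback is in ignoreip and is never counted
    "Feb 19 21:40:00 localhost sshd[30440]: Failed password for root from 127.0.0.1 port 33000 ssh2",
    "Feb 19 21:40:01 localhost sshd[30440]: Failed password for root from 127.0.0.1 port 33000 ssh2",
    "Feb 19 21:40:02 localhost sshd[30440]: Failed password for root from 127.0.0.1 port 33000 ssh2",
    # sshd with UseDNS logged a hostname, as in the WARNING above; dropped under usedns=no
    "Feb 19 21:41:00 localhost sshd[30450]: Failed password for root from node1 port 52013 ssh2",
    # a successful login does not match the failregex at all
    "Feb 19 21:41:30 localhost sshd[30460]: Accepted publickey for deploy from 10.211.55.40 port 50000 ssh2",
]


def access_lines(ip, count, per_second=5):
    """Constructed nginx combined-format lines: `count` requests at `per_second`."""
    return ['%s - - [19/Feb/2017:21:30:%02d +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.29.0"'
            % (ip, i // per_second) for i in range(count)]


def ssh_demo():
    """[ssh-iptables] with the [DEFAULT] thresholds: returns (banned hosts, unresolved names)."""
    jail = Jail(SSHD_FAILREGEX, maxretry=3, findtime=600, bantime=600)
    return jail.run(SECURE_LOG), jail.unresolved


def nginx_demo():
    """[nginx]: 300 requests inside 60 s from one address earn a ban, 50 do not."""
    jail = Jail(NGINX_FAILREGEX, maxretry=300, findtime=60, bantime=3600)
    return jail.run(access_lines("10.211.55.35", 300) + access_lines("10.211.55.40", 50))


if __name__ == "__main__":
    print("ssh-iptables bans, unresolved names:", ssh_demo())
    print("nginx bans:", nginx_demo())
```

Running it bans 10.211.55.35 in both jails and nothing else: 10.211.55.36 never has three failures inside one findtime window, loopback is exempt, and node1 ends up in the unresolved list rather than being looked up. The nginx jail shows why the 300/60 thresholds are effectively a rate limit: the client that sends 5 requests per second for a full minute is banned on the 300th line, while 50 requests at the same rate never come close.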
