fail2ban configuration and notes
1. Installation is straightforward
tar xvfj fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install
cd files
cp ./redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
service fail2ban start
2. Configuring the fail2ban service
fail2ban's configuration files live here:
/etc/fail2ban
fail2ban.conf  logging settings
jail.conf  blocking (jail) settings
/etc/fail2ban/filter.d  directory holding the individual filter definitions
3. Putting protection in place
Global settings:
ignoreip = 127.0.0.1
# this IP or IP range is never banned
bantime = 60000
# how long (in seconds) an IP stays banned once it trips a rule
findtime = 600
# the window (in seconds) within which the failure count must be reached
maxretry = 2
# maximum number of failures; the per-jail values below override this one
1. Protecting SSH
First, how does fail2ban recognise an attempt?
cat /etc/fail2ban/filter.d/sshd.conf
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
fail2ban uses regular expressions to pick out:
Authentication failure/authentication failure
ROOT LOGIN REFUSED
refused connect from
POSSIBLE BREAK-IN ATTEMPT
not allowed because not listed in AllowUsers
You can trim the list above to fit your own requirements. <HOST> stands for the IP that made the connection.
Enabling the SSH jail
vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=收件者电邮地址, sender=寄件者电邮地址]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 86400
fail2ban watches /var/log/secure as instructed; within findtime = 300 (5 minutes) it records every line that matches, and once maxretry = 3 (3 matches) is reached it blocks that IP from connecting to port 22 for bantime = 86400 (one day).
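Added example (not from the original post and not fail2ban's own code): a small Python model of what the daemon does with the sshd filter and the jail's findtime/maxretry settings. It expands the <HOST> tag and %(__prefix_line)s with simplified stand-ins (an IPv4-only host pattern and a syslog/sshd line prefix; both are assumptions, fail2ban's real definitions accept more), matches two of the failregex lines quoted above against a constructed /var/log/secure excerpt, and then applies the sliding findtime window, so the same log yields different bans under the global defaults (findtime = 600, maxretry = 2) and under the jail's own findtime = 300, maxretry = 3.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for fail2ban's <HOST> tag (assumption: dotted-quad IPv4 only; the
# real substitution also accepts host names and IPv6 addresses).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Stand-in for %(__prefix_line)s: syslog timestamp, host name and "sshd[pid]: "
# (assumption: simplified compared with fail2ban's own common.conf definition).
PREFIX_LINE = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "

# Two failregex lines quoted from sshd.conf above, still carrying the raw tags.
SSHD_FAILREGEX = [
    r"^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]

# Constructed /var/log/secure excerpt (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "Apr  7 20:00:00 mail sshd[1100]: Failed password for root from 203.0.113.7 port 4000 ssh2",
    "Apr  7 20:03:00 mail sshd[1101]: Failed password for root from 203.0.113.7 port 4001 ssh2",
    "Apr  7 20:10:00 mail sshd[1102]: Failed password for root from 203.0.113.7 port 4002 ssh2",
    "Apr  7 20:22:01 mail sshd[1234]: Failed password for root from 192.0.2.10 port 4321 ssh2",
    "Apr  7 20:22:05 mail sshd[1235]: Invalid user admin from 192.0.2.10",
    "Apr  7 20:22:09 mail sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 4322 ssh2",
    "Apr  7 20:30:00 mail sshd[1240]: Accepted publickey for alice from 198.51.100.5 port 5000 ssh2",
    "Apr  7 20:40:00 mail sshd[1241]: Failed password for bob from 198.51.100.5 port 5001 ssh2",
]


def compile_failregex(patterns):
    """Expand the fail2ban tags the way the daemon does before compiling."""
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_RE))
        for p in patterns
    ]


def extract_failures(lines, patterns):
    """Return (timestamp, host) for every line matching one of the failregex lines."""
    regexes = compile_failregex(patterns)
    hits = []
    for line in lines:
        for rx in regexes:
            m = rx.match(line)
            if m:
                hits.append((datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")))
                break  # the first matching failregex wins, as in fail2ban
    return hits


def find_bans(lines, patterns, findtime, maxretry):
    """Apply the jail rule: a host is banned once maxretry matching lines fall
    inside a window of findtime seconds. Returns {host: time of the triggering line}."""
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    bans = {}
    for ts, host in extract_failures(lines, patterns):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts.strftime("%H:%M:%S")
    return bans


if __name__ == "__main__":
    print("failures:", [(t.strftime("%H:%M:%S"), h) for t, h in extract_failures(SAMPLE_LOG, SSHD_FAILREGEX)])
    print("jail findtime=300 maxretry=3:", find_bans(SAMPLE_LOG, SSHD_FAILREGEX, 300, 3))
    print("defaults findtime=600 maxretry=2:", find_bans(SAMPLE_LOG, SSHD_FAILREGEX, 600, 2))
```

With the jail's findtime = 300 / maxretry = 3 only 192.0.2.10 is banned: 203.0.113.7 also fails three times, but its attempts are spread over ten minutes, so the older ones fall out of the window before the third arrives. Under the global defaults (600 / 2) both hosts are banned. For testing a filter against a real log file, fail2ban ships the fail2ban-regex tool; the model above only illustrates the window logic.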
2. Protecting POP3
cat /etc/fail2ban/filter.d/courierlogin.conf
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
This matches a POP3 connection that supplied a wrong username/password.
Enabling POP3 protection
vi /etc/fail2ban/jail.conf
[POP3]
enabled = true
filter = courierlogin
action = iptables[name=pop3, port=110, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 15
By now you should be able to read these yourself, so I won't spell them out again, it's tiring. Adjust the parameters to your own needs!
3. Protecting POP3-SSL
cat /etc/fail2ban/filter.d/courierlogin-ssl.conf
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
This matches a POP3-SSL connection that supplied a wrong username/password.
vi /etc/fail2ban/jail.conf
[POP3-SSL]
enabled = true
filter = courierlogin-ssl
action = iptables[name=pop3-ssl, port=995, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 15
4. Protecting SMTP
cat /etc/fail2ban/filter.d/couriersmtp.conf
failregex = postfix/smtpd.* warning: unknown\[<HOST>\]: SASL LOGIN authentication failed: authentication failure
This matches an SMTP connection that supplied a wrong username/password.
vi /etc/fail2ban/jail.conf
[SMTP]
enabled = true
filter = couriersmtp
action = iptables[name=smtp, port=25:366, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 15
Adjust the parameters to your own needs.
5. Protecting Extmail logins
Extmail's web mail login has no protection yet, so let's harden it now.
vi /etc/fail2ban/filter.d/extmail.conf
failregex = extmail.*: user=.*, client=<HOST>, module=login, status=badlogin
This matches a web mail login that supplied a wrong username/password.
vi /etc/fail2ban/jail.conf
[extmail]
enabled = true
filter = extmail
action = iptables[name=httpd, port=http, protocol=tcp]
logpath = /var/log/maillog
bantime = 300
findtime = 300
maxretry = 6
6. Protecting Postfix against "User unknown" probing
If you don't know what this is about, read this article first.
vi /etc/fail2ban/filter.d/postfix.conf
failregex = reject: RCPT from (.*)\[<HOST>\]: 450
vi /etc/fail2ban/jail.conf
[POSTFIX]
enabled = true
filter = postfix
action = iptables[name=postfix, port=25, protocol=tcp]
logpath = /var/log/maillog
bantime = 43200
findtime = 1200
maxretry = 5
This guards against "User unknown" probing and spam bounce attacks.
4. A look at iptables
iptables -L -nv
pkts bytes target prot opt in out source destination
0 0 fail2ban-pop3-ssl tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
773 83329 fail2ban-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
299 12660 fail2ban-pop3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
301 12740 fail2ban-ftp tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
3354 253K fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
438 33979 fail2ban-httpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5703 packets, 829K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
3354 253K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ftp (1 references)
pkts bytes target prot opt in out source destination
301 12740 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-httpd (1 references)
pkts bytes target prot opt in out source destination
438 33979 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pop3 (1 references)
pkts bytes target prot opt in out source destination
299 12660 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pop3-ssl (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-postfix (1 references)
pkts bytes target prot opt in out source destination
773 83329 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-smtp (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
How do you monitor it?
#watch -n 1 fail2ban-client status POSTFIX
Status for the jail: POSTFIX
|- filter
| |- File list: /var/log/maillog
| |- Currently failed: 2
| `- Total failed: 22
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
Look at those spammers, what a bore, endlessly probing my mail server.
5. A look at the fail2ban log
# cat fail2ban.log | grep 'Ban '
2009-04-07 20:22:44,575 fail2ban.actions: WARNING [POSTFIX] Ban ip地址
This shows which IPs were banned in the past and by which jail.
# cat fail2ban.log | grep '] Unban '
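Added example (not part of the original post): instead of two greps, a Python summary of fail2ban.log in the line format shown above. It counts Ban events per jail and per IP and lists the hosts still banned, i.e. those whose latest Ban has not yet been followed by an Unban. The log excerpt is constructed with documentation addresses; the "Starting Fail2ban" line is there only to show that non-action lines are skipped.

```python
import re
from collections import defaultdict

# Matches the Ban/Unban lines fail2ban.actions writes (format as quoted above).
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<ip>\S+)$"
)

# Constructed fail2ban.log excerpt (documentation IP ranges, not real hosts).
SAMPLE_FAIL2BAN_LOG = """\
2009-04-07 20:20:00,000 fail2ban.server : INFO   Starting Fail2ban v0.8.4
2009-04-07 20:22:44,575 fail2ban.actions: WARNING [POSTFIX] Ban 203.0.113.7
2009-04-07 20:25:10,002 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
2009-04-08 08:22:45,100 fail2ban.actions: WARNING [POSTFIX] Unban 203.0.113.7
2009-04-08 09:00:00,000 fail2ban.actions: WARNING [POSTFIX] Ban 203.0.113.7
2009-04-08 09:05:00,000 fail2ban.actions: WARNING [POP3] Ban 198.51.100.5
2009-04-08 20:25:11,000 fail2ban.actions: WARNING [ssh-iptables] Unban 192.0.2.10
"""


def summarize_bans(log_text):
    """Return (bans_per_jail, currently_banned).

    bans_per_jail:    {jail: {ip: number of Ban events}}
    currently_banned: {jail: [ip, ...]} for hosts whose last Ban has no Unban yet
    """
    bans_per_jail = defaultdict(lambda: defaultdict(int))
    currently_banned = defaultdict(set)
    for line in log_text.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            continue  # startup messages, filter output etc. are not ban actions
        jail, ip = m.group("jail"), m.group("ip")
        if m.group("event") == "Ban":
            bans_per_jail[jail][ip] += 1
            currently_banned[jail].add(ip)
        else:
            currently_banned[jail].discard(ip)
    return (
        {jail: dict(counts) for jail, counts in bans_per_jail.items()},
        {jail: sorted(ips) for jail, ips in currently_banned.items() if ips},
    )


if __name__ == "__main__":
    totals, active = summarize_bans(SAMPLE_FAIL2BAN_LOG)
    for jail, counts in totals.items():
        print(f"[{jail}] bans: {counts}  still banned: {active.get(jail, [])}")
```

Repeat offenders show up as a count above 1 (203.0.113.7 was banned by the POSTFIX jail twice in the sample), which is the kind of host worth moving to a longer bantime or a permanent rule.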
1. Edit /usr/bin/fail2ban-client: in the function def __processCmd, add the line time.sleep(0.1) directly below the line for c in cmd:, then save and restart fail2ban. This works around a fail2ban bug.
2. In /etc/fail2ban/jail.conf, make sure that on every action = line the name in iptables[name=...] is no longer than 21 characters; otherwise the iptables chain name exceeds the allowed length.
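Added example (not from the post and not part of fail2ban): a Python check for note 2 that reads a jail.conf, pulls the name= argument out of every enabled jail's iptables action, and reports names longer than the 21-character limit stated above. The sample jail.conf is constructed after the layout used in this post; the overlong webmail jail at the end is made up purely to trigger the check.

```python
import configparser
import re

# Limit quoted in note 2 above for the name= argument of iptables[...] actions.
MAX_NAME_LEN = 21

# Picks the argument list out of iptables[...] (and variants such as
# iptables-multiport[...]); sendmail-whois[...] is deliberately not matched.
IPTABLES_ACTION_RE = re.compile(r"\biptables(?:-\w+)?\[([^\]]*)\]")

# Constructed jail.conf excerpt (assumption: same layout as the jails shown above).
SAMPLE_JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 60000
findtime = 600
maxretry = 2

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@localhost]
logpath = /var/log/secure

[POP3-SSL]
enabled = true
filter = courierlogin-ssl
action = iptables[name=pop3-ssl, port=995, protocol=tcp]
logpath = /var/log/maillog

[disabled-jail]
enabled = false
filter = extmail
action = iptables[name=this-name-is-far-too-long-but-unused, port=http, protocol=tcp]
logpath = /var/log/maillog

[webmail-long-name]
enabled = true
filter = extmail
action = iptables[name=extmail-webmail-login-guard, port=http, protocol=tcp]
logpath = /var/log/maillog
"""


def iptables_chain_names(jail_conf_text):
    """Return {jail: [name, ...]} for the name= argument of each enabled jail's iptables action."""
    cp = configparser.ConfigParser(interpolation=None)  # jail.conf uses %(...)s elsewhere
    cp.read_string(jail_conf_text)
    names = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue  # a disabled jail never creates a chain
        for args in IPTABLES_ACTION_RE.findall(cp.get(jail, "action", fallback="")):
            for kv in args.split(","):
                key, _, value = kv.strip().partition("=")
                if key == "name":
                    names.setdefault(jail, []).append(value)
    return names


def overlong_chain_names(jail_conf_text, limit=MAX_NAME_LEN):
    """List (jail, name, length) for every name that exceeds the limit."""
    return [
        (jail, name, len(name))
        for jail, jail_names in iptables_chain_names(jail_conf_text).items()
        for name in jail_names
        if len(name) > limit
    ]


if __name__ == "__main__":
    for jail, name, length in overlong_chain_names(SAMPLE_JAIL_CONF):
        print(f"[{jail}] name={name} is {length} characters, limit is {MAX_NAME_LEN}")
```

Run it against the real file with `overlong_chain_names(open("/etc/fail2ban/jail.conf").read())`; an empty list means every enabled jail stays within the limit.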