centos(linux): 安装管理fail2ban

一，官网:

https://www.fail2ban.org

会跳转到代码站:

https://github.com/fail2ban/fail2ban

二，安装:

用yum 安装:

[root@blog ~]# yum install fail2ban

安装后查看状态:未启动

[root@blog ~]# systemctl status fail2ban.service
○ fail2ban.service - Fail2Ban Service
     Loaded: loaded (;;file://blog/usr/lib/systemd/system/fail2ban.service/usr/lib/systemd/system/
     fail2ban.service;;; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: ;;man:fail2ban(1)man:fail2ban(1);;

安装后查看版本:

[root@blog ~]# fail2ban-server --version
Fail2Ban v1.0.2

 

三，安装后配置

[root@blog fail2ban]# more jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 600
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 22
action = %(action_mwl)s
logpath = /var/log/secure

含义:

ignoreip：IP白名单，白名单中的IP不会屏蔽，可填写多个以（,）分隔
bantime：屏蔽时间，单位为秒（s）
findtime：时间范围
maxretry：最大次数
banaction：屏蔽IP所使用的方法，上面使用firewalld屏蔽端口

[sshd]：名称，可以随便填写
filter：规则名称，必须填写位于filter.d目录里面的规则，sshd是fail2ban内置规则
port：对应的端口
action：采取的行动
logpath：需要监视的日志路径

上面的配置意思是如果同一个IP，在10分钟内，如果连续超过5次错误，则使用Firewalld将他IP ban了

 

四，启动，并查看效果:

启动:

[root@blog fail2ban]# systemctl start fail2ban.service

查看状态:

[root@blog fail2ban]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (;;file://blog/usr/lib/systemd/system/fail2ban.service/usr/lib/
     systemd/system/fail2ban.service;;; disabled; preset: disabled)
     Active: active (running) since Fri 2024-08-23 19:23:30 CST; 3s ago
       Docs: ;;man:fail2ban(1)man:fail2ban(1);;
    Process: 1746798 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)

查看sshd这个监狱中已ban掉的ip:
banned ip list一项即是:

[root@blog fail2ban]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list: