Security: fail2ban daily operations / configuration

1. Specifying multiple log files to monitor:

Example:

[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports
logpath  = /var/www/vhosts/site1.com/log/errorlog
           /var/log/apache*/*error.log
           /var/www/vhosts/site1.com/subdom/log/errorlog
           /var/www/vhosts/site3/log/errorlog
           /var/www/vhosts/site4/log/errorlog  
maxretry = 1

It can also be written in the following form, one jail per log path:

[apache-w00tw00t-1]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports
logpath  = /var/log/apache*/*error.log 
maxretry = 1

[apache-w00tw00t-2]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports
logpath  = /var/www/vhosts/site1.com/log/errorlog 
maxretry = 1

2. Testing whether a filter rule is effective

Syntax:

fail2ban-regex <log file> <filter file>

Example:

[root@blog filter.d]# fail2ban-regex /logs/weblogs/www_ssl.access_log /etc/fail2ban/filter.d/nginx404.conf

Running tests
=============

Use   failregex filter file : nginx404, basedir: /etc/fail2ban
Use         log file : /logs/weblogs/www_ssl.access_log
Use         encoding : UTF-8


Results
=======

Failregex: 91 total
|-  #) [# of hits] regular expression
|   1) [91] ^<HOST> .* "(GET|POST|HEAD).*HTTP.*" (404|400|503) .*$
`-

Ignoreregex: 13 total
|-  #) [# of hits] regular expression
|   1) [13] .*(robots.txt|favicon.ico|jpg|png)
`-

Date template hits:
|- [# of hits] date format
|  [149] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 149 lines, 13 ignored, 91 matched, 45 missed
[processed in 0.40 sec]

|- Ignored line(s):
|  59.82.21.13 - - [21/Sep/2024:00:40:08 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.3130.74 Safari/537.36" "-" 0.000
|  59.82.21.181 - - [21/Sep/2024:02:44:05 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.6295.169 Safari/537.36" "-" 0.000
|  51.222.253.12 - - [21/Sep/2024:02:58:02 +0800] "GET /robots.txt HTTP/1.1" 404 146 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)" "-" 0.000
|  113.215.189.19 - - [21/Sep/2024:03:22:10 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.6998.177 Safari/537.36" "-" 0.000
|  113.215.188.152 - - [21/Sep/2024:03:27:03 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.5267.19 Safari/537.36" "-" 0.000 
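To see what the fail2ban-regex summary above is counting, here is an added Python re-implementation of the matching loop (example code, not fail2ban's own) run over constructed log lines in the same nginx format, using the failregex and ignoreregex from the nginx404 filter. It assumes a simplified IPv4 expansion of `<HOST>` and the fail2ban 0.10+/1.x ordering, in which ignoreregex is only consulted for lines that already matched failregex.

```python
import re
from collections import Counter

# Constructed sample log lines in the same format as the page's access log
# (203.0.113.7 and 198.51.100.9 are documentation addresses, not real hosts)
SAMPLE_LOG = """\
59.82.21.13 - - [21/Sep/2024:00:40:08 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "-" "Mozilla/5.0" "-" 0.000
203.0.113.7 - - [21/Sep/2024:00:41:00 +0800] "GET /wp-login.php HTTP/1.1" 404 146 "-" "curl/8.0" "-" 0.000
203.0.113.7 - - [21/Sep/2024:00:41:01 +0800] "GET /admin/ HTTP/1.1" 404 146 "-" "curl/8.0" "-" 0.000
203.0.113.7 - - [21/Sep/2024:00:41:02 +0800] "POST /xmlrpc.php HTTP/1.1" 503 0 "-" "curl/8.0" "-" 0.000
198.51.100.9 - - [21/Sep/2024:00:42:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-" 0.000
198.51.100.9 - - [21/Sep/2024:00:42:05 +0800] "GET /missing.jpg HTTP/1.1" 404 146 "-" "Mozilla/5.0" "-" 0.000
"""

# failregex and ignoreregex exactly as reported by fail2ban-regex for nginx404
FAILREGEX = r'^<HOST> .* "(GET|POST|HEAD).*HTTP.*" (404|400|503) .*$'
IGNOREREGEX = r'.*(robots.txt|favicon.ico|jpg|png)'

# fail2ban expands <HOST> to a much richer host pattern; this simplified
# IPv4-only expansion is an assumption made for the example
HOST_PATTERN = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def classify(log_text, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Mimic fail2ban-regex: return (failures per host, ignored count, missed count)."""
    fail_re = re.compile(failregex.replace('<HOST>', HOST_PATTERN))
    ignore_re = re.compile(ignoreregex)
    hits, ignored, missed = Counter(), 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = fail_re.search(line)
        if m is None:
            missed += 1                 # e.g. a 200 response: not a failure at all
        elif ignore_re.search(line):
            ignored += 1                # matched failregex but excluded by ignoreregex
        else:
            hits[m.group('host')] += 1  # counts towards maxretry for this host
    return dict(hits), ignored, missed


def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reached maxretry (the findtime window is not modelled)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == '__main__':
    hits, ignored, missed = classify(SAMPLE_LOG)
    print(f'hits={hits} ignored={ignored} missed={missed}')
    print('would ban with maxretry=3:', hosts_to_ban(hits, 3))
```

Because `jpg|png` in the ignoreregex is not anchored to the request path, any failing line containing those substrings anywhere is excluded, which is exactly the kind of gap the "Ignored line(s)" list from fail2ban-regex makes visible before a jail goes live.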

3. Viewing banned IP addresses

[root@blog fail2ban]# fail2ban-client status nginx404-admin
Status for the jail: nginx404-admin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /logs/weblogs/admin.access_log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   13.57.24.28 

4. Unbanning an IP address that was banned by mistake

[root@blog fail2ban]# fail2ban-client set nginx404-admin unbanip 13.57.24.28
1

A return value of 1 indicates success.

Note: this operation is synchronized to the firewalld firewall as well.

5. Testing whether the configuration is valid

[root@blog fail2ban]# fail2ban-client -t
OK: configuration test is successful

6. IP whitelist:

Add the addresses to the ignoreip entry in the [DEFAULT] section; separate multiple IPs with spaces.

[DEFAULT]
ignoreip = 127.0.0.1/8 101.39.160.33
bantime  = 30d
findtime = 600
maxretry = 5


Posted 2024-09-21 11:01 by 刘宏缔的架构森林