

Using fail2ban to block SSH brute-force attacks

fail2ban can be configured so that after a remote host fails password authentication n times, the firewall blocks it for n minutes;
the event is written to a log, and it can also notify you by e-mail.
When the ban time is up the iptables rule is removed again, so nothing is left behind.

http://sourceforge.net/projects/fail2ban/files/
http://www.fail2ban.org/

The latest version at the time of writing is 0.8.4.

Download and install
#wget "http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=ncu"
#tar xvfj fail2ban-0.8.4.tar.bz2
#cd fail2ban-0.8.4
#python setup.py install
#cp ./files/redhat-initd /etc/init.d/fail2ban   #./files also contains init scripts for other systems, e.g. gentoo, suse
#chkconfig --add fail2ban                        #start at boot
#chkconfig --list | grep fail2ban                #check that the service has been registered

Modify the configuration files

/etc/fail2ban/fail2ban.conf
defines the log level, log file path and socket file; the defaults are used here.
#vi /etc/fail2ban/jail.conf

ignoreip = 127.0.0.1   # IP addresses/ranges to ignore; separate multiple entries with whitespace
bantime  = 600         # how long (seconds) an IP stays banned; -1 means banned permanently
findtime = 600         # window (seconds) within which maxretry failures trigger a ban
maxretry = 3           # number of attempts allowed

[ssh-iptables]
# protection against sshd brute-force attacks
enabled  = true        # enable the jail
filter   = sshd
action   = iptables[name=SSH, port=6022, protocol=tcp]   # my sshd listens on port 6022
#          sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]   # no e-mail notification
logpath  = /var/log/secure   # where sshd logs failed logins
maxretry = 3           # retry count

#service fail2ban start   Note: if you restart iptables, remember to also restart fail2ban (fail2ban-client reload); otherwise the bans will not take effect, because fail2ban's chains are inserted into iptables only after iptables has started.

Test
#tail -f /var/log/secure /var/log/fail2ban.log
==> /var/log/secure <==
Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:12 localhost last message repeated 2 times
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:28 localhost last message repeated 2 times
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2

==> /var/log/fail2ban.log <==
2010-01-13 17:02:36,849 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.8

==> /var/log/fail2ban.log <==
2010-01-13 17:12:36,852 fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.1.8

#fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 0
|  `- Total failed:     4
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     1
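To make the interplay of findtime, maxretry and bantime in the jail above concrete, here is an added Python example (not part of the original post or of fail2ban itself) that replays constructed log lines modelled on the test output above through the same sliding-window logic; the second host 10.0.0.5 and its timestamps are made up to show a failure that falls outside findtime.

```python
import re
from datetime import datetime, timedelta

# Jail options from the jail.conf above: 3 failures within 600 s => 600 s ban.
FINDTIME, BANTIME, MAXRETRY = timedelta(seconds=600), timedelta(seconds=600), 3

# Same shape as the failregex of fail2ban's sshd filter; "host" is the <HOST>
# value that the iptables action later bans.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)
# Constructed sample: the failures from the post's test output, plus a made-up
# second host (10.0.0.5) whose first attempt lies outside findtime.
SAMPLE_LOG = """\
Jan 13 16:40:00 localhost sshd[24001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:12 localhost last message repeated 2 times
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2
Jan 13 17:03:01 localhost sshd[24400]: Failed password for root from 10.0.0.5 port 40002 ssh2
Jan 13 17:03:09 localhost sshd[24401]: Failed password for root from 10.0.0.5 port 40003 ssh2
""".splitlines()


def simulate(lines, year=2010):
    """Replay log lines through fail2ban-style findtime/maxretry/bantime logic.
    Returns (events, active): events = [(time, 'Ban'|'Unban', host), ...],
    active = {host: time its ban expires} for hosts still banned at the end."""
    failures, banned, events = {}, {}, []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:  # e.g. "last message repeated N times": no <HOST>, never counted
            continue
        # syslog timestamps carry no year; fail2ban assumes the current one
        now = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        host = m.group("host")
        for h, until in list(banned.items()):  # lift bans whose bantime ran out
            if now >= until:
                events.append((until, "Unban", h))
                del banned[h]
        if host in banned:
            continue
        recent = [t for t in failures.get(host, []) if now - t <= FINDTIME] + [now]
        failures[host] = recent
        if len(recent) >= MAXRETRY:  # maxretry reached inside findtime: ban
            banned[host] = now + BANTIME
            failures[host] = []
            events.append((now, "Ban", host))
    return events, banned
```

Note that the "last message repeated 2 times" lines syslog emits are never matched by the sshd filter, so those attempts are not counted; only the three full "Failed password" lines from 192.168.1.8 reach maxretry, while 10.0.0.5 stays unbanned because its first failure is older than findtime.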

Log rotation
Write a logrotate configuration and copy it to /etc/logrotate.d/fail2ban so the log file is rotated periodically.

/var/log/fail2ban.log {
    missingok
    notifempty
    size 30k
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client reload 2> /dev/null || true
    endscript
}

References
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options
http://allblue.mllm.org/node/186
http://www.lsanotes.cn/fail2ban

Posted in linux maintenance and optimization, security, technology.
