

Using fail2ban to block SSH brute-force attacks

fail2ban can be set up so that after a remote host fails password authentication n times it is blocked by the firewall for n minutes, the event is written to a log, and you can be notified by mail. When the time is up the iptables rule is removed again, so it leaves nothing behind.

http://sourceforge.net/projects/fail2ban/files/
http://www.fail2ban.org/

The latest version at the time of writing is 0.8.4.

Download and install

# wget "http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=ncu"
# tar xvfj fail2ban-0.8.4.tar.bz2
# cd fail2ban-0.8.4
# python setup.py install
# cp ./files/redhat-initd /etc/init.d/fail2ban     (the ./files directory also holds init scripts for other systems, e.g. gentoo, suse)
# chkconfig --add fail2ban                          (start at boot)
# chkconfig --list | grep fail2ban                  (check that the service has been registered)

Edit the configuration files

/etc/fail2ban/fail2ban.conf defines the logging level, the log file path and the socket file; the defaults are used here.

# vi /etc/fail2ban/jail.conf

# IP ranges to ignore; separate two or more entries with whitespace
ignoreip = 127.0.0.1
# how long an IP stays blocked (seconds); -1 means blocked forever
bantime = 600
# the window (seconds) within which maxretry failures trigger a ban
findtime = 600
# number of attempts allowed
maxretry = 3

# protection against sshd brute-force attacks
[ssh-iptables]
# enable the jail
enabled = true
filter = sshd
# my sshd port is 6022
action = iptables[name=SSH, port=6022, protocol=tcp]
# mail notification disabled
#        sendmail-whois[name=SSH, [email protected], [email protected]]
# path of the log holding ssh failures
logpath = /var/log/secure
# retry count
maxretry = 3

# service fail2ban start

Note: if you restart iptables, remember to restart fail2ban as well (fail2ban-client reload), otherwise it will not take effect, because fail2ban's filter chain is inserted into iptables after iptables has started.

Testing

# tail -f /var/log/secure /var/log/fail2ban.log

==> /var/log/secure <==
Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:12 localhost last message repeated 2 times
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:28 localhost last message repeated 2 times
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2

==> /var/log/fail2ban.log <==
2010-01-13 17:02:36,849 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.8

==> /var/log/fail2ban.log <==
2010-01-13 17:12:36,852 fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.1.8
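To make the interplay of maxretry, findtime and bantime concrete, here is an added example (not part of the original post or of fail2ban itself) that replays lines in the /var/log/secure format shown above through a minimal jail with the post's settings and emits the Ban/Unban events fail2ban would log. The sample lines are constructed, and the year 2010 is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the /var/log/secure format tailed in the post
# (the year is not in syslog timestamps, so 2010 is assumed below).
SAMPLE_SECURE = """\
Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2
Jan 13 17:05:00 localhost sshd[24400]: Failed password for admin from 192.168.1.9 port 10500 ssh2
Jan 13 17:20:00 localhost sshd[24500]: Failed password for c1g from 192.168.1.9 port 10600 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$")

def simulate_jail(lines, maxretry=3, findtime=600, bantime=600, year=2010):
    """Replay syslog lines through a jail with the post's semantics and return
    the (time, 'Ban'|'Unban', ip) events fail2ban would write to its log."""
    failures = {}   # ip -> failure times still inside the findtime window
    banned = {}     # ip -> time at which the ban expires
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Lift any ban whose bantime has elapsed before this line.
        for b_ip, expires in list(banned.items()):
            if expires <= ts:
                events.append((expires, "Unban", b_ip))
                del banned[b_ip]
        if ip in banned:
            continue  # iptables is already dropping this source
        window = [t for t in failures.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:     # maxretry failures within findtime: ban
            banned[ip] = ts + timedelta(seconds=bantime)
            failures[ip] = []
            events.append((ts, "Ban", ip))
    for b_ip, expires in sorted(banned.items(), key=lambda kv: kv[1]):
        events.append((expires, "Unban", b_ip))   # bans still active at end of input
    return events

if __name__ == "__main__":
    for when, what, ip in simulate_jail(SAMPLE_SECURE.splitlines()):
        print(f"{when:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [ssh-iptables] {what} {ip}")
```

Note that 192.168.1.9 fails twice but 15 minutes apart, so its failures never accumulate inside findtime and it is not banned; raising maxretry above 3 leaves 192.168.1.8 unbanned too.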

# fail2ban-client status ssh-iptables

Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 0
|  `- Total failed:     4
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     1

Log rotation

Write a logrotate configuration and copy it to /etc/logrotate.d/fail2ban so the log file is trimmed regularly:

/var/log/fail2ban.log {
    missingok
    notifempty
    size 30k
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client reload 2> /dev/null || true
    endscript
}

References

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options
http://allblue.mllm.org/node/186
http://www.lsanotes.cn/fail2ban

Posted in linux maintenance and tuning, security, technology.
