Using fail2ban to block SSH brute-force attacks

fail2ban can be set up so that once a remote host fails password authentication n times it is blocked by the firewall for n minutes; the event is written to a log and, optionally, mailed to you.
When the ban time expires the iptables rule is removed again, which keeps the firewall clean.

http://sourceforge.net/projects/fail2ban/files/
http://www.fail2ban.org/

The latest release at the time of writing (January 2010, see the test log below) is 0.8.4.

Download and install
#wget "http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=ncu"
#tar xvfj fail2ban-0.8.4.tar.bz2
#cd fail2ban-0.8.4
#python setup.py install
#cp ./files/redhat-initd /etc/init.d/fail2ban   # ./files also holds init scripts for other distributions, e.g. gentoo and suse
#chkconfig --add fail2ban   # start at boot
#chkconfig --list | grep fail2ban   # confirm the service is registered

Edit the configuration files

/etc/fail2ban/fail2ban.conf
sets the log level, the log file path and the socket file; the defaults are fine.
#vi /etc/fail2ban/jail.conf

The following live in the [DEFAULT] section and apply to every jail unless a jail overrides them. The comments below are explanations only: fail2ban 0.8 reads jail.conf with Python's ConfigParser, which does not strip a # comment that follows a value on the same line, so in the real file keep comments on their own lines.

# IPs or ranges that are never banned; separate several entries with spaces
ignoreip = 127.0.0.1
# how long an IP stays banned, in seconds; -1 (any negative value) means permanent
bantime = 600
# window, in seconds, within which maxretry failures trigger a ban
findtime = 600
# number of failures allowed inside findtime
maxretry = 3

[ssh-iptables]
# sshd brute-force protection
enabled = true
filter = sshd
# my sshd listens on port 6022, so the rule is anchored to that port rather than 22
action = iptables[name=SSH, port=6022, protocol=tcp]
# sendmail-whois[name=SSH, [email protected], [email protected]]   left disabled: no mail notification
# where sshd logs authentication failures on RHEL/CentOS
logpath = /var/log/secure
# failures allowed before a ban (overrides the default above)
maxretry = 3

#service fail2ban start
Note: if you restart iptables, you must also restart fail2ban (or run fail2ban-client reload), otherwise the bans no longer take effect. fail2ban creates its own chain (fail2ban-SSH here) and the jump to it from INPUT only when the jail starts, after iptables is already up; restarting iptables reloads the saved ruleset and throws those rules away, and fail2ban does not notice.
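The failure mode described in the note above is easy to check for: after any iptables restart, the fail2ban-SSH chain and the INPUT jump into it must still be present. The following is an added example, not part of the original post or of fail2ban itself; it parses iptables-save output for the rules that the 0.8 iptables action installs (a fail2ban-<name> chain, an INPUT jump for the jail's port and protocol, a trailing RETURN, and one DROP per banned source). Both rulesets are constructed for the example; the check_jail_chain function and its field names are my own.

```python
import re
import subprocess

# Constructed `iptables-save` output from a host where the [ssh-iptables] jail with
# action iptables[name=SSH, port=6022, protocol=tcp] is running and has banned one IP.
SAVE_WITH_JAIL = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 6022 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
-A fail2ban-SSH -s 192.168.1.8/32 -j DROP
-A fail2ban-SSH -j RETURN
COMMIT
"""

# Constructed output after `service iptables restart` reloaded the saved ruleset:
# the chain and the jump are gone, so fail2ban's bans no longer block anything.
SAVE_AFTER_RESTART = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
COMMIT
"""


def check_jail_chain(save_text, name="SSH", port=6022, protocol="tcp"):
    """Inspect iptables-save text for the rules the iptables action installs.

    Returns a dict with chain_defined / input_jump / return_rule flags, the
    list of currently banned sources, and ok = all three flags present.
    """
    chain = f"fail2ban-{name}"
    jump = re.compile(
        rf"^-A INPUT -p {protocol} (?:-m {protocol} )?--dport {port} -j {re.escape(chain)}$"
    )
    drop = re.compile(rf"^-A {re.escape(chain)} -s (\S+) -j DROP$")
    result = {"chain_defined": False, "input_jump": False, "return_rule": False, "banned": []}
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith(f":{chain} "):          # chain declaration, e.g. ":fail2ban-SSH - [0:0]"
            result["chain_defined"] = True
        elif jump.match(line):                     # INPUT -> fail2ban-SSH for the jail's port
            result["input_jump"] = True
        elif line == f"-A {chain} -j RETURN":      # last rule of the chain
            result["return_rule"] = True
        else:
            m = drop.match(line)                   # one DROP per banned source
            if m:
                result["banned"].append(m.group(1))
    result["ok"] = result["chain_defined"] and result["input_jump"] and result["return_rule"]
    return result


if __name__ == "__main__":
    # As root on a real host, check the live ruleset; otherwise demonstrate on the samples.
    try:
        live = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
        samples = {"live iptables-save": live}
    except (OSError, subprocess.CalledProcessError):
        samples = {"with jail": SAVE_WITH_JAIL, "after iptables restart": SAVE_AFTER_RESTART}
    for label, text in samples.items():
        r = check_jail_chain(text)
        verdict = "OK" if r["ok"] else "MISSING -> run: fail2ban-client reload"
        print(f"{label}: {verdict}; banned={r['banned']}")
```

Run it as root right after any iptables restart (or from the script that restarts iptables); a MISSING verdict means the jail is still counting failures but nothing is being dropped, and fail2ban-client reload is the fix the post recommends.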

Test
#tail -f /var/log/secure /var/log/fail2ban.log
==> /var/log/secure <==
Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:12 localhost last message repeated 2 times
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:28 localhost last message repeated 2 times
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2

==> /var/log/fail2ban.log <==
2010-01-13 17:02:36,849 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.8

==> /var/log/fail2ban.log <==
2010-01-13 17:12:36,852 fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.1.8

The ban fires right after the third distinct "Failed password" line and is lifted exactly bantime (600 s) later. The "last message repeated 2 times" lines that syslog collapses do not match the sshd filter, so those attempts are not counted; the filter only sees the three full lines.

#fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/secure
| |- Currently failed: 0
| `- Total failed: 4
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 1
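To make the interplay of maxretry, findtime, bantime and ignoreip from the jail.conf section concrete, here is an added example (my code, not part of the post or of fail2ban) that replays log lines through the same counting rules the jail applies: failures per host inside a sliding findtime window, a ban once maxretry is reached, an unban bantime later (or never, for a negative bantime), and no counting for ignoreip hosts. The failregex is a simplified stand-in for the "Failed password" pattern in fail2ban's filter.d/sshd.conf; the 192.168.1.8 lines are the ones from the test above, the 10.0.0.5 lines are constructed to show attempts that stay below maxretry because they are spread wider than findtime; the year 2010 is assumed since syslog stamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the "Failed password" failregex in fail2ban's
# filter.d/sshd.conf (the real filter has several more patterns); assumption
# made for this example. The "host" group plays the role of fail2ban's <HOST>.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<host>\S+)"
    r"(?: port \d+)?(?: ssh\d*)?$"
)

# Constructed sample: the five /var/log/secure lines from the test above, plus three
# constructed attempts from 10.0.0.5 spread over 21 minutes (wider than findtime=600).
SAMPLE_LOG = """\
Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:12 localhost last message repeated 2 times
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:28 localhost last message repeated 2 times
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2
Jan 13 17:30:00 localhost sshd[24400]: Failed password for root from 10.0.0.5 port 40001 ssh2
Jan 13 17:50:00 localhost sshd[24401]: Failed password for root from 10.0.0.5 port 40002 ssh2
Jan 13 17:51:00 localhost sshd[24402]: Failed password for root from 10.0.0.5 port 40003 ssh2
"""


def parse_ts(stamp, year=2010):
    """syslog timestamps carry no year; 2010 is assumed from the fail2ban.log above."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def run_jail(log_text, maxretry=3, findtime=600, bantime=600, ignoreip=("127.0.0.1",)):
    """Replay log lines through jail semantics.

    Returns (events, matched): events is a time-ordered list of
    (datetime, "Ban" | "Unban", host); matched is the number of lines the
    failregex accepted. bantime < 0 means a permanent ban, as in jail.conf.
    """
    failures = defaultdict(deque)   # host -> timestamps of failures inside findtime
    banned = {}                     # host -> unban time (None = permanent)
    events = []
    matched = 0
    ignored = set(ignoreip)

    def expire(now):
        # lift every ban whose bantime has elapsed as of `now`
        due = sorted((until, host) for host, until in banned.items()
                     if until is not None and until <= now)
        for until, host in due:
            events.append((until, "Unban", host))
            del banned[host]

    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # e.g. syslog's "last message repeated N times"
        matched += 1
        now, host = parse_ts(m.group("ts")), m.group("host")
        expire(now)
        if host in ignored or host in banned:
            continue                # ignoreip is never banned; a banned host is not re-counted
        window = failures[host]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()        # drop failures older than findtime
        if len(window) >= maxretry:
            events.append((now, "Ban", host))
            banned[host] = None if bantime < 0 else now + timedelta(seconds=bantime)
            window.clear()

    # report unban times still pending when the log ends (permanent bans have none)
    for until, host in sorted((u, h) for h, u in banned.items() if u is not None):
        events.append((until, "Unban", host))
    return events, matched


if __name__ == "__main__":
    evts, n = run_jail(SAMPLE_LOG)
    print(f"{n} lines matched the filter")
    for when, what, host in evts:
        print(f"{when:%Y-%m-%d %H:%M:%S} [ssh-iptables] {what} {host}")
```

With the post's settings the replay reproduces the log above: 192.168.1.8 is banned at the third matching line (17:02:35) and unbanned 600 s later, while 10.0.0.5 is never banned because only two of its three attempts fall inside any 600 s window. Raising findtime to 3600 bans it too, which is the knob to turn against slow, spread-out guessing.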

Log rotation
Write a logrotate configuration and save it as /etc/logrotate.d/fail2ban so that the fail2ban log is rotated regularly; fail2ban-client reload in postrotate makes fail2ban reopen the new file:

/var/log/fail2ban.log {
missingok
notifempty
size 30k
create 0600 root root
postrotate
/usr/bin/fail2ban-client reload 2> /dev/null || true
endscript
}

References
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options
http://allblue.mllm.org/node/186
http://www.lsanotes.cn/fail2ban

Posted in linux maintenance and optimization, security, technology.
