实战fail2ban安装
1.安装fail2ban原因
成都创新互联是一家企业级云计算解决方案提供商,超15年IDC数据中心运营经验。主营GPU显卡服务器,站群服务器,成都服务器托管,海外高防服务器,服务器机柜,动态拨号VPS,海外云手机,海外云服务器,海外服务器租用托管等。
本人的网站自从搭建好一段时间后被问候了无数次,阿里云安全团队真敬业,夜里都给我发异常通知短信,感谢!!!(给他做个广告)
[root@Lnmp logs]# awk '{print $1}' access.log|sort|uniq -c|sort -rn|head -10
18559 121.42.0.38
16353 121.42.0.39
15351 222.186.34.249
15350 222.186.160.94
15341 222.186.21.35
13870 121.42.0.36
13172 121.42.0.17
12393 121.42.0.31
12302 121.42.0.37
11843 121.42.0.30
所以决定安装fail2ban 来限制访问。
1.1 软件介绍
fail2ban是一款实用软件,可以监视你的日志,然后匹配日志的信息(正则式匹配)执行相应的屏蔽动作。
1.2 安装环境
[root@Lnmp logs]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@Lnmp logs]# uname -r
2.6.32-642.6.1.el6.x86_64
2.实战 fail2ban 搭建
#上传fail2ban-0.8.14.tar.gz到安装目录,解压安装
[root@Lnmp tools]# tar xf fail2ban-0.8.14.tar.gz
[root@Lnmp tools]# cd fail2ban-0.8.14
[root@Lnmp fail2ban-0.8.14]# ll
total 236
-rw-rw-r-- 1 root root 46255 Aug 20 2014 ChangeLog
drwxrwxr-x 2 root root 4096 Aug 20 2014 client
drwxrwxr-x 2 root root 4096 Aug 20 2014 common
drwxrwxr-x 4 root root 4096 Aug 20 2014 config
-rw-rw-r-- 1 root root 19296 Aug 20 2014 COPYING
-rw-rw-r-- 1 root root 13329 Aug 20 2014 DEVELOP
drwxrwxr-x 2 root root 4096 Aug 20 2014 doc
-rwxrwxr-x 1 root root 12699 Aug 20 2014 fail2ban-client
-rwxrwxr-x 1 root root 13570 Aug 20 2014 fail2ban-regex
-rwxrwxr-x 1 root root 4502 Aug 20 2014 fail2ban-server
-rwxrwxr-x 1 root root 8242 Aug 20 2014 fail2ban-testcases
-rwxrwxr-x 1 root root 397 Aug 20 2014 fail2ban-testcases-all
drwxrwxr-x 4 root root 4096 Aug 20 2014 files
-rw-rw-r-- 1 root root 18972 Aug 20 2014 FILTERS
-rwxrwxr-x 1 root root 69 Aug 20 2014 kill-server
drwxrwxr-x 2 root root 4096 Aug 20 2014 man
-rw-rw-r-- 1 root root 8268 Aug 20 2014 MANIFEST
-rw-rw-r-- 1 root root 3992 Aug 20 2014 README.md
-rw-rw-r-- 1 root root 4189 Aug 20 2014 README.Solaris
drwxrwxr-x 2 root root 4096 Aug 20 2014 server
-rw-rw-r-- 1 root root 291 Aug 20 2014 setup.cfg
-rwxrwxr-x 1 root root 3337 Aug 20 2014 setup.py
drwxrwxr-x 4 root root 4096 Aug 20 2014 testcases
-rw-rw-r-- 1 root root 1733 Aug 20 2014 THANKS
-rw-rw-r-- 1 root root 1827 Aug 20 2014 TODO
#安装fail2ban,注:没有安装python,需要先安装一下
[root@Lnmp fail2ban-0.8.14]#python setup.py install
#检查启动文件
[root@Lnmp fail2ban-0.8.14]# grep chkconfig ./* -R --color
./files/redhat-initd:# chkconfig: - 92 08
#把启动文件复制到 /etc/init.d下做开机自启动
[root@Lnmp fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --add fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --list fail2ban
fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off
#修改配置文件,修改前备份配置文件
[root@Lnmp fail2ban-0.8.14]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.ori
[root@Lnmp fail2ban-0.8.14]# ls /etc/fail2ban/
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.ori jail.d
#定位到94行[ssh-iptables]修改参数
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf +94
#预防暴力破解
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=wwj@163.com, sender=bob@163.com, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 3 #设定访问频率,单位"次"
bantime = 3600 #限制1小时内不能登录,单位"秒"
findtime = 300 #设定访问时间,十分钟(300s)内
#以上表示十分钟内,3次输错登录密码,关禁闭1小时。
[root@Lnmp fail2ban-0.8.14]# service fail2ban start
Starting fail2ban: [ OK ]
#查看fail2ban规则是否生效
[root@Lnmp fail2ban-0.8.14]# service fail2ban status
fail2ban-server (pid 6723) is running...
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
#限制用户频繁访问网站,禁止非法ip
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf
#按大写G定位到最后,添加如下代码
#nginx access control
[access-get-dos]
enables = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=IT300,port=http,portocol=tcp]
sendmail-whois[name=IT300,dest=11223379@qq.com,sender=wwj@163.com]
#访问日志路径
logpath = /application/nginx/logs/access.log
#限制规则
findtime = 60 #设定访问时间,一分钟(60s)内
maxretry = 30 #设定访问频率,单位"次"
bantime = 3600 #限制1小时内不能登录,单位"秒"
#以上表示1分钟内,30次访问,关禁闭1小时
#创建规则文件
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/filter.d/nginx-bansniffer.conf
[Definition]
failregex =
ignoreregex =
#重新启动fail2ban
[root@Lnmp fail2ban-0.8.14]# service fail2ban reload
#查看fail2ban生效的规则状态
[root@Lnmp fail2ban-0.8.14]# service fail2ban status
fail2ban-server (pid 7013) is running...
Status
|- Number of jail: 2
`- Jail list: access-get-dos, ssh-iptables
#查看生效后访问情况,注:访问日志做了切割
[root@Lnmp logs]#awk '{print $1}' 20161101_access_www.log|sort|uniq -c|sort -rn|head -10
11 121.42.0.16
9 198.52.119.97
8 61.158.152.132
6 112.97.63.104
5 42.48.70.245
5 36.57.226.54
5 221.225.2.214
5 180.114.17.26
5 171.105.144.226
5 123.11.115.223
#uniq -c 表示合并相邻的重复记录,并统计重复数
#sort -n 表示按从小到大进行排序
#sort -r 表示逆序,即按照从大到小的顺序进行排序。
#head -10 表示取前10位
总结:自从fail2ban安装后每天不再接到阿里安全团队的问候短信了,设置成功。
网页标题:实战fail2ban安装
浏览路径:http://scyanting.com/article/jeiogg.html