1.安裝fail2ban原因
本人的網站自從搭建好一段時間後被問候了無數次,阿裡雲安全團隊真敬業,夜裡都給我發異常通知短信,感謝!!!(給他做個廣告
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIiZpdmL5UDMw8lavwlM4p2LclGavwVbvNmL1RWahJmLn1Wavw1LcpDc0RHaiojIsJye.gif)
)
[root@Lnmp logs]# awk '{print $1}' access.log|sort|uniq -c|sort -rn|head -10
18559 121.42.0.38
16353 121.42.0.39
15351 222.186.34.249
15350 222.186.160.94
15341 222.186.21.35
13870 121.42.0.36
13172 121.42.0.17
12393 121.42.0.31
12302 121.42.0.37
11843 121.42.0.30
是以決定安裝fail2ban 來限制通路。
1.1 軟體介紹
fail2ban是一款實用軟體,可以監視你的日志,然後比對日志的資訊(正則式比對)執行相應的屏蔽動作。
1.2 安裝環境
[root@Lnmp logs]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@Lnmp logs]# uname -r
2.6.32-642.6.1.el6.x86_64
2.實戰 fail2ban 搭建
#上傳fail2ban-0.8.14.tar.gz到安裝目錄,解壓安裝
[root@Lnmp tools]# tar xf fail2ban-0.8.14.tar.gz
[root@Lnmp tools]# cd fail2ban-0.8.14
[root@Lnmp fail2ban-0.8.14]# ll
total 236
-rw-rw-r-- 1 root root 46255 Aug 20 2014 ChangeLog
drwxrwxr-x 2 root root 4096 Aug 20 2014 client
drwxrwxr-x 2 root root 4096 Aug 20 2014 common
drwxrwxr-x 4 root root 4096 Aug 20 2014 config
-rw-rw-r-- 1 root root 19296 Aug 20 2014 COPYING
-rw-rw-r-- 1 root root 13329 Aug 20 2014 DEVELOP
drwxrwxr-x 2 root root 4096 Aug 20 2014 doc
-rwxrwxr-x 1 root root 12699 Aug 20 2014 fail2ban-client
-rwxrwxr-x 1 root root 13570 Aug 20 2014 fail2ban-regex
-rwxrwxr-x 1 root root 4502 Aug 20 2014 fail2ban-server
-rwxrwxr-x 1 root root 8242 Aug 20 2014 fail2ban-testcases
-rwxrwxr-x 1 root root 397 Aug 20 2014 fail2ban-testcases-all
drwxrwxr-x 4 root root 4096 Aug 20 2014 files
-rw-rw-r-- 1 root root 18972 Aug 20 2014 FILTERS
-rwxrwxr-x 1 root root 69 Aug 20 2014 kill-server
drwxrwxr-x 2 root root 4096 Aug 20 2014 man
-rw-rw-r-- 1 root root 8268 Aug 20 2014 MANIFEST
-rw-rw-r-- 1 root root 3992 Aug 20 2014 README.md
-rw-rw-r-- 1 root root 4189 Aug 20 2014 README.Solaris
drwxrwxr-x 2 root root 4096 Aug 20 2014 server
-rw-rw-r-- 1 root root 291 Aug 20 2014 setup.cfg
-rwxrwxr-x 1 root root 3337 Aug 20 2014 setup.py
drwxrwxr-x 4 root root 4096 Aug 20 2014 testcases
-rw-rw-r-- 1 root root 1733 Aug 20 2014 THANKS
-rw-rw-r-- 1 root root 1827 Aug 20 2014 TODO
#安裝fail2ban,注:沒有安裝python,需要先安裝一下
[root@Lnmp fail2ban-0.8.14]#python setup.py install
#檢查啟動檔案
[root@Lnmp fail2ban-0.8.14]# grep chkconfig ./* -R --color
./files/redhat-initd:# chkconfig: - 92 08
#把啟動檔案複制到 /etc/init.d下做開機自啟動
[root@Lnmp fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --add fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --list fail2ban
fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off
#修改配置檔案,修改前備份配置檔案
[root@Lnmp fail2ban-0.8.14]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.ori
[root@Lnmp fail2ban-0.8.14]# ls /etc/fail2ban/
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.ori jail.d
#定位到94行[ssh-iptables]修改參數
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf +94
#預防暴力破解
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 3 #設定通路頻率,機關"次"
bantime = 3600 #限制1小時内不能登入,機關"秒"
findtime = 300 #設定通路時間,十分鐘(300s)内
#以上表示十分鐘内,3次輸錯登入密碼,關禁閉1小時。
[root@Lnmp fail2ban-0.8.14]# service fail2ban start
Starting fail2ban: [ OK ]
#檢視fail2ban規則是否生效
[root@Lnmp fail2ban-0.8.14]# service fail2ban status
fail2ban-server (pid 6723) is running...
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
#限制使用者頻繁通路網站,禁止非法ip
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf
#按大寫G定位到最後,添加如下代碼
#nginx access control
[access-get-dos]
enables = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=IT300,port=http,portocol=tcp]
sendmail-whois[name=IT300,[email protected],[email protected]]
#通路日志路徑
logpath = /application/nginx/logs/access.log
#限制規則
findtime = 60 #設定通路時間,一分鐘(60s)内
maxretry = 30 #設定通路頻率,機關"次"
bantime = 3600 #限制1小時内不能登入,機關"秒"
#以上表示1分鐘内,30次通路,關禁閉1小時
#建立規則檔案
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/filter.d/nginx-bansniffer.conf
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
#重新啟動fail2ban
[root@Lnmp fail2ban-0.8.14]# service fail2ban reload
#檢視fail2ban生效的規則狀态
fail2ban-server (pid 7013) is running...
|- Number of jail: 2
`- Jail list: access-get-dos, ssh-iptables
#檢視生效後通路情況,注:通路日志做了切割
[root@Lnmp logs]#awk '{print $1}' 20161101_access_www.log|sort|uniq -c|sort -rn|head -10
11 121.42.0.16
9 198.52.119.97
8 61.158.152.132
6 112.97.63.104
5 42.48.70.245
5 36.57.226.54
5 221.225.2.214
5 180.114.17.26
5 171.105.144.226
5 123.11.115.223
#uniq -c 表示合并相鄰的重複記錄,并統計重複數
#sort -n 表示按從小到大進行排序
#sort -r 表示逆序,即按照從大到小的順序進行排序。
#head -10 表示取前10位