Fail2ban is an open-source tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan log files. All entries matching a pattern are counted, and when their number reaches a predefined threshold, Fail2ban bans the offending IP for a specific length of time. By default, the system firewall is used to enforce the ban. When the ban period expires, the IP address is removed from the ban list.
This article describes how to install and configure Fail2ban on CentOS 8.
Installing Fail2ban on CentOS
The Fail2ban package is included in the default CentOS 8 repositories. To install it, enter the following command as root or as a user with sudo privileges:
sudo dnf install fail2ban
Once the installation is complete, enable and start the Fail2ban service:
sudo systemctl enable --now fail2ban
To check whether the Fail2ban server is running, type:
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-09-10 12:53:45 UTC; 8s ago
...
That's it. At this point, Fail2Ban is running on your CentOS server.
Fail2ban Configuration
The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/00-firewalld.conf. These files should not be modified, as they may be overwritten when the package is updated.
Fail2ban reads the configuration files in the following order:
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local
Each .local file overrides the settings from the corresponding .conf file.
The easiest way to configure Fail2ban is to copy jail.conf to jail.local and modify the .local file. More advanced users can build a .local configuration file from scratch. The .local file doesn't have to include all settings from the corresponding .conf file, only those you want to override.
Create a .local configuration file from the default jail.conf file:
sudo cp /etc/fail2ban/jail.{conf,local}
To start configuring the Fail2ban server, open the jail.local file with your text editor:
sudo nano /etc/fail2ban/jail.local
The file includes comments describing what each configuration option does. In this example, we’ll change the basic settings.
Whitelist IP Addresses
IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. Here you should add your local PC IP address and all other machines that you want to whitelist.
Uncomment the line starting with ignoreip and add your IP addresses separated by a space:
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24
Ban Settings
The values of the bantime, findtime, and maxretry options define the ban time and ban conditions.
bantime is the duration for which the IP is banned. When no suffix is specified, it defaults to seconds. By default, the bantime value is set to 10 minutes. Generally, most users will want to set a longer ban time. Change the value to your liking:
bantime = 1d
To permanently ban the IP, use a negative number.
findtime is the duration within which the failures must occur before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry, see below), those failures must occur within the findtime duration.
findtime = 10m
maxretry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.
maxretry = 5
Email Notifications
Fail2ban can send email alerts when an IP has been banned. To receive email messages, you need to have an SMTP installed on your server and change the default action, which only bans the IP, to %(action_mw)s, as shown below:
action = %(action_mw)s
%(action_mw)s will ban the offending IP and send an email with a whois report. If you want to include the relevant logs in the email, set the action to %(action_mwl)s.
You can also adjust the sending and receiving email addresses:
destemail = admin@linuxize.com
sender = root@linuxize.com
Fail2ban Jails
Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding action is executed.
Fail2ban ships with a number of jails for different services. You can also create your own jail configurations.
By default, on CentOS 8, no jails are enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the sshd jail:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
The settings we discussed in the previous section can be set per jail. Here is an example:
Filters are located in the /etc/fail2ban/filter.d directory, stored in a file named after the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.
Each time you modify a configuration file, you need to restart the Fail2ban service for the changes to take effect:
sudo systemctl restart fail2ban
Fail2ban Client
Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.
To view all available options for the fail2ban-client command, invoke it with the -h option:
fail2ban-client -h
This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:
- Check the jail status:
sudo fail2ban-client status sshd
- Unban an IP:
sudo fail2ban-client set sshd unbanip 23.34.45.56
- Ban an IP:
sudo fail2ban-client set sshd banip 23.34.45.56
Original article by 校长; if reprinted, please credit the source: https://www.yundongfang.com/Yun35715.html