fai2ban防暴力破解
2016-06-01 13:55
363 查看
fai2ban的介绍
fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是调用防火墙屏蔽),如:当有人在试探你的SSH、SMTP、FTP密码,只要达到你预设的次数,fail2ban就会调用防火墙屏蔽这个IP,而且可以发送e-mail通知系统管理员,是一款很实用、很强大的软件!
二、简单来介绍一下fail2ban的功能和特性
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mailnotifications(邮件通知)等等。
3、在logpath选项中支持通配符
4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail
三、fail2ban安装与配置操作实例
1:安装epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn
# yum install shorewall gamin-pythonshorewall-shell shorewall-perl shorewall-common python-inotify python-ctypesfail2ban
# yum install gamin-python python-inotifypython-ctypes
# wgethttp://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm
# yum install gamin-python python-inotifypython-ctypes
# wgethttp://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm
2:源码包安装
# wgethttps://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz
/etc/fail2ban/action.d #动作文件夹,内含默认文件。iptables以及mail等动作配置
/etc/fail2ban/fail2ban.conf #定义了fai2ban日志级别、日志位置及sock文件位置
/etc/fail2ban/filter.d #条件文件夹,内含默认文件。过滤日志关键内容设置
/etc/fail2ban/jail.conf #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值
/etc/rc.d/init.d/fail2ban #启动脚本文件
3. vi /etc/fail2ban/fail2ban.conf
[Definition] loglevel =3 logtarget = SYSLOG #我们需要做的就是把这行改成/var/log/fail2ban.log,方便用来记录日志信息socket =/var/run/fail2ban/fail2ban.sock4. vi /etc/fail2ban/jail.conf
[DEFAULT] #全局设置ignoreip = 127.0.0.1 #忽略的IP列表,不受设置限制bantime = 600 #屏蔽时间,单位:秒findtime = 600 #这个时间段内超过规定次数会被ban掉maxretry = 3 #最大尝试次数backend = auto #日志修改检测机制(gamin、polling和auto这三种)[sshd] #单个服务检查设置,如设置bantime、findtime、maxretry和全局冲突,服务优先级大于全局设置。enabled = true #是否激活此项(true/false)filter = sshd #过滤规则filter的名字,对应filter.d目录下的sshd.confaction = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数,对应action.d/iptables.conf文件logpath = /var/log/secure #检测的日志文件pathbantime = 3600findtime = 300 maxretry = 3 #最大尝试次数
service fail2ban start 启动服务
4.解除fail2ban绑定的IP
查询限制列表
# iptables -L--line-numbers Chain fail2ban-SSH(1references) num target prot opt source destination 1 DROP all -- 118.152.158.61.ha.cncanywhere 2 RETURN all -- anywhere anywhere
解除限制
# iptables -D fail2ban-SSH 1
我们主要编辑jail.conf这个配置文件,其他的不要去管它
# vi /etc/fail2ban.conf
SSH防攻击规则
ssh-iptables]enabled = truefilter = sshdaction = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com,sendername="Fail2Ban"]logpath = /var/log/securemaxretry = 5[ssh-ddos]enabled = truefilter = sshd-ddosaction = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]logpath = /var/log/messagesmaxretry = 2[osx-ssh-ipfw]enabled = truefilter = sshdaction = osx-ipfwlogpath = /var/log/secure.logmaxretry = 5[ssh-apf]enabled = truefilter = sshdaction = apf[name=SSH]logpath = /var/log/securemaxretry = 5[osx-ssh-afctl]enabled = truefilter = sshdaction = osx-afctl[bantime=600]logpath = /var/log/secure.logmaxretry = 5[selinux-ssh]enabled = truefilter = selinux-sshaction = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]logpath = /var/log/audit/audit.logmaxretry = 5
proftp防攻击规则
[proftpd-iptables]enabled = truefilter = proftpdaction = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=you@example.com]logpath = /var/log/proftpd/proftpd.logmaxretry = 6
邮件防攻击规则
[sasl-iptables]enabled = truefilter = postfix-saslbackend = pollingaction = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=you@example.com]logpath = /var/log/mail.log[dovecot]enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot,port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/mail.log[dovecot-auth]enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve",protocol=tcp]logpath = /var/log/secure[perdition]enabled = truefilter = perditionaction = iptables-multiport[name=perdition,port="110,143,993,995"]logpath = /var/log/maillog[uwimap-auth]enabled = truefilter = uwimap-authaction = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]logpath = /var/log/maillog
apache防攻击规则
[apache-tcpwrapper]enabled = truefilter = apache-authaction = hostsdenylogpath = /var/log/httpd/error_logmaxretry = 6[apache-badbots]enabled = truefilter = apache-badbotsaction = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]logpath = /var/log/httpd/access_logbantime = 172800maxretry = 1[apache-shorewall]enabled = truefilter = apache-noscriptaction = shorewall sendmail[name=Postfix, dest=you@example.com]logpath = /var/log/httpd/error_log
nginx防攻击规则
[nginx-http-auth]enabled = truefilter = nginx-http-authaction = iptables-multiport[name=nginx-http-auth,port="80,443"]logpath = /var/log/nginx/error.log
lighttpd防规击规则
[suhosin]enabled = truefilter = suhosinaction = iptables-multiport[name=suhosin, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2[lighttpd-auth]enabled = truefilter = lighttpd-authaction = iptables-multiport[name=lighttpd-auth, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2
vsftpd防攻击规则
[vsftpd-notification]enabled = truefilter = vsftpdaction = sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800[vsftpd-iptables]enabled = truefilter = vsftpdaction = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800
pure-ftpd防攻击规则
[pure-ftpd]enabled = truefilter = pure-ftpdaction = iptables[name=pure-ftpd, port=ftp, protocol=tcp]logpath = /var/log/pureftpd.logmaxretry = 2bantime = 86400
mysql防攻击规则
[mysqld-iptables]enabled = truefilter = mysqld-authaction = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]logpath = /var/log/mysqld.logmaxretry = 5
apache phpmyadmin 防攻击规则
[apache-phpmyadmin]enabled = truefilter = apache-phpmyadminaction = iptables[name=phpmyadmin, port=http,https protocol=tcp]logpath = /var/log/httpd/error_logmaxretry = 3#/etc/fail2ban/filter.d/apache-phpmyadmin.conf
将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.
# Fail2Ban configuration file## Bans bots scanning for non-existingphpMyAdmin installations on your webhost.## Author: Gina Haeussge#[Definition]docroot = /var/wwwbadadmin =PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2# Option: failregex# Notes.: Regexp to match often probed and not available phpmyadmin paths.# Values: TEXT#failregex = [[]client []] File does notexist: %(docroot)s/(?:%(badadmin)s)# Option: ignoreregex# Notes.: regex to ignore. If this regex matches, the line is ignored.# Values: TEXT#ignoreregex =# service fail2ban restart
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径,如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了
fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是调用防火墙屏蔽),如:当有人在试探你的SSH、SMTP、FTP密码,只要达到你预设的次数,fail2ban就会调用防火墙屏蔽这个IP,而且可以发送e-mail通知系统管理员,是一款很实用、很强大的软件!
二、简单来介绍一下fail2ban的功能和特性
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mailnotifications(邮件通知)等等。
3、在logpath选项中支持通配符
4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail
三、fail2ban安装与配置操作实例
1:安装epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn
# yum install shorewall gamin-pythonshorewall-shell shorewall-perl shorewall-common python-inotify python-ctypesfail2ban
# yum install gamin-python python-inotifypython-ctypes
# wgethttp://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm
# yum install gamin-python python-inotifypython-ctypes
# wgethttp://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm
2:源码包安装
# wgethttps://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz
/etc/fail2ban/action.d #动作文件夹,内含默认文件。iptables以及mail等动作配置
/etc/fail2ban/fail2ban.conf #定义了fai2ban日志级别、日志位置及sock文件位置
/etc/fail2ban/filter.d #条件文件夹,内含默认文件。过滤日志关键内容设置
/etc/fail2ban/jail.conf #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值
/etc/rc.d/init.d/fail2ban #启动脚本文件
3. vi /etc/fail2ban/fail2ban.conf
[Definition] loglevel =3 logtarget = SYSLOG #我们需要做的就是把这行改成/var/log/fail2ban.log,方便用来记录日志信息socket =/var/run/fail2ban/fail2ban.sock4. vi /etc/fail2ban/jail.conf
[DEFAULT] #全局设置ignoreip = 127.0.0.1 #忽略的IP列表,不受设置限制bantime = 600 #屏蔽时间,单位:秒findtime = 600 #这个时间段内超过规定次数会被ban掉maxretry = 3 #最大尝试次数backend = auto #日志修改检测机制(gamin、polling和auto这三种)[sshd] #单个服务检查设置,如设置bantime、findtime、maxretry和全局冲突,服务优先级大于全局设置。enabled = true #是否激活此项(true/false)filter = sshd #过滤规则filter的名字,对应filter.d目录下的sshd.confaction = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数,对应action.d/iptables.conf文件logpath = /var/log/secure #检测的日志文件pathbantime = 3600findtime = 300 maxretry = 3 #最大尝试次数
service fail2ban start 启动服务
4.解除fail2ban绑定的IP
查询限制列表
# iptables -L--line-numbers Chain fail2ban-SSH(1references) num target prot opt source destination 1 DROP all -- 118.152.158.61.ha.cncanywhere 2 RETURN all -- anywhere anywhere
解除限制
# iptables -D fail2ban-SSH 1
我们主要编辑jail.conf这个配置文件,其他的不要去管它
# vi /etc/fail2ban.conf
SSH防攻击规则
ssh-iptables]enabled = truefilter = sshdaction = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com,sendername="Fail2Ban"]logpath = /var/log/securemaxretry = 5[ssh-ddos]enabled = truefilter = sshd-ddosaction = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]logpath = /var/log/messagesmaxretry = 2[osx-ssh-ipfw]enabled = truefilter = sshdaction = osx-ipfwlogpath = /var/log/secure.logmaxretry = 5[ssh-apf]enabled = truefilter = sshdaction = apf[name=SSH]logpath = /var/log/securemaxretry = 5[osx-ssh-afctl]enabled = truefilter = sshdaction = osx-afctl[bantime=600]logpath = /var/log/secure.logmaxretry = 5[selinux-ssh]enabled = truefilter = selinux-sshaction = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]logpath = /var/log/audit/audit.logmaxretry = 5
proftp防攻击规则
[proftpd-iptables]enabled = truefilter = proftpdaction = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=you@example.com]logpath = /var/log/proftpd/proftpd.logmaxretry = 6
邮件防攻击规则
[sasl-iptables]enabled = truefilter = postfix-saslbackend = pollingaction = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=you@example.com]logpath = /var/log/mail.log[dovecot]enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot,port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/mail.log[dovecot-auth]enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve",protocol=tcp]logpath = /var/log/secure[perdition]enabled = truefilter = perditionaction = iptables-multiport[name=perdition,port="110,143,993,995"]logpath = /var/log/maillog[uwimap-auth]enabled = truefilter = uwimap-authaction = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]logpath = /var/log/maillog
apache防攻击规则
[apache-tcpwrapper]enabled = truefilter = apache-authaction = hostsdenylogpath = /var/log/httpd/error_logmaxretry = 6[apache-badbots]enabled = truefilter = apache-badbotsaction = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]logpath = /var/log/httpd/access_logbantime = 172800maxretry = 1[apache-shorewall]enabled = truefilter = apache-noscriptaction = shorewall sendmail[name=Postfix, dest=you@example.com]logpath = /var/log/httpd/error_log
nginx防攻击规则
[nginx-http-auth]enabled = truefilter = nginx-http-authaction = iptables-multiport[name=nginx-http-auth,port="80,443"]logpath = /var/log/nginx/error.log
lighttpd防规击规则
[suhosin]enabled = truefilter = suhosinaction = iptables-multiport[name=suhosin, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2[lighttpd-auth]enabled = truefilter = lighttpd-authaction = iptables-multiport[name=lighttpd-auth, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2
vsftpd防攻击规则
[vsftpd-notification]enabled = truefilter = vsftpdaction = sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800[vsftpd-iptables]enabled = truefilter = vsftpdaction = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800
pure-ftpd防攻击规则
[pure-ftpd]enabled = truefilter = pure-ftpdaction = iptables[name=pure-ftpd, port=ftp, protocol=tcp]logpath = /var/log/pureftpd.logmaxretry = 2bantime = 86400
mysql防攻击规则
[mysqld-iptables]enabled = truefilter = mysqld-authaction = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]logpath = /var/log/mysqld.logmaxretry = 5
apache phpmyadmin 防攻击规则
[apache-phpmyadmin]enabled = truefilter = apache-phpmyadminaction = iptables[name=phpmyadmin, port=http,https protocol=tcp]logpath = /var/log/httpd/error_logmaxretry = 3#/etc/fail2ban/filter.d/apache-phpmyadmin.conf
将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.
# Fail2Ban configuration file## Bans bots scanning for non-existingphpMyAdmin installations on your webhost.## Author: Gina Haeussge#[Definition]docroot = /var/wwwbadadmin =PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2# Option: failregex# Notes.: Regexp to match often probed and not available phpmyadmin paths.# Values: TEXT#failregex = [[]client []] File does notexist: %(docroot)s/(?:%(badadmin)s)# Option: ignoreregex# Notes.: regex to ignore. If this regex matches, the line is ignored.# Values: TEXT#ignoreregex =# service fail2ban restart
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径,如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了
相关文章推荐
- 关于jetbrains的各种工具的快捷键参考
- 安装llvm3.8.0时遇到的问题,FAILED: lib/libLTO.so or FAILED: lib/libclang.so.3.8
- AIX建立文件系统
- 回流reflow和重绘repaint
- SSDsim源码分析之main
- 部署kubernetes出现“etcd cluster is unavailable or misconfigured”错误
- 分清big data,ML,AI之间的关系
- 【交换安全】DAI - Dynamic ARP Inspection 详解
- gridbagconstraints
- 【Leetcode】之Climbing Stairs
- 使用Genymotion调试出现错误INSTALL_FAILED_CPU_ABI_INCOMPATIBLE解决办法
- Rails 3 与 Rails 4 中 try 方法的不同
- 【问题处理】GIT删除主分支报错:[remote rejected] master (deletion of the current branch prohibited)
- RAC原理 转载自http://blog.csdn.net/xabc3000/article/details/7078399
- lr 远程控制报Vuser compilation failed.
- leetcode----Container With Most Water
- 将数据划分为训练数据及测试数据(div_train_val.py 解析)
- ccah-500 第5题 How will the Fair Scheduler handle these two jobs?
- SQL Server2008如何设置开启远程连接http://jingyan.baidu.com/article/fec4bce226a264f2618d8ba5.html
- root.sh Fails to Start HAIP as Default Gateway is Configured for Private Network VLAN (ID 1366211)