fail2ban installation, configuration and use

Note: if you restart the firewall, restart the fail2ban service as well, otherwise fail2ban will not take effect: fail2ban's filter chains are only added to iptables after iptables has started, so a firewall restart flushes them.

Installation and configuration:

Install the EPEL repository, then install the package:

# yum -y install fail2ban

Configuration files

Under /etc/fail2ban/, the files we added ourselves (marked in red in the original listing) are the jail definition and the custom filter, namely:

[root@s108c fail2ban]# ll /etc/fail2ban/jail.d/jail.local
-rw-r--r-- 1 root root 174 Sep 12 10:27 /etc/fail2ban/jail.d/jail.local
[root@s108c fail2ban]# ll /etc/fail2ban/filter.d/authdaemond.conf
-rw-r--r-- 1 root root 962 Sep 12 10:08 /etc/fail2ban/filter.d/authdaemond.conf

Log file:

In /etc/fail2ban/fail2ban.conf, point logtarget at the file fail2ban's own log should be written to:

logtarget = /var/log/fail2ban.log

[root@s108c fail2ban]# tree /etc/fail2ban/
/etc/fail2ban/
├── action.d
│   ├── apf.conf
│   ├── badips.conf
│   ├── badips.py
│   ├── badips.pyc
│   ├── badips.pyo
│   ├── blocklist_de.conf
│   ├── cloudflare.conf
│   ├── complain.conf
│   ├── dshield.conf
│   ├── dummy.conf
│   ├── firewallcmd-allports.conf
│   ├── firewallcmd-ipset.conf
│   ├── firewallcmd-multiport.conf
│   ├── firewallcmd-new.conf
│   ├── firewallcmd-rich-logging.conf
│   ├── firewallcmd-rich-rules.conf
│   ├── hostsdeny.conf
│   ├── iptables-allports.conf
│   ├── iptables-common.conf
│   ├── iptables.conf
│   ├── iptables-ipset-proto4.conf
│   ├── iptables-ipset-proto6-allports.conf
│   ├── iptables-ipset-proto6.conf
│   ├── iptables-multiport.conf
│   ├── iptables-multiport-log.conf
│   ├── iptables-new.conf
│   ├── iptables-xt_recent-echo.conf
│   ├── mail-buffered.conf
│   ├── mail.conf
│   ├── mail-whois-common.conf
│   ├── mail-whois.conf
│   ├── mail-whois-lines.conf
│   ├── mynetwatchman.conf
│   ├── nftables-allports.conf
│   ├── nftables-common.conf
│   ├── nftables-multiport.conf
│   ├── npf.conf
│   ├── nsupdate.conf
│   ├── route.conf
│   ├── sendmail-buffered.conf
│   ├── sendmail-common.conf
│   ├── sendmail.conf
│   ├── sendmail-geoip-lines.conf
│   ├── sendmail-whois.conf
│   ├── sendmail-whois-ipjailmatches.conf
│   ├── sendmail-whois-ipmatches.conf
│   ├── sendmail-whois-lines.conf
│   ├── sendmail-whois-matches.conf
│   ├── shorewall.conf
│   ├── shorewall-ipset-proto6.conf
│   ├── smtp.py
│   ├── smtp.pyc
│   ├── smtp.pyo
│   ├── symbiosis-blacklist-allports.conf
│   └── xarf-login-attack.conf
├── fail2ban.conf
├── fail2ban.conf.20170912
├── fail2ban.d
├── filter.d
│   ├── 3proxy.conf
│   ├── apache-auth.conf
│   ├── apache-badbots.conf
│   ├── apache-botsearch.conf
│   ├── apache-common.conf
│   ├── apache-fakegooglebot.conf
│   ├── apache-modsecurity.conf
│   ├── apache-nohome.conf
│   ├── apache-noscript.conf
│   ├── apache-overflows.conf
│   ├── apache-pass.conf
│   ├── apache-shellshock.conf
│   ├── assp.conf
│   ├── asterisk.conf
│   ├── authdaemond.conf
│   ├── botsearch-common.conf
│   ├── common.conf
│   ├── counter-strike.conf
│   ├── courier-auth.conf
│   ├── courier-smtp.conf
│   ├── cyrus-imap.conf
│   ├── directadmin.conf
│   ├── dovecot.conf
│   ├── dropbear.conf
│   ├── drupal-auth.conf
│   ├── ejabberd-auth.conf
│   ├── exim-common.conf
│   ├── exim.conf
│   ├── exim-spam.conf
│   ├── freeswitch.conf
│   ├── froxlor-auth.conf
│   ├── groupoffice.conf
│   ├── gssftpd.conf
│   ├── guacamole.conf
│   ├── haproxy-http-auth.conf
│   ├── horde.conf
│   ├── ignorecommands
│   │   └── apache-fakegooglebot
│   ├── kerio.conf
│   ├── lighttpd-auth.conf
│   ├── mongodb-auth.conf
│   ├── monit.conf
│   ├── murmur.conf
│   ├── mysqld-auth.conf
│   ├── nagios.conf
│   ├── named-refused.conf
│   ├── nginx-botsearch.conf
│   ├── nginx-http-auth.conf
│   ├── nginx-limit-req.conf
│   ├── nsd.conf
│   ├── openhab.conf
│   ├── openwebmail.conf
│   ├── oracleims.conf
│   ├── pam-generic.conf
│   ├── perdition.conf
│   ├── php-url-fopen.conf
│   ├── portsentry.conf
│   ├── postfix.conf
│   ├── postfix-rbl.conf
│   ├── postfix-sasl.conf
│   ├── proftpd.conf
│   ├── pure-ftpd.conf
│   ├── qmail.conf
│   ├── recidive.conf
│   ├── roundcube-auth.conf
│   ├── screensharingd.conf
│   ├── selinux-common.conf
│   ├── selinux-ssh.conf
│   ├── sendmail-auth.conf
│   ├── sendmail-reject.conf
│   ├── sieve.conf
│   ├── slapd.conf
│   ├── sogo-auth.conf
│   ├── solid-pop3d.conf
│   ├── squid.conf
│   ├── squirrelmail.conf
│   ├── sshd.conf
│   ├── sshd-ddos.conf
│   ├── stunnel.conf
│   ├── suhosin.conf
│   ├── tine20.conf
│   ├── uwimap-auth.conf
│   ├── vsftpd.conf
│   ├── webmin-auth.conf
│   ├── wuftpd.conf
│   └── xinetd-fail.conf
├── is
├── jail.conf
├── jail.d
│   └── jail.local
├── paths-common.conf
├── paths-debian.conf
├── paths-fedora.conf
├── paths-freebsd.conf
├── paths-opensuse.conf
└── paths-osx.conf

5 directories, 151 files

Service management commands:

Usage: fail2ban {start|stop|restart|reload|status}

Checking the protection status of a particular jail (one per protected service):

[root@s108c jail.d]# fail2ban-client status authdaemond
Status for the jail: authdaemond
|- Filter
|  |- Currently failed: 13
|  |- Total failed:     452
|  `- File list:        /var/log/authdaemond.log.2017-09-10 /var/log/authdaemond.log.2017-09-05 /var/log/authdaemond.log.2017-09-08 /var/log/authdaemond.log.2017-09-09 /var/log/authdaemond.log.2017-09-01 /var/log/authdaemond.log.2017-09-12 /var/log/authdaemond.log.2017-09-11 /var/log/authdaemond.log.2017-09-03 /var/log/authdaemond.log.2017-09-04 /var/log/authdaemond.log.2017-09-02 /var/log/authdaemond.log.2017-09-06 /var/log/authdaemond.log.2017-09-07
`- Actions
   |- Currently banned: 15
   |- Total banned:     15
   `- Banned IP list:   114.99.27.234 171.211.32.165 36.5.50.152 36.5.53.125 58.221.47.24 60.173.24.19 60.169.199.10 115.183.189.90 58.221.49.92 36.5.54.115 36.5.54.81 121.13.12.123 118.120.228.187 60.167.117.30 118.120.228.209

What this looks like in the firewall (iptables -L -n -v, chain created by fail2ban):

Chain f2b-authdaemond (1 references)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       60.173.24.19         0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       60.169.199.10        0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       60.167.117.30        0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       58.221.49.92         0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       58.221.47.24         0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       36.5.54.81           0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       36.5.54.115          0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       36.5.53.125          0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       36.5.50.152          0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       171.211.32.165       0.0.0.0/0           reject-with icmp-port-unreachable
19   880 REJECT     all  --  *      *       121.13.12.123        0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       118.120.228.209      0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       118.120.228.187      0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       115.183.189.90       0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       114.99.27.234        0.0.0.0/0           reject-with icmp-port-unreachable
0     0 REJECT     all  --  *      *       110.189.223.236      0.0.0.0/0           reject-with icmp-port-unreachable
2   104 REJECT     all  --  *      *       104.243.26.19        0.0.0.0/0           reject-with icmp-port-unreachable

Removing a banned IP directly from the firewall chain:
iptables -D f2b-<name> -s <banned_ip> -j REJECT

(This only deletes the iptables rule; fail2ban itself still lists the address as banned. Unbanning through fail2ban, with fail2ban-client set <name> unbanip <banned_ip>, keeps the two in step.)

Workaround for fail2ban not coping with a logpath of the form /var/log/authdaemond.log.%Y-%m-%d (a new dated file every day):

A daily cron job rewrites the configuration file to point at today's file and then restarts/reloads fail2ban:

[root@s108c fail2ban]# crontab -l

# fail2ban mgr(20170913)
00 00 * * * /home/wangguan/fail2ban/fail2ban_mgr.sh >> /tmp/fail2ban_mgr.log 2>&1

(A per-user crontab, as shown by crontab -l, has no user column; a "root" field in that position would be run as the command. The user column belongs only in /etc/crontab or /etc/cron.d entries.)

[root@s108c fail2ban]# pwd
/home/wangguan/fail2ban
[root@s108c fail2ban]# cat fail2ban_mgr.sh
#!/bin/bash
# Point the authdaemond jail's logpath at today's dated log file,
# then reload fail2ban (or restart it if it is not running).
timestamp=$(date +%Y-%m-%d)
cfg_file="/etc/fail2ban/jail.d/jail.local"
if [ -f "$cfg_file" ]; then
	# '#' is the sed delimiter, so the slashes in the path need no escaping
	sed -i "s#logpath = /var/log/authdaemond.log.*#logpath = /var/log/authdaemond.log.$timestamp#" "$cfg_file"
fi
/etc/init.d/fail2ban status
if [ $? -ne 0 ]; then
	/etc/init.d/fail2ban restart
else
	/etc/init.d/fail2ban reload
fi
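Added example (not the post's own fail2ban_mgr.sh): a safer version of the daily logpath switch that only rewrites jail.local, and only signals a reload, once today's dated log actually exists, so fail2ban is never reloaded against a file that has not been created yet. The jail.local contents, filter name and ban settings are assumptions, and all paths are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not the post's script: switch the authdaemond jail's logpath
# to today's dated log only when that file already exists.
# Everything under $WORK is constructed for this demo; on a real host the
# config is /etc/fail2ban/jail.d/jail.local and the logs live in /var/log.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/jail.local"
LOGDIR="$WORK/log"
mkdir -p "$LOGDIR"

# Constructed jail.local; filter name and ban settings are assumptions,
# not the contents of the post's 174-byte file.
cat > "$CFG" <<'EOF'
[authdaemond]
enabled  = true
filter   = authdaemond
logpath  = /var/log/authdaemond.log.2017-09-12
maxretry = 5
findtime = 600
bantime  = 3600
EOF

# update_logpath CFG LOGDIR DAY
# Exit status: 0 = logpath rewritten (reload fail2ban), 1 = dated log missing
# (do nothing), 2 = logpath already current (no reload needed).
update_logpath() {
    cfg=$1; new="$2/authdaemond.log.$3"
    [ -f "$new" ] || return 1
    grep -qxF "logpath  = $new" "$cfg" && return 2
    # '#' as the sed delimiter avoids escaping every '/' in the path
    sed "s#^logpath *=.*authdaemond\.log.*#logpath  = $new#" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

current_logpath() {
    sed -n 's/^logpath *= *//p' "$1"
}

# Day 1: the dated log does not exist yet -> config untouched, rc=1
rc=0; update_logpath "$CFG" "$LOGDIR" 2017-09-13 || rc=$?
echo "day 1: rc=$rc logpath=$(current_logpath "$CFG")"

# Day 2: the log has appeared -> config rewritten, rc=0, reload would follow
: > "$LOGDIR/authdaemond.log.2017-09-13"   # constructed empty log file
rc=0; update_logpath "$CFG" "$LOGDIR" 2017-09-13 || rc=$?
echo "day 2: rc=$rc logpath=$(current_logpath "$CFG")"
```

On the real host, run the fail2ban reload only when the function returns 0.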
