实战 fail2ban 安装

1.安装fail2ban原因

本人的网站自从搭建好一段时间后被问候了无数次，阿里云安全团队真敬业，夜里都给我发异常通知短信，感谢！！！（给他做个广告）

[root@Lnmp logs]# awk '{print $1}' access.log|sort|uniq -c|sort -rn|head -10

18559 121.42.0.38

16353 121.42.0.39

15351 222.186.34.249

15350 222.186.160.94

15341 222.186.21.35

13870 121.42.0.36

13172 121.42.0.17

12393 121.42.0.31

12302 121.42.0.37

11843 121.42.0.30

所以决定安装fail2ban 来限制访问。

1.1 软件介绍

fail2ban是一款实用软件，可以监视你的日志，然后匹配日志的信息（正则式匹配）执行相应的屏蔽动作。

1.2 安装环境

[root@Lnmp logs]# cat /etc/redhat-release

CentOS release 6.8 (Final)

[root@Lnmp logs]# uname -r

2.6.32-642.6.1.el6.x86_64

2.实战 fail2ban 搭建

#上传fail2ban-0.8.14.tar.gz到安装目录，解压安装

[root@Lnmp tools]# tar xf fail2ban-0.8.14.tar.gz

[root@Lnmp tools]# cd fail2ban-0.8.14

[root@Lnmp fail2ban-0.8.14]# ll

total 236

-rw-rw-r-- 1 root root 46255 Aug 20 2014 ChangeLog

drwxrwxr-x 2 root root 4096 Aug 20 2014 client

drwxrwxr-x 2 root root 4096 Aug 20 2014 common

drwxrwxr-x 4 root root 4096 Aug 20 2014 config

-rw-rw-r-- 1 root root 19296 Aug 20 2014 COPYING

-rw-rw-r-- 1 root root 13329 Aug 20 2014 DEVELOP

drwxrwxr-x 2 root root 4096 Aug 20 2014 doc

-rwxrwxr-x 1 root root 12699 Aug 20 2014 fail2ban-client

-rwxrwxr-x 1 root root 13570 Aug 20 2014 fail2ban-regex

-rwxrwxr-x 1 root root 4502 Aug 20 2014 fail2ban-server

-rwxrwxr-x 1 root root 8242 Aug 20 2014 fail2ban-testcases

-rwxrwxr-x 1 root root 397 Aug 20 2014 fail2ban-testcases-all

drwxrwxr-x 4 root root 4096 Aug 20 2014 files

-rw-rw-r-- 1 root root 18972 Aug 20 2014 FILTERS

-rwxrwxr-x 1 root root 69 Aug 20 2014 kill-server

drwxrwxr-x 2 root root 4096 Aug 20 2014 man

-rw-rw-r-- 1 root root 8268 Aug 20 2014 MANIFEST

-rw-rw-r-- 1 root root 3992 Aug 20 2014 README.md

-rw-rw-r-- 1 root root 4189 Aug 20 2014 README.Solaris

drwxrwxr-x 2 root root 4096 Aug 20 2014 server

-rw-rw-r-- 1 root root 291 Aug 20 2014 setup.cfg

-rwxrwxr-x 1 root root 3337 Aug 20 2014 setup.py

drwxrwxr-x 4 root root 4096 Aug 20 2014 testcases

-rw-rw-r-- 1 root root 1733 Aug 20 2014 THANKS

-rw-rw-r-- 1 root root 1827 Aug 20 2014 TODO

#安装fail2ban，注:没有安装python,需要先安装一下

[root@Lnmp fail2ban-0.8.14]#python setup.py install

#检查启动文件

[root@Lnmp fail2ban-0.8.14]# grep chkconfig ./* -R --color

./files/redhat-initd:# chkconfig: - 92 08

#把启动文件复制到 /etc/init.d下做开机自启动

[root@Lnmp fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban

[root@Lnmp fail2ban-0.8.14]# chkconfig --add fail2ban

[root@Lnmp fail2ban-0.8.14]# chkconfig --list fail2ban

fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off

#修改配置文件，修改前备份配置文件

[root@Lnmp fail2ban-0.8.14]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.ori

[root@Lnmp fail2ban-0.8.14]# ls /etc/fail2ban/

action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.ori jail.d

#定位到94行[ssh-iptables]修改参数

[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf +94

#预防暴力破解

[ssh-iptables]

enabled = true

filter = sshd

action = iptables[name=SSH, port=ssh, protocol=tcp]

sendmail-whois[name=SSH, dest=wwj@163.com, sender=bob@163.com, sendername="Fail2Ban"]

logpath = /var/log/secure

maxretry = 3 #设定访问频率，单位"次"

bantime = 3600 #限制1小时内不能登录，单位"秒"

findtime = 300 #设定访问时间，十分钟(300s)内

#以上表示十分钟内，3次输错登录密码，关禁闭1小时。

[root@Lnmp fail2ban-0.8.14]# service fail2ban start

Starting fail2ban: [ OK ]

#查看fail2ban规则是否生效

[root@Lnmp fail2ban-0.8.14]# service fail2ban status

fail2ban-server (pid 6723) is running...

Status

|- Number of jail: 1

`- Jail list: ssh-iptables

#限制用户频繁访问网站,禁止非法ip

[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf

#按大写G定位到最后，添加如下代码

#nginx access control

[access-get-dos]

enables = true

port = http,https

filter = nginx-bansniffer

action = iptables[name=IT300,port=http,portocol=tcp]

sendmail-whois[name=IT300,dest=11223379@qq.com,sender=wwj@163.com]

#访问日志路径

logpath = /application/nginx/logs/access.log

#限制规则

findtime = 60 #设定访问时间，一分钟(60s)内

maxretry = 30 #设定访问频率，单位"次"

bantime = 3600 #限制1小时内不能登录，单位"秒"

#以上表示1分钟内，30次访问，关禁闭1小时

#创建规则文件

[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/filter.d/nginx-bansniffer.conf

[Definition]

failregex = -.*- .*HTTP/1.* .* .*$

ignoreregex =

#重新启动fail2ban

[root@Lnmp fail2ban-0.8.14]# service fail2ban reload

#查看fail2ban生效的规则状态

[root@Lnmp fail2ban-0.8.14]# service fail2ban status

fail2ban-server (pid 7013) is running...

Status

|- Number of jail: 2

`- Jail list: access-get-dos, ssh-iptables

#查看生效后访问情况，注：访问日志做了切割

[root@Lnmp logs]#awk '{print $1}' 20161101_access_www.log|sort|uniq -c|sort -rn|head -10

11 121.42.0.16

9 198.52.119.97

8 61.158.152.132

6 112.97.63.104

5 42.48.70.245

5 36.57.226.54

5 221.225.2.214

5 180.114.17.26

5 171.105.144.226

5 123.11.115.223

#uniq -c 表示合并相邻的重复记录，并统计重复数

#sort -n 表示按从小到大进行排序

#sort -r 表示逆序，即按照从大到小的顺序进行排序。

#head -10 表示取前10位

总结：自从fail2ban安装后每天不再接到阿里安全团队的问候短信了，设置成功。