fail2ban 使用IPtables防止惡意的破解密碼網路連線(brute-force attack)

1.安裝 yum install fail2ban

2.建立fail2ban記錄檔存放目錄

[root@dns ~]# mkdir /var/log/fail2ban

3. /etc/fail2ban/fail2ban.conf

   請依需求設定,若無則維持原狀

#更改fail2ban記錄檔位置

#logtarget = SYSLOG

logtarget = /var/log/fail2ban/fail2ban.log

4.設定 /etc/fail2ban/jail.conf

#先設定全域預設值

#bantime+findtime+maxretry三個規則的意義是:在 60秒鐘內,錯誤登入3次,則禁止連線 600 秒

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

#設定全域[DEFAULT]的參數設定值,此設定值可被其他服務項目設定的相同參數覆寫
[DEFAULT]
#設定不檢查ip白名單
ignoreip = 127.0.0.1/8 你信任的IP

#被禁止連線的時間,單位為秒
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
#在多少時間內,嘗試連線次數錯誤會被禁止連線,單位為秒
findtime = 60

#嘗試登入錯誤次數
# "maxretry" is the number of failures before a host get banned.
maxretry = 3

#記錄檔修改的機制,共有pyinotify、gamin、polling、auto四種,預設為自動
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto

#保護SSH

[ssh-iptables]

enabled  = true
filter = sshd  #對應/etc/fail2ban/filter.d/sshd.conf
action = iptables[name=SSH, port=ssh, protocol=tcp] #系統使用的防火牆是iptables,所以action參數後面接iptables
          sendmail-whois[name=SSH, dest=你的電子郵件, sender=root]
logpath  = /var/log/fail2ban/sshd.log
maxretry = 5

#保護電子郵件sasl

[sasl-iptables]

enabled  = true
filter = sasl #對應/erc/fail2ban/filter.d/sasl.conf
backend  = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=你的電子郵件]
logpath = /var/log/fail2ban/sasl-mail.log

#保護mysql

# To log wrong MySQL access attempts add to /etc/my.cnf:

# log-error=/var/log/fail2ban/mysqld.log

# log-warning = 2

[mysqld-iptables]

enabled  = true

filter = mysqld-auth #對應/etc/fail2ban/filter.d/mysqld-auth.conf

action   = iptables[name=mysql, port=3306, protocol=tcp]

           sendmail-whois[name=MySQL, dest=你的電子郵件, sender=root]

logpath  = /var/log/mysqld.log

maxretry = 5

#保護roundcube web mail server

# Monitor roundcube server

[roundcube-iptables]

enabled  = true

filter = roundcube-auth #對應/etc/fail2ban/filter.d/roundcube-auth.conf

action = iptables[name=RoundCube, port="http,https"]

logpath = /var/log/fail2ban/roundcube-userlogins

#保護電子郵件dovecot服務

[dovecot-check]
enabled = true
filter = dovecot #對應/etc/fail2ban/filter.d/dovecot.conf
action = ipfilter[name=dovecot-check,port="pop3,pop3s,imap,imaps,protocol=tcp"]
sendmail-whois[name=DOVECOT,dest=你的電子郵件]
logpath = /var/log/fail2ban/dovecot-check.log
ignoreip = 127.0.0.1

#保護webmin服務

[webmin]
enabled = true
filter = webmin-auth #對應/etc/fail2ban/filter.d/webmin-auth.conf
action = iptables[name=Webmin, port=10000, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=root]
logpath = /var/log/fail2ban/webmin-auth.log

  

5.更新fail2ban可能會異動設定檔jail.conf,官方建議備份jail.conf為jail.local,並直接修改jail.local

6.重啟動fail2ban

   service fail2ban restart

7.設定為開機自動啟動 

   chkconfig fail2ban on 

8.檢視目前設定

[root@dns fail2ban]# fail2ban-client status
Status
|- Number of jail: 5
`- Jail list: mysqld-iptables, dovecot-check, roundcube-iptables, ssh-iptables, sasl-iptables

或是執行

[root@dns fail2ban]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/fail2ban/fail2ban.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0

 

9.檢查iptable目前狀況,執行下列指令:

[root@dns fail2ban]# iptables -L -nv

在最底下應該要有下列訊息:

Chain fail2ban-RoundCube (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
42 3176 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-dovecot-check (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-mysql (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-sasl (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

 



,

K 發表在 痞客邦 PIXNET 留言(0) 人氣()