Official description:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured.

Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

1. Installation

    sudo apt-get install fail2ban

2. Configuration

    The configuration files are in /etc/fail2ban.

    After installation, fail2ban monitors only the ssh service by default; to monitor other services you have to configure them yourself.

    In /etc/fail2ban/jail.conf you can find:

       [ssh]
       enabled  = true
       port     = ssh
       filter   = sshd
       logpath  = /var/log/auth.log
       maxretry = 6

    The line enabled = true turns on monitoring of the ssh service.

    Monitoring of ssh is enabled by default.

    However, to keep a fail2ban upgrade from overwriting your settings, jail.conf recommends copying jail.conf to jail.local and asks users not to modify jail.conf directly:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

         The note inside jail.conf:

            # To avoid merges during upgrades DO NOT MODIFY THIS FILE
            # and rather provide your changes in /etc/fail2ban/jail.local


     Common parameters:

           maxretry -- the number of failed password attempts after which the IP is banned

           bantime  -- how long the IP stays banned, in seconds

         -- Excluding trusted networks, e.g. the internal subnet 192.168.1.0/24 --

            # "ignoreip" can be an IP address, a CIDR mask or a DNS host
            ignoreip = 127.0.0.1/8 192.168.1.0/24
            bantime  = 600
            maxretry = 3

         -- Setting the administrator's email address so that a notification is sent when something abnormal happens --

         #
         # Destination email address used solely for the interpolations in
         # jail.{conf,local} configuration files.
         destemail = root@localhost

         -- Enabling apache, postfix, sasl, ssh-ddos and dovecot --

          [apache]
          enabled  = true

          [postfix]
          enabled  = true

          [sasl]
          enabled  = true

          [ssh-ddos]
          enabled  = true

          [dovecot]
          enabled  = true

3. Common commands

    . Show the current status

         fail2ban-client status

    . Start

         sudo service fail2ban start

    . Restart

         sudo service fail2ban restart

    . Stop

         sudo service fail2ban stop

Viewing the log

        The log file is at /var/log/fail2ban.log

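As an added example (not code from the original post or from the fail2ban project), the small Python script below summarizes the Ban/Unban lines that fail2ban writes to fail2ban.log: which IPs each jail currently has banned, which IPs were banned repeatedly, and, as a sanity check on the jail.local above, any ban that falls inside the configured ignoreip ranges, which would mean the trusted-network setting is not in effect. The log lines are constructed samples in fail2ban's log format.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the fail2ban.log format ("... [jail] Ban|Unban <ip>"); not from a real server.
SAMPLE_LOG = """\
2024-01-05 10:01:12,345 fail2ban.actions        [1234]: NOTICE  [ssh] Ban 203.0.113.5
2024-01-05 10:02:40,010 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 198.51.100.7
2024-01-05 10:03:02,220 fail2ban.filter         [1234]: INFO    [ssh] Found 203.0.113.9
2024-01-05 10:11:12,346 fail2ban.actions        [1234]: NOTICE  [ssh] Unban 203.0.113.5
2024-01-05 10:12:00,000 fail2ban.actions        [1234]: NOTICE  [ssh] Ban 203.0.113.5
2024-01-05 10:15:30,500 fail2ban.actions        [1234]: NOTICE  [dovecot] Ban 192.168.1.20
"""
# ignoreip ranges from the jail.local above (strict=False: fail2ban accepts "127.0.0.1/8" with host bits set).
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "192.168.1.0/24")]

# Matches only the action lines; "Found" lines from the filter are ignored.
BAN_RE = re.compile(r"\[(?P<jail>[\w.-]+)\]\s+(?P<action>Ban|Unban)\s+(?P<ip>\S+)\s*$")

def parse_actions(text):
    """Yield (jail, action, ip) for every Ban/Unban line in the log text."""
    for line in text.splitlines():
        m = BAN_RE.search(line)
        if m:
            yield m.group("jail"), m.group("action"), m.group("ip")

def summarize(text, ignoreip=IGNOREIP):
    """Return (currently banned IPs per jail, ban count per IP, bans inside trusted ranges)."""
    active = defaultdict(set)      # jail -> IPs banned and not yet unbanned
    ban_counts = defaultdict(int)  # ip -> how many times it was banned (repeat offenders)
    trusted_hits = []              # (jail, ip) pairs that ignoreip should have prevented
    for jail, action, ip in parse_actions(text):
        if action == "Ban":
            active[jail].add(ip)
            ban_counts[ip] += 1
            if any(ipaddress.ip_address(ip) in net for net in ignoreip):
                trusted_hits.append((jail, ip))
        else:
            active[jail].discard(ip)
    return dict(active), dict(ban_counts), trusted_hits

if __name__ == "__main__":
    active, counts, trusted = summarize(SAMPLE_LOG)
    for jail, ips in sorted(active.items()):
        print(f"[{jail}] currently banned: {', '.join(sorted(ips))}")
    for ip, n in sorted(counts.items()):
        if n > 1:
            print(f"repeat offender: {ip} banned {n} times")
    for jail, ip in trusted:
        print(f"WARNING: [{jail}] banned {ip}, which is inside ignoreip; check that jail.local is in effect")
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/fail2ban.log and IGNOREIP with the ranges from your own jail.local.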

References:

http://www.fail2ban.org/wiki/index.php/Main_Page

http://www.fail2ban.org/wiki/index.php/Category:Configuration
