fail2ban: using iptables to block brute-force password-guessing connections
1. Install: yum install fail2ban
2. Create the directory that will hold fail2ban's log files
[root@dns ~]# mkdir /var/log/fail2ban
3. /etc/fail2ban/fail2ban.conf
Adjust as needed; otherwise leave the defaults.
# change where fail2ban writes its own log
#logtarget = SYSLOG
logtarget = /var/log/fail2ban/fail2ban.log
4. Configure /etc/fail2ban/jail.conf
# global defaults first
# bantime + findtime + maxretry together mean: 3 failed logins from one address within 60 seconds gets that address banned for 600 seconds
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
# [DEFAULT] sets the global values; any jail section below may override the same parameter for that jail only
[DEFAULT]
# addresses that are never banned (whitelist): space-separated IPs or CIDR networks
ignoreip = 127.0.0.1/8 <your trusted IP>
# how long a ban lasts, in seconds
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# length of the window, in seconds, within which failures are counted
findtime = 60
# number of failures allowed inside findtime before the address is banned
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# how fail2ban notices that a log file changed: pyinotify, gamin, polling or auto (the default)
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto
# protect SSH
# Comments are kept on their own lines throughout: fail2ban's INI parser (Python ConfigParser) does not strip a "#" placed after a value in every version, so "filter = sshd #..." can be read as a filter named "sshd #...".
[ssh-iptables]
enabled = true
# the filter name refers to /etc/fail2ban/filter.d/sshd.conf
filter = sshd
# the host firewall is iptables, so the ban action is the iptables action; sendmail-whois mails a whois report for each banned IP
# the second action line must be indented so it is read as a continuation of the same value
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=<your e-mail address>, sender=root]
# the log that sshd actually writes to; on a stock CentOS/RHEL rsyslog setup that is /var/log/secure, so use a path under /var/log/fail2ban only if rsyslog has been configured to write it
logpath = /var/log/fail2ban/sshd.log
maxretry = 5
# protect SMTP AUTH (SASL) on the mail server
[sasl-iptables]
enabled = true
# refers to /etc/fail2ban/filter.d/sasl.conf
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=<your e-mail address>]
logpath = /var/log/fail2ban/sasl-mail.log
# protect MySQL
# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
# (logpath below must be the same file as log-error, otherwise the jail watches a log nothing writes to)
[mysqld-iptables]
enabled = true
# refers to /etc/fail2ban/filter.d/mysqld-auth.conf
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
         sendmail-whois[name=MySQL, dest=<your e-mail address>, sender=root]
logpath = /var/log/mysqld.log
maxretry = 5
# protect the Roundcube webmail server
# Monitor roundcube server
[roundcube-iptables]
enabled = true
# refers to /etc/fail2ban/filter.d/roundcube-auth.conf
filter = roundcube-auth
# a comma-separated port list needs the iptables-multiport action; the plain iptables action hands the whole list to a single --dport, the INPUT jump rule is never inserted, and the chain shows "0 references" in iptables -L
action = iptables-multiport[name=RoundCube, port="http,https", protocol=tcp]
logpath = /var/log/fail2ban/roundcube-userlogins
# protect the Dovecot POP3/IMAP service
[dovecot-check]
enabled = true
# refers to /etc/fail2ban/filter.d/dovecot.conf
filter = dovecot
# port list, so iptables-multiport again; "ipfilter" is fail2ban's action for the BSD/Solaris ipf firewall, not for iptables, and protocol=tcp belongs outside the quoted port list
action = iptables-multiport[name=dovecot-check, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=DOVECOT, dest=<your e-mail address>]
logpath = /var/log/fail2ban/dovecot-check.log
# per-jail override of the global ignoreip
ignoreip = 127.0.0.1
# protect Webmin
[webmin]
enabled = true
# refers to /etc/fail2ban/filter.d/webmin-auth.conf
filter = webmin-auth
action = iptables[name=Webmin, port=10000, protocol=tcp]
         sendmail-whois[name=Webmin, dest=root, sender=root]
logpath = /var/log/fail2ban/webmin-auth.log
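To make the bantime/findtime/maxretry/ignoreip rule from [DEFAULT] concrete, here is an added example (written for this page; it is not fail2ban's own code) that replays constructed sshd log lines through a sliding-window counter with the same semantics as the jail above. The log lines, the host name dns, the year used to complete syslog timestamps, and the names Jail, parse_failure and run_sample are assumptions made for the example; the "Failed password" pattern is a simplified form of the one in filter.d/sshd.conf.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified form of the "Failed password" pattern in fail2ban's
# filter.d/sshd.conf; the timestamp is syslog style, e.g. "Oct 15 12:00:30".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
LOG_YEAR = 2013  # syslog lines carry no year; assumed year for the constructed sample


def parse_failure(line):
    """Return (epoch_seconds, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts.timestamp(), m.group("ip")


class Jail:
    """Sliding-window counter with the semantics of bantime/findtime/maxretry/ignoreip."""

    def __init__(self, findtime=60, maxretry=3, bantime=600, ignoreip=("127.0.0.1/8",)):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
        self.bans = {}                      # ip -> epoch second at which the ban expires
        self.events = []                    # (ip, ban_start) in the order bans were issued

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        return ip in self.bans and now < self.bans[ip]

    def feed(self, line):
        """Process one log line; returns the IP banned by this line, or None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        now, ip = parsed
        if self.is_ignored(ip) or self.is_banned(ip, now):
            return None
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:  # expire old failures
            window.popleft()
        if len(window) < self.maxretry:
            return None
        self.bans[ip] = now + self.bantime
        self.events.append((ip, now))
        window.clear()  # counter starts over once the ban has been issued
        return ip


# Constructed sample log (not from a real host): one fast attacker, localhost
# noise covered by ignoreip, and a slow guesser whose attempts never fit
# inside one 60-second window.
SAMPLE_LOG = """\
Oct 15 12:00:01 dns sshd[4011]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 15 12:00:10 dns sshd[4013]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Oct 15 12:00:30 dns sshd[4015]: Failed password for root from 203.0.113.5 port 51041 ssh2
Oct 15 12:00:31 dns sshd[4016]: Failed password for root from 203.0.113.5 port 51042 ssh2
Oct 15 12:00:40 dns sshd[4020]: Failed password for root from 127.0.0.1 port 40001 ssh2
Oct 15 12:00:41 dns sshd[4021]: Failed password for root from 127.0.0.1 port 40002 ssh2
Oct 15 12:00:42 dns sshd[4022]: Failed password for root from 127.0.0.1 port 40003 ssh2
Oct 15 12:02:00 dns sshd[4030]: Failed password for root from 198.51.100.7 port 33001 ssh2
Oct 15 12:03:30 dns sshd[4031]: Failed password for root from 198.51.100.7 port 33002 ssh2
Oct 15 12:04:00 dns sshd[4032]: Accepted password for alice from 198.51.100.7 port 33003 ssh2
Oct 15 12:04:10 dns sshd[4033]: Failed password for root from 198.51.100.7 port 33004 ssh2
"""


def run_sample(findtime=60, maxretry=3, bantime=600):
    """Replay SAMPLE_LOG through a Jail using the page's [DEFAULT] values."""
    jail = Jail(findtime=findtime, maxretry=maxretry, bantime=bantime)
    for line in SAMPLE_LOG.splitlines():
        banned = jail.feed(line)
        if banned:
            print("ban %s for %ds" % (banned, bantime))
    return jail


if __name__ == "__main__":
    run_sample()
```

With the page's defaults only 203.0.113.5 is banned (three failures in 29 seconds); the fourth attempt one second later is dropped because the address is already banned, 127.0.0.1 is never counted, and 198.51.100.7 stays free because its failures are 90 and 40 seconds apart. Raising findtime to 180 makes the slow guesser's three attempts fall into one window and bans it too, which is the trade-off the findtime value controls.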
5. A package update can overwrite jail.conf, so upstream recommends copying jail.conf to jail.local and editing only jail.local; jail.local is read after jail.conf and only needs the sections and values you change.
6. Restart fail2ban
service fail2ban restart
7. Start fail2ban at boot
chkconfig fail2ban on
8. Check the running configuration
[root@dns fail2ban]# fail2ban-client status
Status
|- Number of jail:      5
`- Jail list:           mysqld-iptables, dovecot-check, roundcube-iptables, ssh-iptables, sasl-iptables
The webmin jail is enabled in jail.conf but absent from this list, so it was not running when the output was taken; the reason is in fail2ban's own log (a logpath that does not exist is the usual cause).
Or, for a single jail, run
[root@dns fail2ban]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/fail2ban/fail2ban.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
"File list" must be the log the protected service writes to. Here it is fail2ban's own log rather than the sshd log set as logpath above, so this jail can never match a failed login; point logpath at the sshd log, restart, and "Total failed" should start rising as attempts arrive.
9. Check the current iptables state:
[root@dns fail2ban]# iptables -L -nv
At the bottom of the output there should be one chain per jail, like these:
Chain fail2ban-RoundCube (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
   42  3176 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fail2ban-dovecot-check (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fail2ban-mysql (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fail2ban-sasl (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
fail2ban creates a chain per jail and inserts a rule in INPUT that jumps to it for the jail's port(s); "(1 references)" means that jump is in place. "(0 references)" means the chain exists but no traffic is ever sent through it, so any address the jail bans is not actually blocked. That happens when the INPUT rule fails to insert, typically because a comma-separated port list was given to the single-port iptables action instead of iptables-multiport, or the action arguments are malformed; fix the action line, restart fail2ban, and the count becomes 1. Banned addresses show up as DROP rules (REJECT in newer fail2ban releases) above the RETURN line of the jail's chain.
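The check above is easy to automate. The following is an added example for this page (not part of the original post or of fail2ban) that parses iptables -L -nv output, lists fail2ban chains that nothing references, and extracts the currently banned sources from each chain. The sample output is constructed to mirror the listing above (a chain with a live DROP rule is added), and the names parse_chains, unreferenced and check_live are assumptions made for the example.

```python
import re
import subprocess

CHAIN_RE = re.compile(r"^Chain (fail2ban-\S+) \((\d+) references\)")
BLOCK_TARGETS = {"DROP", "REJECT"}  # what fail2ban's iptables actions insert per banned IP

# Constructed sample (not captured from a real host) in the `iptables -L -nv`
# layout: two chains without an INPUT jump rule, one chain holding a live ban.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3176 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 fail2ban-mysql  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
    0     0 fail2ban-sasl  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25

Chain fail2ban-RoundCube (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   420 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
   35  2756 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-dovecot-check (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-mysql (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def parse_chains(text):
    """Map each fail2ban-* chain to (reference count, [currently banned sources])."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (int(m.group(2)), [])
            continue
        if line.startswith("Chain "):
            current = None          # a built-in chain such as INPUT; not a jail chain
            continue
        cols = line.split()
        # -nv columns: pkts bytes target prot opt in out source destination ...
        if current and len(cols) >= 9 and cols[2] in BLOCK_TARGETS:
            chains[current][1].append(cols[7])
    return chains


def unreferenced(chains):
    """Chains that exist but that no INPUT rule jumps to: bans added there block nothing."""
    return sorted(name for name, (refs, _) in chains.items() if refs == 0)


def check_live():
    """Run the real command (needs root) and report the same two things."""
    out = subprocess.run(["iptables", "-L", "-nv"], check=True,
                         capture_output=True, text=True).stdout
    chains = parse_chains(out)
    for name in unreferenced(chains):
        print("WARNING: %s has no INPUT jump rule; its bans are ineffective" % name)
    for name, (_, banned) in sorted(chains.items()):
        print("%s: %d banned %s" % (name, len(banned), banned))
    return chains


if __name__ == "__main__":
    for name in unreferenced(parse_chains(SAMPLE_OUTPUT)):
        print("sample: %s is not referenced" % name)
```

On the sample, fail2ban-RoundCube and fail2ban-dovecot-check are reported as unreferenced and fail2ban-SSH is shown holding one banned source; run check_live() as root on the host to get the same report from the live ruleset after each restart.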