centos下fail2ban安装与配置详解
<p><strong>一、fail2ban简介</strong></p>
<p>
fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是防火墙),而且可以发送e-mail通知系统管理员,是不是很好、很实用、很强大!</p>
<p>
<strong>二、简单来介绍一下fail2ban的功能和特性</strong></p>
<p>
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等<br>
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。<br>
3、在logpath选项中支持通配符<br>
4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)<br>
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail</p>
<p>
<strong>三、fail2ban安装与配置操作实例</strong></p>
<p>
1:安装epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code40418">
# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban</div>
<p>
<br>
or</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code32132">
# yum install gamin-python python-inotify python-ctypes<br>
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm<br>
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm</div>
<p>
<br>
or</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code10106">
# yum install gamin-python python-inotify python-ctypes<br>
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm<br>
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm</div>
<p>
</p>
<p>
2:源码包安装</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code49627">
<br>
# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0<br>
# tar -xzvf fail2ban-0.9.0.tar.gz<br>
# cd<br>
# ./setup.py<br>
# cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban<br>
# chmod +x /lib/svc/method/svc-fail2ban</div>
<p>
<br>
安装路径</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code31064">
<br>
/etc/fail2ban<br>
action.d filter.d fail2ban.conf jail.conf</div>
<p>
<br>
我们主要编辑jail.conf这个配置文件,其他的不要去管它.</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code13310">
<br>
# vi /etc/fail2ban.conf</div>
<p>
</p>
<p>
SSH防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code40014">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = sshd<br>
action = iptables<br>
sendmail-whois<br>
logpath = /var/log/secure<br>
maxretry = 5</p>
<p>
<br>
enabled = true<br>
filter = sshd-ddos<br>
action = iptables<br>
logpath = /var/log/messages<br>
maxretry = 2</p>
<p>
</p>
<p>
enabled = true<br>
filter = sshd<br>
action = osx-ipfw<br>
logpath = /var/log/secure.log<br>
maxretry = 5</p>
<p>
</p>
<p>
enabled = true<br>
filter = sshd<br>
action = apf<br>
logpath = /var/log/secure<br>
maxretry = 5</p>
<p>
</p>
<p>
enabled = true<br>
filter = sshd<br>
action = osx-afctl<br>
logpath = /var/log/secure.log<br>
maxretry = 5</p>
<p>
<br>
enabled = true<br>
filter = selinux-ssh<br>
action = iptables<br>
logpath = /var/log/audit/audit.log<br>
maxretry = 5</p>
</div>
<p>
<br>
proftp防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code59904">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = proftpd<br>
action = iptables<br>
sendmail-whois<br>
logpath = /var/log/proftpd/proftpd.log<br>
maxretry = 6</p>
</div>
<p>
<br>
邮件防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code26792">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = postfix-sasl<br>
backend = polling<br>
action = iptables<br>
sendmail-whois<br>
logpath = /var/log/mail.log</p>
<p>
</p>
<p>
enabled = true<br>
filter = dovecot<br>
action = iptables-multiport<br>
logpath = /var/log/mail.log</p>
<p>
</p>
<p>
enabled = true<br>
filter = dovecot<br>
action = iptables-multiport<br>
logpath = /var/log/secure</p>
<p>
</p>
<p>
enabled = true<br>
filter = perdition<br>
action = iptables-multiport<br>
logpath = /var/log/maillog</p>
<p>
<br>
</p>
<p>
enabled = true<br>
filter = uwimap-auth<br>
action = iptables-multiport<br>
logpath = /var/log/maillog</p>
</div>
<p>
<br>
apache防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code26128">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = apache-auth<br>
action = hostsdeny<br>
logpath = /var/log/httpd/error_log<br>
maxretry = 6</p>
<p>
</p>
<p>
enabled = true<br>
filter = apache-badbots<br>
action = iptables-multiport<br>
sendmail-buffered<br>
logpath = /var/log/httpd/access_log<br>
bantime = 172800<br>
maxretry = 1</p>
<p>
</p>
<p>
enabled = true<br>
filter = apache-noscript<br>
action = shorewall<br>
sendmail<br>
logpath = /var/log/httpd/error_log</p>
</div>
<p>
<br>
nginx防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code1561">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = nginx-http-auth<br>
action = iptables-multiport<br>
logpath = /var/log/nginx/error.log</p>
</div>
<p>
<br>
lighttpd防规击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code75262">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = suhosin<br>
action = iptables-multiport<br>
# adapt the following two items as needed<br>
logpath = /var/log/lighttpd/error.log<br>
maxretry = 2</p>
<p>
</p>
<p>
enabled = true<br>
filter = lighttpd-auth<br>
action = iptables-multiport<br>
# adapt the following two items as needed<br>
logpath = /var/log/lighttpd/error.log<br>
maxretry = 2</p>
</div>
<p>
<br>
vsftpd防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code27601">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = vsftpd<br>
action = sendmail-whois<br>
logpath = /var/log/vsftpd.log<br>
maxretry = 5<br>
bantime = 1800</p>
<p>
</p>
<p>
enabled = true<br>
filter = vsftpd<br>
action = iptables<br>
sendmail-whois<br>
logpath = /var/log/vsftpd.log<br>
maxretry = 5<br>
bantime = 1800</p>
</div>
<p>
<br>
pure-ftpd防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code70585">
<br>
<br>
enabled = true<br>
filter = pure-ftpd<br>
action = iptables<br>
logpath = /var/log/pureftpd.log<br>
maxretry = 2<br>
bantime = 86400</div>
<p>
<br>
mysql防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code94748">
<p>
<br>
</p>
<p>
</p>
<p>
enabled = true<br>
filter = mysqld-auth<br>
action = iptables<br>
sendmail-whois<br>
logpath = /var/log/mysqld.log<br>
maxretry = 5</p>
</div>
<p>
<br>
apache phpmyadmin防攻击规则</p>
<div class="codetitle">
<span><u>复制代码</u></span> 代码如下:</div>
<div class="codebody" id="code22260">
<p>
<br>
<br>
enabled = true<br>
filter = apache-phpmyadmin<br>
action = iptables<br>
logpath = /var/log/httpd/error_log<br>
maxretry = 3<br>
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf<br>
将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.</p>
<p>
</p>
<p>
# Fail2Ban configuration file<br>
#<br>
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.<br>
#<br>
# Author: Gina Haeussge<br>
#<br><br>
<br><br>
docroot = /var/www<br>
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2<br><br>
# Option: failregex<br>
# Notes.: Regexp to match often probed and not available phpmyadmin paths.<br>
# Values: TEXT<br>
#<br>
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)<br><br>
# Option: ignoreregex<br>
# Notes.: regex to ignore. If this regex matches, the line is ignored.<br>
# Values: TEXT<br>
#<br>
ignoreregex =<br>
# service fail2ban restart</p>
</div>
<p>
</p>
<p>
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径, 如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了.</p>
頁:
[1]