Contents
Fail2ban installation video
Introduction to Fail2ban
Fail2Ban is an open-source intrusion prevention tool for hardening servers. It monitors log files to detect suspicious activity such as repeated failed login attempts and responds automatically, for example by temporarily blocking the offending IP address. Fail2Ban is most commonly used against brute-force attacks, especially on services such as SSH, FTP and HTTP.
As soon as a VPS is brought online, someone is constantly scanning port 22 and trying to brute-force it. Here is a single day's worth of failed logins recorded on my DMIT box:
root@localhost:~# lastb
Installing Fail2ban
# Update the package lists and installed packages
apt update && apt upgrade -y
# Install Fail2ban
apt install fail2ban -y
Configuring Fail2ban
With a package-manager install, all configuration files live under /etc/fail2ban. The directory layout looks like this:
drwxr-xr-x 6 root root 4096 Oct 8 18:06 .
drwxr-xr-x 75 root root 4096 Oct 8 17:03 ..
drwxr-xr-x 2 root root 4096 Oct 8 17:03 action.d
-rw-r--r-- 1 root root 3017 Nov 9 2022 fail2ban.conf
drwxr-xr-x 2 root root 4096 Apr 21 2023 fail2ban.d
drwxr-xr-x 3 root root 4096 Oct 8 17:03 filter.d
-rw-r--r-- 1 root root 25640 Oct 8 18:06 jail.conf
drwxr-xr-x 2 root root 4096 Oct 8 17:03 jail.d
-rw-r--r-- 1 root root 645 Nov 9 2022 paths-arch.conf
-rw-r--r-- 1 root root 2728 Nov 9 2022 paths-common.conf
-rw-r--r-- 1 root root 627 Nov 9 2022 paths-debian.conf
-rw-r--r-- 1 root root 738 Nov 9 2022 paths-opensuse.conf
Fail2ban configuration directory structure
Entry | Purpose
action.d | Holds the action configuration files, i.e. what is executed when a rule is triggered
fail2ban.conf | The configuration file for the Fail2ban daemon itself
fail2ban.d | Additional configuration files for Fail2ban
filter.d | The rules / filters directory. It contains the configuration files that define log filtering rules. The official filters live here, and you can also define your own blocking filters, for example against attacks on frp tunnels
jail.conf | Fail2ban's official example jail configuration. It defines the rules for monitoring and protecting services or protocols and ties filters to actions
jail.d | Additional jail configuration files. At start-up Fail2ban loads jail.local as well as every configuration file in the jail.d directory
The supplied example configuration lives in jail.conf. Do not edit that file directly; use it as a reference and put your own settings in jail.local. Every jail defined in the jail.conf example is disabled by default and must be enabled by hand.
jail configuration file
[DEFAULT]
# Settings in this section apply globally to all jails; each jail can override them
...
# How long an IP stays banned. A plain number is seconds; bantime = 10m means 10 minutes.
bantime = 10m
# The time window used to decide whether to ban. findtime = 10m means an IP that fails maxretry or more times within the last 10 minutes is banned.
findtime = 10m
# Maximum number of failed logins allowed. If an IP reaches or exceeds maxretry failures within findtime, it is banned.
maxretry = 5
# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s
# Backend used to detect log file changes, i.e. the mechanism Fail2ban uses to watch logs.
# Available backends: pyinotify, gamin, polling, systemd and auto.
# If no backend is specified, Fail2ban tries them in order until it finds one that works.
# backend = auto means Fail2ban uses whichever of pyinotify, gamin, polling or systemd is available.
backend = auto
# Enable the sshd jail
[sshd]
# Ban IPs with nftables
banaction = nftables-multiport
banaction_allports = nftables-allports
# How long the client host is banned, in seconds
bantime = 86400
# Number of failures allowed before the client host is banned
maxretry = 3
# Window in which failures are counted, in seconds
findtime = 600
backend = systemd
# The option is "enabled"; a jail with only "enable" set stays disabled
enabled = true
Note that Fail2ban works by analysing log files. On some Linux distributions the SSH login log has moved into the systemd journal, so without backend = systemd the service fails at start-up with the following error:
ERROR Failed during configuration: Have not found any log file for sshd jail
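To make the interaction of bantime, findtime and maxretry concrete, here is an added example (not part of the original post or of Fail2ban's code) that replays a constructed sshd log through the rule the [sshd] jail above applies, and also shows how changing findtime or maxretry changes the outcome. The regex and simulate_jail are simplified stand-ins written for this example, and the IPs are RFC 5737 test addresses.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for the "Failed password" pattern in filter.d/sshd.conf
# (hypothetical regex written for this example, not Fail2ban's own failregex).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: RFC 5737 test addresses, not real attackers.
SAMPLE_LOG = """\
Oct 11 02:01:05 vps sshd[4101]: Failed password for invalid user iqbal from 192.0.2.10 port 50122 ssh2
Oct 11 02:03:40 vps sshd[4109]: Failed password for invalid user chenlin from 192.0.2.10 port 50130 ssh2
Oct 11 02:06:12 vps sshd[4115]: Failed password for root from 192.0.2.10 port 50141 ssh2
Oct 11 02:07:00 vps sshd[4120]: Accepted publickey for deploy from 192.0.2.20 port 50150 ssh2
Oct 11 02:10:00 vps sshd[4130]: Failed password for invalid user admin from 192.0.2.30 port 41000 ssh2
Oct 11 02:25:00 vps sshd[4140]: Failed password for invalid user admin from 192.0.2.30 port 41001 ssh2
Oct 11 02:40:00 vps sshd[4150]: Failed password for invalid user admin from 192.0.2.30 port 41002 ssh2
""".splitlines()

def to_seconds(ts):
    """Seconds since midnight; the sample stays within a single day."""
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

def simulate_jail(lines, findtime=600, maxretry=3, bantime=86400):
    """Replay log lines through the jail rule; return {ip: second the ban started}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    banned_until = {}            # ip -> second at which its ban expires
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # the filter ignores lines that are not failures
        ip, now = m["ip"], to_seconds(m["ts"])
        if now < banned_until.get(ip, -1):
            continue  # still banned; nothing new to count
        window = recent[ip]
        window.append(now)
        while now - window[0] > findtime:  # slide the window: forget old failures
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = now
            banned_until[ip] = now + bantime
            window.clear()
    return bans
```

With the jail's values (findtime=600, maxretry=3) only 192.0.2.10 is banned; 192.0.2.30 fails three times too, but 15 minutes apart, so it never has three failures inside one 10-minute window until findtime is raised to an hour.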
Fail2ban service commands
# Restart
sudo systemctl restart fail2ban
# Stop
sudo systemctl stop fail2ban
# Start
sudo systemctl start fail2ban
# Enable at boot
sudo systemctl enable fail2ban
# Disable at boot
sudo systemctl disable fail2ban
Common Fail2ban commands
# Show the jails Fail2ban is currently monitoring and their status
fail2ban-client status
# Show ban information for the sshd jail
fail2ban-client status sshd
# Manually unban an IP
fail2ban-client unban <IP>