Improving server stability with fail2ban

fail2ban

Introduction

Repository: github.com/fail2ban/fa...

Fail2Ban scans log files such as /var/log/auth.log and updates the system firewall rules to ban, for a configurable period, IP addresses that make too many failed attempts. Using fail2ban can considerably improve the security of a system.

Installation

```shell
$ sudo ln -sf /usr/bin/python3.7 /usr/bin/python   # make "python" point at Python 3
$ git clone https://github.com/fail2ban/fail2ban.git
$ cd fail2ban/
$ python setup.py install
$ cp files/debian-initd /etc/init.d/fail2ban       # install the init script
$ update-rc.d fail2ban defaults                     # enable it at boot
$ service fail2ban start
```

Default log: /var/log/fail2ban.log

Reference configuration: /etc/fail2ban/jail.conf

Preventing SSH brute force

An SSH service exposed to the public internet is a constant target of attacks; fail2ban can be used to stop brute-force attempts against it.

```shell
$ cat /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 1046
filter = sshd
logpath = /var/log/auth.log
ignoreip = 127.0.0.1/8 ::1
findtime = 600 ; window (seconds) in which failures are counted
maxretry = 3 ; maximum number of failures inside the window
bantime = 60 ; ban duration (seconds)
```

Note that fail2ban only treats `;` (after a space) as an inline comment marker; a `#` after a value becomes part of the value, so inline comments in jail.local must use `;`.
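
To make the meaning of findtime, maxretry and bantime concrete, the following added example (not part of the original post, and not fail2ban's own code) replays a few constructed auth.log lines through a sliding-window model of the jail above. The failregex is a hypothetical, simplified pattern for "Failed password" lines only; fail2ban's real sshd filter covers many more message forms.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters from the [sshd] section above.
FINDTIME = 600   # seconds: window in which failures are counted
MAXRETRY = 3     # failures inside the window that trigger a ban
BANTIME = 60     # seconds the ban lasts
IGNOREIP = {"127.0.0.1", "::1"}

# Hypothetical, simplified failregex for sshd "Failed password" lines.
# It is NOT fail2ban's own sshd filter, which covers many more message forms.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth.log lines (not taken from the page).
SAMPLE_AUTH_LOG = """\
Mar 29 14:00:01 host sshd[1001]: Failed password for root from 10.246.250.26 port 50000 ssh2
Mar 29 14:00:05 host sshd[1002]: Failed password for invalid user admin from 10.246.250.26 port 50001 ssh2
Mar 29 14:00:09 host sshd[1003]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
Mar 29 14:00:12 host sshd[1004]: Failed password for root from 10.246.250.26 port 50002 ssh2
Mar 29 14:00:20 host sshd[1005]: Failed password for root from 10.0.0.7 port 41000 ssh2
Mar 29 14:20:30 host sshd[1006]: Failed password for root from 10.0.0.7 port 41001 ssh2
Mar 29 14:40:40 host sshd[1007]: Failed password for root from 10.0.0.7 port 41002 ssh2
Mar 29 14:41:00 host sshd[1008]: Failed password for root from 127.0.0.1 port 41003 ssh2
"""

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; the simulation assumes one
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def simulate_jail(log_text, findtime=FINDTIME, maxretry=MAXRETRY,
                  bantime=BANTIME, ignoreip=IGNOREIP):
    """Replay log lines through a sliding window and return (bans, failures).

    bans:     list of (ip, ban_start, ban_end) in log order
    failures: dict ip -> number of matching failure lines
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> datetime when the current ban ends
    bans, failures = [], defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in ignoreip:
            continue              # ignoreip: never counted, never banned
        failures[ip] += 1
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned: nothing more to do
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()        # start counting afresh after the ban
    return bans, dict(failures)

if __name__ == "__main__":
    bans, failures = simulate_jail(SAMPLE_AUTH_LOG)
    for ip, start, end in bans:
        print(f"Ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
    print("failures per IP:", failures)
```

In the sample, 10.246.250.26 fails three times within 11 seconds and is banned on the third failure, while 10.0.0.7 also fails three times but 20 minutes apart, so its failures never accumulate inside the 600-second window and it is never banned. This is why findtime and maxretry have to be chosen together: a long findtime with a low maxretry catches slow attempts but also punishes users who occasionally mistype a password.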

Restart the service

```shell
$ systemctl restart fail2ban
$ fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
```

After deliberately failing an SSH login three times, check iptables:

```shell
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1046

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	9
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	3
   `- Banned IP list:	10.246.250.26
```

Manually lifting a ban

```shell
$ fail2ban-client unban 10.246.250.26
```

Preventing brute force against nginx

Configure nginx and fail2ban

```shell
$ printf "test:$(openssl passwd -1 testpassword)\n" > /etc/nginx/conf.d/.passwd   # basic-auth user "test"
$ cat /etc/nginx/sites-enabled/test.conf
server {
    listen 80 ;
    server_name test.netease.com;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-http-auth]
enabled = true
port    = http,https
filter  = nginx-http-auth
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 3
bantime = 60
$ systemctl restart fail2ban
```

Test

```shell
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:test # banned after 3 failures
curl: (7) Failed to connect to test.netease.com port 80: Connection refused
# on the server side you can see
$ tail -f  /var/log/fail2ban.log
2024-03-29 14:09:31,083 fail2ban.filter   [40602]: INFO    [nginx-http-auth] Found 10.246.250.26 - 2024-03-29 14:09:31
2024-03-29 14:09:31,850 fail2ban.actions  [40602]: NOTICE  [nginx-http-auth] Ban 10.246.250.26
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-http-auth  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-http-auth (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```

Preventing nginx from being flooded

Configure nginx and fail2ban. Although limit_req can answer excess requests with 503, a large volume of 503 responses still puts load on the server, so fail2ban is used to add iptables rules that block the source outright.

```shell
$ cat /etc/nginx/sites-enabled/test.conf
limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s; # set to 1 request per second for the test

server {
    listen 80 ;
    server_name test.netease.com;
    limit_req zone=perip burst=1 nodelay;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-limit-req]
enabled = true
port    = http,https
filter  = nginx-limit-req
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 1
bantime = 60
$ systemctl restart fail2ban
```

Test

```shell
$ for i in `seq 10`;do curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword ;done
# on the server side you can see
$ tail  -f /var/log/fail2ban.log
2024-03-29 14:32:04,414 fail2ban.filter         [14526]: INFO    [nginx-limit-req] Found 10.246.250.26 - 2024-03-29 14:31:29
2024-03-29 14:32:04,449 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] Ban 10.246.250.26
2024-03-29 14:32:04,478 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] 10.246.250.26 already banned
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-limit-req  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-limit-req (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```
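
Both jails above write Found/Ban lines to /var/log/fail2ban.log, and in practice that log is what you watch to know whether the bans are doing their job. The following added example (not part of the original post, and not a fail2ban tool) parses lines in the format shown above, counts Found/Ban/Unban/"already banned" events per jail, and replays the ban and unban events to list the IPs still banned. The first five sample lines are the ones shown on this page; the final Unban line is constructed.

```python
import re
from collections import defaultdict

# Line format of /var/log/fail2ban.log as shown above:
# "<date> <time>,<ms> fail2ban.<component> [<pid>]: <LEVEL> [<jail>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.(?P<component>\w+)\s+"
    r"\[\d+\]: (?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<msg>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Message shapes we classify; anything else is ignored.
EVENT_RES = {
    "found": re.compile(rf"^Found (?P<ip>{IPV4})"),
    "ban": re.compile(rf"^Ban (?P<ip>{IPV4})$"),
    "unban": re.compile(rf"^Unban (?P<ip>{IPV4})$"),
    "already_banned": re.compile(rf"^(?P<ip>{IPV4}) already banned$"),
}

# Sample log: first five lines from this page, last line constructed.
SAMPLE_LOG = """\
2024-03-29 14:09:31,083 fail2ban.filter   [40602]: INFO    [nginx-http-auth] Found 10.246.250.26 - 2024-03-29 14:09:31
2024-03-29 14:09:31,850 fail2ban.actions  [40602]: NOTICE  [nginx-http-auth] Ban 10.246.250.26
2024-03-29 14:32:04,414 fail2ban.filter         [14526]: INFO    [nginx-limit-req] Found 10.246.250.26 - 2024-03-29 14:31:29
2024-03-29 14:32:04,449 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] Ban 10.246.250.26
2024-03-29 14:32:04,478 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] 10.246.250.26 already banned
2024-03-29 14:33:04,500 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] Unban 10.246.250.26
"""

def parse_events(text):
    """Return a list of {ts, jail, kind, ip} dicts, one per recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in EVENT_RES.items():
            e = pat.match(m.group("msg"))
            if e:
                events.append({"ts": m.group("ts"), "jail": m.group("jail"),
                               "kind": kind, "ip": e.group("ip")})
                break
    return events

def summarize(events):
    """Per-jail counts of each event kind plus the set of IPs that were banned."""
    summary = defaultdict(lambda: {"found": 0, "ban": 0, "unban": 0,
                                   "already_banned": 0, "banned_ips": set()})
    for ev in events:
        s = summary[ev["jail"]]
        s[ev["kind"]] += 1
        if ev["kind"] == "ban":
            s["banned_ips"].add(ev["ip"])
    return dict(summary)

def currently_banned(events):
    """Replay Ban/Unban in log order; return the (jail, ip) pairs still banned."""
    active = set()
    for ev in events:
        key = (ev["jail"], ev["ip"])
        if ev["kind"] == "ban":
            active.add(key)
        elif ev["kind"] == "unban":
            active.discard(key)
    return active

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for jail, s in summarize(evs).items():
        print(jail, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
    print("still banned:", sorted(currently_banned(evs)))
```

The "already banned" counter is worth watching: one or two after a ban are normal (several matching nginx error lines can arrive in the same scan, as in the output above), but a steady stream of them for one IP over minutes means the filter keeps matching new requests from a client that the firewall rule should have cut off, which usually points at the ban action not applying, for instance because nginx sits behind a proxy and logs the proxy's address.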