Improving server stability with fail2ban

fail2ban

Introduction

Repository: github.com/fail2ban/fa...

Fail2Ban scans log files such as /var/log/auth.log and updates the system firewall rules to ban, for a configurable period of time, IP addresses that make too many failed attempts. Using fail2ban can substantially improve system security.

Installation

```shell
# point /usr/bin/python at python3.7 so setup.py runs under Python 3
$ sudo ln -sf /usr/bin/python3.7 /usr/bin/python
$ git clone https://github.com/fail2ban/fail2ban.git
$ cd fail2ban/
$ python setup.py install
# install the Debian-style init script shipped in the repository and enable it at boot
$ cp files/debian-initd /etc/init.d/fail2ban
$ update-rc.d fail2ban defaults
$ service fail2ban start
```

Default log: /var/log/fail2ban.log

Reference configuration: /etc/fail2ban/jail.conf

Preventing SSH brute force

An SSH service exposed on the public Internet is a constant target for attacks; fail2ban can be used to block brute-force attempts.

```shell
$ cat /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 1046
filter = sshd
logpath = /var/log/auth.log
ignoreip = 127.0.0.1/8 ::1
# window (seconds) within which failures are counted
findtime = 600
# failures allowed inside findtime before a ban
maxretry = 3
# ban duration (seconds)
bantime = 60
```

Restart the service

```shell
$ systemctl restart fail2ban
$ fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
```

We repeatedly fail an SSH login; after the third failure we inspect iptables

```shell
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1046

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	9
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	3
   `- Banned IP list:	10.246.250.26
```

Removing a ban manually

```shell
$ fail2ban-client unban 10.246.250.26
```

Preventing brute force against nginx

Configure nginx and fail2ban

```shell
$ printf "test:$(openssl passwd -1 testpassword)\n" > /etc/nginx/conf.d/.passwd
$ cat /etc/nginx/sites-enabled/test.conf
server {
    listen 80 ;
    server_name test.netease.com;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-http-auth]
enabled = true
port    = http,https
filter  = nginx-http-auth
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 3
bantime = 60
$ systemctl restart fail2ban
```

Testing

```shell
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:test # banned after 3 failures
curl: (7) Failed to connect to test.netease.com port 80: Connection refused
# on the server side you can see
$ tail -f  /var/log/fail2ban.log
2024-03-29 14:09:31,083 fail2ban.filter   [40602]: INFO    [nginx-http-auth] Found 10.246.250.26 - 2024-03-29 14:09:31
2024-03-29 14:09:31,850 fail2ban.actions  [40602]: NOTICE  [nginx-http-auth] Ban 10.246.250.26
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-http-auth  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-http-auth (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```

Preventing nginx from being flooded with requests

Configure nginx and fail2ban. limit_req alone can answer the client with 503, but a large volume of 503 responses still loads the server, so we have fail2ban add an iptables rule and block the source outright.

```shell
$ cat /etc/nginx/sites-enabled/test.conf
limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s; # lowered to 1 request per second for testing

server {
    listen 80 ;
    server_name test.netease.com;
    limit_req zone=perip burst=1 nodelay;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-limit-req]
enabled = true
port    = http,https
filter  = nginx-limit-req
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 1
bantime = 60
$ systemctl restart fail2ban
```

Testing

```shell
$ for i in $(seq 10); do curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword; done
# on the server side you can see
$ tail  -f /var/log/fail2ban.log
2024-03-29 14:32:04,414 fail2ban.filter         [14526]: INFO    [nginx-limit-req] Found 10.246.250.26 - 2024-03-29 14:31:29
2024-03-29 14:32:04,449 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] Ban 10.246.250.26
2024-03-29 14:32:04,478 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] 10.246.250.26 already banned
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-limit-req  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-limit-req (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```
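
The three jails above (sshd, nginx-http-auth, nginx-limit-req) share one mechanism: a filter regex pulls the client IP out of each matching log line, failures per IP are counted inside a sliding findtime window, and once maxretry is reached the IP is banned for bantime, then released. The following Python emulation of that logic is an added example, not code from this post or from fail2ban itself. Its three regexes are simplified stand-ins for the real filters, and the log lines are constructed with RFC 5737 test addresses to exercise the jail.local values used above (sshd: 600 s / 3 / 60 s; nginx-http-auth: 1m / 3 / 60; nginx-limit-req: 1m / 1 / 60). It shows why a fast guesser is banned on the third attempt while one that spaces its attempts wider than findtime never is, and why the second limit_req hit from an already banned IP yields the "already banned" notice seen in the log rather than a second ban.

```python
import re
from collections import defaultdict, deque

# Simplified patterns in the spirit of fail2ban's sshd, nginx-http-auth and
# nginx-limit-req filters (assumptions for this example, not fail2ban's failregex).
PATTERNS = {
    "sshd": re.compile(
        r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    "nginx-http-auth": re.compile(
        r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), client: (?P<ip>[^,]+),'),
    "nginx-limit-req": re.compile(
        r'limiting requests, excess: [\d.]+ by zone "[^"]+", client: (?P<ip>[^,]+),'),
}


class Jail:
    """Emulates one jail: failures per IP inside a sliding findtime window,
    a ban once maxretry is reached, and automatic unban after bantime."""

    def __init__(self, name, pattern, findtime, maxretry, bantime):
        self.name, self.pattern = name, pattern
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of matched failures
        self.bans = {}                      # ip -> time (seconds) the ban expires
        self.total_banned = 0

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                   # bantime elapsed: fail2ban unbans
            del self.bans[ip]
            return False
        return True

    def observe(self, now, line):
        """Feed one log line seen at `now` (seconds). Returns None for a
        non-matching line, else (status, ip) with status "found" (matched,
        below threshold), "ban" or "already banned"."""
        m = self.pattern.search(line)
        if not m:
            return None
        ip = m.group("ip")
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:  # forget stale failures
            window.popleft()
        if len(window) < self.maxretry:
            return ("found", ip)
        if self.is_banned(ip, now):
            return ("already banned", ip)
        self.bans[ip] = now + self.bantime
        self.total_banned += 1
        window.clear()
        return ("ban", ip)


def build_jails():
    """Jail parameters mirror the jail.local snippets in the post (in seconds)."""
    return {
        "sshd": Jail("sshd", PATTERNS["sshd"], findtime=600, maxretry=3, bantime=60),
        "nginx-http-auth": Jail("nginx-http-auth", PATTERNS["nginx-http-auth"],
                                findtime=60, maxretry=3, bantime=60),
        "nginx-limit-req": Jail("nginx-limit-req", PATTERNS["nginx-limit-req"],
                                findtime=60, maxretry=1, bantime=60),
    }


# Constructed log lines (RFC 5737 test addresses), not captured from a real host.
# Each entry: (seconds since start, jail name, log line).
SAMPLE_EVENTS = [
    # fast guesser: three failures inside findtime=600 -> banned on the third
    (0,  "sshd", "Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2"),
    (20, "sshd", "Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2"),
    (40, "sshd", "Accepted publickey for deploy from 203.0.113.5 port 40012 ssh2"),
    (45, "sshd", "Failed password for root from 198.51.100.7 port 51024 ssh2"),
    # slow guesser: failures spaced wider than findtime never reach maxretry
    (50,   "sshd", "Failed password for root from 203.0.113.9 port 50001 ssh2"),
    (700,  "sshd", "Failed password for root from 203.0.113.9 port 50002 ssh2"),
    (1400, "sshd", "Failed password for root from 203.0.113.9 port 50003 ssh2"),
    # nginx basic auth: three mismatches inside findtime=60
    (1500, "nginx-http-auth", '[error] 40602#0: *1 user "test": password mismatch, client: 198.51.100.7, server: test.example, request: "GET / HTTP/1.1", host: "test.example"'),
    (1510, "nginx-http-auth", '[error] 40602#0: *2 user "test": password mismatch, client: 198.51.100.7, server: test.example, request: "GET / HTTP/1.1", host: "test.example"'),
    (1520, "nginx-http-auth", '[error] 40602#0: *3 user "test": password mismatch, client: 198.51.100.7, server: test.example, request: "GET / HTTP/1.1", host: "test.example"'),
    # nginx limit_req: maxretry=1, so the first excess line bans; the next is "already banned"
    (1600, "nginx-limit-req", '[error] 14526#0: *7 limiting requests, excess: 1.500 by zone "perip", client: 198.51.100.7, server: test.example, request: "GET / HTTP/1.1", host: "test.example"'),
    (1605, "nginx-limit-req", '[error] 14526#0: *8 limiting requests, excess: 2.000 by zone "perip", client: 198.51.100.7, server: test.example, request: "GET / HTTP/1.1", host: "test.example"'),
]


def replay(events):
    """Run events through fresh jails. Returns (bans, jails) where each ban is
    (time, jail name, ip) in the order fail2ban would issue them."""
    jails = build_jails()
    bans = []
    for now, jail_name, line in events:
        result = jails[jail_name].observe(now, line)
        if result and result[0] == "ban":
            bans.append((now, jail_name, result[1]))
    return bans, jails


if __name__ == "__main__":
    bans, jails = replay(SAMPLE_EVENTS)
    for now, jail_name, ip in bans:
        print(f"t={now:4d}s  fail2ban.actions NOTICE [{jail_name}] Ban {ip}")
    print("sshd ban active at t=100s:", jails["sshd"].is_banned("198.51.100.7", 100))
    print("sshd ban active at t=200s:", jails["sshd"].is_banned("198.51.100.7", 200))
```

Run it directly to print a fail2ban.log-style trace of the bans. To check the real filters against a real log rather than this emulation, use the fail2ban-regex tool that ships with fail2ban, for example `fail2ban-regex /var/log/auth.log sshd`, which reports how many lines the sshd filter matched and which IPs it extracted.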