Improving server stability with fail2ban

fail2ban

Introduction

Repository: github.com/fail2ban/fa...

Fail2Ban scans log files such as /var/log/auth.log and updates the system firewall rules to ban, for a configurable period, IP addresses that make too many failed attempts. Using fail2ban can greatly improve the security of a system.

Installation

```shell
$ sudo ln -sf /usr/bin/python3.7 /usr/bin/python
$ git clone https://github.com/fail2ban/fail2ban.git
$ cd fail2ban/
$ python setup.py install
$ cp files/debian-initd /etc/init.d/fail2ban
$ update-rc.d fail2ban defaults
$ service fail2ban start
```

Default log: /var/log/fail2ban.log

Reference configuration: /etc/fail2ban/jail.conf

Preventing SSH brute-force attacks

An SSH service exposed to the public internet is a constant target for attacks; fail2ban can be used to stop brute-force attempts against it.

```shell
$ cat /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 1046
filter = sshd
logpath = /var/log/auth.log
ignoreip = 127.0.0.1/8 ::1
findtime = 600 # window in which failures are counted
maxretry = 3 # maximum number of failures
bantime = 60 # ban duration
```

Restart the service

```shell
$ systemctl restart fail2ban
$ fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
```

We repeatedly fail SSH authentication against the server; after 3 failures we inspect iptables:

```shell
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1046

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	9
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	3
   `- Banned IP list:	10.246.250.26
```
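To make the findtime / maxretry / bantime interaction above concrete, here is a small simulation of the sshd jail's counting logic run over a constructed auth.log excerpt. This is an added illustration, not fail2ban's own code; the failregex, the ISO timestamps and the plain ignoreip tuple are simplifying assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not from the original post). ISO timestamps are a
# simplification of the syslog format that fail2ban's sshd filter actually parses.
AUTH_LOG = """\
2024-03-29T14:00:05 sshd[1201]: Failed password for invalid user admin from 10.246.250.26 port 51000 ssh2
2024-03-29T14:00:09 sshd[1201]: Failed password for invalid user admin from 10.246.250.26 port 51001 ssh2
2024-03-29T14:00:14 sshd[1201]: Failed password for root from 10.246.250.26 port 51002 ssh2
2024-03-29T14:00:20 sshd[1201]: Failed password for root from 10.246.250.26 port 51003 ssh2
2024-03-29T14:00:30 sshd[1203]: Accepted publickey for ops from 10.246.250.30 port 52000 ssh2
2024-03-29T14:12:00 sshd[1210]: Failed password for root from 10.246.250.30 port 52001 ssh2
"""

# Assumed failregex (illustrative, not copied from fail2ban's filter.d/sshd.conf).
FAIL_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port")


def simulate_jail(log, findtime=600, maxretry=3, bantime=60, ignoreip=("127.0.0.1",)):
    """Return [(timestamp, ip)] for every ban the jail would issue.

    Semantics mirror the jail.local keys above: a ban fires once an IP has
    `maxretry` failures inside the last `findtime` seconds and is lifted
    `bantime` seconds later. `ignoreip` is a plain tuple of addresses here,
    not the CIDR list fail2ban accepts.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    banned_until = {}               # ip -> datetime at which the ban expires
    bans = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in ignoreip:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ip in banned_until and ts >= banned_until[ip]:
            del banned_until[ip]            # bantime elapsed: unban
        if ip in banned_until:
            continue                        # "already banned": nothing more to do
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()                # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans.append((m["ts"], ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans
```

With the defaults, 10.246.250.26 is banned on its third failure at 14:00:14 and its fourth attempt is ignored as already banned, while 10.246.250.30 never reaches maxretry; shrinking findtime to a few seconds spreads the same failures over more than one window and no ban fires.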

Removing a ban manually

```shell
$ fail2ban-client unban 10.246.250.26
```

Preventing brute-force attacks against nginx

Configure nginx and fail2ban

```shell
$ printf "test:$(openssl passwd -1 testpassword)\n" > /etc/nginx/conf.d/.passwd
$ cat /etc/nginx/sites-enabled/test.conf
server {
    listen 80 ;
    server_name test.netease.com;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-http-auth]
enabled = true
port    = http,https
filter  = nginx-http-auth
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 3
bantime = 60
$ systemctl restart fail2ban
```

Test

```shell
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:test # banned after 3 failures
curl: (7) Failed to connect to test.netease.com port 80: Connection refused
# On the server side you can see:
$ tail -f  /var/log/fail2ban.log
2024-03-29 14:09:31,083 fail2ban.filter   [40602]: INFO    [nginx-http-auth] Found 10.246.250.26 - 2024-03-29 14:09:31
2024-03-29 14:09:31,850 fail2ban.actions  [40602]: NOTICE  [nginx-http-auth] Ban 10.246.250.26
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-http-auth  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-http-auth (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```

Preventing request flooding against nginx

Configure nginx and fail2ban. Although limit_req can answer the client with a 503, a flood of 503 responses still puts load on the server, so we let fail2ban add an iptables rule and block the source outright.

```shell
$ cat /etc/nginx/sites-enabled/test.conf
limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s; # for testing, lowered to 1 request per second

server {
    listen 80 ;
    server_name test.netease.com;
    limit_req zone=perip burst=1 nodelay;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-limit-req]
enabled = true
port    = http,https
filter  = nginx-limit-req
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 1
bantime = 60
$ systemctl restart fail2ban
```

Test

```shell
$ for i in `seq 10`;do curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword ;done
# On the server side you can see:
$ tail  -f /var/log/fail2ban.log
2024-03-29 14:32:04,414 fail2ban.filter         [14526]: INFO    [nginx-limit-req] Found 10.246.250.26 - 2024-03-29 14:31:29
2024-03-29 14:32:04,449 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] Ban 10.246.250.26
2024-03-29 14:32:04,478 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] 10.246.250.26 already banned
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-limit-req  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-limit-req (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```
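Both nginx jails above only work if their filter's failregex matches the exact error.log line nginx writes and nothing else. The dry run below, an added example rather than fail2ban's or nginx's own code, checks the nginx-http-auth and nginx-limit-req patterns against constructed error.log lines the way fail2ban-regex would; the regexes are written here for illustration and are not copied from the shipped filter.d files.

```python
import re

# Constructed nginx error.log lines (not from the original post), shaped like the
# messages that the nginx-http-auth and nginx-limit-req jails above react to.
ERROR_LOG = """\
2024/03/29 14:09:31 [error] 40590#40590: *12 user "test": password mismatch, client: 10.246.250.26, server: test.netease.com, request: "GET / HTTP/1.1", host: "test.netease.com"
2024/03/29 14:09:40 [error] 40590#40590: *13 user "nobody" was not found in "/etc/nginx/conf.d/.passwd", client: 10.246.250.26, server: test.netease.com, request: "GET / HTTP/1.1", host: "test.netease.com"
2024/03/29 14:31:29 [error] 40590#40590: *20 limiting requests, excess: 1.240 by zone "perip", client: 10.246.250.26, server: test.netease.com, request: "GET / HTTP/1.1", host: "test.netease.com"
2024/03/29 14:31:30 [warn] 40590#40590: *21 delaying request, excess: 0.500, by zone "perip", client: 10.246.250.30, server: test.netease.com, request: "GET / HTTP/1.1", host: "test.netease.com"
2024/03/29 14:32:00 [error] 40590#40590: *22 open() "/data/missing" failed (2: No such file or directory), client: 10.246.250.30, server: test.netease.com, request: "GET /missing HTTP/1.1", host: "test.netease.com"
"""

# Assumed failregex patterns in the style of fail2ban's filter.d files; they are
# illustrative, not copied from the shipped nginx-http-auth / nginx-limit-req filters.
FILTERS = {
    # Wrong password and unknown user are both authentication failures.
    "nginx-http-auth": re.compile(
        r'\[error\] \d+#\d+: \*\d+ user "[^"]+":? (?:password mismatch|was not found in "[^"]*"), '
        r'client: (?P<ip>\S+),'),
    # Only "limiting requests" (answered with 503) counts; a "delaying request" line
    # is a burst that nginx still serves and must not lead to a ban.
    "nginx-limit-req": re.compile(
        r'\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d.]+ by zone "\w+", client: (?P<ip>\S+),'),
}


def match_filters(log):
    """Dry-run the jail filters as fail2ban-regex does: return {jail: [ip, ...]}
    listing the client IP of every line that each jail's failregex matches."""
    hits = {name: [] for name in FILTERS}
    for line in log.splitlines():
        for name, rx in FILTERS.items():
            m = rx.search(line)
            if m:
                hits[name].append(m["ip"])
    return hits
```

The unrelated open() error and the delayed request match neither filter, which is the property to verify before lowering maxretry to 1 as the nginx-limit-req jail does.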