fail2ban
简介
仓库地址:github.com/fail2ban/fa...
Fail2Ban通过扫描日志文件,如/var/log/auth.log,通过更新系统防火墙规则,在一段可配置的时间内来禁止IP地址进行过多的失败尝试。通过使用fail2ban可以大大提高系统的安全性。
安装
shell
$ sudo ln -sf /usr/bin/python3.7 /usr/bin/python
$ git clone https://github.com/fail2ban/fail2ban.git
$ cd fail2ban/
$ python setup.py install
$ cp files/debian-initd /etc/init.d/fail2ban
$ update-rc.d fail2ban defaults
$ service fail2ban start
默认日志:/var/log/fail2ban.log
参考配置:/etc/fail2ban/jail.conf
防止SSH暴力破解
对于开放在公网的SSH服务一直是被攻击的重点对象,我们可以通过fail2ban来防止暴力破解
shell
$ cat /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 1046
filter = sshd
logpath = /var/log/auth.log
ignoreip = 127.0.0.1/8 ::1
findtime = 600 # 间隔时间
maxretry = 3 # 最大失败次数
bantime = 60 # 封禁时间
重启服务
shell
$ systemctl restart fail2ban
$ fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
我们在反复测试ssh失败,3次后查看iptables
shell
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 1046
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 10.246.250.26 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 9
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 3
`- Banned IP list: 10.246.250.26
手工去掉封禁
shell
$ fail2ban-client unban 10.246.250.26
防止nginx被爆破
配置nginx和fail2ban
shell
$ printf "test:$(openssl passwd -1 testpassword)\n" > /etc/nginx/conf.d/.passwd
$ cat /etc/nginx/sites-enabled/test.conf
server {
listen 80 ;
server_name test.netease.com;
location / {
auth_basic "you must have correct access";
auth_basic_user_file conf.d/.passwd;
autoindex on;
autoindex_localtime on;
alias /data/;
}
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 3
bantime = 60
$ systemctl restart fail2ban
测试
shell
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:test # 失败3次后就被封了
curl: (7) Failed to connect to test.netease.com port 80: Connection refused
# 服务端上可以看到
$ tail -f /var/log/fail2ban.log
2024-03-29 14:09:31,083 fail2ban.filter [40602]: INFO [nginx-http-auth] Found 10.246.250.26 - 2024-03-29 14:09:31
2024-03-29 14:09:31,850 fail2ban.actions [40602]: NOTICE [nginx-http-auth] Ban 10.246.250.26
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-nginx-http-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
Chain f2b-nginx-http-auth (1 references)
target prot opt source destination
REJECT all -- 10.246.250.26 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
防止nginx被刷
配置nginx和fail2ban,虽然通过limit_req可以返回给用户503,但是大量的503还是会给服务器造成压力,所以通过fail2ban添加iptables直接封禁
shell
$ cat /etc/nginx/sites-enabled/test.conf
limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s; # 测试需要调整为1秒1个请求
server {
listen 80 ;
server_name test.netease.com;
limit_req zone=perip burst=1 nodelay;
location / {
auth_basic "you must have correct access";
auth_basic_user_file conf.d/.passwd;
autoindex on;
autoindex_localtime on;
alias /data/;
}
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-limit-req]
enabled = true
port = http,https
filter = nginx-limit-req
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 1
bantime = 60
$ systemctl restart fail2ban
测试
shell
$ for i in `seq 10`;do curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword ;done
# 服务端上可以看到
$ tail -f /var/log/fail2ban.log
2024-03-29 14:32:04,414 fail2ban.filter [14526]: INFO [nginx-limit-req] Found 10.246.250.26 - 2024-03-29 14:31:29
2024-03-29 14:32:04,449 fail2ban.actions [14526]: NOTICE [nginx-limit-req] Ban 10.246.250.26
2024-03-29 14:32:04,478 fail2ban.actions [14526]: NOTICE [nginx-limit-req] 10.246.250.26 already banned
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-nginx-limit-req tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
Chain f2b-nginx-limit-req (1 references)
target prot opt source destination
REJECT all -- 10.246.250.26 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0