fail2ban实验
文章目录
- fail2ban实验
-
- fail2ban介绍
- 实验准备
- [防止 SSH 爆破](#防止 SSH 爆破)
- [防止 Nginx 恶意访问](#防止 Nginx 恶意访问)
- [防止 Wordpress 爆破](#防止 Wordpress 爆破)
- client端验证
fail2ban介绍
Fail2Ban 是基于 Python 编写的日志监控工具,主要用于防御暴力破解等恶意攻击:它通过监控系统日志发现异常行为,并把对应的来源 IP 加入黑名单(封禁),从而阻止这些行为继续发生。Fail2Ban 可以针对不同的攻击类型和频率配置相应的过滤规则和封禁策略,以提高系统的安全性。
实验准备
bash
#部署 firewall
[root@server ~ 13:42:48]# systemctl enable firewalld.service --now
#部署 fail2ban
[root@server ~ 13:43:18]# yum install -y fail2ban
[root@server ~ 13:45:36]# systemctl enable fail2ban.service --now
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
#fail2ban 由 epel 仓库提供
#fail2ban 配置文件位于 /etc/fail2ban,其中 jail.conf 是主配置文件,filter.d 目录存放各个 jail 使用的日志匹配规则(filter)
[root@server ~ 13:45:47]# ls /etc/fail2ban/
action.d fail2ban.d jail.conf paths-common.conf
fail2ban.conf filter.d jail.d paths-fedora.conf
防止 SSH 爆破
bash
#新建jail.local覆盖fail2ban的一些默认规则
[root@server ~ 14:08:49]# cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 60
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s
[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
[root@server ~ 13:51:54]# ls /etc/fail2ban/filter.d/sshd.conf
/etc/fail2ban/filter.d/sshd.conf
[root@server ~ 13:52:14]# systemctl restart fail2ban.service
#验证
[root@server ~ 13:52:26]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
[root@server ~ 13:53:17]# watch 'fail2ban-client status sshd'
#查看新增防火墙规则
[root@server ~ 14:08:52]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
[root@server ~ 14:09:28]# fail2ban-client unban 10.1.8.11
1
[root@server ~ 14:09:56]# watch 'fail2ban-client status sshd'
防止 Nginx 恶意访问
bash
[root@server ~ 15:14:22]# fail2ban-client unban 10.1.8.11
[root@server ~ 15:19:34]# cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 60
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s
[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
[nginx-cc]
enabled = true
port = http,https
filter = nginx-cc
action = %(action_mwl)s
maxretry = 5
findtime = 60
bantime = 3600
logpath = /var/log/nginx/access.log
[root@server ~ 15:22:37]# cat /etc/fail2ban/filter.d/nginx-cc.conf
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
[root@server ~ 15:11:22]# systemctl restart fail2ban.service
[root@server ~ 15:17:49]# firewall-cmd --add-service=http
success
[root@server ~ 15:18:09]# watch fail2ban-client status nginx-cc
You have new mail in /var/spool/mail/root
[root@server ~ 15:19:07]# firewall-cmd --list-all
防止 Wordpress 爆破
bash
#实验环境中没有安装 Wordpress,在 nginx 网站目录下 touch 一个同名文件代替即可
#新建一个 nginx 日志匹配规则,匹配对 wp-login.php 的请求
[root@server ~]# vim /etc/fail2ban/filter.d/wordpress.conf
[Definition]
failregex = ^<HOST> -.* /wp-login.php.* HTTP/1\.."
ignoreregex =
#在/etc/fail2ban/jail.local中追加如下内容
[wordpress]
enabled = true
port = http,https
filter = wordpress
action = %(action_mwl)s
maxretry = 20
findtime = 60
bantime = 3600
logpath = /usr/local/nginx/logs/access.log
client端验证
bash
#ssh远程登陆10.1.8.10
[root@client ~ 13:55:59]# ssh root@10.1.8.10
ssh: connect to host 10.1.8.10 port 22: Connection refused
[root@client ~ 14:10:06]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:15]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:17]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:20]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:23]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:26]# sshpass -p '456' ssh root@10.1.8.10 hostname
ssh: connect to host 10.1.8.10 port 22: Connection refused
#web访问限制
[root@client ~ 15:18:25]# curl 10.1.8.10
xxx
[root@client ~ 15:18:25]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
curl: (7) Failed connect to 10.1.8.10:80; Connection refused
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
curl: (7) Failed connect to 10.1.8.10:80; Connection refused