fail2ban实验

last demo2025-12-01 16:16

fail2ban实验

文章目录

fail2ban介绍

基于Python编写的日志管理工具,主要用于防止恶意软件攻击,它通过监控系统日志,发现异常行为并将其添加到黑名单中,从而阻止这些行为的发生,Fail2Ban可以根据不同的攻击类型和频率自动调整过滤规则,以提高系统的安全性。

实验准备

bash 复制代码 
#部署 firewall

[root@server ~ 13:42:48]# systemctl enable firewalld.service --now

#部署 fail2ban

[root@server ~ 13:43:18]# yum install -y fail2ban

[root@server ~ 13:45:36]# systemctl enable fail2ban.service --now
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2bato /usr/lib/systemd/system/fail2ban.service.

#fail2ban 由 epel 仓库提供

#fail2ban 配置文件位于/etc/fail2ban,其中jail.conf是主配置文件,filter.d是相关匹配规则

[root@server ~ 13:45:47]# ls /etc/fail2ban/
action.d       fail2ban.d  jail.conf  paths-common.conf
fail2ban.conf  filter.d    jail.d     paths-fedora.conf

防止 SSH 爆破

bash 复制代码 
#新建jail.local覆盖fail2ban的一些默认规则

[root@server ~ 14:08:49]# cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 60
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 22
action = %(action_mwl)s
logpath = /var/log/secure

[root@server ~ 13:51:54]# ls /etc/fail2ban/filter.d/sshd.conf 
/etc/fail2ban/filter.d/sshd.conf

[root@server ~ 13:52:14]# systemctl restart fail2ban.service 

#验证

[root@server ~ 13:52:26]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

[root@server ~ 13:53:17]# watch 'fail2ban-client status sshd'

#查看新增防火墙规则

[root@server ~ 14:08:52]# firewall-cmd --direct --get-all-rules 
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable

[root@server ~ 14:09:28]# fail2ban-client unban 10.1.8.11
1

[root@server ~ 14:09:56]# watch 'fail2ban-client status sshd'

防止 Nginx 恶意访问

bash 复制代码 
[root@server ~ 15:14:22]# fail2ban-client unban 10.1.8.11
[root@server ~ 15:19:34]# cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 60
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 22
action = %(action_mwl)s
logpath = /var/log/secure

[nginx-cc]
enabled = true
port = http,https
filter = nginx-cc
action = %(action_mwl)s
maxretry = 5
findtime = 60
bantime = 3600
logpath = /var/log/nginx/access.log

[root@server ~ 15:22:37]# cat /etc/fail2ban/filter.d/nginx-cc.conf
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =

[root@server ~ 15:11:22]# systemctl restart  fail2ban.service 

[root@server ~ 15:17:49]# firewall-cmd --add-service=http
success

[root@server ~ 15:18:09]# watch fail2ban-client status nginx-cc
You have new mail in /var/spool/mail/root

[root@server ~ 15:19:07]# firewall-cmd --list-all

防止 Wordpress 爆破

bash 复制代码 
#touch一个文件代替即可

#新建一个nginx日志匹配规则

[root@server ~]# vim /etc/fail2ban/filter.d/wordpress.conf
[Definition]
failregex = ^<HOST> -.* /wp-login.php.* HTTP/1\.."
ignoreregex =

#在/etc/fail2ban/jail.local中追加如下内容

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = %(action_mwl)s
maxretry = 20
findtime = 60
bantime = 3600
logpath = /usr/local/nginx/logs/access.log

client端验证

bash 复制代码 
#ssh远程登陆10.1.8.10
[root@client ~ 13:55:59]# ssh root@10.1.8.10
ssh: connect to host 10.1.8.10 port 22: Connection refused

[root@client ~ 14:10:06]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:15]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:17]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:20]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:23]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:26]# sshpass -p '456' ssh root@10.1.8.10 hostname
ssh: connect to host 10.1.8.10 port 22: Connection refused


#web访问限制

[root@client ~ 15:18:25]# curl 10.1.8.10
xxx
[root@client ~ 15:18:25]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
curl: (7) Failed connect to 10.1.8.10:80; Connection refused

root@client \~ 15:18:26\]# curl 10.1.8.10 xxx \[root@client \~ 15:18:26\]# curl 10.1.8.10 xxx \[root@client \~ 15:18:26\]# curl 10.1.8.10 curl: (7) Failed connect to 10.1.8.10:80; Connection refused ``` ```

相关推荐
聆风吟º2 小时前
CANN开源项目深度实践:基于amct-toolkit实现自动化模型量化与精度保障策略
运维·开源·自动化·cann
Coder个人博客3 小时前
Linux6.19-ARM64 mm mmu子模块深入分析
大数据·linux·车载系统·系统架构·系统安全·鸿蒙系统
较劲男子汉5 小时前
CANN Runtime零拷贝传输技术源码实战 彻底打通Host与Device的数据传输壁垒
运维·服务器·数据库·cann
Doro再努力5 小时前
Vim 快速上手实操手册:从入门到生产环境实战
linux·编辑器·vim
wypywyp6 小时前
8. ubuntu 虚拟机 linux 服务器 TCP/IP 概念辨析
linux·服务器·ubuntu
风流倜傥唐伯虎6 小时前
Spring Boot Jar包生产级启停脚本
java·运维·spring boot
Doro再努力6 小时前
【Linux操作系统10】Makefile深度解析:从依赖推导到有效编译
android·linux·运维·服务器·编辑器·vim
senijusene6 小时前
Linux软件编程:IO编程,标准IO(1)
linux·运维·服务器
不像程序员的程序媛6 小时前
Nginx日志切分
服务器·前端·nginx
忧郁的橙子.6 小时前
02-本地部署Ollama、Python
linux·运维·服务器
热门推荐
01GitHub 镜像站点02Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services03OpenClaw Chrome扩展使用教程 - 浏览器中继控制04Linux下V2Ray安装配置指南05使用 1panel面板 部署 php网站06UV安装并设置国内源07从零搭建一个 PHP 登录注册系统(含完整源码)08openclaw配置教程(linux+局域网ollama)09Vue-skills的中文文档10让 Trae IDE 智能体 “读懂”文档 Excel+PDF+DOCX :mcp-documents-reader 工具使用指南