fail2ban实验



fail2ban介绍

Fail2Ban 是一个基于 Python 编写的日志监控与封禁工具,主要用于防范暴力破解等恶意攻击:它持续监控系统日志,发现异常行为后将来源 IP 加入防火墙黑名单,从而阻止这些行为继续发生。Fail2Ban 可以针对不同的攻击类型和尝试频率,按配置的过滤规则和阈值自动封禁,以提高系统的安全性。

实验准备

# Deploy firewalld first: the jail.local used later sets banaction = firewallcmd-ipset,
# which installs its ban rules through firewalld, so firewalld must be enabled and running.

[root@server ~ 13:42:48]# systemctl enable firewalld.service --now

# Deploy fail2ban (the package is provided by the EPEL repository)

[root@server ~ 13:43:18]# yum install -y fail2ban

[root@server ~ 13:45:36]# systemctl enable fail2ban.service --now
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.

# fail2ban is provided by the EPEL repository (EPEL must be enabled for the yum install above to work)

# Configuration lives in /etc/fail2ban: jail.conf holds the shipped defaults and jail
# definitions, filter.d the failregex patterns, action.d the ban actions. jail.conf may
# be overwritten on package upgrade, so overrides go into jail.local (created below)
# rather than into jail.conf itself.

[root@server ~ 13:45:47]# ls /etc/fail2ban/
action.d       fail2ban.d  jail.conf  paths-common.conf
fail2ban.conf  filter.d    jail.d     paths-fedora.conf

防止 SSH 爆破

# Create jail.local to override some of fail2ban's defaults. With these [DEFAULT]
# values, 5 matches (maxretry) within 60 s (findtime) ban the source for 86400 s (24 h).
# ignoreip only covers the loopback range here: add the address or network you
# administer from, otherwise a few mistyped passwords lock the admin out for a day.
# action_mwl bans and additionally mails a report (default recipient root); the
# "You have new mail" notice later in this write-up comes from it.

[root@server ~ 14:08:49]# cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 60
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 22
action = %(action_mwl)s
logpath = /var/log/secure

# The [sshd] jail refers to the shipped sshd filter; confirm it exists in filter.d
[root@server ~ 13:51:54]# ls /etc/fail2ban/filter.d/sshd.conf 
/etc/fail2ban/filter.d/sshd.conf

# Restart so the new jail.local is loaded
[root@server ~ 13:52:14]# systemctl restart fail2ban.service 

# Verify: the jail is loaded and currently has no failures or bans.
# "Journal matches" suggests this jail reads sshd events from the systemd journal
# rather than from the logpath set above.

[root@server ~ 13:52:26]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

# Watch the counters while the client runs its failed logins
[root@server ~ 13:53:17]# watch 'fail2ban-client status sshd'

# Inspect the firewall rule fail2ban added: TCP port 22 from any address in the
# f2b-sshd ipset is REJECTed with icmp-port-unreachable, which is why a banned
# client sees "Connection refused" immediately instead of a hanging connection.

[root@server ~ 14:08:52]# firewall-cmd --direct --get-all-rules 
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable

# Lift the ban on the test client (10.1.8.11); the printed number appears to be
# the count of addresses unbanned.
[root@server ~ 14:09:28]# fail2ban-client unban 10.1.8.11
1

[root@server ~ 14:09:56]# watch 'fail2ban-client status sshd'

防止 Nginx 恶意访问

# Unban the test client left banned by the SSH test before starting this one
[root@server ~ 15:14:22]# fail2ban-client unban 10.1.8.11
# Add an [nginx-cc] jail on the http/https ports: 5 matches in 60 s ban for 3600 s
[root@server ~ 15:19:34]# cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 60
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 22
action = %(action_mwl)s
logpath = /var/log/secure

[nginx-cc]
enabled = true
port = http,https
filter = nginx-cc
action = %(action_mwl)s
maxretry = 5
findtime = 60
bantime = 3600
logpath = /var/log/nginx/access.log

# The filter below matches every access-log line carrying an HTTP/1.x request,
# not only suspicious ones, so this jail is effectively a per-IP rate limit of
# maxretry requests per findtime for all visitors (one page load with several
# assets can trip it). Requests logged as "HTTP/2.0" do not match "HTTP/1.*" and
# are never counted. Narrow the regex or raise maxretry before real use.
[root@server ~ 15:22:37]# cat /etc/fail2ban/filter.d/nginx-cc.conf
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =

[root@server ~ 15:11:22]# systemctl restart  fail2ban.service 

# Open HTTP in firewalld. Without --permanent this is runtime-only and is lost
# on the next firewalld reload or restart.
[root@server ~ 15:17:49]# firewall-cmd --add-service=http
success

# "You have new mail" is the ban notification mailed by action_mwl
[root@server ~ 15:18:09]# watch fail2ban-client status nginx-cc
You have new mail in /var/spool/mail/root

[root@server ~ 15:19:07]# firewall-cmd --list-all

防止 Wordpress 爆破

# There is no real WordPress in this lab: touching an empty wp-login.php in the
# nginx document root is enough to produce matching access-log lines.

# Create a new nginx log filter for the WordPress login page

# Note: the regex has no status-code check, so every GET/POST to /wp-login.php
# counts (successful logins included); with maxretry = 20 this is a rate limit
# on the login page, not a count of failed logins. The trailing " matches the
# closing quote of the request field in the combined log format.
[root@server ~]# vim /etc/fail2ban/filter.d/wordpress.conf
[Definition]
failregex = ^<HOST> -.* /wp-login.php.* HTTP/1\.."
ignoreregex =

# Append the following to /etc/fail2ban/jail.local, then restart fail2ban
# (systemctl restart fail2ban.service) so the new jail is loaded.
# logpath must point at the access log nginx actually writes: this jail uses
# /usr/local/nginx/logs/access.log (typical for a source-built nginx) while the
# [nginx-cc] jail above uses /var/log/nginx/access.log (packaged nginx) - only
# one of them can be right for a given server.

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = %(action_mwl)s
maxretry = 20
findtime = 60
bantime = 3600
logpath = /usr/local/nginx/logs/access.log

client端验证

# SSH to 10.1.8.10 from the client. The first attempt (13:55) is refused,
# presumably because 10.1.8.11 was still banned from an earlier run; the server
# unbanned it at 14:09, after which five failed password logins (maxretry = 5)
# go through and the sixth connection is REJECTed again.
# sshpass -p puts the password on the command line, where it is visible in ps
# and shell history; outside a throwaway lab use -f (file) or -e (env) instead.
[root@client ~ 13:55:59]# ssh root@10.1.8.10
ssh: connect to host 10.1.8.10 port 22: Connection refused

[root@client ~ 14:10:06]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:15]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:17]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:20]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:23]# sshpass -p '456' ssh root@10.1.8.10 hostname
Permission denied, please try again.
[root@client ~ 14:10:26]# sshpass -p '456' ssh root@10.1.8.10 hostname
ssh: connect to host 10.1.8.10 port 22: Connection refused


# Web access limit: repeated requests to port 80 are served until the nginx-cc
# jail bans the client, after which the REJECT rule yields "Connection refused".

[root@client ~ 15:18:25]# curl 10.1.8.10
xxx
[root@client ~ 15:18:25]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
curl: (7) Failed connect to 10.1.8.10:80; Connection refused

[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
xxx
[root@client ~ 15:18:26]# curl 10.1.8.10
curl: (7) Failed connect to 10.1.8.10:80; Connection refused
