Linux: Installing Fail2Ban on CentOS 6.6 to Make iptables Ban IPs Brute-Forcing SSH, FTP and Other Passwords

Category: Linux

First, a look at the effect after enabling Fail2Ban

[root@Linode-JP-35 /var/log]# awk '/fail2ban/{ if ($4~/Linode-JP/) {$4="Linode-JP-35" }print}' /var/log/messages
Jul 12 21:12:38 Linode-JP-35 yum[29167]: Installed: fail2ban-0.8.14-2.el6.noarch
Jul 12 21:17:47 Linode-JP-35 fail2ban.server[29235]: INFO Changed logging target to SYSLOG for Fail2ban v0.8.14
Jul 12 21:17:47 Linode-JP-35 fail2ban.jail[29235]: INFO Creating new jail 'ssh-iptables'
Jul 12 21:17:47 Linode-JP-35 fail2ban.jail[29235]: INFO Jail 'ssh-iptables' uses pyinotify
Jul 12 21:17:47 Linode-JP-35 fail2ban.jail[29235]: INFO Initiated 'pyinotify' backend
Jul 12 21:17:47 Linode-JP-35 fail2ban.filter[29235]: INFO Added logfile = /var/log/secure
Jul 12 21:17:47 Linode-JP-35 fail2ban.filter[29235]: INFO Set maxRetry = 5
Jul 12 21:17:47 Linode-JP-35 fail2ban.filter[29235]: INFO Set findtime = 600
Jul 12 21:17:47 Linode-JP-35 fail2ban.actions[29235]: INFO Set banTime = 3600
Jul 12 21:17:48 Linode-JP-35 fail2ban.jail[29235]: INFO Jail 'ssh-iptables' started
Jul 12 21:32:39 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 82.147.214.162
Jul 12 21:39:12 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 59.63.192.196
Jul 12 22:32:39 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 82.147.214.162
Jul 12 22:39:12 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 59.63.192.196
Jul 12 23:16:17 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 218.87.111.110
Jul 13 00:16:17 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 218.87.111.110
Jul 13 03:31:47 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 61.160.213.5
Jul 13 04:31:47 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 61.160.213.5
Jul 13 06:52:30 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 218.87.111.108
Jul 13 07:52:30 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 218.87.111.108
Jul 13 09:31:06 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 141.138.157.61
Jul 13 10:30:06 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 221.203.3.18
Jul 13 10:31:06 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 141.138.157.61
Jul 13 11:30:06 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 221.203.3.18
Jul 13 11:44:14 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 218.87.111.108
Jul 13 12:44:14 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 218.87.111.108
Jul 13 15:10:17 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 49.86.104.59
Jul 13 15:17:10 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 119.206.193.143
Jul 13 15:21:00 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 59.63.192.196
Jul 13 16:10:17 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 49.86.104.59
Jul 13 16:17:10 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 119.206.193.143
Jul 13 16:21:00 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 59.63.192.196
Jul 13 17:40:57 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Ban 61.160.213.5
Jul 13 18:40:57 Linode-JP-35 fail2ban.actions[29235]: WARNING [ssh-iptables] Unban 61.160.213.5
Jul 13 20:54:43 Linode-JP-35 fail2ban.server[29235]: INFO Stopping all jails
Jul 13 20:54:44 Linode-JP-35 fail2ban.jail[29235]: INFO Jail 'ssh-iptables' stopped

Next, let's see how many people and how many IPs have tried to brute-force the server

# The record below is from a Linode VPS that has been up for less than a week: the IP comes first, then the number of brute-force attempts recorded; anything under 20 attempts I'm too embarrassed to post
[root@Linode-JP-35 /var/log]# find /var/log -name 'secure*' -type f | while read line;do awk '/Failed/{print $(NF-3)}' $line;done |awk '{a[b[$0]++]}END{for(i=length(a);i>0;i--)for(j in b)if(b[j]==i){c++;if(c<=20)print j,i}}'
89.248.168.5=30
124.206.188.170=33
193.107.17.72=36
185.11.144.190=50
206.191.151.226=53
180.210.234.87=54
58.218.211.166=63
120.209.204.94=88
222.186.21.198=95
218.87.111.109=96
60.28.186.142=99
117.21.173.151=108
218.6.168.220=124
218.87.111.117=141
193.107.16.206=146
222.186.15.61=188
31.184.236.44=192
117.79.146.58=200
218.16.129.142=210
61.160.213.5=238
113.195.145.12=261
113.195.145.79=354
113.195.145.70=417
112.213.119.172=438
218.87.111.116=501
218.87.109.62=806
182.100.67.114=963
182.100.67.112=1056
182.100.67.102=1212
121.12.125.23=1274
218.65.30.92=1617
218.87.109.60=1617
59.63.192.199=1617
218.87.111.108=1628
59.63.192.198=1645
218.87.111.110=1790
14.32.81.75=4127
[root@Linode-JP-35 /var/log]# 
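As an added example (not from the original post) of the detection logic that the awk one-liner above and the findtime/maxretry jail settings rely on, this shell script counts failed SSH logins per source IP from a constructed sample of /var/log/secure lines, then applies a findtime-wide sliding window to show which IP a jail with a given maxretry would ban. The host name, PIDs and IPs in the sample are made up (documentation address ranges), and the window logic is a simplified model written here for illustration, not Fail2Ban's own code.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (not taken from the post).
# Host name "host", PIDs and IPs are made up for this example.
SAMPLE_SECURE='Jul 12 20:00:00 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul 12 20:30:00 host sshd[1002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jul 12 21:00:00 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul 12 21:30:00 host sshd[1004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jul 12 21:30:01 host sshd[1005]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jul 12 21:30:05 host sshd[1006]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
Jul 12 21:30:12 host sshd[1007]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jul 12 21:30:20 host sshd[1008]: Failed password for root from 203.0.113.5 port 50004 ssh2
Jul 12 21:30:31 host sshd[1009]: Failed password for root from 203.0.113.5 port 50005 ssh2
Jul 12 21:45:10 host sshd[1010]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jul 12 21:45:15 host sshd[1011]: Failed password for root from 192.0.2.9 port 60002 ssh2
Jul 12 21:45:20 host sshd[1012]: Accepted publickey for admin from 192.0.2.9 port 60003 ssh2
Jul 12 22:00:00 host sshd[1013]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jul 12 22:30:00 host sshd[1014]: Failed password for root from 198.51.100.7 port 40006 ssh2'

# Count failed-password attempts per source IP, sorted by count ascending.
# As in the one-liner on the page, field NF-3 of a "Failed password ... from <ip>
# port <n> ssh2" line is the source IP.
count_failed() {
    awk '/Failed password/ { n[$(NF-3)]++ }
         END { for (ip in n) print ip "=" n[ip] }' "$1" | sort -t= -k2,2n
}

# Simplified model of a jail: an IP is reported once it has maxretry failures
# inside any window of findtime seconds. Usage: would_ban <file> <maxretry> <findtime>
# Timestamps are turned into seconds since the start of the year (no year in the log).
would_ban() {
    awk -v maxretry="$2" -v findtime="$3" '
    function ts(mon, day, hms,   p) {
        split(hms, p, ":")
        return (mdays[mon] + day) * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        split("31 28 31 30 31 30 31 31 30 31 30 31", len, " ")
        d = 0
        for (i = 1; i <= 12; i++) { mdays[m[i]] = d; d += len[i] }
    }
    /Failed password/ {
        ip = $(NF-3); t = ts($1, $2, $3)
        if (!(ip in head)) head[ip] = 1
        n[ip]++; times[ip, n[ip]] = t
        # drop failures that fell out of the findtime window
        while (head[ip] <= n[ip] && t - times[ip, head[ip]] > findtime) head[ip]++
        if (n[ip] - head[ip] + 1 >= maxretry && !banned[ip]) {
            banned[ip] = 1
            print "Ban " ip
        }
    }' "$1"
}

# Demo run over the constructed sample.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE" > "$sample_file"
echo "failures per IP:"
count_failed "$sample_file"
echo "jail decisions (maxretry=5, findtime=600):"
would_ban "$sample_file" 5 600
```

With maxretry=5 and findtime=600, only 203.0.113.5 is reported: 198.51.100.7 has more failures in total, but spaced 30 minutes apart they never reach five inside one 600-second window, which is exactly why the raw counts above and the jail's ban list differ.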

Now let's go through installing Fail2Ban on CentOS

# The EPEL repository must be configured first... setting up EPEL is not covered here
[root@LookBack ~]# yum install fail2ban -y
# Edit the configuration files; you can use mine as a reference
[root@Linode-JP-35 ~]# grep -Ev '^$|^#' /etc/fail2ban/fail2ban.conf
[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
[root@Linode-JP-35 ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[root@Linode-JP-35 ~]# grep -Ev '^$|^#' /etc/fail2ban/jail.local 
[DEFAULT]
ignoreip = 127.0.0.1/8
# List of IPs to ignore; these are never subject to the rules (whitelist)
ignorecommand =
bantime  = 3600
# Ban duration, in seconds
findtime  = 600
# An IP that exceeds the allowed number of failures within this window (seconds) gets banned
maxretry = 3
# Maximum number of attempts
backend = auto
# Log change detection mechanism (one of gamin, polling or auto)
usedns = warn
[pam-generic]
enabled = false
filter  = pam-generic
action  = iptables-allports[name=pam,protocol=all]
logpath = /var/log/secure
[xinetd-fail]
enabled = false
filter  = xinetd-fail
action  = iptables-allports[name=xinetd,protocol=all]
logpath = /var/log/messages
[ssh-iptables]
# Per-service jail settings; where bantime, findtime or maxretry are set here they override the global [DEFAULT] values
enabled  = true
# Whether this jail is active (true/false)
filter   = sshd
# Name of the filter, corresponding to sshd.conf in the filter.d directory
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# The action and its parameters
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
# Recipient of the alert mail
logpath  = /var/log/secure
# The system login log file to monitor
maxretry = 5
# Maximum number of attempts
[ssh-ddos]
enabled  = false
filter   = sshd-ddos
action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 2
[dropbear]
enabled  = false
filter   = dropbear
action   = iptables[name=dropbear, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5
[proftpd-iptables]
enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
[gssftpd-iptables]
enabled  = false
filter   = gssftpd
action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
           sendmail-whois[name=GSSFTPd, dest=you@example.com]
logpath  = /var/log/messages
maxretry = 6
[pure-ftpd]
enabled  = true
# Enable pure-ftpd monitoring
filter   = pure-ftpd
action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6
[wuftpd]
enabled  = false
filter   = wuftpd
action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6
[sendmail-auth]
enabled  = false
filter   = sendmail-auth
action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath  = /var/log/maillog
[sendmail-reject]
enabled  = false
filter   = sendmail-reject
action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath  = /var/log/maillog
[sasl-iptables]
enabled  = false
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/maillog
[assp]
enabled = false
filter  = assp
action  = iptables-multiport[name=assp,port="25,465,587"]
logpath = /root/path/to/assp/logs/maillog.txt
[ssh-tcpwrapper]
enabled     = false
filter      = sshd
action      = hostsdeny[daemon_list=sshd]
              sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath     = /var/log/secure
[ssh-route]
enabled  = false
filter   = sshd
action   = route
logpath  = /var/log/secure
maxretry = 5
[ssh-iptables-ipset4]
enabled  = false
filter   = sshd
action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5
[ssh-iptables-ipset6]
enabled  = false
filter   = sshd
action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath  = /var/log/secure
maxretry = 5
[ssh-bsd-ipfw]
enabled  = false
filter   = sshd
action   = bsd-ipfw[port=ssh,table=1]
logpath  = /var/log/secure
maxretry = 5
[apache-tcpwrapper]
enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/*error_log
           /home/www/myhomepage/error.log
maxretry = 6
[apache-modsecurity]
enabled  = false
filter   = apache-modsecurity
action   = iptables-multiport[name=apache-modsecurity,port="80,443"]
logpath  = /var/log/httpd/*error_log
           /home/www/myhomepage/error.log
maxretry = 2
[apache-overflows]
enabled  = false
filter   = apache-overflows
action   = iptables-multiport[name=apache-overflows,port="80,443"]
logpath  = /var/log/httpd/*error_log
           /home/www/myhomepage/error.log
maxretry = 2
[apache-nohome]
enabled  = false
filter   = apache-nohome
action   = iptables-multiport[name=apache-nohome,port="80,443"]
logpath  = /var/log/httpd/*error_log
           /home/www/myhomepage/error.log
maxretry = 2

[nginx-http-auth]
enabled = true
# Enable nginx HTTP auth monitoring
filter  = nginx-http-auth
action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /home/wwwlogs/error_nginx.log

#[nginx-ddos]
## An Nginx anti-DDoS jail
## Based on apache-badbots but a simple IP check (any IP requesting more than
## 240 pages in 60 seconds, or 4p/s average, is suspicious)
## Block for two full days.
## @author Yannick Warnier
#enabled = true
#port    = http,https
#filter  = nginx-dos
#logpath = /home/wwwlogs/access_nginx.log
#findtime = 60
#bantime  = 3600
#maxretry = 240

[squid]
enabled = false
filter  = squid
action  = iptables-multiport[name=squid,port="80,443,8080"]
logpath = /var/log/httpd/*access_log
[postfix-tcpwrapper]
enabled  = false
filter   = postfix
action   = hostsdeny
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/maillog
bantime  = 300
[cyrus-imap]
enabled = false
filter  = cyrus-imap
action  = iptables-multiport[name=cyrus-imap,port="143,993"]
logpath = /var/log/mail*log
[courierlogin]
enabled = false
filter  = courierlogin
action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
logpath = /var/log/mail*log
[couriersmtp]
enabled = false
filter  = couriersmtp
action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
logpath = /var/log/mail*log
[qmail-rbl]
enabled = false
filter  = qmail
action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]
logpath = /service/qmail/log/main/current
[sieve]
enabled = false
filter  = sieve
action  = iptables-multiport[name=sieve,port="25,465,587"]
logpath = /var/log/mail*log
[vsftpd-notification]
enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
[vsftpd-iptables]
enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
[apache-badbots]
enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/log/httpd/*access_log
bantime  = 172800
maxretry = 1
[apache-shorewall]
enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/httpd/*error_log
[roundcube-iptables]
enabled  = false
filter   = roundcube-auth
action   = iptables-multiport[name=RoundCube, port="http,https"]
logpath  = /var/log/roundcube/userlogins
[sogo-iptables]
enabled  = false
filter   = sogo-auth
action   = iptables-multiport[name=SOGo, port="http,https"]
logpath  = /var/log/sogo/sogo.log
[groupoffice]
enabled  = false
filter   = groupoffice
action   = iptables-multiport[name=groupoffice, port="http,https"]
logpath  = /home/groupoffice/log/info.log 
[openwebmail]
enabled  = false
filter   = openwebmail
logpath  = /var/log/openwebmail.log
action   = ipfw
           sendmail-whois[name=openwebmail, dest=you@example.com]
maxretry = 5
[horde]
enabled  = false
filter   = horde
logpath  = /var/log/horde/horde.log
action   = iptables-multiport[name=horde, port="http,https"]
maxretry = 5
[php-url-fopen]
enabled  = false
action   = iptables-multiport[name=php-url-open, port="http,https"]
filter   = php-url-fopen
logpath  = /var/log/httpd/*access_log
maxretry = 1
[suhosin]
enabled  = false
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
logpath  = /var/log/lighttpd/error.log
maxretry = 2
[lighttpd-auth]
enabled  = false
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
logpath  = /var/log/lighttpd/error.log
maxretry = 2
[ssh-ipfw]
enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1
[named-refused-tcp]
enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1
[nsd]
enabled = false
filter  = nsd
action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
          iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
logpath = /var/log/nsd.log
[asterisk]
enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
enabled  = false
filter   = freeswitch
logpath  = /var/log/freeswitch.log
maxretry = 10
action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
[ejabberd-auth]
enabled = false
filter = ejabberd-auth
logpath = /var/log/ejabberd/ejabberd.log
action   = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]
[asterisk-tcp]
enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10
[asterisk-udp]
enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10
[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5
[mysqld-syslog]
enabled  = false
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5
[recidive]
enabled  = false
filter   = recidive
logpath  = /var/log/messages
action   = iptables-allports[name=recidive,protocol=all]
           sendmail-whois-lines[name=recidive, logpath=/var/log/messages]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5
[ssh-pf]
enabled  = false
filter   = sshd
action   = pf
logpath  = /var/log/secure
maxretry = 5
[3proxy]
enabled = false
filter  = 3proxy
action  = iptables[name=3proxy, port=3128, protocol=tcp]
logpath = /var/log/3proxy.log
[exim]
enabled = false
filter  = exim
action  = iptables-multiport[name=exim,port="25,465,587"]
logpath = /var/log/exim/mainlog
[exim-spam]
enabled = false
filter  = exim-spam
action  = iptables-multiport[name=exim-spam,port="25,465,587"]
logpath = /var/log/exim/mainlog
[perdition]
enabled = false
filter  = perdition
action  = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog
[uwimap-auth]
enabled = false
filter  = uwimap-auth
action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog
[osx-ssh-ipfw]
enabled  = false
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure
maxretry = 5
[ssh-apf]
enabled = false
filter  = sshd
action  = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5
[osx-ssh-afctl]
enabled  = false
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure
maxretry = 5
[webmin-auth]
enabled = false
filter  = webmin-auth
action  = iptables-multiport[name=webmin,port="10000"]
logpath = /var/log/secure
[dovecot]
enabled = false
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/maillog
[dovecot-auth]
enabled = false
filter  = dovecot
action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/secure
[solid-pop3d]
enabled = false
filter  = solid-pop3d
action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
logpath = /var/log/maillog
[selinux-ssh]
enabled  = false
filter   = selinux-ssh
action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5
[ssh-blocklist]
enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
           blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
logpath  = /var/log/secure
maxretry = 20
[nagios]
enabled  = false
filter   = nagios
action   = iptables[name=Nagios, port=5666, protocol=tcp]
           sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
maxretry = 1
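Added example, not part of the original post: a small lint for jail.local that reports any enabled value that is not exactly true or false (a typo like "ture" is not accepted as true, so the jail never starts) and lists the jails that are actually switched on, which is worth running before restarting the service. The jail.local excerpt below is constructed for this example and is not the post's file.

```shell
#!/bin/sh
# Constructed jail.local excerpt (not the post's file); the "ture" in
# [nginx-http-auth] is a deliberate typo of the kind this lint is meant to catch.
SAMPLE_JAIL='[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 3
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
[nginx-http-auth]
enabled = ture
filter  = nginx-http-auth
[pure-ftpd]
enabled  = true
filter   = pure-ftpd
[wuftpd]
enabled  = false
filter   = wuftpd'

# Print "<section> <value>" for every enabled= line whose value is not true/false.
lint_enabled() {
    awk '
    /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*/, "", sec); next }
    /^enabled[ \t]*=/ {
        v = $0
        sub(/^enabled[ \t]*=[ \t]*/, "", v)
        sub(/[ \t]+$/, "", v)
        if (v != "true" && v != "false") print sec, v
    }' "$1"
}

# List the jails whose enabled value is exactly true.
enabled_jails() {
    awk '
    /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*/, "", sec); next }
    /^enabled[ \t]*=[ \t]*true[ \t]*$/ { print sec }' "$1"
}

# Demo run over the constructed excerpt.
jail_file=$(mktemp)
printf '%s\n' "$SAMPLE_JAIL" > "$jail_file"
echo "invalid enabled values:"
lint_enabled "$jail_file"
echo "enabled jails:"
enabled_jails "$jail_file"
```

Run it against the real file with lint_enabled /etc/fail2ban/jail.local; an empty result means every enabled line parses, and enabled_jails shows exactly which jails will be started so a jail you believed was on is not silently missing.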

Start Fail2Ban and enable it at boot

[root@Linode-JP-35 ~]# chkconfig fail2ban on
[root@Linode-JP-35 ~]# chkconfig --list fail2ban 
fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@Linode-JP-35 ~]# service fail2ban start
[root@Linode-JP-35 ~]# ps aux | grep [f]ail2ban
root     29235  0.0  1.4 570408 14196 ?        Sl   Jul12   0:21 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
The output above shows that fail2ban is running normally

lookback