fail2ban 简介

fail2ban 可以监视你的系统日志，然后匹配日志的错误信息（正则式匹配）执行相应的屏蔽动作（一般情况下是调用防火墙屏蔽），比如:当有人在试探你的SSH、SMTP、FTP密码，只要达到你预设的次数，fail2ban就会调用防火墙屏蔽这个IP，而且可以发送e-mail通知系统管理员，是一款很实用、很强大的软件。

####功能和特性
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。
3、在logpath选项中支持通配符
4、需要Gamin支持(注：Gamin是用于监视文件和目录是否更改的服务工具)
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件，那必需安装postfix/sendmail

####安装和配置
如果是 CentOS，可以直接yum install fail2ban
如果是 Ubuntu，可以直接apt install fail2ban

功能:

/etc/fail2ban/action.d            #动作文件夹，内含默认文件。iptables以及mail等动作配置
/etc/fail2ban/fail2ban.conf        #定义了fai2ban日志级别、日志位置及sock文件位置
/etc/fail2ban/filter.d            #条件文件夹，内含默认文件。过滤日志关键内容设置
/etc/fail2ban/jail.conf            #主要配置文件，模块化。主要设置启用ban动作的服务及动作阀值
/etc/rc.d/init.d/fail2ban          #启动脚本文件

主要配置:
vi /etc/fail2ban/fail2ban.conf

[Definition] 
loglevel =3 
logtarget = SYSLOG  #我们需要做的就是把这行改成/var/log/fail2ban.log，方便用来记录日志信息 
socket =/var/run/fail2ban/fail2ban.sock

vi /etc/fail2ban/jail.conf

[DEFAULT]              #全局设置
ignoreip = 127.0.0.1      #忽略的IP列表,不受设置限制
bantime  = 600            #屏蔽时间，单位：秒
findtime  = 600           #这个时间段内超过规定次数会被ban掉
maxretry = 3              #最大尝试次数
backend = auto            #日志修改检测机制（gamin、polling和auto这三种）
 
[sshd]                     #单个服务检查设置，如设置bantime、findtime、maxretry和全局冲突，服务优先级大于全局设置。
enabled  = true               #是否激活此项（true/false）
filter   = sshd               #过滤规则filter的名字，对应filter.d目录下的sshd.conf
action   = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数，对应action.d/iptables.conf文件
logpath  = /var/log/secure     #检测的日志文件path
bantime  = 3600
findtime  = 300 
maxretry = 3                   #最大尝试次数  

启动 fail2ban
service fail2ban start

解除fail2ban绑定的IP

查询限制列表

# iptables -L --line-numbers

Chain fail2ban-SSH (1references)
num  target    prot opt source            destination
1    DROP      all  -- 118.152.158.61.ha.cnc anywhere
2    RETURN    all  -- anywhere           anywhere
解除限制
# iptables -D fail2ban-SSH 1

vi /etc/fail2ban.conf

SSH防攻击规则:

ssh-iptables]enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5
[ssh-ddos]
enabled = true
filter  = sshd-ddos
action  = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
logpath  = /var/log/messages
maxretry = 2
[osx-ssh-ipfw]
enabled  = true
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5
[ssh-apf]
enabled = true
filter  = sshd
action  = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5
[osx-ssh-afctl]
enabled  = true
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5
[selinux-ssh]
enabled = true
filter  = selinux-ssh
action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5

proftp防攻击规则
  
 
[proftpd-iptables]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, [email protected]]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
 
邮件防攻击规则
  
 
[sasl-iptables]
enabled  = true
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, [email protected]]
logpath  = /var/log/mail.log
[dovecot]
enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/mail.log
[dovecot-auth]
enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/secure
[perdition]
enabled = true
filter  = perdition
action  = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog
 
[uwimap-auth]
enabled = true
filter  = uwimap-auth
action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog
 
apache防攻击规则
  
 
[apache-tcpwrapper]
enabled  = true
filter  = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/error_log
maxretry = 6
[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, [email protected]]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1
[apache-shorewall]
enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, [email protected]]
logpath  = /var/log/httpd/error_log
 
nginx防攻击规则
  
 
[nginx-http-auth]
enabled = true
filter  = nginx-http-auth
action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log
 
lighttpd防规击规则
  
 
[suhosin]
enabled  = true
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2
[lighttpd-auth]
enabled  = true
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2
 
vsftpd防攻击规则
  
 
[vsftpd-notification]
enabled  = true
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, [email protected]]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, [email protected]]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
 
pure-ftpd防攻击规则
  
 
[pure-ftpd]
enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 2
bantime  = 86400
 
mysql防攻击规则
  
 
[mysqld-iptables]
enabled  = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, [email protected]]
logpath  = /var/log/mysqld.log
maxretry = 5
 
apache phpmyadmin 防攻击规则
 
[apache-phpmyadmin]
enabled  = true
filter   = apache-phpmyadmin
action  = iptables[name=phpmyadmin, port=http,https protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf
将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#
 
[Definition]
 
docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
 
# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
# Values:  TEXT
#
failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

重启 fail2ban 服务：
service fail2ban restart

PS：
写在最后，在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动，因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动，而配置完规则后却不能够正常启动，请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件，或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径， 如果你的缓存目录里没有这个文件，那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban，这样一般不会有什么错误了

fail2ban的介绍