Fail2ban 防止暴力破解centos服务器的SSH或者FTP账户

第一次将CentOS服务器配上外网可访问的网络配置，发现每次通过外网地址登陆ssh，链接时间长，同时爆出以下信息，显示从上一次登陆成功到本次登陆成功，中间有3896次尝试登陆root账户失败的情况。【说明服务器被攻击了】
Last failed login: Sat Mar 19 09:34:18 CST 2016 from 222.186.15.82 on ssh:nottyThere were 3896 failed login attempts since the last successful login.Last login: Sat Mar 19 09:12:33 2016 from 117.114.129.166
基于CentOS 6或者7版本的系统，我们可以安装Fail2ban工具来阻止一定的暴力破解SSH或者FTP账户问题，也许不能足够的解决问题，但至少可以解决一般的问题。第一、Fail2ban安装

A - CentOS 6

B - CentOS 7

[说明]执行以上第一句，若找不到是因为版本更新后，旧版本就删除了。所有打开“http://dl.fedoraproject.org/pub/epel/7/x86_64/e/”找找相应的rpm
第二、Fail2ban设置

（1）各配置文件用途

/etc/fail2ban/action.d            #动作文件夹，内含默认文件。iptables以及mail等动作配置

/etc/fail2ban/fail2ban.conf        #定义了fai2ban日志级别、日志位置及sock文件位置

/etc/fail2ban/filter.d            #条件文件夹，内含默认文件。过滤日志关键内容设置

/etc/fail2ban/jail.conf            #主要配置文件，模块化。主要设置启用ban动作的服务及动作阀值

/etc/rc.d/init.d/fail2ban          #启动脚本文件

[/code]

（2）、fail2ban.conf一般不用改，再确认以下几项：

vi /etc/fail2ban/fail2ban.conf

[Definition]

loglevel =3

logtarget = SYSLOG  #我们需要做的就是把这行改成/var/log/fail2ban.log，方便用来记录日志信息

socket =/var/run/fail2ban/fail2ban.sock

[/code]
（3）编辑/etc/fail2b an/jail.conf文件，修改或添加防攻击规则。(后面有规则的举例)【特别说明】 （1）“[INCLUDES]”以前的不要动（都是注释），否则fail2ban服务就无法启动。可以用命令来检查语法错误 #fail2ban-client -v -v start（2）“[DEFAULT]”里的 “enabled = false”不能改为true，否则fail2ban服务就无法启动。

centos Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details

[/code]

第三、重启Fail2ban服务，立即生效。
systemctl restart fail2ban.service第四、防攻击规则，举例关键词

[DEFAULT]               #全局设置

ignoreip = 127.0.0.1       #忽略的IP列表,不受设置限制，多个以空格隔开

bantime  = 600             #屏蔽时间，单位：秒

findtime  = 600             #这个时间段内超过规定次数会被ban掉

maxretry = 3                #最大尝试次数

backend = auto            #日志修改检测机制（gamin、polling和auto这三种）

[sshd]                   #单个服务检查设置，如设置bantime、findtime、maxretry和全局冲突，服务优先级大于全局设置。

enabled  = true             #是否激活此项（true/false）

filter   = sshd              #过滤规则filter的名字，对应filter.d目录下的sshd.conf

action   = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数，对应action.d/iptables.conf文件

logpath  = /var/log/secure         #检测的日志文件path

bantime  = 3600

findtime  = 300

maxretry = 3

[/code]
防攻击规则参见：(1)SSH防攻击规则

[ssh-iptables]

enabled  = true

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]

logpath  = /var/log/secure

maxretry = 5

[ssh-ddos]

enabled = true

filter  = sshd-ddos

action  = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]

logpath  = /var/log/messages

maxretry = 2

[osx-ssh-ipfw]

enabled  = true

filter   = sshd

action   = osx-ipfw

logpath  = /var/log/secure.log

maxretry = 5

[ssh-apf]

enabled = true

filter  = sshd

action  = apf[name=SSH]

logpath = /var/log/secure

maxretry = 5

[osx-ssh-afctl]

enabled  = true

filter   = sshd

action   = osx-afctl[bantime=600]

logpath  = /var/log/secure.log

maxretry = 5

[selinux-ssh]

enabled = true

filter  = selinux-ssh

action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]

logpath  = /var/log/audit/audit.log

maxretry = 5

[/code](2)proftp防攻击规则

[proftpd-iptables]

enabled  = true

filter   = proftpd

action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

sendmail-whois[name=ProFTPD, dest=you@example.com]

logpath  = /var/log/proftpd/proftpd.log

maxretry = 6

[/code]
(3)邮件防攻击规则

[sasl-iptables]

enabled  = true

filter   = postfix-sasl

backend  = polling

action   = iptables[name=sasl, port=smtp, protocol=tcp]

sendmail-whois[name=sasl, dest=you@example.com]

logpath  = /var/log/mail.log

[dovecot]

enabled = true

filter  = dovecot

action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]

logpath = /var/log/mail.log

[dovecot-auth]

enabled = true

filter  = dovecot

action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]

logpath = /var/log/secure

[perdition]

enabled = true

filter  = perdition

action  = iptables-multiport[name=perdition,port="110,143,993,995"]

logpath = /var/log/maillog

[uwimap-auth]

enabled = true

filter  = uwimap-auth

action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]

logpath = /var/log/maillog

[/code](4)apache防攻击规则

[apache-tcpwrapper]

enabled  = true

filter  = apache-auth

action   = hostsdeny

logpath  = /var/log/httpd/error_log

maxretry = 6

[apache-badbots]

enabled  = true

filter   = apache-badbots

action   = iptables-multiport[name=BadBots, port="http,https"]

sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]

logpath  = /var/log/httpd/access_log

bantime  = 172800

maxretry = 1

[apache-shorewall]

enabled  = true

filter   = apache-noscript

action   = shorewall

sendmail[name=Postfix, dest=you@example.com]

logpath  = /var/log/httpd/error_log

[/code](5)nginx防攻击规则

[nginx-http-auth]

enabled = true

filter  = nginx-http-auth

action  = iptables-multiport[name=nginx-http-auth,port="80,443"]

logpath = /var/log/nginx/error.log

[/code](6)lighttpd防规击规则

[suhosin]

enabled  = true

filter   = suhosin

action   = iptables-multiport[name=suhosin, port="http,https"]

# adapt the following two items as needed

logpath  = /var/log/lighttpd/error.log

maxretry = 2

[lighttpd-auth]

enabled  = true

filter   = lighttpd-auth

action   = iptables-multiport[name=lighttpd-auth, port="http,https"]

# adapt the following two items as needed

logpath  = /var/log/lighttpd/error.log

maxretry = 2

[/code](7)vsftpd防攻击规则

[vsftpd-notification]

enabled  = true

filter   = vsftpd

action   = sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

[vsftpd-iptables]

enabled  = true

filter   = vsftpd

action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]

sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

[/code](8)pure-ftpd防攻击规则

[pure-ftpd]

enabled  = true

filter   = pure-ftpd

action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]

logpath  = /var/log/pureftpd.log

maxretry = 2

bantime  = 86400

[/code](9)mysql防攻击规则

[mysqld-iptables]

enabled  = true

filter   = mysqld-auth

action   = iptables[name=mysql, port=3306, protocol=tcp]

sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]

logpath  = /var/log/mysqld.log

maxretry = 5

[/code](10)apache phpmyadmin防攻击规则

[apache-phpmyadmin]

enabled  = true

filter   = apache-phpmyadmin

action  = iptables[name=phpmyadmin, port=http,https protocol=tcp]

logpath  = /var/log/httpd/error_log

maxretry = 3

# /etc/fail2ban/filter.d/apache-phpmyadmin.conf

将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.

# Fail2Ban configuration file

#

# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.

#

# Author: Gina Haeussge

#

[Definition]

docroot = /var/www

badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option:  failregex

# Notes.:  Regexp to match often probed and not available phpmyadmin paths.

# Values:  TEXT

#

failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

# service fail2ban restart

[/code]第五、新建防攻击规则 以nginx为例，具体设置方法如下：（1）首先在jail.conf文件下追加以下内容：

[nginx]    ;规则名字

enabled = true ;是否户用

port = http,https ;监控端口

filter = nginx    ;需要过滤匹配规则

logpath = /var/log/nginx/access_log; 日志路径

findtime =60    ;检测周期 单位秒 以下一样

bantime =300    ;iptable封禁IP时间

maxretry =10    ;最大尝试次数

action = iptables[name=nginx, port=http, protocal=tcp] ;发现暴力破解采取iptalbes封禁IP的措施

sendmail[name=nginx, dest=my-email@xx.com]    ;发现暴力破解后采取sendmail发送邮件的措施，需要注意的是：iptables和sendmail必须对齐，要不然会发生错误；不要问我为什么会知道。

[/code]（2）然后创建 /etc/fail2ban/filter.d/nginx.conf文件，并添加以下内容：

[Definition]

failregex =<HOST>.*-.*-.*POST.*/login_check.do.* HTTP\/1.*http://test.com.*$ ;需要匹配日志发现攻击行为的正则,<HOST>为fail2ban内置变量匹配IP，不可修改

ignoreregex =    ;需要忽略的正则

[/code]（3）systemctl restart fail2ban 立即生效。第六、查询限制列表 iptables -L --line-numbers红色的表示已经由fail2ban限制了。

[root@bogon ~]# iptables -L --line-numbers

Chain INPUT (policy ACCEPT)

num  target     prot opt source               destination

1    f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:ssh

2    f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:ssh

3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

5    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps

6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

7    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

8    ACCEPT     all  --  anywhere             anywhere

9    INPUT_direct  all  --  anywhere             anywhere

10   INPUT_ZONES_SOURCE  all  --  anywhere             anywhere

11   INPUT_ZONES  all  --  anywhere             anywhere

12   ACCEPT     icmp --  anywhere             anywhere

13   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain f2b-SSH (2 references)

num  target     prot opt source               destination

1    REJECT     all  --  58.218.211.38        anywhere             reject-with icmp-port-unreachable

2    RETURN     all  --  anywhere             anywhere

You have new mail in /var/spool/mail/root

[/code]
第七、解除fail2ban绑定的IP
查询限制列表

# iptables -L --line-numbers

Chain f2b-SSH (2 references)

num  target     prot opt source               destination

1    REJECT     all  --  58.218.211.38        anywhere             reject-with icmp-port-unreachable

2    RETURN     all  --  anywhere             anywhere

[/code]解除限制

# iptables -D f2b-SSH 1

上面是解除第一个拒绝的IP

[/code]
第八、统计登陆失败的IP

[root@bogon ~]#find /var/log -name 'secure*' -type f | while read line;do awk '/Failed/{print $(NF-3)}' $line;done | awk '{a[$0]++}END{for (j in a) if(a[j] > 20) print j"="a[j]}' | sort -n -t'=' -k 2

202.99.172.155=24

123.126.110.69=25

222.74.228.85=136

5.189.139.232=557

222.178.229.67=1005

222.186.15.82=1883

59.63.188.44=6748

58.218.211.38=6752

[root@bogon ~]#

[/code]有上面几个IP尝试通过不同的端口攻击我的服务器另外给root账户设置24位随机密码：

rootpass=`date +%s | sha256sum | base64 | head -c 24` && echo root:$rootpass  | chpasswd && echo $rootpass

[/code]

来自为知笔记(Wiz)