Introduction to Fail2ban
Fail2ban monitors your system logs, matches the error messages in them and runs the corresponding ban action. CentOS 7 ships with firewalld, so we can combine Fail2ban with firewalld to defend against CC attacks (HTTP request floods) and SSH brute-forcing.
(Figure: firewalld status)
Installing Fail2ban
```bash
yum -y install epel-release
yum -y install fail2ban
```
Configuring the sshd rule
```bash
vim /etc/fail2ban/jail.local
```

```ini
[DEFAULT]
# never ban the local host
ignoreip = 127.0.0.1/8
# ban for one day (seconds)
bantime = 86400
# count failures that fall within a 10 minute window
findtime = 600
# ban after 5 failures within findtime
maxretry = 5
# ban through firewalld ipsets (the CentOS 7 firewall)
banaction = firewallcmd-ipset
# action_mwl: ban, then mail a report with whois output and the matching
# log lines (needs a local sendmail and whois)
action = %(action_mwl)s

[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
```
To test it, try connecting over SSH with a wrong password a few times, then run fail2ban-client status sshd to see the banned IPs.
Common Fail2ban commands
Start
```bash
systemctl start fail2ban
```
Enable at boot
```bash
systemctl enable fail2ban
```
Stop
Restart
```bash
systemctl restart fail2ban
```
Show banned IPs
```bash
fail2ban-client status sshd
```
Unban an IP
```bash
fail2ban-client set sshd unbanip 192.168.0.104
```
Add an IP to the whitelist
```bash
fail2ban-client set sshd addignoreip 192.168.0.104
```
Remove an IP from the whitelist
```bash
fail2ban-client set sshd delignoreip 192.168.0.104
```
Show the version
```bash
# -V prints the version; the original "-server" token was not a valid option
fail2ban-client -V
```
Nginx: defending against CC attacks
Add the following rule to /etc/fail2ban/jail.local
```ini
[nginx-cc]
enabled = true
filter = nginx-cc
port = http,https
action = %(action_mwl)s
maxretry = 5
findtime = 60
bantime = 3600
logpath = /usr/local/openresty/nginx/logs/access.log
```
The configuration above means that if the same IP reaches 5 requests within 60 s, that IP is banned for 1 hour. These values are only for testing; adjust them to your actual situation. logpath is the path of the nginx access log.
Create nginx-cc.conf in filter.d
```ini
[Definition]
# matches every request line, so this jail counts requests per IP, not failures
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
```
Restart fail2ban for the rule to take effect.
You can then check the status
```bash
fail2ban-client status nginx-cc
```
Preventing WordPress brute-forcing
Add the following rule to /etc/fail2ban/jail.local
```ini
[wordpress]
enabled = true
filter = wordpress
port = http,https
action = %(action_mwl)s
maxretry = 5
findtime = 60
bantime = 3600
logpath = /usr/local/openresty/nginx/logs/wordpress.access.log
```
Create wordpress.conf in filter.d
```ini
[Definition]
# matches any request to wp-login.php (GET as well as POST)
failregex = <HOST> -.*- .*/wp-login.php HTTP/1.* .* .*$
ignoreregex =
```
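As an added illustration (not part of the original post and not fail2ban's own code), the following Python script applies the two failregex lines from the nginx-cc and wordpress filters above to a constructed access log and replays the jails' maxretry/findtime window, showing which IPs each jail would ban. The `<HOST>` expansion and the timestamp parsing are simplified assumptions; on a real server the equivalent check is `fail2ban-regex <logfile> <filter.conf>`.

```python
import re
from collections import defaultdict, deque

# failregex lines from the two filters on this page, verbatim
FILTERS = {
    "nginx-cc": r"<HOST> -.*- .*HTTP/1.* .* .*$",
    "wordpress": r"<HOST> -.*- .*/wp-login.php HTTP/1.* .* .*$",
}
# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# pattern also accepts hostnames); IP literals are all the sample needs.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"
# Simplified: seconds within one day, enough for a same-day sample log;
# fail2ban parses the full date (assumes every line carries a timestamp).
TIME_RE = re.compile(r"\[\d{2}/\w{3}/\d{4}:(\d{2}):(\d{2}):(\d{2}) [+-]\d{4}\]")

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex, as fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def line_timestamp(line):
    hh, mm, ss = (int(x) for x in TIME_RE.search(line).groups())
    return hh * 3600 + mm * 60 + ss

def simulate_jail(lines, failregex, maxretry, findtime):
    """Return the hosts a jail bans: maxretry matches inside one findtime window."""
    rx = compile_failregex(failregex)
    hits, banned = defaultdict(deque), set()
    for line in sorted(lines, key=line_timestamp):
        m = rx.search(line)
        if not m or m.group("host") in banned:
            continue
        ts, q = line_timestamp(line), hits[m.group("host")]
        q.append(ts)
        while ts - q[0] > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m.group("host"))
    return banned

def sample_log():
    """Constructed access-log lines in nginx's combined format (not real traffic)."""
    def entry(host, secs, req):
        return '%s - - [10/Oct/2023:13:%02d:%02d +0000] "%s HTTP/1.1" 200 612 "-" "Mozilla/5.0"' % (
            host, secs // 60, secs % 60, req)
    # 192.0.2.10: six page loads in 20 s, the first two being the login page
    lines = [entry("192.0.2.10", 10 + 4 * i, "GET /wp-login.php" if i < 2 else "GET /index.php")
             for i in range(6)]
    # 198.51.100.7: five login POSTs in 12 s; 203.0.113.5: five requests over 10 minutes
    lines += [entry("198.51.100.7", 100 + 3 * i, "POST /wp-login.php") for i in range(5)]
    lines += [entry("203.0.113.5", 150 * i, "GET /index.php") for i in range(5)]
    return lines

if __name__ == "__main__":
    for name, rx in FILTERS.items():
        print(name, sorted(simulate_jail(sample_log(), rx, maxretry=5, findtime=60)))
```

Because the nginx-cc failregex matches every request line, an IP is banned on request rate alone, which is why 192.0.2.10 is banned there but not by the wordpress jail; the wordpress regex counts GET requests to wp-login.php as well, so ordinary loads of the login form also count toward maxretry.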
Restart fail2ban for the rule to take effect.
You can then check the status
```bash
fail2ban-client status wordpress
```