今天小编跟大家讲解下有关科技常识:centos下fail2ban安装与配置详解,相信小伙伴们对这个话题应该也很关注吧,小编也收集到了有关科技常识:centos下fail2ban安装与配置详解的相关资料,希望小伙伴会喜欢也能够帮助大家。
一、fail2ban简介
fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是防火墙),而且可以发送e-mail通知系统管理员,是不是很好、很实用、很强大!
二、简单来介绍一下fail2ban的功能和特性
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。3、在logpath选项中支持通配符4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail
三、fail2ban安装与配置操作实例
1:安装epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn复制代码 代码如下:# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2banor复制代码 代码如下:# yum install gamin-python python-inotify python-ctypes# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpmor复制代码 代码如下:# yum install gamin-python python-inotify python-ctypes# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm
2:源码包安装复制代码 代码如下:# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0# tar -xzvf fail2ban-0.9.0.tar.gz# cd# ./setup.py# cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban# chmod +x /lib/svc/method/svc-fail2ban安装路径复制代码 代码如下:/etc/fail2banaction.d filter.d fail2ban.conf jail.conf我们主要编辑jail.conf这个配置文件,其他的不要去管它.复制代码 代码如下:# vi /etc/fail2ban.conf
SSH防攻击规则复制代码 代码如下:[ssh-iptables]
enabled = truefilter = sshdaction = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]logpath = /var/log/securemaxretry = 5
[ssh-ddos]enabled = truefilter = sshd-ddosaction = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]logpath = /var/log/messagesmaxretry = 2
[osx-ssh-ipfw]
enabled = truefilter = sshdaction = osx-ipfwlogpath = /var/log/secure.logmaxretry = 5
[ssh-apf]
enabled = truefilter = sshdaction = apf[name=SSH]logpath = /var/log/securemaxretry = 5
[osx-ssh-afctl]
enabled = truefilter = sshdaction = osx-afctl[bantime=600]logpath = /var/log/secure.logmaxretry = 5
[selinux-ssh]enabled = truefilter = selinux-sshaction = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]logpath = /var/log/audit/audit.logmaxretry = 5proftp防攻击规则复制代码 代码如下:[proftpd-iptables]
enabled = truefilter = proftpdaction = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=you@example.com]logpath = /var/log/proftpd/proftpd.logmaxretry = 6邮件防攻击规则复制代码 代码如下:[sasl-iptables]
enabled = truefilter = postfix-saslbackend = pollingaction = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=you@example.com]logpath = /var/log/mail.log
[dovecot]
enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/mail.log
[dovecot-auth]
enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/secure
[perdition]
enabled = truefilter = perditionaction = iptables-multiport[name=perdition,port="110,143,993,995"]logpath = /var/log/maillog
[uwimap-auth]
enabled = truefilter = uwimap-authaction = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]logpath = /var/log/maillogapache防攻击规则复制代码 代码如下:[apache-tcpwrapper]
enabled = truefilter = apache-authaction = hostsdenylogpath = /var/log/httpd/error_logmaxretry = 6
[apache-badbots]
enabled = truefilter = apache-badbotsaction = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]logpath = /var/log/httpd/access_logbantime = 172800maxretry = 1
[apache-shorewall]
enabled = truefilter = apache-noscriptaction = shorewall sendmail[name=Postfix, dest=you@example.com]logpath = /var/log/httpd/error_lognginx防攻击规则复制代码 代码如下:[nginx-http-auth]
enabled = truefilter = nginx-http-authaction = iptables-multiport[name=nginx-http-auth,port="80,443"]logpath = /var/log/nginx/error.loglighttpd防规击规则复制代码 代码如下:[suhosin]
enabled = truefilter = suhosinaction = iptables-multiport[name=suhosin, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2
[lighttpd-auth]
enabled = truefilter = lighttpd-authaction = iptables-multiport[name=lighttpd-auth, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2vsftpd防攻击规则复制代码 代码如下:[vsftpd-notification]
enabled = truefilter = vsftpdaction = sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800
[vsftpd-iptables]
enabled = truefilter = vsftpdaction = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800pure-ftpd防攻击规则复制代码 代码如下:[pure-ftpd]enabled = truefilter = pure-ftpdaction = iptables[name=pure-ftpd, port=ftp, protocol=tcp]logpath = /var/log/pureftpd.logmaxretry = 2bantime = 86400mysql防攻击规则复制代码 代码如下:[mysqld-iptables]
enabled = truefilter = mysqld-authaction = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]logpath = /var/log/mysqld.logmaxretry = 5apache phpmyadmin防攻击规则复制代码 代码如下:[apache-phpmyadmin]enabled = truefilter = apache-phpmyadminaction = iptables[name=phpmyadmin, port=http,https protocol=tcp]logpath = /var/log/httpd/error_logmaxretry = 3# /etc/fail2ban/filter.d/apache-phpmyadmin.conf将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.
# Fail2Ban configuration file## Bans bots scanning for non-existing phpMyAdmin installations on your webhost.## Author: Gina Haeussge#[Definition]docroot = /var/wwwbadadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2# Option: failregex# Notes.: Regexp to match often probed and not available phpmyadmin paths.# Values: TEXT#failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)# Option: ignoreregex# Notes.: regex to ignore. If this regex matches, the line is ignored.# Values: TEXT#ignoreregex =# service fail2ban restart
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径, 如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了.
来源:爱蒂网