Protecting a Linux host with fail2ban
fail2ban is a small program that reads the logs of network services, extracts the IP addresses of the clients that keep failing, and drives iptables to block them; it is very useful for network intrusion prevention. Installation and usage are as follows:

On CentOS 5:

yum -y install fail2ban

After the install succeeds:

cd /etc/fail2ban
nano jail.conf

Edit the configuration as follows. This site mainly protects SSH, vsftpd and apache-badbots (the jails with enabled = true):

# cat jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#
# Note: the [DEFAULT] / [jail-name] section headers and the bracketed action
# arguments (e.g. [name=..., port=...]) were lost when this page was published.
# The section headers below are restored from the stock fail2ban 0.8 jail.conf
# and are an assumption; without action arguments, each action's defaults
# from action.d/ apply.

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action sends a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables
         sendmail-whois
logpath = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled = false
filter = proftpd
action = iptables
         sendmail-whois
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables
         sendmail-whois
logpath = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois
ignoreregex = for myuser from
logpath = /var/log/sshd.log

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
          /home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = false
filter = postfix
action = hostsdeny
         sendmail
logpath = /var/log/postfix.log
bantime = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled = false
filter = vsftpd
action = sendmail-whois
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled = true
filter = vsftpd
action = iptables
         sendmail-whois
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Ban hosts whose user agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = true
filter = apache-badbots
action = iptables-multiport
         sendmail-buffered
logpath = /var/log/nginx/access.log
bantime = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled = false
filter = apache-noscript
action = shorewall
         sendmail
logpath = /var/log/apache2/error_log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/nginx/access.log
maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT - tried to register forbidden variable 'GLOBALS'
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled = false
filter = sshd
action = ipfw
         sendmail-whois
logpath = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

[named-refused-udp]

enabled = false
filter = named-refused
action = iptables-multiport
         sendmail-whois
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled = false
filter = named-refused
action = iptables-multiport
         sendmail-whois
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
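To make the ignoreip / findtime / maxretry / bantime parameters above concrete, the following is an added Python model of how a jail such as ssh-iptables decides to ban. It is example code written for this page, not part of fail2ban: the regex is a simplified, hypothetical stand-in for the real filter.d/sshd.conf, the Jail class is a toy re-implementation of the counting logic, and the /var/log/secure lines are constructed. The ssh jail's values from the page (maxretry = 5, findtime = 600, bantime = 600, ignoreip = 127.0.0.1) are the defaults.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical, simplified version of fail2ban's sshd failregex; <HOST> is
# captured as a dotted-quad IPv4 only.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one, as fail2ban must."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()


class Jail:
    """One jail: count matches per host inside findtime, ban at maxretry."""

    def __init__(self, maxretry=5, findtime=600, bantime=600, ignoreip=("127.0.0.1",)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> failure timestamps within findtime
        self.bans = {}                      # host -> epoch at which the ban expires

    def _ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def is_banned(self, host, now):
        return host in self.bans and now < self.bans[host]

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        m = FAILREGEX.search(line)
        if not m:
            return None
        now, host = parse_syslog_ts(m["ts"]), m["host"]
        # Unban hosts whose bantime has elapsed.
        for h in [h for h, until in self.bans.items() if now >= until]:
            del self.bans[h]
        if self._ignored(host) or self.is_banned(host, now):
            return None
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:  # slide the findtime window
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            window.clear()
            return host
        return None

    def run(self, lines):
        """Feed lines in log order; return the hosts banned, in order."""
        return [h for h in (self.feed(l) for l in lines) if h]


def line(ts, host, user="root"):
    # Constructed /var/log/secure entries, not captured from a real host.
    return f"{ts} web1 sshd[2412]: Failed password for {user} from {host} port 51234 ssh2"


SAMPLE_LOG = [
    line("Jun 13 10:00:01", "203.0.113.7"),
    line("Jun 13 10:00:03", "203.0.113.7", "invalid user admin"),
    line("Jun 13 10:00:05", "198.51.100.9"),
    line("Jun 13 10:00:05", "203.0.113.7"),
    line("Jun 13 10:00:08", "203.0.113.7"),
    line("Jun 13 10:00:10", "203.0.113.7"),   # 5th failure within 600 s -> ban
    line("Jun 13 10:00:12", "203.0.113.7"),   # already banned, not counted again
    line("Jun 13 10:05:05", "198.51.100.9"),
    line("Jun 13 10:10:05", "198.51.100.9"),
    line("Jun 13 10:15:05", "198.51.100.9"),  # 10:00:05 has slid out of findtime
    line("Jun 13 10:20:05", "198.51.100.9"),  # never more than 3 in the window -> no ban
] + [line(f"Jun 13 10:30:{s:02d}", "127.0.0.1") for s in range(6)]  # matched by ignoreip


if __name__ == "__main__":
    print(Jail().run(SAMPLE_LOG))  # ['203.0.113.7']
```

Two things the model makes visible that the config file alone does not: a slow attacker spaced wider than findtime never reaches maxretry (198.51.100.9 above), so a longer findtime or lower maxretry is what catches low-and-slow attempts, and a host in ignoreip is never counted no matter how many failures it produces, which is why that list should hold only addresses you trust.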