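You have probably seen people repeatedly guessing passwords against ssh, ftp and other services in your system logs. Fail2ban was created to deal with exactly this.
The source can be downloaded here: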
http://sourceforge.net/project/showfiles.php?group_id=121032&package_id=132537
1. Installing on RHEL5
tar -jxvf fail2ban-0.8.3.tar.bz2
Then enter the directory: cd fail2ban-0.8.3/
Run as root:
./setup.py install
The config files are now installed under /etc/fail2ban
Next:
cp fail2ban-0.8.3/files/suse-initd /etc/init.d/fail2ban
chmod 755 /etc/init.d/fail2ban
Integrate fail2ban into logrotate:
create file "/etc/logrotate.d/fail2ban":
/var/log/fail2ban.log {
    weekly
    rotate 7
    missingok
    compress
    postrotate
        /usr/bin/fail2ban-client reload 1>/dev/null || true
    endscript
}
Note:
The path to your fail2ban-client needs to be adjusted (# whereis fail2ban-client)
# IP ranges to ignore; separate two or more entries with spaces, e.g. 192.168.10.0/24
ignoreip = 127.0.0.1
# How long an IP stays banned (seconds); a value of -1 means banned permanently
bantime = 600
# Time window (seconds) within which reaching maxretry failures triggers a ban
findtime = 600
# Number of attempts allowed
maxretry = 3
# Per-service settings
# Brute-force protection for sshd
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=root]
logpath = /var/log/secure
# A jail-specific retry count, if any, goes here
maxretry = 5
# Brute-force protection for vsftpd
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 3
bantime = 1800
Setting maxretry to 3 is recommended, which means a ban after 3 failed attempts.
2. Now start fail2ban and test it by repeatedly attempting ssh logins from a single IP
Below is a short excerpt from secure (edited):
Did not receive identification string from 192.168.11.2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41017 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41096 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41162 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41209 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41267 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41323 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41376 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41433 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41484 ssh2
Now let's look at the fail2ban log:
fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.11.2
fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.11.2
It is working. This is only a small part of what fail2ban can do; for more detail, see the official website:
http://www.fail2ban.org/
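The ban seen in the two logs above follows from counting failures per IP inside the findtime window. The sketch below is an added example, not part of the original post or of fail2ban's own code: the regex is a simplified stand-in for the sshd filter, find_bans is a hypothetical helper, and the sample lines (timestamps, host name, PIDs) are constructed. Defaults match the [ssh-iptables] jail above (maxretry = 5, findtime = 600).

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the sshd filter (an assumption, not fail2ban's own regex).
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_bans(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.1",), year=2008):
    """Return [(ip, time)] whenever an IP reaches maxretry failures within findtime seconds."""
    ignored = [ipaddress.ip_network(net) for net in ignoreip]
    recent = defaultdict(deque)          # ip -> timestamps of failures still in the window
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                     # "Invalid user ..." and other lines are not counted
        # syslog lines carry no year, so one is supplied (assumed) for parsing
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue                     # host field is not an IP address; skip it
        if any(addr in net for net in ignored):
            continue                     # ignoreip entries are never banned
        window = recent[str(addr)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()             # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((str(addr), ts))
            window.clear()               # counting starts again after the ban
    return bans

# Constructed sample in /var/log/secure style; host name, PIDs and times are made up.
FMT = "Jul  9 {t} host sshd[{pid}]: Failed password for invalid user test from {ip} port 41017 ssh2"
SAMPLE = ["Jul  9 10:00:00 host sshd[2101]: Invalid user test from 192.168.11.2"]
SAMPLE += [FMT.format(t=f"10:00:{s:02d}", pid=2101, ip="192.168.11.2") for s in range(0, 50, 10)]
SAMPLE += [FMT.format(t=f"10:01:{s:02d}", pid=2102, ip="127.0.0.1") for s in range(0, 50, 10)]
# Failures 5 minutes apart: never 5 of them inside one 600-second window.
SAMPLE += [FMT.format(t=f"11:{m:02d}:00", pid=2103, ip="192.168.11.3") for m in range(0, 60, 5)]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE):
        print(f"{when:%H:%M:%S} [ssh-iptables] Ban {ip}")
```

With the jail's values only 192.168.11.2 is banned; rerunning with maxretry=3 shows how the lower threshold also catches the source whose failures are spread five minutes apart.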
This article comes from the ChinaUnix blog; to view the original, see: http://blog.chinaunix.net/u/30312/showart_1168658.html