Installing fail2ban on Ubuntu 12.04 to block malicious password-guessing connections

(from the blog K'隨手記)

Official description:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured.

Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

sudo apt-get install fail2ban

The configuration files are in /etc/fail2ban

After installation fail2ban only monitors the ssh service by default; monitoring of other services has to be configured by hand.

In /etc/fail2ban/jail.conf you will find:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

The line enabled = true is what turns on monitoring of the ssh service.

Monitoring of ssh is enabled by default. However, to prevent a fail2ban upgrade from overwriting your settings, jail.conf recommends copying jail.conf to jail.local and asks users not to modify jail.conf directly.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The note inside jail.conf reads:

# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local

Common parameters:

maxretry -- the number of password failures after which the IP is banned

bantime -- how long the IP stays banned, in seconds

--Exclude trusted networks, for example the internal subnet 192.168.1.0/24--

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 600
maxretry = 3

--Set the administrator's email address so that a notification is sent when something abnormal happens--

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

--Enable apache, postfix, sasl, ssh-ddos and dovecot--

[apache]
enabled = true

[postfix]
enabled = true

[sasl]
enabled = true

[ssh-ddos]
enabled = true

[dovecot]
enabled = true
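To see how maxretry, bantime and ignoreip interact, here is an added Python example (not from the original post and not fail2ban's own code) that replays a few constructed auth.log lines the way the sshd jail would. It assumes findtime, the window in which failures are counted (a real jail.conf parameter the post does not list, default 600 seconds), and a log year of 2013, since syslog timestamps carry no year.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample /var/log/auth.log lines in the Ubuntu 12.04 sshd format; not real traffic.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:05 host sshd[2002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:09 host sshd[2003]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:20 host sshd[2004]: Failed password for root from 192.168.1.50 port 51004 ssh2
Mar  1 10:00:21 host sshd[2005]: Failed password for root from 192.168.1.50 port 51005 ssh2
Mar  1 10:00:22 host sshd[2006]: Failed password for root from 192.168.1.50 port 51006 ssh2
Mar  1 10:00:30 host sshd[2007]: Failed password for root from 198.51.100.9 port 51007 ssh2
Mar  1 10:30:00 host sshd[2008]: Failed password for root from 198.51.100.9 port 51008 ssh2
Mar  1 11:00:00 host sshd[2009]: Failed password for root from 198.51.100.9 port 51009 ssh2
"""

# Matches the "Failed password" line that the sshd filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+")


def in_ignoreip(ip, ignoreip):
    """True if ip falls inside any address or CIDR listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def find_bans(log_text, ignoreip=("127.0.0.1/8", "192.168.1.0/24"),
              maxretry=3, findtime=600, bantime=600, year=2013):
    """Replay the log and return {ip: ban expiry}: an IP is banned for bantime seconds
    once it reaches maxretry failures within findtime seconds, unless it matches ignoreip.
    The year is an assumption because syslog timestamps have none."""
    failures = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a password failure; the sshd filter ignores such lines
        ip = m.group("ip")
        if ip in bans or in_ignoreip(ip, ignoreip):
            continue  # already banned, or from a trusted network
        stamp = " ".join(m.group("ts").split())  # collapse the padded day ("Mar  1")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # keep only the failures still inside the sliding findtime window, then add this one
        recent = [t for t in failures[ip] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans
```

With the settings from this post, only 203.0.113.7 is banned: 192.168.1.50 is inside the ignoreip subnet, and 198.51.100.9 spreads its three failures over an hour, so it never reaches maxretry inside one findtime window.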

Common commands

.Show the current status

fail2ban-client status

.Start

sudo service fail2ban start

.Restart

sudo service fail2ban restart

.Stop

sudo service fail2ban stop

Viewing the log file

The log file is at /var/log/fail2ban.log

References:

http://www.fail2ban.org/wiki/index.php/Main_Page

http://www.fail2ban.org/wiki/index.php/Category:Configuration
