Using fail2ban: brute-force protection with e-mail alerts


Protecting a server with open-source defensive software

Background:

Recently the sshd service on our public-facing website was continuously subjected to password brute-force attempts. None of them succeeded, but system load went very high: during a brute-force run the system keeps authenticating users, which adds resource overhead and made access to the company website very slow.

fail2ban monitors your system logs, matches the error messages in them (by regular expression) and executes a corresponding blocking action (usually a firewall rule); it can also send an e-mail to notify the system administrator. Very good, very practical, very powerful!

ban (bæn): prohibition
Put simply, its job is to stop brute-force attacks. It works by analysing the relevant service logs over a given time window and, for every IP that meets the trigger condition, adding it to an iptables DROP rule for a set period.
So install iptables before using fail2ban.


Preparation

Starting with CentOS 7.x the default firewall is firewalld, but iptables is still supported.
- Stop firewalld:

[root@ssh1 ~]# systemctl stop firewalld.service          # stop firewalld
[root@ssh1 ~]# systemctl disable firewalld.service       # keep firewalld from starting at boot

- Install the iptables firewall

[root@ssh1 ~]# yum install iptables-services              # install

Note: restarting the iptables service resets all DROP rules, fail2ban's bans included.
Configuration file location:

[root@ssh1 ~]# ls /etc/sysconfig/iptables
/etc/sysconfig/iptables

Start the service

[root@ssh1 ~]# systemctl start iptables.service
[root@ssh1 ~]# systemctl enable iptables.service

Installation and configuration

1. Download the package:

http://www.fail2ban.org     http://www.fail2ban.org/wiki/index.php/Downloads  

2. Unpack it and read the README

[root@ssh1 ~]# tar xf fail2ban-0.9.4.tar.gz
[root@ssh1 fail2ban-0.9.4]# vim README.md  # read the install notes

3. Install:

[root@redis fail2ban-0.9.4]# python setup.py install

4. Layout of the configuration files

1) /etc/fail2ban/action.d
   Action directory, shipped with default files: the configuration for the iptables, mail and other actions.
2) /etc/fail2ban/fail2ban.conf
   Defines fail2ban's log level, log location and socket file location.
3) /etc/fail2ban/filter.d
   Filter directory, shipped with default files: the patterns that pick the relevant entries out of the logs.
4) /etc/fail2ban/jail.conf
   Main, modular configuration file. Sets which services get the ban action and the thresholds that trigger it.
5) /etc/rc.d/init.d/fail2ban
   Start-up script for the fail2ban service.

5. Install the service start-up script:

[root@ssh1 ~]# cp fail2ban-0.9.4/files/redhat-initd /etc/rc.d/init.d/fail2ban
[root@ssh1 ~]# chkconfig --add fail2ban     # start at boot

6. fail2ban configuration

/etc/fail2ban/fail2ban.conf

[Definition]  
loglevel = INFO  
logtarget = SYSLOG  
syslogsocket = auto  
socket = /var/run/fail2ban/fail2ban.sock  
pidfile = /var/run/fail2ban/fail2ban.pid  
dbfile = /var/lib/fail2ban/fail2ban.sqlite3  
dbpurgeage = 86400  
Note: leave all of the above unchanged.

/etc/fail2ban/jail.conf

Mail notification: when a jail lists several actions (iptables plus sendmail), the second action line must be indented so that it lines up under the first, otherwise the file fails to parse. Also note that fail2ban's config parser only recognises an inline comment as ';' preceded by a space; '#' is a comment only at the start of a line, so keep annotations on their own lines, as below.

# Per-service settings. If bantime, findtime or maxretry here conflict with the
# global [DEFAULT] values, the service section takes precedence.
[sshd]
# enable this jail (true/false)
enabled  = true
# name of the filter, i.e. filter.d/sshd.conf
filter   = sshd
# action and its parameters, i.e. action.d/iptables.conf
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# log file to watch
logpath  = /var/log/secure
# ban for 3600 seconds once maxretry failures are seen within findtime seconds
bantime  = 3600
findtime = 300
maxretry = 3

Rule examples for various services:

# (1) SSH rules
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

[ssh-ddos]
enabled = true
filter  = sshd-ddos
# the plain iptables action takes one port and one protocol; use iptables-multiport for several
action  = iptables[name=ssh-ddos, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2
[osx-ssh-ipfw]
enabled  = true
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5

[ssh-apf]
enabled = true
filter  = sshd
action  = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5

[osx-ssh-afctl]
enabled  = true
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5

[selinux-ssh]
enabled = true
filter  = selinux-ssh
action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5

(2) ProFTPD rules
[proftpd-iptables]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

(3) Mail service rules
[sasl-iptables]
enabled  = true
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log
[dovecot]
enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/mail.log
[dovecot-auth]
enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/secure
[perdition]
enabled = true
filter  = perdition
action  = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog

[uwimap-auth]
enabled = true
filter  = uwimap-auth
action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog

(4) Apache rules
[apache-tcpwrapper]
enabled  = true
filter  = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/error_log
maxretry = 6
[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1
[apache-shorewall]
enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/httpd/error_log

(5) nginx rules
[nginx-http-auth]
enabled = true
filter  = nginx-http-auth
action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log

(6) lighttpd rules
[suhosin]
enabled  = true
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2
[lighttpd-auth]
enabled  = true
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

(7) vsftpd rules
[vsftpd-notification]
enabled  = true
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
(8) pure-ftpd rules
[pure-ftpd]
enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 2
bantime  = 86400

(9) MySQL rules
[mysqld-iptables]
enabled  = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5

(10) Apache phpMyAdmin rules
[apache-phpmyadmin]
enabled  = true
filter   = apache-phpmyadmin
action   = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3


# /etc/fail2ban/filter.d/apache-phpmyadmin.conf
Create apache-phpmyadmin.conf by pasting the following into that file and saving it. The <HOST> tag in failregex is required: fail2ban substitutes its address pattern there and uses the capture as the IP to ban.
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#
[Definition]
docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
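To see what this filter catches before enabling the jail, here is a small shell harness written for this article (it is not part of fail2ban or of the filter file above) that applies the same docroot and badadmin list with sed to a few constructed error_log lines. It also accepts the Apache 2.4 line format, `[client IP:port] AH00128: File does not exist: ...`, which the failregex above does not match because of the port suffix and the AH00128 prefix; the sample log, the IP addresses and the function names are all made up for the example.

```shell
#!/bin/sh
# Constructed Apache error_log lines for the example (not real traffic):
# two probes in Apache 2.2 format, one in Apache 2.4 format, one ordinary 404 to ignore.
SAMPLE_LOG='[Sun Jun 04 10:00:01 2017] [error] [client 203.0.113.5] File does not exist: /var/www/phpmyadmin
[Sun Jun 04 10:00:02 2017] [error] [client 203.0.113.5] File does not exist: /var/www/PMA
[Sun Jun 04 10:00:03 2017] [core:info] [pid 1234] [client 198.51.100.7:40212] AH00128: File does not exist: /var/www/myadmin
[Sun Jun 04 10:00:04 2017] [error] [client 192.0.2.9] File does not exist: /var/www/favicon.ico'

# Same values as the filter file; keep them in sync when you edit the filter.
docroot=/var/www
badadmin='PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2'

# Print the client IP of every line the filter would count as a failure, one per line.
# The ERE below is the failregex with <HOST> replaced by an IPv4 capture, plus an
# optional ":port" and "AH00128: " so that Apache 2.4 lines are matched as well.
# Like the original it matches on prefix: /var/www/dbase counts because "db" is listed.
phpmyadmin_probes() {
  printf '%s\n' "$SAMPLE_LOG" |
    sed -n -E "s#^.*\[client ([0-9.]+)(:[0-9]+)?] (AH00128: )?File does not exist: $docroot/($badadmin).*#\1#p"
}

# Aggregate per client, the way a jail's maxretry counter would (ignoring findtime here).
# Output: IP=count, sorted by IP.
probes_per_client() {
  phpmyadmin_probes | sort | uniq -c | awk '{ print $2 "=" $1 }' | sort
}

phpmyadmin_probes
probes_per_client
```

With fail2ban itself the equivalent dry run is `fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-phpmyadmin.conf`; run it after any change to badadmin, since the prefix match means a short entry such as `db` also covers every directory name beginning with it.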

7. Start the service

[root@ssh1 ~]# systemctl restart fail2ban

Note: fail2ban must always start after iptables, because on start-up it creates its own f2b-* chains in iptables and a restart of iptables wipes them. So restarting iptables always requires restarting fail2ban; the reverse is not needed.

8. List the current ban rules (the f2b-* chains are the ones fail2ban manages)

[root@ssh1 ~]#  iptables -L --line-numbers

9. Unban an IP that fail2ban has blocked

[root@ssh1 ~]#  iptables -D f2b-ssh 1

This removes the first rejected IP. The chain is named f2b- followed by the name= parameter of the jail's action (f2b-SSH for the [sshd] jail in step 6; take the exact spelling from the iptables -L output). Deleting the rule by hand leaves fail2ban's own database believing the address is still banned; `fail2ban-client set sshd unbanip <IP>` unbans through fail2ban and keeps the two in sync.

10. Count the IPs with failed logins

[root@ssh1 ~]# find /var/log -name 'secure*' -type f | while read line;do awk '/Failed/{print $(NF-3)}' $line;done | awk '{a[$0]++}END{for (j in a) if(a[j] > 20) print j"="a[j]}' | sort -n -t'=' -k 2
    10.10.11.19=67
    202.99.172.155=24
    222.178.229.67=1005
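The one-liner above counts failures over the whole log with no time window, whereas the [sshd] jail in step 6 bans only when maxretry failures fall inside findtime seconds. The shell script below, written for this article rather than taken from fail2ban, reproduces that decision over a constructed /var/log/secure excerpt using the same $(NF-3) field as the one-liner. For readability the sample lines carry epoch-second timestamps instead of the syslog date; the IPs, timestamps and function names are made up.

```shell
#!/bin/sh
# Constructed /var/log/secure excerpt (not real traffic). Field 1 is an epoch timestamp
# standing in for the syslog date so the window arithmetic stays readable.
SECURE_LOG='1497000000 Failed password for root from 203.0.113.5 port 50122 ssh2
1497000010 Failed password for root from 198.51.100.7 port 41000 ssh2
1497000050 Accepted password for deploy from 192.0.2.9 port 33000 ssh2
1497000060 Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
1497000100 Failed password for root from 203.0.113.5 port 50124 ssh2
1497000900 Failed password for root from 198.51.100.7 port 41001 ssh2
1497001800 Failed password for root from 198.51.100.7 port 41002 ssh2'

# ban_candidates FINDTIME MAXRETRY
# Prints IP=<timestamp of the failure that triggered the ban> for every address that
# reached MAXRETRY failures within a FINDTIME-second window, in the order the bans
# would have happened. Sorting by time first turns the window check into a lookback.
ban_candidates() {
  printf '%s\n' "$SECURE_LOG" |
    awk '/Failed password/ { print $1, $(NF-3) }' |
    sort -n |
    awk -v ft="$1" -v mr="$2" '
      {
        ip = $2
        n[ip]++
        t[ip, n[ip]] = $1
        # newest failure minus the (mr-1)th previous one must fit inside findtime
        if (n[ip] >= mr && !banned[ip] && $1 - t[ip, n[ip] - mr + 1] <= ft) {
          banned[ip] = 1
          print ip "=" $1
        }
      }'
}

# With the jail values from step 6 (findtime=300, maxretry=3) only the burst is banned;
# the slow attacker spreading three attempts over 30 minutes is not.
ban_candidates 300 3
# Widening findtime to an hour catches the slow one as well.
ban_candidates 3600 3
```

The second run shows the trade-off behind findtime: a longer window catches low-and-slow guessing, at the price of banning a legitimate user who mistypes a password a few times over the same period, so raise it together with a clear unban procedure such as the fail2ban-client command in step 9.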

fail2ban status monitoring script
Because restarting iptables requires restarting fail2ban, add this monitoring script so that an administrator forgetting to do so does not leave the server unprotected.
1) Create a script directory

mkdir ~/script

2) Edit ~/script/f2bAutoRestart.sh with vim and add the following

#!/bin/bash
# number of fail2ban chains (f2b-*) currently present in iptables
fl=$(iptables -L -v -n | grep -c '^Chain f2b-')
#echo $fl
# no f2b chains means iptables was restarted after fail2ban: restart fail2ban to recreate them
if [ "$fl" -eq 0 ]; then
  echo 'restart fail2ban'
  /etc/init.d/fail2ban restart
fi

3) Add a cron job

crontab -e

Add the following line:

*/5 * * * * sh ~/script/f2bAutoRestart.sh