这篇文章主要介绍了centos下fail2ban安装与配置实例,fail2ban是一个实用、强大的Linux安全软件,可以监控大多数常用服务器软件,需要的朋友可以参考下
fail2ban可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作(一般情况下是防火墙),而且可以发送e-mail通知系统管理员,是不是很好、很实用、很强大!
二、简单来介绍一下fail2ban的功能和特性
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。
3、在logpath选项中支持通配符
4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)
5、需要安装python,iptables,shorewall,Gamin。如果想要发邮件,那必需安装postfix/sendmail
三、fail2ban安装与配置操作实例
1:安装epel更新源:http://fedoraproject.org/wiki/EPEL/zh-cn
#yuminstallshorewallgamin-pythonshorewall-shellshorewall-perlshorewall-commonpython-inotifypython-ctypesfail2ban
or
#yuminstallgamin-pythonpython-inotifypython-ctypes #wgethttp://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm #rpm-ivhfail2ban-0.8.11-2.el6.noarch.rpm
or
#yuminstallgamin-pythonpython-inotifypython-ctypes #wgethttp://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm #rpm-ivhfail2ban-0.8.4-29.el5.noarch.rpm
2:源码包安装
#wgethttps://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0 #tar-xzvffail2ban-0.9.0.tar.gz #cd #./setup.py #cpfiles/solaris-svc-fail2ban/lib/svc/method/svc-fail2ban #chmod+x/lib/svc/method/svc-fail2ban
安装路径
/etc/fail2ban action.dfilter.dfail2ban.confjail.conf
我们主要编辑jail.conf这个配置文件,其他的不要去管它.
#vi/etc/fail2ban.conf
SSH防攻击规则:
[ssh-iptables] enabled=true filter=sshd action=iptables[name=SSH,port=ssh,protocol=tcp] sendmail-whois[name=SSH,dest=root,sender=fail2ban@example.com,sendername="Fail2Ban"] logpath=/var/log/secure maxretry=5 [ssh-ddos] enabled=true filter=sshd-ddos action=iptables[name=ssh-ddos,sftpprotocol=tcp,udp] logpath=/var/log/messages maxretry=2 [osx-ssh-ipfw] enabled=true filter=sshd action=osx-ipfw logpath=/var/log/secure.log maxretry=5 [ssh-apf] enabled=true filter=sshd action=apf[name=SSH] logpath=/var/log/secure maxretry=5 [osx-ssh-afctl] enabled=true filter=sshd action=osx-afctl[bantime=600] logpath=/var/log/secure.log maxretry=5 [selinux-ssh] enabled=true filter=selinux-ssh action=iptables[name=SELINUX-SSH,protocol=tcp] logpath=/var/log/audit/audit.log maxretry=5
proftp防攻击规则
[proftpd-iptables] enabled=true filter=proftpd action=iptables[name=ProFTPD,port=ftp,protocol=tcp] sendmail-whois[name=ProFTPD,dest=you@example.com] logpath=/var/log/proftpd/proftpd.log maxretry=6
邮件防攻击规则
[sasl-iptables] enabled=true filter=postfix-sasl backend=polling action=iptables[name=sasl,port=smtp,protocol=tcp] sendmail-whois[name=sasl,dest=you@example.com] logpath=/var/log/mail.log [dovecot] enabled=true filter=dovecot action=iptables-multiport[name=dovecot,port="pop3,pop3s,imap,imaps,submission,smtps,sieve",protocol=tcp] logpath=/var/log/mail.log [dovecot-auth] enabled=true filter=dovecot action=iptables-multiport[name=dovecot-auth,protocol=tcp] logpath=/var/log/secure [perdition] enabled=true filter=perdition action=iptables-multiport[name=perdition,port="110,143,993,995"] logpath=/var/log/maillog [uwimap-auth] enabled=true filter=uwimap-auth action=iptables-multiport[name=uwimap-auth,995"] logpath=/var/log/maillog
apache防攻击规则
[apache-tcpwrapper] enabled=true filter=apache-auth action=hostsdeny logpath=/var/log/httpd/error_log maxretry=6 [apache-badbots] enabled=true filter=apache-badbots action=iptables-multiport[name=BadBots,port="http,https"] sendmail-buffered[name=BadBots,lines=5,dest=you@example.com] logpath=/var/log/httpd/access_log bantime=172800 maxretry=1 [apache-shorewall] enabled=true filter=apache-noscript action=shorewall sendmail[name=Postfix,dest=you@example.com] logpath=/var/log/httpd/error_log
Nginx防攻击规则
[Nginx-http-auth] enabled=true filter=Nginx-http-auth action=iptables-multiport[name=Nginx-http-auth,port="80,443"] logpath=/var/log/Nginx/error.log
lighttpd防规击规则
[suhosin] enabled=true filter=suhosin action=iptables-multiport[name=suhosin,https"] #adaptthefollowingtwoitemsasneeded logpath=/var/log/lighttpd/error.log maxretry=2 [lighttpd-auth] enabled=true filter=lighttpd-auth action=iptables-multiport[name=lighttpd-auth,https"] #adaptthefollowingtwoitemsasneeded logpath=/var/log/lighttpd/error.log maxretry=2
vsftpd防攻击规则
[vsftpd-notification] enabled=true filter=vsftpd action=sendmail-whois[name=VSFTPD,dest=you@example.com] logpath=/var/log/vsftpd.log maxretry=5 bantime=1800 [vsftpd-iptables] enabled=true filter=vsftpd action=iptables[name=VSFTPD,protocol=tcp] sendmail-whois[name=VSFTPD,dest=you@example.com] logpath=/var/log/vsftpd.log maxretry=5 bantime=1800
pure-ftpd防攻击规则
[pure-ftpd] enabled=true filter=pure-ftpd action=iptables[name=pure-ftpd,protocol=tcp] logpath=/var/log/pureftpd.log maxretry=2 bantime=86400
MysqL防攻击规则
[MysqLd-iptables] enabled=true filter=MysqLd-auth action=iptables[name=MysqL,port=3306,protocol=tcp] sendmail-whois[name=MysqL,sender=fail2ban@example.com] logpath=/var/log/MysqLd.log maxretry=5
apache PHPmyadmin防攻击规则
[apache-PHPmyadmin] enabled=true filter=apache-PHPmyadmin action=iptables[name=PHPmyadmin,port=http,httpsprotocol=tcp] logpath=/var/log/httpd/error_log maxretry=3 #/etc/fail2ban/filter.d/apache-PHPmyadmin.conf 将以下内容粘贴到apache-PHPmyadmin.conf里保存即可以创建一个apache-PHPmyadmin.conf文件. #Fail2Banconfigurationfile # #Bansbotsscanningfornon-existingPHPMyAdmininstallationsonyourwebhost. # #Author:GinaHaeussge # [Definition] docroot=/var/www badadmin=PMA|PHPmyadmin|myadmin|MysqL|MysqLadmin|sqladmin|mypma|admin|xampp|MysqLdb|mydb|db|pmadb|PHPmyadmin1|PHPmyadmin2 #Option:failregex #Notes.:RegexptomatchoftenprobedandnotavailablePHPmyadminpaths. #Values:TEXT # failregex=[[]client[]]Filedoesnotexist:%(docroot)s/(?:%(badadmin)s) #Option:ignoreregex #Notes.:regextoignore.Ifthisregexmatches,thelineisignored. #Values:TEXT # ignoreregex= #servicefail2banrestart
写在最后,在安装完fail2ban后请立即重启一下fail2ban,看是不是能正常启动,因为在后边我们配置完规则后如果发生无法启动的问题我们可以进行排查.如果安装完后以默认规则能够正常启动,而配置完规则后却不能够正常启动,请先检查一下你 /var/log/ 目录下有没有规则里的 logpath= 后边的文件,或者这个文件的路径与规则里的是不是一致. 如果不一致请在 logpath 项那里修改你的路径, 如果你的缓存目录里没有这个文件,那么请你将该配置项的 enabled 项目的值设置为 false. 然后再进行重启fail2ban,这样一般不会有什么错误了.
转载自:http://www.jb51.net/article/48591.htm