官网地址:http://www.fail2ban.org/wiki/index.php/Main_Page
download fail2ban-0.10.tar.gz,然后rz到服务器,
tar -xvf fail2ban-0.10.tar.gz
进入解压后的目录,查看README
[[email protected] tmp]# cd fail2ban-0.10/ [[email protected] fail2ban-0.10]# cat README.md #查看python版本是否满足 [[email protected] fail2ban-0.10]# python --version Python 2.7.5
安装fail2ban
[[email protected] fail2ban-0.10]#python setup.py install
添加系统服务
fail2ban.service 服务脚本配置文件
[Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) After=network.target iptables.service firewalld.service PartOf=iptables.service firewalld.service [Service] Type=simple ExecStartPre=/bin/mkdir -p /var/run/fail2ban ExecStart=/usr/bin/fail2ban-server -xf start # if should be logged in systemd journal, use following line or set logtarget to stdout in fail2ban.local # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=stdout start ExecStop=/usr/bin/fail2ban-client stop ExecReload=/usr/bin/fail2ban-client reload PIDFile=/var/run/fail2ban/fail2ban.pid Restart=on-failure RestartPreventExitStatus=0 255 [Install] WantedBy=multi-user.target
把配置文件加入systemd
[[email protected] system]# ls f* final.target firewalld.service fprintd.service fstrim.service fstrim.timer #拷贝文件到服务统一位置/usr/lib/systemd/system [[email protected] system]# cp /tmp/fail2ban-0.10/files/fail2ban.service /usr/lib/systemd/system
[[email protected] system]# ls -l /etc/systemd/system/fail2ban.service lrwxrwxrwx. 1 root root 16 Jul 14 17:41 /etc/systemd/system/fail2ban.service -> fail2ban.service [[email protected] multi-user.target.wants]# ln -s /usr/lib/systemd/system/fail2ban.service ./multi-user.target.wants/ [[email protected]st multi-user.target.wants]# systemctl list-unit-files -t service |grep fail2ban.service fail2ban.service enabled
[[email protected] files]# systemctl start fail2ban.service [[email protected] files]# systemctl status fail2ban.service ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2017-07-14 18:04:26 CST; 12s ago Docs: man:fail2ban(1) Process: 72114 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 72116 (fail2ban-server) CGroup: /system.slice/fail2ban.service └─72116 /usr/bin/python /usr/bin/fail2ban-server -xf start
配置文件
[[email protected] fail2ban]# ls -1 action.d #定义fail2ban的操作,iptables、mails、 fail2ban.conf #定义日志级别、日志位置、socket文件位置 fail2ban.d filter.d #条件,过滤日志设置 jail.conf #主要配置文件,模块。启动ban动作服务和动作阀值 jail.d paths-arch.conf paths-common.conf paths-debian.conf paths-fedora.conf paths-freebsd.conf paths-opensuse.conf patahs-osx.conf
修改 fail2ban.conf配置文件
[[email protected] files]# vim /etc/fail2ban/jail.conf 限制时间 # "bantime" is the number of seconds that a host is banned. bantime = 3600 #默认为秒,指定分钟后面m,这里指定的是1小时 时间间隔 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 60 次数 # "maxretry" is the number of failures before a host get banned. maxretry = 200 backend # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # systemd: uses systemd python library to access the systemd journal. # Specifying "logpath" is not valid for this backend. # See "journalmatch" in the jails associated filter config # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. # # Note: if systemd backend is chosen as the default but you enable a jail # for which logs are present only in its own log files, specify some other # backend for that jail (e.g. polling) and provide empty value for # journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 backend = auto # true: jail will be enabled and log files will get monitored for changes # false: jail is not enabled enabled = false # HTTP servers # [apache-auth] #检测验证失败 port = http,https logpath = %(apache_error_log)s [apache-badbots] #检测抓取邮件地址的爬虫 # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. port = http,https logpath = %(apache_access_log)s bantime = 48h maxretry = 1 [apache-noscript] #漏洞和PHP脆弱性扫描 port = http,https logpath = %(apache_error_log)s [apache-overflows] #溢出检测 port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] #检测在服务器查找主目录 port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] port = http,https logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip> [apache-modsecurity] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] port = http,https logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log
日志过滤器存放位置
/etc/fail2ban/filter.d [[email protected] filter.d]# cd /etc/fail2ban/filter.d [[email protected] filter.d]# ls 3proxy.conf domino-smtp.conf mysqld-auth.conf selinux-common.conf apache-auth.conf dovecot.conf nagios.conf selinux-ssh.conf apache-badbots.conf dropbear.conf named-refused.conf sendmail-auth.conf apache-botsearch.conf drupal-auth.conf nginx-botsearch.conf sendmail-reject.conf apache-common.conf ejabberd-auth.conf nginx-http-auth.conf sieve.conf apache-fakegooglebot.conf exim-common.conf nginx-limit-req.conf slapd.conf apache-modsecurity.conf exim.conf nsd.conf sogo-auth.conf apache-nohome.conf exim-spam.conf openhab.conf solid-pop3d.conf
action目录:
/etc/fail2ban/action.d
[[email protected] action.d]# cd /etc/fail2ban/action.d [[email protected] action.d]# ls abuseipdb.conf mail-buffered.conf apf.conf mail.conf badips.conf mail-whois-common.conf badips.py mail-whois.conf blocklist_de.conf mail-whois-lines.conf bsd-ipfw.conf mynetwatchman.conf cloudflare.conf netscaler.conf complain.conf nftables-allports.conf dshield.conf nftables-common.conf
时间: 2024-10-10 13:10:31