Official description:
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures,
seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time,
although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured.
Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
1. Installation
sudo apt-get install fail2ban
2. Configuration
The configuration files live in /etc/fail2ban.
After installation, fail2ban monitors only the ssh service by default; monitoring for any other service has to be configured by hand.
In /etc/fail2ban/jail.conf you will find:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
The line enabled = true is what turns on monitoring of the ssh service.
Monitoring of ssh is enabled by default.
To keep a fail2ban upgrade from overwriting your settings, however, copy jail.conf to jail.local and put your changes there;
the authors ask that jail.conf itself not be modified directly.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
The comment inside jail.conf says:
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
Common parameters:
maxretry -- the number of password failures after which the IP is banned
bantime -- how long the IP stays banned, in seconds
--Exclude trusted networks, for example the internal subnet 192.168.1.0/24--
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 600
maxretry = 3
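As an added example (not part of the original post), the following Python script replays constructed sshd lines from auth.log against the ignoreip, bantime and maxretry values above, so you can see which addresses would be banned and why the trusted subnet is exempt. The findtime window, the year 2024 and the sample log lines are assumptions made here; fail2ban's stock sshd filter matches more line formats than this single regex.

```python
import ipaddress
import re
from datetime import datetime
# Values from the jail.local fragment above
IGNOREIP = ["127.0.0.1/8", "192.168.1.0/24"]
BANTIME = 600    # seconds an address stays banned
MAXRETRY = 3     # failures that trigger a ban
FINDTIME = 600   # window the failures must fall in; fail2ban's default, assumed here

# One sshd line shape that the stock "sshd" filter acts on (the real filter knows more)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample of /var/log/auth.log lines (not real traffic)
SAMPLE_AUTH_LOG = """\
Mar 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 10:00:05 host sshd[1003]: Failed password for root from 192.168.1.20 port 40003 ssh2
Mar 10 10:00:07 host sshd[1004]: Failed password for root from 192.168.1.20 port 40004 ssh2
Mar 10 10:00:09 host sshd[1005]: Failed password for root from 192.168.1.20 port 40005 ssh2
Mar 10 10:00:13 host sshd[1007]: Failed password for root from 203.0.113.5 port 40007 ssh2
Mar 10 10:30:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 40008 ssh2
Mar 10 10:45:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 40009 ssh2
Mar 10 11:00:00 host sshd[1010]: Failed password for root from 198.51.100.9 port 40010 ssh2
"""

def is_ignored(ip: str) -> bool:
    """True if ip falls inside any ignoreip entry (single IP or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)

def simulate_bans(log_text: str, year: int = 2024) -> dict:
    """Replay auth.log lines; return {ip: epoch of ban} for addresses fail2ban would ban."""
    failures, bans = {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or is_ignored(m["ip"]):
            continue                      # not a failure line, or a trusted address
        ip, ts = m["ip"], datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        if ip in bans and ts < bans[ip] + BANTIME:
            continue                      # still banned: the firewall rule would drop it
        recent = [t for t in failures.get(ip, []) if ts - t <= FINDTIME] + [ts]
        failures[ip] = recent
        if len(recent) >= MAXRETRY:
            bans[ip] = ts                 # ban starts now and expires at ts + BANTIME
            failures[ip] = []
    return bans
```

Note that 198.51.100.9 is never banned: its three failures are 15 minutes apart, so no three fall inside the same findtime window, which is why a slow guesser needs a longer findtime or a lower maxretry to be caught.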
--Set the administrator's email address so that a notification is sent when something abnormal happens--
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
--Enable apache, postfix, sasl, ssh-ddos and dovecot--
[apache]
enabled = true
[postfix]
enabled = true
[sasl]
enabled = true
[ssh-ddos]
enabled = true
[dovecot]
enabled = true
3. Common commands
. Show the current status
fail2ban-client status
. Start
sudo service fail2ban start
. Restart
sudo service fail2ban restart
. Stop
sudo service fail2ban stop
4. Viewing the log file
The log file is located at /var/log/fail2ban.log
References:
http://www.fail2ban.org/wiki/index.php/Main_Page
http://www.fail2ban.org/wiki/index.php/Category:Configuration