Using fail2ban to defend against SSH and vsftp brute force and CC attacks

Posted by Sunday on 2018-06-11

Introduction

Fail2ban is an intrusion prevention framework that works together with the server's iptables firewall; it is typically used to block connection attempts after repeated failures. It works by monitoring log files for specific kinds of entries and running predefined actions based on what it finds.

Environment

System: Ubuntu 16.04
Software: fail2ban 0.11

Firewall settings

Ubuntu

ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 22/tcp
ufw allow 21/tcp

CentOS

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A INPUT -j DROP

Download and install

# https://github.com/fail2ban/fail2ban  Note: the version on the official site is outdated; download the latest from GitHub

git clone git@github.com:fail2ban/fail2ban.git
cd fail2ban
sudo python setup.py install
cp files/debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban defaults
update-rc.d fail2ban enable
/etc/init.d/fail2ban start
#/etc/init.d/fail2ban reload

jail.conf

Default rules

cat /etc/fail2ban/jail.conf

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
# IPs to ignore; separate multiple entries with spaces
ignoreip = 127.0.0.1/8 110.165.17.232/29
ignorecommand =
# ban duration in seconds: 600 = 10 minutes; -1 means a permanent ban
bantime = 1800
# window, in seconds, within which failures are counted
findtime = 600
# number of failed logins before a ban
maxretry = 3

ssh and vsftp configuration

cat /etc/fail2ban/jail.conf
[sshd]
enabled = true
port = ssh
action = %(action_mwl)s
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# ban for 24 hours
bantime = 86400

[vsftpd]
port = ftp,ftp-data,ftps,ftps-data
enabled = true
filter = vsftpd
action = %(action_mwl)s
# path defined in paths-debian.conf (which includes paths-common.conf)
logpath = %(vsftpd_log)s
#logpath = /var/log/vsftpd.log
# ban after 7 failed logins
maxretry = 7
# ban for 1 hour
bantime = 3600
  • [vsftpd]: the jail name (the section name); any name may be used
  • filter: the filter name, which must be a rule file in the filter.d directory; vsftpd is a built-in fail2ban filter
  • port: the port(s) the jail applies to
  • action: the action to take, such as sending an email
  • logpath: the log file to monitor
  • maxretry: number of failed logins before a ban
  • bantime: how long the ban lasts
systemctl reload fail2ban
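To make the interaction of maxretry, findtime, bantime and ignoreip concrete, here is an added Python simulation (it is not fail2ban's own code and not from this post) that applies the vsftpd failregex to a constructed log and bans the way the [vsftpd] jail above would: 7 failures inside the default 600 s findtime, then a 3600 s ban. It assumes fail2ban's behaviour of cutting the matched timestamp out of the line before applying failregex (which is why the vsftpd pattern starts with a space), and expands <HOST> to a plain \S+ capture, which is looser than fail2ban's real host pattern; the log lines and addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# failregex for the vsftpd filter, as shown in the page's fail2ban-regex output.
# fail2ban removes the matched timestamp before applying failregex, hence the leading space.
VSFTPD_FAILREGEX = r'^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)'
# vsftpd's "Mon Jun 11 10:00:00 2018" timestamp (assumed format of the constructed log)
VSFTPD_DATE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}")


def compile_failregex(failregex):
    # fail2ban expands <HOST> into its own host pattern; \S+ is a simplification here
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def split_date(line):
    """Return (timestamp, line with the timestamp cut out), or (None, line) if no timestamp."""
    m = VSFTPD_DATE.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group(0), "%a %b %d %H:%M:%S %Y"), line[m.end():]


class Jail:
    """Sliding-window ban logic modelled on findtime/maxretry/bantime (simplified)."""

    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip=()):
        self.regex = compile_failregex(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = {}            # host -> failure timestamps inside the findtime window
        self.total_failed = Counter()  # host -> failures ever counted
        self.bans = {}                # host -> time at which the ban expires

    def is_banned(self, host, now):
        expiry = self.bans.get(host)
        if expiry is not None and now >= expiry:   # bantime has elapsed: lift the ban
            del self.bans[host]
        return host in self.bans

    def feed(self, line):
        """Process one log line; return the host if this line triggers a new ban."""
        ts, rest = split_date(line)
        m = self.regex.search(rest) if ts else None
        if not m:
            return None
        host = m.group("host")
        if any(ip_address(host) in net for net in self.ignore):
            return None                             # ignoreip: never counted, never banned
        self.total_failed[host] += 1
        window = [t for t in self.failures.get(host, []) if ts - t <= self.findtime]
        window.append(ts)
        self.failures[host] = window
        if len(window) >= self.maxretry and not self.is_banned(host, ts):
            self.bans[host] = ts + self.bantime
            return host
        return None


def vsftpd_line(ts, host, result="FAIL", user="ftpuser"):
    """Constructed vsftpd log line in the format the filter expects."""
    return '%s [pid 2] [%s] %s LOGIN: Client "%s"' % (
        ts.strftime("%a %b %d %H:%M:%S %Y"), user, result, host)


T0 = datetime(2018, 6, 11, 10, 0, 0)
# Constructed sample log (documentation address ranges, not real clients)
SAMPLE_LOG = (
    [vsftpd_line(T0 + timedelta(seconds=30 * i), "203.0.113.5") for i in range(7)]    # 7 failures in 3 minutes
    + [vsftpd_line(T0 + timedelta(minutes=20 * i), "198.51.100.9") for i in range(7)]  # 7 failures, 20 min apart
    + [vsftpd_line(T0, "127.0.0.1") for _ in range(10)]                                # covered by ignoreip
    + [vsftpd_line(T0, "203.0.113.77", result="OK")]                                   # a success is not a failure
)


def run_demo():
    """Run the constructed log through the [vsftpd] settings: maxretry 7, findtime 600, bantime 3600."""
    jail = Jail(VSFTPD_FAILREGEX, maxretry=7, findtime=600, bantime=3600, ignoreip=("127.0.0.1/8",))
    banned = [(host, jail.bans[host].isoformat()) for host in map(jail.feed, SAMPLE_LOG) if host]
    return {
        "banned": banned,                                           # only the fast attacker
        "slow_attacker_failures": jail.total_failed["198.51.100.9"],  # 7 seen, never 7 inside 600 s
        "localhost_failures_counted": jail.total_failed["127.0.0.1"],
        "banned_just_before_expiry": jail.is_banned("203.0.113.5", T0 + timedelta(seconds=3779)),
        "banned_after_expiry": jail.is_banned("203.0.113.5", T0 + timedelta(seconds=3780)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The slow attacker spreads its failures 20 minutes apart and is never banned, which is the practical meaning of findtime: maxretry only counts failures that fall inside that window, so a low-and-slow guesser needs a longer findtime or a lower maxretry to be caught.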

Testing the filter

#fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf
Running tests
=============

Use failregex filter file : vsftpd, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/vsftpd.log
Use encoding : UTF-8

Results
=======

Failregex: 18 total
|- #) [# of hits] regular expression
| 2) [18] ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [73] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 73 lines, 0 ignored, 18 matched, 55 missed
[processed in 0.01 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 55 lines

Checking ban status

fail2ban-client status vsftpd
Status for the jail: vsftpd
|- Filter
| |- Currently failed: 0
| |- Total failed: 6
| `- File list: /var/log/vsftpd.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 112.96.115.148

iptables --list | grep REJECT

REJECT     all  --  112.96.115.148       anywhere             reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Unbanning an IP

sudo fail2ban-client set <jail> banip/unbanip <ip address>
# For example
sudo fail2ban-client set vsftpd unbanip 112.96.115.148

# Removing the rule directly from iptables; the chain name and target depend on the fail2ban
# version (the output above shows REJECT rules), so check `iptables -S` first
sudo iptables -D fail2ban-SSH -s 112.96.115.148 -j DROP

Preventing CC attacks

Nginx is used as the example here: fail2ban monitors the nginx log, matches IPs that make frequent requests within a short time, and blocks those IPs with firewalld, which provides CC (HTTP flood) protection.

# First create a filter that matches the nginx log

vi /etc/fail2ban/filter.d/nginx-cc.conf

[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =

vim /etc/fail2ban/jail.local

[nginx-cc]
enabled = true
port = http,https
filter = nginx-cc
action = %(action_mwl)s
maxretry = 120
findtime = 60
bantime = 3600
logpath = /data/logs/nginx/*.log

The configuration above means: if the same IP makes 120 requests within 60 s, that IP is banned for 1 hour. For testing, set maxretry to 10; refreshing a page 10 times will then trigger a ban.

Preventing WordPress brute force

If you analyse your logs regularly you will find many bots scanning the WordPress login page wp-login.php. Even if they have not succeeded, it is safer to ban their IPs anyway.

vim /etc/fail2ban/filter.d/wordpress.conf

[Definition]
failregex = ^<HOST> -.* /wp-login.php.* HTTP/1\.."
ignoreregex =

vim /etc/fail2ban/jail.local

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = %(action_mwl)s
maxretry = 20
findtime = 60
bantime = 3600
logpath = /data/logs/nginx/*.log

http://www.vixual.net/blog/archives/252
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
Using NGINX rate limiting and fail2ban to prevent CC attacks