CentOS7 fail2ban+firewalld
Using fail2ban together with firewalld on CentOS 7.5 to protect nginx, WordPress and SSH against brute-force attacks
Install fail2ban
yum install epel-release
yum install fail2ban fail2ban-systemd
Start the service and enable it at boot
systemctl start fail2ban.service
systemctl enable fail2ban.service
Generate a new configuration file (jail.local overrides jail.conf and survives package upgrades)
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Configure fail2ban
vi /etc/fail2ban/jail.local
# "bantime" is the number of seconds that a host is banned.
bantime = 600
Change to:
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
Change to:
findtime = 3600

# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
Change to:
backend = systemd

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@localhost
Change to:
destemail = root
sender = root

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
Change to:
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports
Protect SSH
vi /etc/fail2ban/jail.d/sshd.local
Find the [sshd] section and change it to the following:

[sshd]
enabled = true
port = ssh
maxretry = 3
logpath = %(sshd_log)s
action = firewallcmd-ipset
bantime = 86400
Apply the change
systemctl restart fail2ban
View failed SSH login records
tail -f /var/log/secure
grep 'sshd.*Failed password for' /var/log/secure
View banned IPs
fail2ban-client status sshd
iptables -L -n
Check the running status
fail2ban-client status
Unban an address
fail2ban-client set sshd unbanip 192.168.1.100
View the fail2ban log
cat /var/log/fail2ban.log
Protect nginx
Block hosts that send too many requests to the server
vi /etc/fail2ban/filter.d/nginx-auth.conf
Add:

#
# Blocks IPs that make too many accesses to the server
#
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"
ignoreregex =
DoS protection
vi /etc/fail2ban/filter.d/nginx-dos.conf
Add:

#
# Block IPs trying to DDoS the server.
#
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"
ignoreregex =
Block hosts that repeatedly fail to authenticate on the web application's login page
vi /etc/fail2ban/filter.d/nginx-login.conf
Add:

#
# Blocks IPs that fail to authenticate using web application's log in page
# Scan access log for HTTP 200 + POST /sessions => failed log in
#
[Definition]
failregex = ^<HOST> -.*POST /wp-login.php.* HTTP/1\.." 200
ignoreregex =
Block hosts that try to execute scripts
vi /etc/fail2ban/filter.d/nginx-noscript.conf
Add:

#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
Block hosts that try to use the server as a proxy
vi /etc/fail2ban/filter.d/nginx-proxy.conf
Add:

#
# Block IPs trying to use server as proxy.
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
Add the jails to the jail file
vi /etc/fail2ban/jail.local
Add the following under the # HTTP servers section:

[nginx-auth]
enabled = true
filter = nginx-auth
action = %(action_mwl)s
logpath = /home/wwwlogs/*error*.log

[nginx-login]
enabled = false
filter = nginx-login
action = %(action_mwl)s
logpath = /home/wwwlogs/*access*.log

[nginx-badbots]
enabled = true
filter = apache-badbots
action = %(action_mwl)s
logpath = /home/wwwlogs/*access*.log
maxretry = 1

[nginx-proxy]
enabled = true
action = %(action_mwl)s
filter = nginx-proxy
logpath = /home/wwwlogs/*access*.log
maxretry = 0

[nginx-dos]
enabled = true
port = http
filter = nginx-dos
logpath = /home/wwwlogs/*access*.log
findtime = 120
maxretry = 200

[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /home/wwwlogs/error.log
maxretry = 1
findtime = 60
bantime = 7200
Protect WordPress
vi /etc/fail2ban/filter.d/wordpress.conf
Add (each failregex needs the <HOST> tag, otherwise fail2ban rejects the filter; continuation lines are indented):

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
            ^<HOST> .*POST .*login\.php.*
ignoreregex =
Add the jail to the jail file
vi /etc/fail2ban/jail.local
Add:

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = %(action_mwl)s
logpath = /home/wwwlogs/access.log
maxretry = 3
findtime = 60
bantime = 3600
Apply the change
service fail2ban restart
If this fails, use journalctl -xe to troubleshoot.
View the active jails
fail2ban-client status
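Before restarting, it is worth checking what the filters above actually match. The following is an added Python example (not part of the original post and not fail2ban's own code): it applies the page's failregex lines to a few constructed nginx access-log lines and replays the maxretry/findtime test that decides when a jail fires its ban action. The <HOST> substitution is a simplified form of the one fail2ban uses.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> in a failregex with a named group; this is the
# IPv4/hostname form of that substitution (simplified from fail2ban's own).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# failregex lines copied from the filter files above.
FILTERS = {
    "nginx-dos":   [r'^<HOST> -.*"(GET|POST).*HTTP.*"'],
    "nginx-login": [r'^<HOST> -.*POST /wp-login.php.* HTTP/1\.." 200'],
    "nginx-proxy": [r"^<HOST> -.*GET http.*"],
    "wordpress":   [r"^<HOST> .*POST .*xmlrpc\.php.*",
                    r"^<HOST> .*POST .*login\.php.*"],
}

# Constructed nginx access-log lines (combined format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2020:10:00:09 +0000] "GET http://example.net/ HTTP/1.1" 404 0 "-" "curl/7.64"
"""
def match_host(jail, line):
    """Host captured by the first failregex of `jail` that matches, else None."""
    for pattern in FILTERS[jail]:
        m = re.search(pattern.replace("<HOST>", HOST_RE), line)
        if m:
            return m.group("host")
    return None

def line_time(line):
    """Epoch seconds from the [dd/Mon/yyyy:HH:MM:SS +zzzz] field."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()

def would_ban(jail, log, maxretry, findtime):
    """Hosts reaching maxretry hits inside findtime seconds (fail2ban's ban test)."""
    recent, banned = defaultdict(list), set()
    for line in log.splitlines():
        host = match_host(jail, line)
        if host is None:
            continue
        now = line_time(line)
        recent[host] = [t for t in recent[host] if now - t <= findtime] + [now]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

Note that the nginx-dos pattern matches every request, so that jail is a pure rate limit driven by findtime and maxretry, while nginx-login only counts a POST to wp-login.php answered with 200 (WordPress re-renders the form on a failed login) and ignores the 302 of a successful one. On the server itself, fail2ban-regex /home/wwwlogs/access.log /etc/fail2ban/filter.d/wordpress.conf performs the same check against the real log.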