在本文中,我们将学习如何在CentOS 7上使用Fail2ban安装和配置以确保SSH连接的安全,因为我们所有人都使用受保护的SSH连接到服务器,并且SSH会暴露于Internet才能正常工作,在那里如果我们看到这些服务的日志,则可能会有被这种方式定位的风险。我们经常看到使用蛮力攻击的重复登录。
由于Fail2ban在官方CentOS存储库中不可用,因此我们需要使用EPEL项目更新和安装软件包,然后我们将安装fail2ban并启用fail2ban在系统启动时启动。
# yum update # yum install epel-release Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.excellmedia.net * epel: kodeterbuka.beritagar.id * extras: mirrors.nhanhoa.com * updates: mirrors.nhanhoa.com Resolving Dependencies ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: fail2ban noarch 0.9.3-1.el7 epel 9.7 k Installing for dependencies: ebtables x86_64 2.0.10-13.el7 base 122 k fail2ban-firewalld noarch 0.9.3-1.el7 epel 9.9 k fail2ban-sendmail noarch 0.9.3-1.el7 epel 13 k fail2ban-server noarch 0.9.3-1.el7 epel 395 k firewalld noarch 0.3.9-14.el7 base 476 k ipset x86_64 6.19-4.el7 base 36 k ipset-libs x86_64 6.19-4.el7 base 46 k libselinux-python x86_64 2.2.2-6.el7 base 247 k python-slip noarch 0.4.0-2.el7 base 30 k python-slip-dbus noarch 0.4.0-2.el7 base 31 k systemd-python x86_64 219-19.el7_2.11 updates 99 k Updating for dependencies: libgudev1 x86_64 219-19.el7_2.11 updates 66 k systemd x86_64 219-19.el7_2.11 updates 5.1 M systemd-libs x86_64 219-19.el7_2.11 updates 358 k systemd-sysv x86_64 219-19.el7_2.11 updates 53 k Transaction Summary ================================================================================ Install 1 Package (+11 Dependent packages) Upgrade ( 4 Dependent packages) Total download size: 7.1 M Is this ok [y/d/N]: y Downloading packages: --> Running transaction check Installed: fail2ban.noarch 0:0.9.3-1.el7 Dependency Installed: ebtables.x86_64 0:2.0.10-13.el7 fail2ban-firewalld.noarch 0:0.9.3-1.el7 fail2ban-sendmail.noarch 0:0.9.3-1.el7 fail2ban-server.noarch 0:0.9.3-1.el7 firewalld.noarch 0:0.3.9-14.el7 ipset.x86_64 0:6.19-4.el7 ipset-libs.x86_64 0:6.19-4.el7 libselinux-python.x86_64 0:2.2.2-6.el7 python-slip.noarch 0:0.4.0-2.el7 python-slip-dbus.noarch 0:0.4.0-2.el7 systemd-python.x86_64 0:219-19.el7_2.11 Dependency Updated: libgudev1.x86_64 0:219-19.el7_2.11 systemd.x86_64 0:219-19.el7_2.11 systemd-libs.x86_64 0:219-19.el7_2.11 systemd-sysv.x86_64 0:219-19.el7_2.11 Complete!
现在,我们将启动fail2ban服务,并使它们能够在引导时启动。
# systemctl start fail2ban # systemctl enable fail2ban
安装完Fail2ban后,我们需要针对我们的环境自定义配置文件,fail2ban将所有配置文件放在/ etc / fail2ban中。我们将从/ etc / fail2ban / jail .conf中的jail.com复制配置到/etc/fail2ban/jail.local,下面是复制配置的命令
# cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
现在,我们将相应地自定义配置文件。
# vi /etc/fail2ban/jail.local [DEFAULT] # # WARNING: heavily refactored in 0.9.0 release. Please review and # customize settings for your setup. # # Changes: in most of the cases you should not modify this # file, but provide customizations in jail.local file, # or separate .conf files under jail.d/ directory, e.g.: # # HOW TO ACTIVATE JAILS: # # YOU SHOULD NOT MODIFY THIS FILE. # # It will probably be overwritten or improved in a distribution update. # # Provide customizations in a jail.local file or a jail.d/customisation.local. # For example to change the default bantime for all jails and to enable the # ssh-iptables jail the following (uncommented) would appear in the .local file. # See man 5 jail.conf for details. # # [DEFAULT] # bantime = 3600 # # [sshd] # enabled = true # # See jail.conf(5) man page for more informationignoreip = 127.0.0.1/8 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned to do ssh . bantime = 1200 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 5
Ignoreip:此选项用于设置允许的IP,IP列表应带有空格分隔符,这用于设置您的IP地址。
Bantime:此选项设置禁止主机访问所需的秒数。
Findtime:此选项用于检查禁止的主机列表,该列表将检查禁止的主机的最后查找时间。
Maxretry:此选项用于设置主机尝试重试次数的限制,以使其超出禁止主机的限制。
我们将使用以下命令创建一个新的sshd配置文件,并将添加fail2ban配置文件。
# vi /etc/fail2ban/jail.d/sshd.local [sshd] enabled = true port = ssh #action = firewallcmd-ipset logpath = %(sshd_log)s maxretry = 25 bantime = 36000
启用->此选项将启用设置为true,以启用保护和停用我们可以将其设置为false。这将在/ etc / fail2ban / filters中检查sshd配置。d / sshd.conf
操作->此选项用于定义/ etc / fail2ban / action中使用的禁止的IP地址。d / firewallcmd – ipset.conf 。
端口->当我们更改ssh的端口时使用此选项,sshd的默认端口为22,因此,如果您尚未更改默认端口,则无需更改此选项。
Logpath –>此选项用于允许我们存储fail2ban扫描的日志以存储在特定位置。
Maxretry –>此选项用于设置最大值。失败登录所允许的限制。
Bantime- >此选项用于设置禁止主机的秒数。
现在所有配置都已完成,我们需要重新启动fail2ban服务。
# systemctl restart fail2ban
以下是用于检查fail2ban状态的命令
# fail2ban-client status Status |- Number of jail: 2 `- Jail list: sshd
以下是检查使用SSH端口登录服务器的失败尝试的命令。
# cat /var/log/secure | grep ‘Failed password’ Jul 18 16:41:12 htf sshd[5487]: Failed password for root from 54.46.23.45 port 23421 ssh2 Jul 18 16:41:15 htf sshd[1254]: Failed password for root from 54.46.23.45 port 15286 ssh2 Jul 18 16:41:16 htf sshd[1254]: Failed password for root from 54.46.23.45 port 24157 ssh2 Jul 18 16:41:18 htf sshd[1254]: Failed password for root from 54.46.23.45 port 24057 ssh2 Jul 18 16:41:19 htf sshd[1254]: Failed password for root from 54.46.23.45 port 27286 ssh2 Jul 18 16:41:22 htf sshd[1254]: Failed password for root from 54.46.23.45 port 13486 ssh2
如果我们想从禁止列表中删除IP地址,则必须将IPADDRESS替换为允许的IP允许列表。名称“ sshd”是在以下示例中使用的监狱名称,以下是用于允许IP的命令。
一般语法
# fail2ban-client set sshd unbanip IPADDRESS
Example: # fail2ban-client set sshd unbanip 192.168.1.22 # fail2ban-client set sshd unbanip 54.46.23.45
我们可以对fail2ban日志进行故障排除,因为下面的最后启动时间是查找日志的命令
# journalctl -b -u fail2ban -- Logs begin at Mon 2016-07-18 08:20:57 EDT, end at Mon 2016-07-18 11:47:19 EDT Jul 18 17:47:19 centos-linux-1.shared systemd[1]: Starting Fail2Ban Service... Jul 18 17:47:19 centos-linux-1.shared fail2ban-client[2542]: 2016-07-18 11:47:19 Jul 18 17:47:19 centos-linux-1.shared fail2ban-client[2542]: 2016-07-18 11:47:19 Jul 18 17:47:19 centos-linux-1.shared systemd[1]: Started Fail2Ban Service.
通过上述配置和设置,我们现在可以使用Fail2ban配置服务的基本禁止策略,并且设置起来非常容易,并且我们还可以保护任何类型的服务都不能使用fail2ban。