fail2ban setup

1. Install, configure and start fail2ban

The simplest example is enabling the nginx-http-auth jail.

jail.conf: global settings

jail.local: local overrides, so copy jail.conf to jail.local and edit the copy.

sudo apt -y install fail2ban
cd /etc/fail2ban/
sudo cp jail.conf jail.local
sudo vi jail.local
  [nginx-http-auth]
  enabled = true

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban

2. Basic ban settings

The default values are defined in the [DEFAULT] section of jail.conf.

bantime  = 10m #"bantime" is the number of seconds that a host is banned.
findtime  = 10m #A host is banned if it has generated "maxretry" during the last "findtime" secs
maxretry = 5

In short: if a client fails maxretry times within a findtime window, I ban it for bantime.

3. Per-jail ban settings (nginx-http-auth example)

A per-jail ban has two parts: the enabling definition in jail.local, and the filter definition that detects the failures.

Enabling definition in jail.local:

[nginx-http-auth]
enabled = true        # required
backend = pyinotify   # backend used to watch the log file
port    = http,https  # ports the ban applies to
logpath = /var/log/nginx/error*.log # log file(s) to watch
#filter = not set here, so the predefined fail2ban filter under filter.d/ is used

Filter detection definition:

For the complete file see /etc/fail2ban/filter.d/nginx-http-auth.conf

[Definition]
mode = normal
mdre-auth = ^\s*\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>

4. Example: banning malicious requests

The usual approach is a filter rule that watches nginx's access.log for requests answered with HTTP status 400/403/404.

Create a file nginx-404.conf under filter.d/:

[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (400|403|404) .*$
ignoreregex =

Enable the jail in jail.local:

[nginx-404]
backend = pyinotify
enabled = true
port = http,https
filter = nginx-404
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
maxretry = 5
findtime = 20
bantime = 10d
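
As an added example (not part of the original post), this Python script applies the nginx-404 failregex above to constructed access.log lines and replays the maxretry/findtime rule from section 2 to show which client would end up banned. The IPv4-only expansion of <HOST> and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# failregex exactly as written in filter.d/nginx-404.conf above. fail2ban expands
# <HOST> itself; the IPv4-only expansion used here is a simplification (assumption).
FAILREGEX = r'^<HOST>.*"(GET|POST).*" (400|403|404) .*$'
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))

# Constructed access.log lines using RFC 5737 test addresses (not real traffic),
# each paired with a unix timestamp so the findtime window can be simulated.
SAMPLE_LOG = [
    (1000, '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.88"'),
    (1001, '198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"'),
    (1002, '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.88"'),
    (1003, '192.0.2.9 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"'),
    (1005, '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "curl/7.88"'),
    (1007, '203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/7.88"'),
    (1009, '203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /phpmyadmin HTTP/1.1" 404 153 "-" "curl/7.88"'),
    (1031, '198.51.100.4 - - [10/Oct/2023:13:56:07 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"'),
    (1061, '198.51.100.4 - - [10/Oct/2023:13:56:37 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"'),
]

def match_host(line):
    """Return the client IP if the line matches failregex, else None."""
    m = PATTERN.search(line)
    return m.group('host') if m else None

def simulate_jail(log, maxretry=5, findtime=20):
    """Hosts that reach maxretry matching lines inside a sliding findtime window,
    i.e. the condition under which fail2ban would fire the ban action."""
    recent = defaultdict(deque)
    banned = []
    for ts, line in log:
        host = match_host(line)
        if host is None:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == '__main__':
    for ts, line in SAMPLE_LOG:
        print(ts, 'MATCH ' if match_host(line) else 'ignore', line.split('"')[1])
    print('would ban:', simulate_jail(SAMPLE_LOG))  # ['203.0.113.7']
```

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-404.conf runs the same match test against a real log file. Because the pattern anchors on ^<HOST>, it assumes nginx's default log format with the client address as the first field; behind a reverse proxy that field holds the proxy's address instead.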

5. Checking ban status

Use the following command to see how many jails are configured:

fail2ban-client status

Status
|- Number of jail: 4
`- Jail list: nginx-404, nginx-http-auth, recidive, sshd

Status of a particular jail:

fail2ban-client status nginx-404

Status for the jail: nginx-404
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     45
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.12.31.46

Check the ban in iptables:

iptables -nvL

Chain f2b-404 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     0    --  *      *       1.12.31.46           0.0.0.0/0            reject-with icmp-port-unreachable

6. Lifting a ban

First, define an exempt IP range in the [DEFAULT] section of jail.conf or jail.local, typically the LAN or special addresses such as your own.

For example, a typical setup:

[DEFAULT]
banaction = iptables-multiport
#banaction_allports = iptables-allports
bantime = 30m
bantime.increment = true
bantime.maxtime = 24h
bantime.overalljails = true
bantime.rndtime = 10m
ignoreip = 127.0.0.1/8 MY-IP-HERE/32
findtime = 5
maxretry = 3

If an IP was banned by mistake, lift the ban with:

fail2ban-client set [jail name] unbanip [IP address]
fail2ban-client set nginx-404 unbanip 192.168.2.150
fail2ban-client reload [jail name]
fail2ban-client reload nginx-404

After unbanning, the change is reflected in iptables automatically.