Title: Blocking SSH and VSFTP brute-force password attacks with fail2ban
Source: 沧海一粟
Date: Sat, 01 Jan 2011 12:32:16 +0000
Author: jed
URL: http://www.dzhope.com/post/738/

1. Download and install

    # wget http://cdnetworks-kr-2.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2
    # tar xvfj fail2ban-0.8.4.tar.bz2
    # cd fail2ban-0.8.4
    # python setup.py install
    # cd files
    # cp ./redhat-initd /etc/init.d/fail2ban
    # chkconfig --add fail2ban
    # service fail2ban start

Note: if you restart iptables, remember to restart fail2ban as well, otherwise it stops taking effect. fail2ban adds its filter chains to iptables only after iptables is up, so an iptables restart throws them away.

2. Configuration

2.1 fail2ban's own configuration

The default fail2ban.conf contains only three parameters, each with a comment:

    # default log level
    loglevel = 3
    # where the log file is written
    logtarget = /var/log/fail2ban.log
    # location of the control socket
    socket = /tmp/fail2ban.sock

2.2 Protection configuration

Global settings:

    # vi /etc/fail2ban/jail.conf

    # IP ranges to ignore; separate two or more entries with whitespace
    ignoreip = 127.0.0.1
    # how long (seconds) an IP stays banned; -1 means banned forever
    bantime = 86400
    # window (seconds) within which reaching maxretry failures triggers a ban
    findtime = 600
    # number of failed attempts allowed
    maxretry = 3

Per-service settings:

    # protection against sshd brute-force attacks
    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
    logpath = /var/log/secure
    # a per-jail retry count, if you need one, goes here
    maxretry = 3

    # protection against vsftpd brute-force attacks
    [vsftpd-iptables]
    enabled = true
    filter = vsftpd
    action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
             sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath = /var/log/secure
    maxretry = 3

Setting maxretry to 3 is recommended: three wrong passwords and the IP is blocked. Also, on CentOS 5 and RHEL 5, logpath must be changed to /var/log/secure.

Then enable and start the service:

    # chkconfig --level 345 fail2ban on
    # service fail2ban start

3. Testing

Listing the iptables rules shows the extra fail2ban-SSH chain:

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target        prot opt source               destination
    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

    Chain fail2ban-SSH (2 references)
    target        prot opt source               destination
    DROP          all  --  122.102.64.54        anywhere
    RETURN        all  --  anywhere             anywhere

The DROP entry is an IP that has already been blocked. How long it stays blocked depends on the bantime in your configuration; here it is one day.

From another machine, run ssh 192.168.1.2 and enter the wrong password three times in a row. Then check the ban status with fail2ban-client status ssh-iptables, or with fail2ban-client status:

    # fail2ban-client status
    Status
    |- Number of jail:      1
    `- Jail list:           ssh-iptables

Test result:

    # fail2ban-client status ssh-iptables
    Status for the jail: ssh-iptables
    |- filter
    |  |- File list:        /var/log/secure
    |  |- Currently failed: 0
    |  `- Total failed:     3
    `- action
       |- Currently banned: 1
       |  `- IP list:       192.168.1.1
       `- Total banned:     1

Now look at fail2ban's own log:

    2010-05-17 16:57:23,964 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.1
    2010-05-17 21:35:00,449 fail2ban.actions: WARNING [ssh-iptables] Ban 218.108.85.244
    2010-05-18 03:56:34,986 fail2ban.actions: WARNING [ssh-iptables] Ban 59.39.66.30

The banned IPs are recorded, and the SSH password guessing was stopped.

Only the SSH and VSFTP protection is covered here; jail.conf also ships configurations for other services, which you can explore when you have time.
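As an added illustration (not part of the original post and not fail2ban's own code), the Python script below replays constructed /var/log/secure lines through the findtime/maxretry/bantime logic that the jail settings above describe, and produces the counts that fail2ban-client status reports. The regex is a simplified stand-in for fail2ban's sshd filter, and the sample IPs and PIDs are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME, MAXRETRY, BANTIME = 600, 3, 86400   # jail.conf values from the post

# Stand-in for fail2ban's sshd filter (hypothetical pattern, not the real failregex):
# pull the client IP out of sshd "Failed password" lines in /var/log/secure.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")
# Constructed sample of /var/log/secure (not real traffic); the Accepted line must be ignored.
SAMPLE_LOG = """\
May 17 16:55:10 host sshd[1201]: Failed password for root from 192.168.1.1 port 51034 ssh2
May 17 16:56:02 host sshd[1203]: Failed password for invalid user admin from 192.168.1.1 port 51035 ssh2
May 17 16:57:23 host sshd[1205]: Failed password for root from 192.168.1.1 port 51036 ssh2
May 17 17:00:00 host sshd[1207]: Failed password for root from 10.0.0.5 port 40000 ssh2
May 17 17:15:00 host sshd[1209]: Failed password for root from 10.0.0.5 port 40001 ssh2
May 17 17:30:00 host sshd[1211]: Failed password for root from 10.0.0.5 port 40002 ssh2
May 17 17:31:00 host sshd[1213]: Accepted password for jed from 10.0.0.9 port 40003 ssh2
"""
def parse_line(line, year=2010):
    """Return (timestamp, ip) for a line the filter matches, else None (syslog has no year)."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"), m.group(1)

def run_jail(lines):
    """Replay lines through the findtime/maxretry/bantime window; return bans and a status summary."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    banned = {}                     # ip -> time the ban expires (iptables DROP removed)
    bans, total_failed = [], 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        total_failed += 1
        banned = {b: exp for b, exp in banned.items() if exp > ts}   # bantime elapsed -> unban
        if ip in banned:
            continue                # traffic is already dropped; nothing new to count
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=FINDTIME):
            q.popleft()             # failures older than findtime no longer count
        if len(q) >= MAXRETRY:
            banned[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ts, ip))
            q.clear()               # matches "Currently failed: 0" right after a ban
    return bans, {"total_failed": total_failed, "currently_banned": sorted(banned),
                  "currently_failed": sum(len(q) for q in failures.values())}
```

Running run_jail(SAMPLE_LOG.splitlines()) bans 192.168.1.1 at 16:57:23 after its third failure, while 10.0.0.5, whose three failures are 15 minutes apart, never has maxretry failures inside one findtime window and is left alone.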