Shunze ¾Ç¶é >¹q¸£¸ê°T¾Ç¨t >¦Y³n¤£¦Yµw > ¡m¤À¨É¡nUbuntu¦w¸Ëfail2ban «¢Åo¡AÁÙ¨S¦³µù¥U©ÎªÌµn¤J¡C½Ð§A[µù¥U|µn¤J]
« ¤W¤@½g¥DÃD ¤U¤@½g¥DÃD » Åã¥Ü¦¨¦C¦L¼Ò¦¡ | ¼W¥[¨ì§Úªº³Ì·R
µoªí·s¥DÃD µoªí¦^ÂÐ
§@ªÌ
¥DÃD
shunze
¤u¤Í§B§B


µù¥U¤é´Á: 2002 04
¨Ó¦Û: ¼é¦Á²×¤î¤§¦a
¤å³¹: 2370

shunze Â÷½u
¡m¤À¨É¡nUbuntu¦w¸Ëfail2ban¤Þ¥Î¦^ÂÐ ½s¿è/§R°£¤å³¹ ·j´M¥Ñ  µoªíªº¨ä¥L¤å³¹ ¦^³øµ¹ª©¥D IP ¦ì¸m ¦^¦¹­¶³Ì¤W¤è

«e°}¤l¦bYoutube¤W¬Ý¤FÀb«È¤u¨ãªºdemo¼v¤ù¡A
¹ï©óÀb«È¤u¨ã±½port¥H¤Î¯}¸Ñ±K½Xªº³t«×µÛ¹êÀ~¤F¤@¸õ¡C

§Ú·Q¡A¹ï©ó¥ô¦ó¤@­ÓIT¤H­û¡A¼É¤O¯}¸Ñ±K½XÁ`¬OÅý¤H¾á¤ßªº¡A
¤£½×¬OWindowsªºRDP©Î¬OLinuxªºSSH¡A¤@¥¹³Q¼É¤O¯}¸Ñ¤F¡A¦A¦hªº¦w¥þ¨¾Å@¡A¤]¬O§Î¦Pµê³]¡C

¨º»ò¦bUbuntu¤W¡A¦³¨S¦³¨¾¨î¼É¤O¯}¸Ñªº®M¥ó¡H
µo²{¬YIP¦b±K½X´ú¸Õ¿ù¤F´X¦¸¤§«á¡A´N±j¨î«ÊïH¸ÓIP¨Ï¥Î¦¹ªA°È¤@¬q®É¶¡¡H
¬Æ¦Ü¬O¸Ó±N´c·NIP¥Ã¤[«ÊÂê¡A¤£±o¦A¨Ï¥Î¦¹ªA°È¡H

¹³³o¼Ë­«­n¥B´¶¹Mªº»Ý¨D¡A¦ÛµM¬O¦³ªº¡C
¨º´N¬O fail2ban ®M¥ó¡C

¥H¤U¶¶¤l¥HUbuntu 14.04¬°Àô¹Ò¡A¶i¦æfail2banªº¦w¸Ë¡C

  1. ¦w¸Ëfail2ban®M¥ó¡C
    apt-get install fail2ban


  2. ¦w¸Ë§¹fail2ban®M¥ó«á¡A¨ä¦w¸Ë¸ô®|¬O¦b /etc/fail2ban¡C
    ¸Ó¥Ø¿ý¤U¡A¦³¨â­Ó­«­nªº³]©wÀÉ fail2ban.conf »P jail.conf¡A
    ¨ä¤¤ jail.conf ·|¦]®M¥óªº§ó·s¦Ó³QÂмg¡A©Ò¥Hfail2ban­n¨D¨Ï¥ÎªÌ¥ý«Ø¥ß¤@­Ó°Æ¥» jail.local¡A
    ©Ò¦³ªº³]©w§¡©ó jail.local ¶i¦æ½s¿è¡C
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


    ³]©wÀÉ fail2ban.conf ùØ¡A¥D­n¬O¹ïlogªº¼h¯Å¶i¦æ©w¸q¡Aºû«ù¹w³]§Y¥i¡A
    ùØ­±¦³¤@­Ó­«­n°Ñ¼Æ logtarget ©w¸q¤Ffail2banªºlogÀÉ¡A¹w³]¸ô®|¦p¤U¡A
    ·ífail2ban¦b°õ¦æ¤W¦³°ÝÃD®É¡A¥i©ólogÀɤ¤´M§ä°ÝÃD½u¯Á¡C
    logtarget = /var/log/fail2ban.log


    ¦Ó jail.conf ªº [DEFAULT] °Ï¬qùØ¡A«h¥i¹ï¥Õ¦W³æ¡B«ÊÂê®É¶¡¡B¤¹³\±K½X²q´ú¦¸¼Æ¡B«ÊÂê°Ê§@¡Aµ¥¶i¦æ©w¸q¡C
    ¨ä¤¤ ignoreip °Ñ¼Æ¬O¥Î¨Ó©w¸q¥Õ¦W³æ¡A¹w³]¥u¦³ 127.0.0.1/8 ¥»¾÷ºô¬q¡A¦³»Ý­n¼W¥[ºô¬q®É¡A¥HªÅ¥Õ¦r¤¸¤À¹j§Y¥i¡C
    ignoreip = 127.0.0.1/8 192.168.0.1/32


    bantime °Ñ¼Æ¡A«h¬O©w¸q«ÊÂê®É¶¡¡A¹w³]¬O600¬í¡A­Y·Q¥Ã¤[«ÊÂê¡A¥i§ï¬°-1¡C
    bantime = -1


    findtime °Ñ¼Æ¡A«h¬O©w¸q¶ZÂ÷¤W¤@¦¸¿ù»~±K½Xªº®É¶¡¡A¹w³]¬O600¬í¡C
    maxretry °Ñ¼Æ¡A«h¬O¤¹³\±K½X²q´úªº³Ì¦h¦¸¼Æ¡A¹w³]¬°3¦¸¡C
    ¥H¤W¥H¹w³]±ø¥óºî¦X°_¨Ó»¡¡A´N¬O600¬í¤º¡A­Y¸ÓIP¹Á¸Õ3¦¸¿ù»~ªº²q´ú¡A²Ä4¦¸´N·|³Qfail2ban¶i¦æ«ÊÂê¡A¹w³]«ÊÂê®É¶¡¬°600¬í¡C

    ±µ¤U¨Ó¤T­Ó°Ñ¼Æ destemail¡Asendername¡Amta «h¬O¸òµo°e³qª¾¶l¥ó¦³Ãöªº°Ñ¼Æ¡C
    destemail °Ñ¼Æ¡A¬O¦¬¥ó¤Hªºemail¡C
    sendername °Ñ¼Æ¡A¬O±H¥ó¤HªºÅã¥Ü¦WºÙ¡C
    mta °Ñ¼Æ¡A«hµo°e¶l¥óªºagent¡A¹w³]¬Osendmail¡C

    ­Y§A¸ò¶¶¤l¤@¼Ë¡A¸Ë¤Fexim4®M¥ó¡A·Q³z¹LGmail¨Óµo«H¡A¨º»ò³o¤T­Ó°Ñ¼Æ¥i¥H­×§ï¦p¤U¡C
    destemail = §Aªº±b¸¹@gmail.com
    sendername = Fail2Ban
    mta = mail


    ±µ¨Ó¤@­Ó­«­nªº°Ñ¼Æ¬O action¡A¦¹°Ñ¼Æ¨M©w¤F«ÊÂêIP®Éªº°µªk¡A¹w³]¦³¦p¤U¤TºØ¡C
    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]

    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.

    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

    action ¹w³]°Ñ¼Æ¬O action_¡A¦¹¹w³]°Ñ¼Æ¨Ã¤£·|±Hµo¶l¥ó³qª¾¡F
    ­Y­n§ï¬°±Hµo¶l¥ó³qª¾¡A¥i¥H­×§ï¬° action_mw ©Î action_mwl¡C
    action = %(action_mw)s


  3. jail.conf ³q¥Î°Ï¬qùتº°Ñ¼Æ³]©w¦n¤F¡A±µµÛ´N¥i¥H¦b³]©wÀɪº«á¥b¬q¨Ó¶i¦æ­Ó§OªA°Èªº³]©w¡C
    fail2ban¹w³]¥u¹ïSSH±Ò¥Î¡A©Ò¥H¦bjail.confªº [ssh] °Ï¬qùØ¡A§Ú­Ì¥i¥H¬Ý¨ì enabled °Ñ¼Æ¬O true ±Ò¥Îªº¡F
    ¦Ó¨ä¥¦ [sasl]¡B[vsftpd]¡B[postfix]¡B[dovecot]¡K°Ï¬qªº enabled °Ñ¼Æ«h¬O false¡A¹w³]ª¬ºA¤U¥¼±Ò¥Î¡C
    ³o³¡¤À½Ð¨Ì¹ê»Ú»Ý¨D¨Ó¶i¦æ±Ò¥Î¡A³o½g¤å³¹ùض¶¤l¥u´ú¸Õ¤FSSHªº«Êªý¥\¯à¡C

    ©Ò¦³¤ä´©ªºªA°È¡A¨ä¬ÛÃö°»´ú¹LÂo²Ó¸`¡A«h¬O©ñ¦b /etc/fail2bain/filter.d/ ¥Ø¿ý¤¤¡A
    ¥HSSH¬°¨Ò¡A¨ä³]©wÀÉ´N¬O /etc/fail2bain/filter.d/sshd.conf¡A¦³¿³½ìªºªB¤Í¥i¥H¦Û¦æ¬ã¨s¡C

    ­Y­n±Ò¥ÎªA°Èªº°Ñ¼Æ¤£¦P©ó [DEFAULT] ùتº³q¥Î³]©w¡A¨º»ò§Ú­Ì¥i¥H¦bªA°È°Ï¬q¤¤¡A¦A³]©w¤@¦¸°Ñ¼Æ¡F
    ªA°È°Ï¬q¤¤ªº°Ñ¼Æ¡A¨äÀu¥ýÅv¤j©ó [DEFAULT] ùتº³q¥Î³]©w¡C

    ³]©w¦n¡A­«±Ò¤@¤Ufail2banªA°È¡AµM«á§Ú­Ì´N¥i¥H¶i¦æ´ú¸Õ¤F¡C
    service fail2ban restart


  4. ¦bSSHªº´ú¸Õ¤W¡A§Ú­Ì¥i¥H¬G·N¨Ï¥Î¿ù»~ªº±K½X¨Óµn¤JSSH¶i¦æ´ú¸Õ¡C
    ¦b¥¢±Ñ¦¸¼Æ¹F³Ì¤j­È«á¡A²z½×¤W§Ú­Ì·|³Q±j­¢½ð¥X¡A
    µM«á§Ú­Ì¥i¥H³z¹LiptablesªºÀ˵ø«ü¥O¡A¨Ó¬d¬Ý³Q«ÊÂꪺ³W«h¡C
    iptables -L



    ­Y°»´úªA°Èªº action °Ñ¼Æ¬O§t¦³mail³qª¾ªº action_mw ©Î action_mwl¡A
    ¨º»ò§Ú­Ìªºemail¤]·|¦¬¨ìFail2Ban±H¨Óªº³qª¾«H¡C



  5. ¨º³Q«ÊÂꪺIP¦p¦ó¸Ñ°£«ÊÂê©O¡H
    ¥Ñ©ófail2ban¬O³z¹Liptables¨Ó¶i¦æ«ÊÂꪺ¡A
    ©Ò¥H­n¸Ñ°£«ÊÂê¡A¤]­n±qiptables¨Ó¤U¤â¡A¥ý¬d¥X¥¦¬O¹ïÀ³¨ì­þ±ø³W«h¡AµM«á¦A¥h§R°£±¼³o±ø³W«h¡C
    iptables -L --line-numbers
    iptables -D <chain-name> <line-number>



    ¥H¶¶¤lªº¨Ò¤l¬°¨Ò¡A³z¹L iptables -L --line-numbers ¬d¥Xªºchain-name¬°fail2ban-ssh¡A
    ¾D«ÊÂêIP 192.168.0.2ªºline-number¬°1¡A
    ¨º§Ú­Ì´N¥i¥H¤U¦p¤Uªº«ü¥O±N³o±ø³W«h§R°£¡A¥H¸Ñ°£192.168.0.2ªº«ÊÂê¡C
    iptables -D fail2ban-ssh 1


    ¥t¥~ÁÙ¦³¤@­Ófail2ban-client«ü¥O¡A¾Ú»¡¥i¥H¥Î¨Ó¸Ñ°£IPªº«ÊÂê¡H
    ¦ý¶¶¤l¸Õ¤F¤@¾ã­Ó±ß¤W¡AÁÙ¬O¸Õ¤£¥X¨Ó¡A³o³¡¤À´N¤£»~¾É¤j®a¤F...

  6. root±b¸¹µLªk°»´ú«ÊÂê¡I¡H
    ³Ì«á¦b´ú¸Õ¤¤¶¶¤lµo²{¡A¥Hroot±b¸¹¶i¦æsshµn¤J´ú¸Õ¡Afail2ban¬O¤£·|¾×ªº¡C
    ºô¸ô¤W¦³¤H¸ò¶¶¤l¤@¼Ë¦³¬Û¦Pµ²ªG¡A¦ý¦³¨Ç¤Hªºª©¥»¤S¥i¥H¾×root±b¸¹¡C

    ¦pªG¸ò¶¶¤l¤@¼Ë¾×¤£±¼root±b¸¹¡A
    ¨º´N°Ñ¦Òºô¸ô¤Wªº¤å³¹¡A§âroot±b¸¹©óssh¤¤¡A³]©w¬°¸T¤îµn¤J¡C
    ¤Ï¥¿¹ïubuntu¦Ó¨¥¡Aroot±b¸¹¥»´N¤£´£¨Ñ¨Ï¥Î¡A
    ¦bssh¤¤³]©w¸T¤îrootµn¤J¡H¤]¬O­è¦n¦Ó¤w¡ã

    ­×§ï /etc/ssh/sshd_config ¤å¥ó¡A¨Ã±N PermitRootLogin °Ñ¼Æ³]©w¬° no §Y¥i¡C
    PermitRootLogin no


  7. ¦pªG·Q­n§ó¬½¤@ÂI¡A¤@°»´ú¨ì±K½X²q´úªº¦æ¬°¡A´Nª½±µ«ÊÂê¸ÓIP¡A
    ºÞ¥¦¥Îªº¬OSSHÁÙ¬OFTP¡A§¹¥þ©Úµ´´£¨Ñ¸ÓIP¥ô¦óªA°È¡A¨º­n«ç»ò°µ¡H

    ­º¥ý¡A¥ý¦b jail.local ¤¤¬d¬Ý banaction °Ñ¼Æªº¤º®e(¹w³]¬Oiptables-multiport)¡C
    banaction = iptables-multiport

    ¥H¹w³]ªº iptables-multiport ¬°¨Ò¡A±µµÛ¨ì /etc/fail2ban/action.d/ ¥Ø¿ý¤U¡A­×§ï¹ïÀ³ªº³]©wÀÉ iptables-multiport.conf¡A
    ±N actionban »P actionunban ³o¨â­Óiptablesªº³W«h§ï¬°§¹¥þ«ÊÂꪺ³]©w¡C
    #actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
    actionban = iptables -I INPUT -s <ip> -j DROP
    ...
    #actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
    actionunban = iptables -D INPUT -s <ip> -j DROP

    ³Ì«á¦A­«±Òfail2banªA°È§Y¥i¡ã
    service fail2ban restart


  8. ­«¶}¾÷«á¡A«ÊÂêÁÙ¦³®Ä¶Ü¡H
    «Ü¿ò¾Ñªº¡A­«¶}¾÷©Î­«±ÒªA°È«á¡A¦]iptables¤¤¹ïÀ³ªºchain­«·s¸ü¤J¡A¤§«e«ÊÂꪺIP´N¤£¨£¤F...
    ¤£¹Lºô¸ô¤W¦³¤@½g¤å³¹¥i¥H¹F¨ì¥Ã¤[«ÊÂꪺ®ÄªG - How to make fail2ban bans persistent

    ¥¦ªº¤u§@­ì²z¬O¦b¶i¦æIP«ÊÂê®É¡A¤]¦P®É±N«ÊÂꪺIP¼g¤J¤@­ÓÀɮסA¨Ò¦pip.blacklist¡A
    µM«á¦b±Ò°ÊªA°È®É¡A¦A±N¦¹Àɮפ¤ªºIP¸ü¤Jiptablesªºchain¡A¥H¹F«ùÄò«ÊÂꪺ®ÄªG¡C
    actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
        echo <ip> >> /etc/fail2ban/ip.blacklist

    actionstart = iptables -N fail2ban-<name>
        iptables -A fail2ban-<name> -j RETURN
        iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
        cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done


    ³o­Ó°µªk¬O¥i¦æªº¡A¤£¹L³z¹Liptables -D fail2ban-XXX¨Ó¸Ñ°£IP«ÊÂê®É¡A
    ¨Ã¥¼¦P¨B§R°£ip.blacklistÀɮפ¤ªºIP¡A©Ò¥HºÞ²z­û¥²»Ý¤â°Ê§R°£¦¹ÀɪºIP¡C

    ¥t¥~¦b¦P®ÉºÊ±±¦h­ÓªA°Èªº±¡ªp¤U¡A¤£¦PªA°ÈªºIP¼g¤J¦P¤@­ÓÀÉ®×·|³y¦¨¤@­ÓIP¦³¦hµ§°O¿ý¡F
    ¦P®É­«±ÒªA°È®É¡A¤]·|§â¤£¦PªA°Èªº«ÊÂêIP¡AµL®t§Oªº¸ü¤J©Ò¦³iptablesªºchain¤¤¡A³y¦¨«D¹w´Áªº·N¥~ª¬ªp¡C

    ¦b¦P®ÉºÊ±±¦hºØªA°È®É¡A³o­ÓIP¦W³æ°O¿ýÀÉip.blacklist»Ý¹ïÀ³¤£¦PªººÊ±±ªA°È¤â°Ê«Ø¥ß¦hµ§¡A
    ¨Ò¦psshªA°Èªº¡A´N©R¦W¬°ip.ssh.blacklist¡A
    vsftpdªA°Èªº¡A´N©R¦W¬°ip.vsftpd.blacklist¡F
    µM«á¦b actionban »P actionstart ¤¤§âªA°È¦WºÙÅܼÆ<name>¥[¨ì°O¿ýÀɪºÀɦW¤§¤¤¡A³o¼Ë¤~¤£·|¥X¿ù¡C
    actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
        echo <ip> >> /etc/fail2ban/ip.<name>.blacklist

    actionstart = iptables -N fail2ban-<name>
        iptables -A fail2ban-<name> -j RETURN
        iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
        cat /etc/fail2ban/ip.<name>.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done



°Ñ¦Ò¸ê®Æ
CentOS¦w¸Ëfail2ban°O¨Æ
How To Install and Use Fail2ban on Ubuntu 14.04
STEP 3: INSTALLING FAIL2BAN
¥H fail2ban °»´úºô­¶³s½u§ðÀ»
How to make fail2ban bans persistent



♥¶¶¤l¦Ñ±Cªººô©ç¡A½Ð¦hÃö·Ó¡ã

If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!




2015-05-08, 22:17 shunze ªº­Ó¤H¸ê®Æ §â shunze ¥[¤J¦n¤Í¦Cªí µo°eEmailµ¹ shunze ÂsÄý shunze ªººô¯¸ MSN : shunze@gmail.com
  « ¤W¤@½g¥DÃD ¤U¤@½g¥DÃD »
µoªí·s¥DÃD µoªí¦^ÂÐ
¸õ¨ì:

Powered by: Burning Board 1.1.1 2001 WoltLab GbR