[Linux 安全] 服务器暴力入侵防护 fail2ban
转载本站文章请注明,转载自:扶凯[http://www.php-oa.com]
本文链接: http://www.php-oa.com/2008/05/08/ftpfuwuqibaoliruqinfanghu.html
vsftp就象ssh一样的问题,大量的"黑客"来测试我的服务器的安全,太谢他们了,为了提高一下他们入侵的难度,找了个小软件来防暴力入侵.ssh也可以用这个软件.可以防护的东西可多啦,如下.
fail2ban的安装
Centos5上面安装很容易.yum安装就可以了,当然前提是安装了我讲的那个Centos的扩展包.
$ yum install fail2ban
也可以到他们的官方网站看看
http://www.fail2ban.org/wiki/index.php/Main_Page
fail2ban 可以阻挡的暴力入侵服务很多如apache,postfix,exim,named,qmail,sasl,ssh,webmin,wuftpd,大多了.
在 filter.d 目录可以看到所有的部分
$ ls -l /etc/fail2ban/filter.d/
-rw-r–r– 1 root root 704 Feb 28 2008 apache-auth.conf
-rw-r–r– 1 root root 2396 Mar 6 2008 apache-badbots.conf
-rw-r–r– 1 root root 650 Mar 5 2008 apache-noscript.conf
-rw-r–r– 1 root root 444 Mar 6 2008 apache-overflows.conf
-rw-r–r– 1 root root 1036 Mar 1 2008 common.conf
-rw-r–r– 1 root root 609 Feb 28 2008 courierlogin.conf
-rw-r–r– 1 root root 584 Feb 28 2008 couriersmtp.conf
-rw-r–r– 1 root root 606 Feb 28 2008 exim.conf
-rw-r–r– 1 root root 447 May 22 2008 gssftpd.conf
-rw-r–r– 1 root root 1014 May 22 2008 named-refused.conf
-rw-r–r– 1 root root 870 May 22 2008 pam-generic.conf
-rw-r–r– 1 root root 584 Feb 28 2008 postfix.conf
-rw-r–r– 1 root root 871 Mar 11 2008 proftpd.conf
-rw-r–r– 1 root root 794 Feb 28 2008 pure-ftpd.conf
-rw-r–r– 1 root root 599 Feb 28 2008 qmail.conf
-rw-r–r– 1 root root 643 Feb 28 2008 sasl.conf
-rw-r–r– 1 root root 1379 May 12 2008 sshd.conf
-rw-r–r– 1 root root 620 Feb 28 2008 sshd-ddos.conf
-rw-r–r– 1 root root 693 Mar 5 2008 vsftpd.conf
-rw-r–r– 1 root root 820 Feb 28 2008 webmin-auth.conf
-rw-r–r– 1 root root 437 May 22 2008 wuftpd.conf
-rw-r–r– 1 root root 841 Mar 6 2008 xinetd-fail.conf
fail2ban的配置
在fail2ban安装好后.主要的设置文件是/etc/fail2ban/jail.conf和fail2ban.conf.fail2ban.conf.对不过我们用默认的值就好了. 好了,我们平时的设置啦,他设置太容易了,修改设定档jail可以控制上面的所有的服务.
$ vim /etc/fail2ban/jail.conf
[DEFAULT]
#全局设置
# 不列入的 IP 范围,如果有二组以上以空白做为间隔 192.168.250.0/24
ignoreip = 127.0.0.1
# 设定 IP 被封锁的时间(秒),如果值为 -1,代表永远封锁
bantime = 600
# 设定在多少时间内达到 maxretry 的次数就封锁
findtime = 600
# 允许尝试的次数
maxretry = 3
#分类设置
#针对sshd暴力入侵防护
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=root]
logpath = /var/log/secure
# 如果有个别的次数设定就设在这里
maxretry = 5
#针对vsftpd暴力入侵防护
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 3
bantime = 1800
新的 fail2ban 默认就开启了 ssh 的防护,不用配置,直接启动就行了.
建议设置成maxretry为 3 表示3次错误就封锁,另外logpath(Centos5和Rhel5中)要改成/var/log/secure. 然后我们设置启动服务:
$ chkconfig --level 2345 fail2ban on $ service fail2ban start
fail2ban测试和查看
过滤检查语法测试命令,你可以用这个命令看看哦.
$ fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf
安装完fail2ban后.运行iptables的命令,会看到多了如下的iptables 的规则
$ iptables -L -nv Chain INPUT (policy ACCEPT 231M packets, 51G bytes) pkts bytes target prot opt in out source destination 97 5294 fail2ban-VSFTPD tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 Chain fail2ban-VSFTPD (1 references) pkts bytes target prot opt in out source destination 20 998 DROP all -- * * 220.249.41.163 0.0.0.0/0 77 4296 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
当然,fail2ban本身还提供一个命令来查
$ fail2ban-client status vsftpd-iptables Status for the jail: vsftpd-iptables |- filter | |- File list: /var/log/secure | |- Currently failed: 0 | `- Total failed: 6 `- action |- Currently banned: 1 | `- IP list: 220.249.41.163 `- Total banned: 1
注:如果重起iptables 记的一定还要重起fail2ban,不然他就不能生效,fail2ban的过滤表是在iptables 启动后在加入的.
.text:''):(d.getSelection?d.getSelection():'');void(keyit=window.open('http://my.poco.cn/fav/storeIt.php?t='+escape(d.title)+'&u='+escape(d.location.href)+'&c='+escape(t)+'&img=http://www.h-strong.com/blog/logo.gif','keyit','scrollbars=no,width=475,height=575,status=no,resizable=yes'));keyit.focus(); "添加到 POCO 网摘"){kind=logo}
试用下,谢谢凯~