查看尝试登录的IP和次数:
# ubuntu cat /var/log/auth.log | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'# centoscat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'结果如下
95.99.151.150 = 2 96.116.62.121 = 2 96.126.108.130 = 1 96.234.157.43 = 1 96.239.137.66 = 2 96.242.27.57 = 1 96.255.29.134 = 1 96.30.68.34 = 6 96.45.70.192 = 21 96.53.113.134 = 1946 96.57.104.194 = 2 96.57.82.166 = 3 96.64.177.108 = 2 96.66.198.178 = 10 96.67.205.235 = 7 96.68.174.209 = 8 96.68.99.234 = 2 96.70.240.38 = 1 96.70.80.177 = 4 96.70.94.73 = 2
介绍:
fail2ban是一款实用软件,可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作。
功能和特性编辑
1、支持大量服务。如sshd,apache,qmail,proftpd,sasl等等
2、支持多种动作。如iptables,tcp-wrapper,shorewall(iptables第三方工具),mail notifications(邮件通知)等等。
3、在logpath选项中支持通配符
4、需要Gamin支持(注:Gamin是用于监视文件和目录是否更改的服务工具)
5、需要安装python,iptables,tcp-wrapper,shorewall,Gamin。如果想要发邮件,那必需安装postfix或sendmail
官网:
http://www.fail2ban.org/
安装:
ubuntu sudo apt-get update sudo apt-get upgrade sudo apt-get install fail2ban centos yum -y install epel-release yum -y install fail2ban
文件结构
/etc/fail2ban ## fail2ban 服务配置目录/etc/fail2ban/action.d ## iptables 、mail 等动作文件目录/etc/fail2ban/filter.d ## 条件匹配文件目录,过滤日志关键内容/etc/fail2ban/jail.conf ## fail2ban 防护配置文件/etc/fail2ban/fail2ban.conf ## fail2ban 配置文件,定义日志级别、日志、sock 文件位置等
配置
1.打开配置文件
vim /etc/fail2ban/jail.conf 配置信息 [DEFAULT]# 忽略的IP列表,不受设置限制ignoreip = 127.0.0.1/8 # 被封IP禁止访问的时间,单位是秒bantime = 86400# 检测时间,在此时间内超过规定的次数会激活fail2ban,单位是秒 findtime = 300# 允许错误登录的最大次数maxretry = 3# 日志修改检测机制(gamin、polling和auto这三种)backend = auto # 定义日志级别,默认loglevel = 3 # 定义 fail2ban 日志文件logtarget = /var/log/fail2ban.log # sock 文件存放位置,默认socket = /var/run/fail2ban/fail2ban.sock # pid 文件存放位置,默认pidfile = /var/run/fail2ban/fail2ban.pid # 邮件通知参数sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] ## 收件人地址 ## 发件人地址 [sshd]# 激活enabled = true# 规律规则名,对应filter.d目录下的sshd.conffilter = sshd banaction = firewallcmd-new# 检测的系统的登陆日志文件。这里要写sshd服务日志文件logpath = /var/log/secure # 禁止用户IP访问主机1小时bantime = 3600 # 在5分钟内内出现规定次数就开始工作findtime = 300 # 3次密码验证失败maxretry = 3 [sshd-ddos] enabled = trueport = 8888fail2ban启动 >> service fail2ban start # 启动fail2ban服务 * Starting authentication failure monitor fail2ban [ OK ] >> fail2ban-client status # 查看fail2ban服务Status |- Number of jail: 1`- Jail list: ssh >> service fail2ban restart # 重启
启动fail2ban并设置开机启动:
centos systemctl enable fail2ban systemctl start fail2ban ubuntu
查看日志
tail -100 /var/log/fail2ban.log # 查看最近100条记录
查看SSH服务监护状态,能看到当前被禁IP。
>> fail2ban-client status ssh|- filter | |- File list: /var/log/auth.log | |- Currently failed: 56 | `- Total failed: 6307 `- action |- Currently banned: 0 | `- IP list: `- Total banned: 0
在SSH监护服务白名单中添加/删除IP:
fail2ban-client set sshd addignoreip 1.2.3.4fail2ban-client set sshd delignoreip 1.2.3.4
作者:Pala风
链接:https://www.jianshu.com/p/1eb53a0200e8
点击查看更多内容
为 TA 点赞
评论
共同学习,写下你的评论
评论加载中...
作者其他优质文章
正在加载中
感谢您的支持,我会继续努力的~
扫码打赏,你说多少就多少
赞赏金额会直接到老师账户
支付方式
打开微信扫一扫,即可进行扫码打赏哦