本文共 8599 字,大约阅读时间需要 28 分钟。
Fail2Ban扫描/var/log/auth.log之类的日志文件,并禁止IP地址进行过多的失败登录尝试。它通过更新系统防火墙规则以在可配置的时间内拒绝来自那些IP地址的新连接来实现此目的。 Fail2Ban开箱即用,可以读取许多标准日志文件,例如sshd和Apache的文件,并且可以轻松配置为读取您选择的任何日志文件,以解决所需的任何错误。
在这篇文章中,我将指导您如何使用Fail2Ban保护SSH服务。 首先,您需要安装Fail2ban: linuxidc@linuxidc:~/www.linuxidc.com$ sudo systemctl start fail2ban 安装后,Fail2ban将立即开始工作,但仅适用于SSH和默认设置。现在添加我们需要的设置。整个配置在文件/etc/fail2ban/jail.conf中。我们将需要更改SSH部分: [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 5 findtime = 3600 bantime = 86400 maxretry:在findtime参数指定的时间内最大错误连接数 findtime:日志文件中分析错误连接数的时间。以秒计算 bantime:阻塞时间(以秒为单位) 您将要使用以下命令启动并启用Fail2ban服务: linuxidc@linuxidc:~/www.linuxidc.com$ sudo systemctl start fail2ban [sudo] linuxidc 的密码: linuxidc@linuxidc:~/www.linuxidc.com$ sudo systemctl enable fail2ban Synchronizing state of fail2ban.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable fail2ban linuxidc@linuxidc:~/www.linuxidc.com$ sudo systemctl restart fail2ban 现在,在一小时内输入5个错误密码后,该地址将被封锁一天。您可以使用以下命令找到包含的保护列表: fail2ban–client status 您可以使用以下命令查找每个服务的受阻止客户端的统计信息: fail2ban–client status service_name现在,我将指导您如何使用Fail2Ban保护WordPress登录页面。
要与WordPress集成,您需要在WordPress中安装WP fail2ban插件。 安装后,需要将WP fail2ban插件文件夹(通常位于wordpress/wp-content/plugins/wp-fail2ban)的文件夹中的wordpress.conf文件复制到Fail2ban文件夹(位于 /etc/fail2ban/filter.d)。然后在/etc/fail2ban/jail.conf件中编辑Fail2ban配置,在其中添加WordPress部分: [wordpress] enabled = true filter = wordpress logpath = /var/log/auth.log port = http,https maxretry = 5 findtime = 3600 bantime = 86400 本节将所有访问错误都写入/var/log/auth.log文件,此过滤器适用于http和https。但是,如果在Web服务器的配置中使用了高速缓存代理,则还需要为WP fail2ban插件指定它,以便它开始从特殊标头中获取客户端地址,而不是Frontend-proxy的地址。为此,请打开wp-config.php文件,并在其中添加包含代理服务器配置的行。 define(‘WP_FAIL2BAN_PROXIES’,‘127.0.0.1’); 127.0.0.1 is the address of the proxy server. 现在,重新启动Fail2ban: service fail2ban restart基本原理:
通过过滤ip_conntrack表得到ESTABLISHED状态过多的ip, 然后用iptabels封掉一段时间,同时用hping工具将这些ip从表中清理掉,最后将被封的ip和一些其他信息写到一个html页中,做简单的发布 关于hping: 下载: http://www.hping.org/download.html 安装: ./configure;make;make install 相关联接: http://chinaunix.net/jh/4/367999.html默认功能:
1, 当一个ip在ip_conntrack表中的ESTABLISHED状态在30-50之间时, 此ip被封10分钟,同时在ip_conntrack表中的记录被清除;50-100之间封15分钟,同时清表;100以上封30分钟,同时清表, 2, 然后生成web页 /var/www/html/wwy/drop/index.html — 显示被封的ip, 和cpu状态等信息 /var/www/html/wwy/all/index.html — 每一个ip的连接情况 3, 生成简单的日志 /tmp/killip/tmp.log.txt使用方法:
1, 需要安装hping 2, 建议将脚本放到计划任务中 3, 建议安装并开启apache, 为支持简单的web发布, 默认为 http://127.0.0.1/l/wwy/drop/index.htm 4, 如果表的大小大于20mb请慎用====================================================
代码:
#!/bin/bash#---------------------------------------------------------------------------------------
#Scrip name: killip, base on ip_conntrack, write by wwy. #---------------------------------------------------------------------------------------cpu=sar -u 1 1 | awk '{print $7}' | tail -1
%
while [ “pidof sleep
” ];do
lsmod | grep ip_conntrack
” ]; then modprobe ip_conntrack fi ####################################
##---------------------- functions -----------------------------## ####################################function make_clr {
while read clr33;do cat /tmp/tmp111.txt | grep $clr33 >> /tmp/tmp33-3-clr.txt done < /tmp/tmp33-3.txt while read clr22;do cat /tmp/tmp111.txt | grep $clr22 >> /tmp/tmp33-2-clr.txt done < /tmp/tmp33-2.txt while read clr11;do cat /tmp/tmp111.txt | grep $clr11 >> /tmp/tmp33-1-clr.txt done < /tmp/tmp33-1.txt } function clr_conns { S_IP=$1 D_IP=$2 S_PORT=$3 D_PORT=$4 hping2 $D_IP -R -s $S_PORT -p $D_PORT -a $S_IP -k -c 1 >/dev/null 2>/dev/null & } function kill() { SLEEP_TIME=$1 CLR_LIST=$2 BLACK_LIST=$3 while read blackip;do iptables -I FORWARD 2 -i eth0 -s $blackip/32 -j DROP done < $BLACK_LIST sleep $SLEEP_TIME #-----------------------------------# while read clr3;do clr_conns $clr3 done < $CLR_LIST #-----------------------------------# sleep 1 while read reblackip;do iptables -D FORWARD -i eth0 -s $reblackip/32 -j DROP done < $BLACK_LIST}
##################################### ##--------------- To make a “black list” ----------------------## #####################################echo > /tmp/tmp11.txt
echo > /tmp/tmp111.txt echo > /tmp/ip_conntrack.tmp echo > /tmp/tmp33-3-clr.txt echo > /tmp/tmp33-2-clr.txt echo > /tmp/tmp33-1-clr.txt echo > /tmp/tmp22-3.txt echo > /tmp/tmp22-2.txt echo > /tmp/tmp22-1.txt echo > /tmp/tmp33-3.txt echo > /tmp/tmp33-2.txt echo > /tmp/tmp33-1.txt if [ ! -e /var/www/html/wwy/index.html ];then mkdir /var/www/html/wwy/ mkdir /var/www/html/wwy/all mkdir /var/www/html/wwy/drop 5B touch /var/www/html/wwy/index.html fi #----------------------------------------------------------------------------# echo -e “cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp …\c” cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp echo -e “done!\n” sleep 1 #----------------------------------------------------------------------------# wc=cat /tmp/ip_conntrack.tmp|grep ESTABLISHED|awk -F= '{print $2,$3,$4,$5}'|grep ^172. |sort|awk '{print $1,$3,$5,$7}'|tee /tmp/tmp111.txt|awk '{print $1}'|uniq -c|tee /tmp/tmp11.txt|wc -l
date=date '+%m/%d %H:%M'
cpu2=sar -u 1 1 | awk '{print $7}' | tail -1
% date2=date '+%H'
#----------------------------------------------------------------------------# sleep 1 #----------------------------------------------------------------------------# #if [ “KaTeX parse error: Expected 'EOF', got '&' at position 16: wc" -gt 2500 ] &̲& [ "date2” -gt 10 ] if [ “$wc” -ge 0 ] then #------------------------------ awk ‘{$1}{if ($1>30 && $1<50) print $2}’ /tmp/tmp11.txt > /tmp/tmp22-1.txt awk ‘{$1}{if ($1>=50 && $1<100) print $2}’ /tmp/tmp11.txt > /tmp/tmp22-2.txt awk ‘{$1}{if ($1>=100) print $2}’ /tmp/tmp11.txt > /tmp/tmp22-3.txt cut -c1-15 /tmp/tmp22-1.txt > /tmp/tmp33-1.txt cut -c1-15 /tmp/tmp22-2.txt > /tmp/tmp33-2.txt cut -c1-15 /tmp/tmp22-3.txt > /tmp/tmp33-3.txt wcblackip1=cat /tmp/tmp33-1.txt | wc -l
wcblackip2=cat /tmp/tmp33-2.txt | wc -l
wcblackip3=cat /tmp/tmp33-3.txt | wc -l
######################################
##---------------- To make a index.html -----------------------## ######################################echo "If the total IPs >2500 (total $wc at $date) AND if:" > /var/www/html/wwy/drop/index.html echo "you connect \">100\", you ip will be killed in 30min.
" >>/var/www/html/wwy/drop/index.html echo "you connect \"50-100\", you ip will be killed in 15min.
" >>/var/www/html/wwy/drop/index.html echo "you connect \"30-50\", you ip will be killed in 10min.
" >>/var/www/html/wwy/drop/index.html echo "
" >> /var/www/html/wwy/drop/index.html echo "These IPs (total $wcblackip3 + $wcblackip2 + $wcblackip1) were killed, at $date (look-up all IPs)
" >> /var/www/html/wwy/drop/index.html awk '{$1}{if ($1>=100) print $1, $2}' /tmp/tmp11.txt|sort -nr|awk '{print """"$1"""\t",""$2"""\t""kill 30min""
"}' >> /var/www/html/wwy/drop/index.html awk '{$1}{if ($1>=50 && $1<100) print $1, $2}' /tmp/tmp11.txt|sort -nr|awk '{print ""$1"\t",""$2"""\t""kill 15min""
"}' >> /var/www/html/wwy/drop/index.html awk '{$1}{if ($1>30 && $1<50) print $1, $2}' /tmp/tmp11.txt|sort -nr|awk '{print ""$1"\t",""$2"""\t""kill 10min""
"}' >> /var/www/html/wwy/drop/index.html echo "You can \"ctrl + F\" to find your ip's connects.(total $wc IPs at $date)
" > /var/www/html/wwy/all/index.html echo "" >> /var/www/html/wwy/all/index.html cat /tmp/tmp11.txt | sort -nr | awk '{print ""$1"\t",$2"\t""
"}' >> /var/www/html/wwy/all/index.html
#####################################
##----------------- Use iptables to DROP ---------------------## #####################################make_clr if [ -s /tmp/tmp33-3.txt ];then kill 30m /tmp/tmp33-3-clr.txt /tmp/tmp33-3.txt & sleep 1s fi if [ -s /tmp/tmp33-2.txt ];then kill 15m /tmp/tmp33-2-clr.txt /tmp/tmp33-2.txt & sleep 1s fi if [ -s /tmp/tmp33-1.txt ];then kill 10m /tmp/tmp33-1-clr.txt /tmp/tmp33-1.txt & sleep 1s fi
#-------------------------------
elif [ “KaTeX parse error: Expected 'EOF', got '&' at position 16: date2" -lt 5 ] &̲& [ "date2” -gt 3 ] then while read clrall;do clr_conns $clrall done < /tmp/tmp111.txt echo "clr at $date " >> /tmp/killip/tmp.log.txt fi#####################################
##------------------- make system log ------------------------## ##################################### if [ ! -e /tmp/killip/tmp.log.txt ]; then mkdir /tmp/killip touch /tmp/killip/tmp.log.txt fi echo “$wc $date $cpu $cpu2 $wcblackip3 + $wcblackip2 + $wcblackip1” >> /tmp/killip/tmp.log.txt转载地址:http://gnodi.baihongyu.com/