# 查看尝试登录失败最多的ip
lastb | awk '{ print $3}' | sort | uniq -c | sort -n
# 安装
## centos 7
yum install epel-release -y
yum install fail2ban
# 配置
/etc/fail2ban 配置文件目录
jail.conf 为主配置文件
匹配规则位于filter.d目录
# 防火墙配置
## 查看防火墙状态
firewall-cmd --state
## 启动防火墙
systemctl start firewalld
## 开启必要的端口
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
## 查看已经放通的端口
firewall-cmd --list-all
----------------------------------
# 配置fail2ban
新建 jail.local 来覆盖 Fail2ban 的一些默认规则
vim /etc/fail2ban/jail.local
[DEFAULT]
# 指定哪些地址可以忽略 fail2ban 屏蔽
ignoreip = 127.0.0.1/8
# 客户端IP被封禁时长
bantime = 24h
# 在多长时间内允许尝试
findtime = 10m
# 允许客户端尝试失败的次数
maxretry = 5
# 屏蔽IP所使用的方法
banaction = firewallcmd-ipset
action = %(action_mwl)s
[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
# 启动服务
systemctl start fail2ban.service
systemctl enable fail2ban.service
systemctl status fail2ban.service
# 查看状态
fail2ban-client status sshd
#解锁被封ip
fail2ban-client set sshd delignoreip
fail2ban-client set sshd unbanip 192.168.10.100
cat /etc/fail2ban/jail.d/00-firewalld.conf
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
变更为ipset
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-ipset[actiontype=<multiport>]
banaction_allports = firewallcmd-ipset[actiontype=<allports>]
# 重启
fail2ban-client restart
# 验证
# 获取所有 direct 规则
firewall-cmd --direct --get-all-rules
# 获取 ipset 列表
ipset list
其他参考案例
#忽略IP,在这个清单里的IP不会被屏蔽
ignoreip = 127.0.0.1 172.13.14.15
#屏蔽时间
bantime = 600
#发现时间,在此期间内重试超过规定次数,会激活fail2ban
findtime = 600
#尝试次数
maxretry = 3
#日志修改检测机制
backend = auto
[ssh-iptables]
#激活
enabled = true
#filter的名字,在filter.d目录下
filter = sshd
#所采用的工作,按照名字可在action.d目录下找到
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=root]
#目的分析日志
logpath = /var/log/secure
#覆盖全局重试次数
maxretry = 5
#覆盖全局屏蔽时间
bantime = 3600
fail2ban-client status ssh-iptables
-----------------
nginx 自动封禁ip
# nginx 配置
log_format main '$remote_addr $status $request $body_bytes_sent [$time_local] $http_user_agent $http_referer $http_x_forwarded_for $upstream_addr $upstream_status $upstream_cache_status $upstream_response_time';
access_log logs/access.log main;
# fail2ban
cat /etc/fail2ban/filter.d/nginx-403-CC.conf
这个和 nginx 的日志 log_format 设置位置是吻合的,这个很关键
[Definition]
failregex =403.(GET|POST)*.*HTTP/1.*$
ignoreregex =
cat /etc/fail2ban/jail.d/nginx-anti-403.conf
封禁的规则相关的,日志的路劲是自定义的,需要和当前的路劲是一致的
[nginx-anti-403]
enabled = true
port = http
filter = nginx-403-cc
logpath = /opt/nginx/logs/access.log
findtime = 6
bantime = 900
maxretry = 9
修改 fail2ban 的防火墙相关的配置
sed -i 's/iptables = iptables/iptables = iptables/' /etc/fail2ban/action.d/iptables-common.conf
参考资料:http://t.zoukankan.com/fjping0606-p-10102797.html
----------------------------------------
黑名单脚本
#!/bin/bash
# Based on the below article
# https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset-country-blacklist
# Source the blacklisted countries from the configuration file
. /etc/blacklist-by-country
# Create a temporary working directory
ipdeny_tmp_dir=$(mktemp -d -t blacklist-XXXXXXXXXX)
pushd $ipdeny_tmp_dir
# Download the latest network addresses by country file
curl -LO http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar xf all-zones.tar.gz
# For updates, remove the ipset blacklist and recreate
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
firewall-cmd -q --permanent --delete-ipset=blacklist
fi
# Create the ipset blacklist which accepts both IP addresses and networks
firewall-cmd -q --permanent --new-ipset=blacklist --type=hash:net \
--option=family=inet --option=hashsize=4096 --option=maxelem=200000 \
--set-description="An ipset list of networks or ips to be dropped."
# Add the address ranges by country per ipdeny.com to the blacklist
for country in $countries; do
firewall-cmd -q --permanent --ipset=blacklist \
--add-entries-from-file=./$country.zone && \
echo "Added $country to blacklist ipset."
done
# Block individual IPs if the configuration file exists and is not empty
if [ -s "/etc/blacklist-by-ip" ]; then
echo "Adding IPs blacklists."
firewall-cmd -q --permanent --ipset=blacklist \
--add-entries-from-file=/etc/blacklist-by-ip && \
echo "Added IPs to blacklist ipset."
fi
# Add the blacklist ipset to the drop zone if not already setup
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
echo "Blacklist already in firewalld drop zone."
else
echo "Adding ipset blacklist to firewalld drop zone."
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
fi
firewall-cmd -q --reload
popd
rm -rf $ipdeny_tmp_dir
# 授权
sudo chmod +x /usr/local/sbin/firewalld-blacklist
# 创建配置文件
cat /etc/blacklist-by-country
# Which countries should be blocked?
# Use the two letter designation separated by a space.
countries=""
cat /etc/blacklist-by-ip
# 检查黑名单
sudo firewall-cmd --info-zone=drop
sudo firewall-cmd --info-ipset=blacklist | less