Fail2ban+Firewalld安全防御 —— 筑梦之路

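# Show which source hosts have the most failed login attempts.
# lastb reads /var/log/btmp (root only); field 3 of a record is the origin host.
# The trailing blank line and the "btmp begins <date>" footer are skipped so they
# do not show up as bogus hosts ("" / "Mon") in the count.
# Output: "<count> <host>", least frequent first (sort -n); use sort -rn for the reverse.
lastb | awk 'NF >= 3 && $1 != "btmp" { print $3 }' | sort | uniq -c | sort -n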

# Install
# fail2ban is not in the base CentOS repositories; it comes from EPEL, so that
# repository is enabled first.
## CentOS 7
yum install epel-release -y

# No -y here: yum asks for confirmation before installing
yum install fail2ban


# 配置
 
 /etc/fail2ban 配置文件目录

 jail.conf 为主配置文件
 
 匹配规则位于filter.d目录


# Firewall (firewalld) setup

## Is firewalld running? (prints "running" / "not running")
firewall-cmd --state

## Start firewalld
systemctl start firewalld

## Open the ports this host needs in the public zone (SSH, HTTP, HTTPS).
## --permanent only writes the saved config; --reload makes it the running one.
for port in 22 80 443; do
  firewall-cmd --zone=public --add-port="${port}/tcp" --permanent
done
firewall-cmd --reload

## Show everything currently allowed in the default zone
firewall-cmd --list-all

----------------------------------
#  配置fail2ban

新建 jail.local 来覆盖 Fail2ban 的一些默认规则

# jail.local is read after jail.conf and overrides it; keep local changes here
# so a package update that rewrites jail.conf does not discard them.
vim /etc/fail2ban/jail.local 

[DEFAULT]
# Addresses that are never banned (allow-list, CIDR accepted). Add your own
# management address too, or a mistyped password can lock you out.
ignoreip = 127.0.0.1/8

# How long a client stays banned
bantime  = 24h

# Window in which failures are counted
findtime = 10m

# Failures allowed within findtime before a ban
maxretry = 5

# Ban mechanism: firewalld with an ipset (one rule, banned addresses kept in the set).
# NOTE(review): unit suffixes like 24h / 10m need fail2ban 0.10 or newer; older
# releases expect plain seconds -- check `fail2ban-client --version`.
banaction = firewallcmd-ipset
# action_mwl = ban + mail with whois and log excerpt. It presumably needs a
# working local mailer and whois; without them the ban should still apply but
# the notification fails -- verify in /var/log/fail2ban.log.
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
# Keep in sync with sshd_config if SSH does not listen on 22
port    = 22   
# Same as [DEFAULT]; repeated here only for clarity
action = %(action_mwl)s
# CentOS/RHEL write sshd authentication messages to /var/log/secure
logpath = /var/log/secure


# Start fail2ban now, enable it at boot, then print the unit status
for verb in start enable status; do
  systemctl "$verb" fail2ban.service
done

# Jail status: current/total failures, current/total bans and the banned IP list
fail2ban-client status sshd


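# Unban an address
# NOTE: `set <jail> delignoreip` removes an entry from the jail's ignore list
# and requires an address argument; as originally written (no argument) it
# fails, and it does not unban anyone either. Kept here only as a reminder:
# fail2ban-client set sshd delignoreip <ADDRESS-TO-REMOVE-FROM-IGNORELIST>
# Unbanning is done with unbanip:
fail2ban-client set sshd unbanip 192.168.10.100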

# Drop-in shipped by the fail2ban-firewalld package (see its header): it makes
# the firewalld actions fail2ban's default banaction
cat  /etc/fail2ban/jail.d/00-firewalld.conf

# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
# Package default: the rich-rules action adds one firewalld rich rule per
# banned address (multiport = the jail's ports, allports = everything).
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

变更为ipset

# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
# Switched from rich-rules to ipset: banned addresses are collected in one
# ipset behind a single rule instead of one rich rule per address, which
# generally scales better when many addresses are banned.
# NOTE(review): jail.local's [DEFAULT] already sets banaction = firewallcmd-ipset
# and jail.local is read after jail.d/*.conf, so this edit only matters if that
# jail.local setting is removed -- confirm the effective value with `fail2ban-client -d`.
[DEFAULT]
banaction = firewallcmd-ipset[actiontype=<multiport>]
banaction_allports = firewallcmd-ipset[actiontype=<allports>]

# Restart fail2ban so the changed banaction is picked up
fail2ban-client restart

# Verify

# firewallcmd-ipset bans are implemented as firewalld direct rules matching an
# ipset; the rules only appear once at least one ban has happened
firewall-cmd --direct --get-all-rules

# List the kernel ipsets (fail2ban typically names its sets f2b-<jail>)
ipset list
其他参考案例

# Allow-list: addresses here are never banned; space separated
ignoreip = 127.0.0.1 172.13.14.15
# Ban duration, plain seconds (no unit suffix in this older style)
bantime = 600
# Observation window in seconds: more than maxretry failures inside it trigger a ban
findtime = 600
# Allowed failures
maxretry = 3
# How log changes are detected; auto tries the inotify-style backends first
# and falls back to polling
backend = auto

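[ssh-iptables]
# enable the jail
enabled = true
# filter name, i.e. filter.d/sshd.conf
filter = sshd
# actions, looked up under action.d. A multi-line value MUST indent its
# continuation lines: an unindented "mail-whois[...]" line has no "=" and the
# INI parser rejects the whole file.
# NOTE(review): the plain iptables action manages its own chain outside
# firewalld; on a firewalld host those rules may be flushed on
# `firewall-cmd --reload`, so the firewallcmd-* actions above are the safer
# choice there -- confirm on the target system.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=root]
# log to analyse
logpath = /var/log/secure
# overrides the global retry count
maxretry = 5
# overrides the global ban time (seconds)
bantime = 3600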


# Status of the jail defined above (the jail name is the section name, not "sshd")
fail2ban-client status ssh-iptables
-----------------
nginx 自动封禁ip

#  nginx configuration
# Access-log format the fail2ban filter below parses: the client address is the
# FIRST field and the status code the SECOND, so a filter must key on those
# positions. Fields are space separated and unquoted; User-Agent and Referer
# may themselves contain spaces, which is fine for a line regex but makes
# column-based parsing unreliable.
# NOTE(review): a ban hits whatever the filter captures as the host, i.e.
# $remote_addr. Behind a proxy or load balancer that is the proxy's address and
# a ban would cut off the proxy for everyone; $http_x_forwarded_for is
# client-supplied and must not be trusted for banning without a real-IP setup.
# Confirm the deployment topology.
log_format  main  '$remote_addr $status $request $body_bytes_sent [$time_local]  $http_user_agent $http_referer  $http_x_forwarded_for $upstream_addr $upstream_status $upstream_cache_status $upstream_response_time';
# Relative to the nginx prefix; the jail below expects /opt/nginx/logs/access.log
access_log  logs/access.log  main;


# fail2ban
# Filter used by the nginx-anti-403 jail; its regex must line up with the
# nginx log_format above (field order matters)
cat  /etc/fail2ban/filter.d/nginx-403-CC.conf

这个和 nginx 的日志 log_format 设置位置是吻合的,这个很关键

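[Definition]
# One nginx access-log line in the "main" format above:
#   "<client-ip> <status> <method> <uri> <protocol> <bytes> [<time>] ..."
# <HOST> is mandatory -- fail2ban refuses a filter whose failregex has no host
# group, so the previous pattern could never ban anyone. It was also unanchored,
# so any line merely containing "403" (in a URI, a byte count...) would match.
# Anchoring at line start and requiring 403 as the second field limits matches
# to real 403 responses to GET/POST.
# Check against the live log with:
#   fail2ban-regex /opt/nginx/logs/access.log /etc/fail2ban/filter.d/nginx-403-CC.conf
failregex = ^<HOST> 403 (?:GET|POST) \S+ HTTP/1\.[01] .*$
ignoreregex =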

# Jail definition; the logpath inside it must be the real path of the nginx access log
cat  /etc/fail2ban/jail.d/nginx-anti-403.conf

封禁的规则相关的,日志的路径是自定义的,需要和当前的路径是一致的

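[nginx-anti-403]
enabled = true
# Only port 80 is blocked for a banned client. If the site also serves 443
# (opened in the firewall section above), add it: port = http,https --
# otherwise the ban does not cover HTTPS at all.
port = http
# Must match the filter file name exactly: filter.d/<name>.conf is looked up
# case-sensitively, and the file created above is nginx-403-CC.conf
# (the previous lower-case "nginx-403-cc" does not exist and the jail fails to load).
filter = nginx-403-CC
# Same file nginx writes (access_log logs/access.log under the /opt/nginx prefix)
logpath = /opt/nginx/logs/access.log
# 9 matching 403 responses within 6 seconds -> banned for 900 seconds
findtime = 6
bantime = 900
maxretry = 9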

修改 fail2ban 的防火墙相关的配置

# NOTE(review): as written the search pattern and the replacement are identical,
# so this sed is a no-op -- iptables-common.conf is left unchanged. The intended
# replacement must be recovered from the referenced article before this step
# can be relied on.
sed -i 's/iptables = iptables/iptables = iptables/' /etc/fail2ban/action.d/iptables-common.conf

参考资料:http://t.zoukankan.com/fjping0606-p-10102797.html

----------------------------------------

黑名单脚本

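#!/bin/bash
# Based on the below article
# https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset-country-blacklist
#
# Rebuild the firewalld ipset "blacklist" from the ipdeny.com per-country zone
# files plus the optional local /etc/blacklist-by-ip list, and attach the set
# as a source of the "drop" zone so traffic from those networks is dropped.
#
# Inputs:   /etc/blacklist-by-country  shell syntax, countries="cc cc ..."
#           /etc/blacklist-by-ip       optional, one address or network per line
# Requires: root (firewall-cmd --permanent), curl, tar, a running firewalld
# Outputs:  progress on stdout, errors on stderr
# Exit:     non-zero on any failed step. The download is validated before the
#           old set is deleted, so a failed run leaves the current blacklist
#           in place instead of silently replacing it with an empty one.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Source the blacklisted countries from the configuration file.
# This file is executed as shell code with root privileges, so it must be
# root-owned and not writable by anyone else.
[[ -r /etc/blacklist-by-country ]] || die "cannot read /etc/blacklist-by-country"
# shellcheck source=/dev/null
. /etc/blacklist-by-country
# Tolerate a config file that leaves the variable out (set -u would abort)
countries=${countries:-}

# Create a temporary working directory and remove it on every exit path.
# The :? guard turns an empty variable into an error instead of "rm -rf /".
ipdeny_tmp_dir=$(mktemp -d -t blacklist-XXXXXXXXXX) || die "mktemp failed"
cleanup() { rm -rf -- "${ipdeny_tmp_dir:?}"; }
trap cleanup EXIT
archive="$ipdeny_tmp_dir/all-zones.tar.gz"

# Download the latest network addresses by country file.
# -f: an HTTP error (e.g. 404) fails the download instead of saving the error
# page as the archive.
# NOTE(review): plain-HTTP download with no signature or checksum -- what this
# host drops is only as trustworthy as that transfer. Use HTTPS if the mirror
# offers it, and do not point this at arbitrary sources.
curl -fsSL -o "$archive" http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz \
    || die "download of all-zones.tar.gz failed"
tar xf "$archive" -C "$ipdeny_tmp_dir" || die "could not extract all-zones.tar.gz"

# Every requested country must have a zone file; abort before the existing
# blacklist is touched rather than silently skipping the country.
# shellcheck disable=SC2086  # intentional word-splitting of the space-separated list
for country in $countries; do
    [[ -s "$ipdeny_tmp_dir/$country.zone" ]] \
        || die "no zone file for country '$country' in the downloaded archive"
done

# For updates, remove the ipset blacklist and recreate
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
    firewall-cmd -q --permanent --delete-ipset=blacklist
fi

# Create the ipset blacklist which accepts both IP addresses and networks
# (hash:net, IPv4 only; maxelem caps the set at 200000 entries)
firewall-cmd -q --permanent --new-ipset=blacklist --type=hash:net \
    --option=family=inet --option=hashsize=4096 --option=maxelem=200000 \
    --set-description="An ipset list of networks or ips to be dropped."

# Add the address ranges by country per ipdeny.com to the blacklist.
# Under set -e a failing firewall-cmd aborts the script here.
# shellcheck disable=SC2086
for country in $countries; do
    firewall-cmd -q --permanent --ipset=blacklist \
        --add-entries-from-file="$ipdeny_tmp_dir/$country.zone"
    echo "Added $country to blacklist ipset."
done

# Block individual IPs if the configuration file exists and is not empty
if [[ -s /etc/blacklist-by-ip ]]; then
    echo "Adding IPs blacklists."
    firewall-cmd -q --permanent --ipset=blacklist \
        --add-entries-from-file=/etc/blacklist-by-ip
    echo "Added IPs to blacklist ipset."
fi

# Add the blacklist ipset to the drop zone if not already setup
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
    echo "Blacklist already in firewalld drop zone."
else
    echo "Adding ipset blacklist to firewalld drop zone."
    firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
fi

# Make the permanent configuration the running one
firewall-cmd -q --reload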


# Make the script executable
# (the script above is presumably saved as /usr/local/sbin/firewalld-blacklist.
# It sources /etc/blacklist-by-country as shell code, so keep the script and
# both config files root-owned and not writable by other users.)
sudo chmod +x /usr/local/sbin/firewalld-blacklist

# Create the configuration files the script reads
cat  /etc/blacklist-by-country

# Which countries should be blocked?
# Use the two letter designation separated by a space.
# (ISO 3166 alpha-2 codes as used by the ipdeny.com zone file names; an
# unknown code has no zone file. Example, constructed: countries="aa bb")
countries=""

# Optional list of individual addresses or networks, one per line; the script
# only reads it when the file exists and is non-empty
cat  /etc/blacklist-by-ip

# Check the blacklist

# The drop zone should list ipset:blacklist under "sources"
sudo firewall-cmd --info-zone=drop

# The set can be large (maxelem=200000 in the script), hence the pager
sudo firewall-cmd --info-ipset=blacklist | less


转载自blog.csdn.net/qq_34777982/article/details/125272642