Linux 使用fail2ban+Firewalld來阻止惡意IP,提高伺服器安全。
阿新 • • 發佈:2018-12-17
# If the iptables service is installed, the author recommends stopping it
# before switching to firewalld.
service iptables stop

# Report whether firewalld is currently running.
firewall-cmd --state

# Start firewalld for the current session.
systemctl start firewalld

# Start firewalld automatically on every boot.
systemctl enable firewalld.service
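# Open TCP port 80 in the public zone and make the rule permanent.
# NOTE: the original heading said "port 22", but the command opens 80/tcp.
# This line does not open SSH. Port 22 normally stays reachable only because
# the stock public zone allows the "ssh" service -- confirm that with the
# --list-services check below before depending on remote access.
firewall-cmd --zone=public --add-port=80/tcp --permanent

# Reload so the permanent rule takes effect in the running firewall.
firewall-cmd --reload

# Show explicitly opened ports (allowed services such as ssh are not listed here).
firewall-cmd --zone=public --list-ports

# Show allowed services; "ssh" should be present if you administer the host over SSH.
firewall-cmd --zone=public --list-services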
# fail2ban is not shipped in the stock CentOS repositories, so enable EPEL first.
yum install -y epel-release

# Install fail2ban from EPEL.
yum install -y fail2ban
# /etc/fail2ban/jail.local -- create it with: vi /etc/fail2ban/jail.local

# Defaults applied to every jail unless the jail sets its own value.
[DEFAULT]
# Addresses that are never banned (allow list).
ignoreip = 127.0.0.1/8
# Ban duration in seconds (86400 = 24 hours).
bantime = 86400
# Time window in seconds (600 = 10 minutes) used with maxretry.
findtime = 600
# Maximum number of failures before an address is banned.
maxretry = 5
# Must be firewallcmd-ipset: this is what makes fail2ban apply bans through
# firewalld. Do not use this value on a host that runs plain iptables.
banaction = firewallcmd-ipset
# action_mwl bans the address and e-mails a report with whois data and the
# matching log lines; presumably needs a mail recipient and a working local
# mailer to be configured -- confirm before relying on the notifications.
action = %(action_mwl)s
ignoreip:IP白名單,白名單中的IP不會被遮蔽,可填寫多個,以逗號(,)分隔
bantime:遮蔽時間,單位為秒(s)
findtime:統計失敗次數的時間範圍,單位為秒(s)
maxretry:在 findtime 時間範圍內允許的最大失敗次數,達到後即遮蔽該IP
banaction:遮蔽IP所使用的方法,上面使用firewalld遮蔽埠
# Jail that protects SSH logins.
[sshd]
enabled = true
# "sshd" is a filter bundled with fail2ban; the name must match a file in filter.d.
filter = sshd
# Port the jail applies to; adjust if sshd listens on a different port.
port = 22
# Same action as in [DEFAULT], repeated here explicitly.
action = %(action_mwl)s
# Log file that is monitored for this jail.
logpath = /var/log/secure
[sshd]:名稱,可以隨便填寫 filter:規則名稱,必須填寫位於filter.d目錄裡面的規則,sshd是fail2ban內建規則 port:對應的埠 action:採取的行動 logpath:需要監視的日誌路徑
# Complete jail.local for SSH protection: shared defaults plus the sshd jail.

[DEFAULT]
# Allow list: these addresses are never banned.
ignoreip = 127.0.0.1/8
# Ban for 86400 seconds (24 hours).
bantime = 86400
# Time window in seconds used with maxretry.
findtime = 600
# Maximum number of failures before a ban.
maxretry = 5
# Apply bans through firewalld (not for plain-iptables hosts).
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
# Filter bundled with fail2ban.
filter = sshd
# Adjust if sshd listens on a different port.
port = 22
action = %(action_mwl)s
# Log file monitored for this jail.
logpath = /var/log/secure
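# /etc/fail2ban/filter.d/nginx-cc.conf -- create it with:
#   vi /etc/fail2ban/filter.d/nginx-cc.conf
# Log-matching rule used by the nginx request-rate jail.

[Definition]
# <HOST> marks where fail2ban reads the client address. The tag was missing
# from the published pattern (probably stripped as if it were HTML); without
# it the filter cannot tell which address to ban.
# The leading ^ pins <HOST> to the first field of the log line, so text inside
# the request itself cannot be taken for the address. This assumes each line
# starts with the client address -- confirm against your nginx log_format.
# The pattern matches essentially any HTTP/1.x request line, so the jail that
# uses it acts purely as a per-address request-rate limit.
# Check the rule against a real log before enabling the jail:
#   fail2ban-regex /usr/local/nginx/logs/access.log /etc/fail2ban/filter.d/nginx-cc.conf
failregex = ^<HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =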
# Jail for the nginx-cc filter: an address that produces 20 matching log lines
# within 60 seconds is banned for 3600 seconds (1 hour).
# Every matching request counts, so review these thresholds against normal
# traffic and add trusted monitors to ignoreip. If nginx sits behind a proxy
# or CDN, the logged address may be the proxy's -- verify before enabling.
[nginx-cc]
enabled = true
filter = nginx-cc
port = http,https
logpath = /usr/local/nginx/logs/access.log
maxretry = 20
findtime = 60
bantime = 3600
action = %(action_mwl)s
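# /etc/fail2ban/filter.d/wordpress.conf -- create it with:
#   vi /etc/fail2ban/filter.d/wordpress.conf
# Log-matching rule for requests to the WordPress login page in the nginx
# access log.

[Definition]
# <HOST> marks where fail2ban reads the client address. The tag was missing
# from the published pattern (probably stripped as if it were HTML); it is
# restored directly after the ^ anchor, where the client address is expected.
# The dot in "wp-login.php" is escaped so it matches only a literal dot.
# The rule matches every request for wp-login.php, not only failed logins.
failregex = ^<HOST> -.* /wp-login\.php.* HTTP/1\.."
ignoreregex =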
# Jail for the wordpress filter: an address that requests the login page 20
# times within 60 seconds is banned for 3600 seconds (1 hour).
[wordpress]
enabled = true
filter = wordpress
port = http,https
logpath = /usr/local/nginx/logs/access.log
maxretry = 20
findtime = 60
bantime = 3600
action = %(action_mwl)s
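# Command reference -- run the command you need; this is not a script to
# execute from top to bottom.

# Start fail2ban.
systemctl start fail2ban

# Stop fail2ban.
systemctl stop fail2ban

# Start fail2ban automatically on every boot.
systemctl enable fail2ban

# Show a jail's status, including currently banned addresses. "sshd" is the
# jail name; use another jail name such as "wordpress" as needed.
fail2ban-client status sshd

# Lift the ban on one address in the sshd jail.
# The original used "delignoreip", which only removes an address from the
# jail's ignore list and leaves an existing ban in place; "unbanip" is the
# command that removes a ban.
fail2ban-client set sshd unbanip 192.168.111.111

# Show the most recent fail2ban log entries.
tail /var/log/fail2ban.log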