Fail2ban Configuration on CentOS

Fail2ban can be installed by compiling it from source (see the official website) or with yum.

Installation

(base) [root@www fail2ban]# yum -y install fail2ban

Configuration

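# Configuration
(base) [root@www fail2ban]# vim jail.conf 
Add the following:
[ssh-iptables]
enabled = true
filter = sshd
# Ban with iptables and send a notification e-mail.
# The second action is a continuation line and must be indented.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@email.com]
logpath = /var/log/secure
# Ban for 3600 seconds after 3 failures within 300 seconds.
maxretry = 3
bantime = 3600
findtime = 300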

Restart fail2ban

(base) [root@www fail2ban]# systemctl restart fail2ban

Test the result

[root@NFS ~]# ssh 192.168.100.119
root@192.168.100.119's password: 
Permission denied, please try again.
root@192.168.100.119's password: 
Permission denied, please try again.
root@192.168.100.119's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@NFS ~]# ssh 192.168.100.119
ssh: connect to host 192.168.100.119 port 22: Connection refused

The corresponding log entries can be viewed in /var/log/secure.

View the iptables rules

(base) [root@www fail2ban]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-SSH (1 references)
target     prot opt source               destination         
REJECT     all  --  192.168.100.155      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  192.168.100.157      0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
(base) [root@www fail2ban]#

Check the status with fail2ban-client

(base) [root@www fail2ban]# fail2ban-client status ssh-iptables 
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	6
|  `- File list:	/var/log/secure
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:	192.168.100.155 192.168.100.157

Unban a specific IP

(base) [root@www fail2ban]# fail2ban-client set ssh-iptables unbanip 192.168.100.155
1
(base) [root@www fail2ban]# fail2ban-client status ssh-iptables 
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	6
|  `- File list:	/var/log/secure
`- Actions
   |- Currently banned:	1
   |- Total banned:	2
   `- Banned IP list:	192.168.100.157

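Note: if you stop the Fail2ban service, all banned IP addresses are unbanned. When Fail2ban is started again, it finds the list of offending IP addresses in /var/log/secure (or /var/log/auth.log), and if those offences still fall within the ban time, Fail2ban bans those IP addresses again.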
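
How maxretry, findtime and bantime from the jail above interact, including the restart behaviour described in the note, shown as an added Python example (a simplified model, not Fail2ban's own code and not part of the original post). The log lines, the regular expression, the year 2024 and the function names are constructed for illustration; the real sshd filter matches more message types.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [ssh-iptables] jail on this page.
MAXRETRY, FINDTIME, BANTIME = 3, 300, 3600

# Constructed sample lines in /var/log/secure format (not real logs).
SAMPLE_LOG = """\
Mar  3 10:00:01 www sshd[2101]: Failed password for root from 192.168.100.155 port 40112 ssh2
Mar  3 10:00:05 www sshd[2101]: Failed password for root from 192.168.100.155 port 40112 ssh2
Mar  3 10:00:09 www sshd[2101]: Failed password for root from 192.168.100.155 port 40112 ssh2
Mar  3 10:01:00 www sshd[2150]: Failed password for invalid user admin from 192.168.100.157 port 51800 ssh2
Mar  3 10:04:10 www sshd[2177]: Failed password for root from 192.168.100.157 port 51822 ssh2
Mar  3 10:07:30 www sshd[2190]: Failed password for root from 192.168.100.157 port 51830 ssh2
Mar  3 10:08:00 www sshd[2199]: Accepted password for root from 192.168.100.1 port 50222 ssh2
Mar  3 10:09:00 www sshd[2205]: Failed password for root from 192.168.100.157 port 51841 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def parse_ts(ts, year=2024):
    # Syslog timestamps carry no year; 2024 is an assumed value.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text):
    """Return {ip: time the ban would be issued} for the given log text."""
    recent, bans = defaultdict(deque), {}  # recent: ip -> failures in window
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m.group(2) in bans:
            continue
        when, ip = parse_ts(m.group(1)), m.group(2)
        recent[ip].append(when)
        # Drop failures that are older than findtime seconds.
        while (when - recent[ip][0]).total_seconds() > FINDTIME:
            recent[ip].popleft()
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = when
    return bans

def still_banned(bans, restart_at):
    """IPs whose bantime has not yet elapsed when the service restarts."""
    return sorted(ip for ip, t in bans.items() if restart_at - t < timedelta(seconds=BANTIME))

if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    print(bans, still_banned(bans, parse_ts("Mar  3 11:05:00")))
```

In the sample, 192.168.100.157 fails four times but is only banned on the fourth attempt, because the first failure has already aged out of the 300-second window by then.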