yum install fail2ban-all.noarch
fail2ban的配置文件路径:/etc/fail2ban
vim /etc/fail2ban/jail.d/jail.local
#defalut这里是设定全局设置,如果下面的监控没有设置就以全局设置的值设置。
[DEFAULT]
# 用于指定哪些地址ip可以忽略 fail2ban 防御,以空格间隔。
ignoreip = 127.0.0.1/8
# 客户端主机被禁止的时长(默认单位为秒)
bantime = 86400
# 过滤的时长(秒)
findtime = 600
# 匹配到的阈值(次数)
maxretry = 3
dstmail="xx@xx.com"
[ssh]
# 是否开启
enabled = true
# 过滤规则
filter = sshd
# 动作
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=%(dstmail)s]
# 日志文件的路径
logpath = /var/log/secure
# 匹配到的阈值(次数)
maxretry = 3
cp /etc/fail2ban/action.d/mail-whois.conf /etc/fail2ban/action.d/mail-whois.local
按需修改mail-whois.local邮件模板
systemctl start fail2ban
fail2ban-client reload
我们可以查看当前被禁止登陆的ip:
fail2ban-client status ssh
Status for the jail: ssh
|- filter
| |- File list: /var/log/secure #日志文件路径
| |- Currently failed: 0 #当前失败次数
| `- Total failed: 3 #总失败次数
`- action
|- Currently banned: 1 #当前禁止的ip数量
| `- IP list: 192.168.1.112 #当前禁止的ip
`- Total banned: 1 #禁止的ip总数
iptables -t filter -L -n
fail2ban-client常用的命令
start 启动fail2ban server和监狱
reload 重新加载配置文件
stop 暂停fail2ban和监狱
status 查看运行的监控服务数量和列表
set loglevel 设置日志等级,有 CRITICAL, ERROR, WARNING,NOTICE, INFO, DEBUG
get loglevel 获取当前日志的等级
set
set
set
set
set
fail2ban-client set ssh unbanip xxx.xx
自写filter测试
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf