Linux-fail2ban

1. 作者QQ：67065435 QQ群：821635552

2. 本站内容全部为作者原创，转载请注明出处！

3. 安装前请先确认,您的服务器使用的防护软件为firewalld而不是iptables

4. 安装fail2ban

   yum -y install epel-release
   yum -y install fail2ban
   

5. 新增Nginx防CC攻击规则

   vim /etc/fail2ban/filter.d/nginx-cc.conf
   
   [Definition]
   failregex = <HOST> -.*- .*HTTP/1.* .* .*$
   ignoreregex =
   
   ESC
   :wq
   

6. 调整配置

   vim /etc/fail2ban/jail.local
   
   #除了127.0.0.1以外100秒内访问次数超过200次的IP都将被firewalld屏蔽600秒
   [DEFAULT]
   ignoreip  = 127.0.0.1,192.168.0.1
   bantime   = 86400
   findtime  = 600
   maxretry  = 3
   banaction = firewallcmd-ipset
   action    = %(action_mwl)s
   
   [sshd]
   enabled   = true
   filter    = sshd
   port      = 22
   bantime   = 86400
   findtime  = 600
   maxretry  = 3
   action    = %(action_mwl)s
   logpath   = /var/log/secure
   
   [nginx-cc]
   enabled   = true
   filter    = nginx-cc
   port      = 80,443
   bantime   = 3600
   findtime  = 100
   maxretry  = 100
   action    = %(action_mwl)s
   logpath = /usr/local/nginx/logs/access.log
   
   ESC
   :wq
   

7. 开机启动、启动、重启、停止、禁止开机启动

   #开机启动
   systemctl enable fail2ban
   #启动
   systemctl start fail2ban
   #重启
   systemctl restart fail2ban
   #停止
   systemctl stop fail2ban
   #禁止开机启动
   systemctl disable fail2ban
   

8. fail2ban-client

   #重载fail2ban所有规则的配置
   fail2ban-client reload
   
   #查看fail2ban指定规则的状态
   fail2ban-client status [规则名称]
   
   #修改fail2ban指定规则的状态
   fail2ban-client set [规则名称] unbanip [IP]
   
   #查看fail2ban工作日志
   tail /var/log/fail2ban.log
   

9. fail2ban-client命令参数

   # 配置文件目录
   -c [目录路径]
   
   # 会话文件路径
   -s [文件路径]
   
   # 进程ID文件路径
   -p [文件路径]
   
   # 打印配置信息
   -d
   
   # 打开互动模式
   -i
   
   # 增加冗余长度
   -v
   
   # 减少冗余长度
   -q
   
   # 强制执行server(删除套接字文件)
   -x
   
   # 在后台运行server
   -b
   
   # 在前台运行server
   -f
   
   # 获取帮助信息
   -h
   
   # 获取版本信息
   -V
   

10. fail2ban-client进阶命令

    # 启动服务和规则
    start
    
    # 重新加载配置
    reload
    
    # 重新加载指定规则的配置
    reload [规则名称]
    
    # 停止所有规则并关闭服务
    stop
    
    # 查看所有规则的运行状态及服务运行状态
    status
    
    # 查看指定规则的运行状态
    status [规则名称]
    
    # 查看测试服务是否在运行
    ping
    
    # 获得帮助
    help
    
    # 获得版本信息
    version
    
    # 设置日志级别
    set loglevel [CRITICAL, ERROR, WARNING,NOTICE, INFO, DEBUG]
    
    # 获取日志级别
    get loglevel
    
    # 设置日志标签
    set logtarget [STDOUT, STDERR, SYSLOG]
    
    # 获取日志标签
    get logtarget
    
    # 设置系统日志套接字
    set syslogsocket auto|[套接字]
    
    # 获取系统日志套接字
    get syslogsocket
    
    # 刷新日志标签
    flushlogs
    
    # 其它命令
    set dbfile [文件路径|None]
    get dbfile
    
    set dbpurgeage [秒数]
    get dbpurgeage
    
    add [规则名称] [后台]
    start [规则名称]
    stop [规则名称]
    status [规则名称] [个性定制]
    
    set [规则名称] idle on
    set [规则名称] idle off
    # 添加IP白名单
    set [规则名称] addignoreip [IP]
    # 删除IP白名单
    set [规则名称] delignoreip [IP]
    

11. 参考链接