Linux-fail2ban

1. 作者QQ：67065435 QQ群：821635552

2. 安装前请先确认,您的服务器使用的防护软件为firewalld而不是iptables

3. 安装fail2ban

   yum -y install epel-release
   yum -y install fail2ban
   

4. 新增Nginx防CC攻击规则

   vim /etc/fail2ban/filter.d/nginx-cc.conf
   
   [Definition]
   failregex = <HOST> -.*- .*HTTP/1.* .* .*$
   ignoreregex =
   
   ESC
   :wq
   

5. 调整配置

   vim /etc/fail2ban/jail.local
   
   #除了127.0.0.1以外100秒内访问次数超过200次的IP都将被firewalld屏蔽600秒
   [DEFAULT]
   ignoreip  = 127.0.0.1,192.168.0.1
   bantime   = 86400
   findtime  = 600
   maxretry  = 3
   banaction = firewallcmd-ipset
   action    = %(action_mwl)s
   
   [sshd]
   enabled   = true
   filter    = sshd
   port      = 22
   bantime   = 86400
   findtime  = 600
   maxretry  = 3
   action    = %(action_mwl)s
   logpath   = /var/log/secure
   
   [nginx-cc]
   enabled   = true
   filter    = nginx-cc
   port      = 80,443
   bantime   = 3600
   findtime  = 100
   maxretry  = 100
   action    = %(action_mwl)s
   logpath = /usr/local/nginx/logs/access.log
   
   ESC
   :wq
   

6. 开机启动、启动、重启、停止、禁止开机启动

   #开机启动
   systemctl enable fail2ban
   #启动
   systemctl start fail2ban
   #重启
   systemctl restart fail2ban
   #停止
   systemctl stop fail2ban
   #禁止开机启动
   systemctl disable fail2ban
   

7. fail2ban-client

   #重载fail2ban所有规则的配置
   fail2ban-client reload
   
   #查看fail2ban指定规则的状态
   fail2ban-client status [规则名称]
   
   #修改fail2ban指定规则的状态
   fail2ban-client set [规则名称] unbanip [IP]
   
   #查看fail2ban工作日志
   tail /var/log/fail2ban.log
   

8. fail2ban-client命令参数

   # 配置文件目录
   -c [目录路径]
   
   # 会话文件路径
   -s [文件路径]
   
   # 进程ID文件路径
   -p [文件路径]
   
   # 打印配置信息
   -d
   
   # 打开互动模式
   -i
   
   # 增加冗余长度
   -v
   
   # 减少冗余长度
   -q
   
   # 强制执行server(删除套接字文件)
   -x
   
   # 在后台运行server
   -b
   
   # 在前台运行server
   -f
   
   # 获取帮助信息
   -h
   
   # 获取版本信息
   -V
   

9. fail2ban-client进阶命令

   # 启动服务和规则
   start
   
   # 重新加载配置
   reload
   
   # 重新加载指定规则的配置
   reload [规则名称]
   
   # 停止所有规则并关闭服务
   stop
   
   # 查看所有规则的运行状态及服务运行状态
   status
   
   # 查看指定规则的运行状态
   status [规则名称]
   
   # 查看测试服务是否在运行
   ping
   
   # 获得帮助
   help
   
   # 获得版本信息
   version
   
   # 设置日志级别
   set loglevel [CRITICAL, ERROR, WARNING,NOTICE, INFO, DEBUG]
   
   # 获取日志级别
   get loglevel
   
   # 设置日志标签
   set logtarget [STDOUT, STDERR, SYSLOG]
   
   # 获取日志标签
   get logtarget
   
   # 设置系统日志套接字
   set syslogsocket auto|[套接字]
   
   # 获取系统日志套接字
   get syslogsocket
   
   # 刷新日志标签
   flushlogs
   
   # 其它命令
   set dbfile [文件路径|None]
   get dbfile
   
   set dbpurgeage [秒数]
   get dbpurgeage
   
   add [规则名称] [后台]
   start [规则名称]
   stop [规则名称]
   status [规则名称] [个性定制]
   
   set [规则名称] idle on
   set [规则名称] idle off
   # 添加IP白名单
   set [规则名称] addignoreip [IP]
   # 删除IP白名单
   set [规则名称] delignoreip [IP]
   

10. 参考链接