1.CentOS内置源并未包含fail2ban,需要先安装epel源
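# fail2ban is not in the CentOS base repositories; enable EPEL first
yum -y install epel-release
# install fail2ban (package name is "fail2ban"; the original comment misspelt it)
yum -y install fail2ban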
2.防爆破配置文件
新建文件 jail.local,放到 fail2ban 的配置目录 /etc/fail2ban 下。不要直接修改 jail.conf:它会在软件包升级时被覆盖,而 jail.local 中的同名设置会覆盖 jail.conf 的值。
以下是配置内容,请根据自己的需求修改(文中的 bantime/findtime/maxretry 取值非常激进,启用前务必先把自己的管理 IP 加入 ignoreip)。
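# /etc/fail2ban/jail.local
# Read by fail2ban's configparser-based loader: keys in [DEFAULT] are inherited by
# every jail and %(name)s references are interpolated.
#
# ignoreip:   hosts/networks fail2ban never bans (whitelist). Add your own management
#             IP here BEFORE enabling any jail: with maxretry = 1 and the near-permanent
#             bantime below, a single mistyped password locks that address out for good.
# bantime:    ban duration in seconds (fail2ban's own default is 600 = 10 minutes)
# findtime:   a host is banned once it fails maxretry times within findtime seconds
# maxretry:   failures that trigger a ban; applies to jails that do not set their own
# sendername: display name of the alert e-mail sender
# sender:     e-mail address alerts are sent from
# destemail:  e-mail address alerts are sent to
# NOTE: sendername/sender/destemail are NOT set in this file, so fail2ban's built-in
# defaults (root@localhost) apply; set them if the mail actions are supposed to reach you.
[DEFAULT]
ignoreip = 127.0.0.1/8
# 99999999 s is about 3.2 years, i.e. effectively a permanent ban
bantime = 99999999
# with findtime this large, any single failure ever seen counts toward the ban
findtime = 99999999
maxretry = 1
# firewallcmd-ipset needs firewalld running and the ipset package installed
banaction = firewallcmd-ipset
# action_mwl = ban + e-mail containing whois output and the matching log lines;
# it needs a working MTA (and typically the whois binary) or the action fails
action = %(action_mwl)s

# enabled:  turn the jail on or off
# port:     service name when the default port is used, otherwise the port number
# logpath:  log file the filter reads
# backend:  how log changes are detected (not set here, so fail2ban's default applies)
[sshd]
enabled = true
filter = sshd
port = 22
# action is inherited from [DEFAULT] (%(action_mwl)s); repeating it here was redundant
# CentOS writes SSH auth events to /var/log/secure; Debian/Ubuntu use /var/log/auth.log
logpath = /var/log/secure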
3.完成后启动
# start the service
systemctl start fail2ban
# stop the service (fail2ban removes the firewall rules/ipsets it created on stop, so
# active bans are lifted; whether they are restored on the next start depends on the
# installed version's persistent ban database - verify on your system)
systemctl stop fail2ban
# start automatically at boot
systemctl enable fail2ban
设置开机自启并启动(CentOS 和 Ubuntu 通用;但注意 Ubuntu 上 sshd 的日志路径是 /var/log/auth.log,而不是上面配置里的 /var/log/secure,需相应修改 logpath)
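# enable at boot and start now
systemctl enable fail2ban
systemctl start fail2ban
# list banned IPs for one jail; the argument is the jail (section) name, e.g. sshd for
# the [sshd] section above. Run "fail2ban-client status" with no name to list all jails.
fail2ban-client status sshd
# unban an IP in the given jail (runs as root like the other commands here; the
# original prefixed only this one with sudo)
fail2ban-client set sshd unbanip 192.168.111.111
# inspect fail2ban's own log (bans, unbans, action errors such as a failing MTA)
tail /var/log/fail2ban.log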
查看是否启动:
systemctl status fail2ban
4.示例配置
ssh 22 默认防爆破配置(与上面 jail.local 里的 [sshd] 监控同一日志、使用同一过滤器,二者只应启用一个,否则同一次失败会被两套动作各封禁一次)
# Alternative SSH brute-force jail using fail2ban's plain iptables action.
# It watches the same log with the same filter as the [sshd] jail in jail.local above,
# so enable only one of the two, or every failure is banned twice with different actions.
# The plain iptables action inserts rules directly with the iptables binary; on a
# firewalld host (jail.local above uses firewallcmd-ipset) a firewalld reload can drop
# them - confirm which firewall manages this machine before choosing the action.
[ssh-iptables]
enabled = true
filter = sshd
logpath = /var/log/secure
# 3 failures within 300 s (5 minutes) trigger the ban
maxretry = 3
findtime = 300
# block TCP/22 for the offender via iptables; bantime is not set here, so the
# [DEFAULT] value (or jail.conf's) applies
action = iptables[name=SSH, port=22, protocol=tcp]
阻止恶意扫描
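# Example: ban hosts probing for non-existent paths (directory scanning).
# Requires a custom filter /etc/fail2ban/filter.d/nginx-dir-scan.conf; fail2ban does not
# ship one under this name. With maxretry = 1 a single match bans for two days, so the
# filter's regex must be precise, or an ordinary visitor hitting one missing URL is banned.
[nginx-dir-scan]
enabled = true
filter = nginx-dir-scan
# nginx's access log covers both HTTP and HTTPS; banning only port 443 (as the original
# did) leaves the scanner free to continue on port 80, so block both web ports.
action = iptables-multiport[name=nginx-dir-scan, port="http,https", protocol=tcp]
# same access log as the [nginx-cc] jail below; adjust to your nginx access_log path
logpath = /usr/local/nginx/logs/access.log
maxretry = 1
# 172800 s = 48 hours
bantime = 172800
findtime = 300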
防止 CC 攻击
# Example: request-flood ("CC" attack) jail for nginx.
# Needs a custom filter /etc/fail2ban/filter.d/nginx-cc.conf (not shipped with fail2ban).
# Tune maxretry/findtime against real traffic: if the filter matches every request,
# one browser loading a page with many assets can exceed 20 hits in 60 s.
[nginx-cc]
enabled = true
filter = nginx-cc
logpath = /usr/local/nginx/logs/access.log
# both web ports; this is the port list %(action_mwl)s passes to the ban action
port = http,https
# ban + e-mail with whois and log lines (banaction/MTA settings come from [DEFAULT])
action = %(action_mwl)s
# 20 matches within 60 s -> ban for 3600 s (1 hour)
maxretry = 20
findtime = 60
bantime = 3600
防止 vsftpd 攻击规则
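# Example: vsftpd brute-force protection as two jails on the same log.
# Both use the stock vsftpd filter on /var/log/vsftpd.log, so every match fires in both:
# the -notification jail only sends mail (its bantime is irrelevant since it never bans),
# and the -iptables jail mails as well, so each offender produces two e-mails.
# Keep only [vsftpd-iptables] unless the separate notification is wanted.
# Replace you@example.com with a real address; mail delivery needs a working MTA.
[vsftpd-notification]
enabled = true
filter = vsftpd
# sendmail-whois only e-mails a whois report; it does not block the host
action = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

[vsftpd-iptables]
enabled = true
filter = vsftpd
# two actions: block the FTP control port AND mail a whois report. The second line is a
# value continuation and MUST be indented - the original had it at column 0, which
# fail2ban's configparser does not read as part of the action value.
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
# 5 failures -> ban for 1800 s (30 minutes); findtime is inherited
maxretry = 5
bantime = 1800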