Using Fail2Ban to Block Brute-Force Login Attempts
Background
I think I wrote about this before: because I needed mail forwarding, I set up a Postfix mail server on my VPS.
Not long after it went live the problems started. Postfix does have a few options for limiting repeated logins, but they are fairly weak: they only throttle the login action at the application level and cannot block anything at the network level. What we want is a tool that detects these malicious logins and bans the source IP automatically, so that brute-force attempts get cut off without manual work.
A bit of searching showed that others had run into the same thing, and that there is a free, open-source tool with more features than I need: fail2ban. Hence this write-up.
Steps
Installing fail2ban
My VPS runs 64-bit CentOS 7. fail2ban can be installed either with yum (from the EPEL repository) or from source.
Installing with yum
A - CentOS 6
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban
B - CentOS 7
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
yum install fail2ban
The epel-release RPM URLs above point at specific package revisions that get replaced over time; on CentOS 7 the package is also in the extras repository, so `yum install epel-release` followed by `yum install fail2ban` is enough and does not depend on a particular file name.
Installing from source
fail2ban is open source and hosted on GitHub; clone the repository and run the setup script:
git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
python setup.py install
After a source install, register fail2ban so that it starts at boot. The repository ships init scripts under files/:
Debian family:
cd fail2ban
cp files/debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban defaults
service fail2ban start
CentOS family:
cd fail2ban
cp files/redhat-initd /etc/init.d/fail2ban
systemctl daemon-reload
systemctl restart fail2ban
systemctl enable fail2ban
For other distributions, look up the matching script yourself. If you install the wrong startup file the service does not actually come up: `systemctl status fail2ban` reports it as "active (exited)" (shown in green, so it is easy to mistake for a healthy service) instead of "active (running)". If you installed from EPEL with yum, the package already ships a systemd unit and this step is not needed.
With that done, fail2ban starts automatically at boot.
Configuring fail2ban
fail2ban's configuration lives in /etc/fail2ban. The default file, jail.conf, already contains jail definitions for a wide range of services (SSH logins, Postfix logins, nginx, Apache, and so on). All of them are disabled by default; you enable the ones you need.
Your own settings go in jail.local (create it if it does not exist); that file overrides jail.conf and survives package upgrades. The configuration on my VPS, which guards SSH, Postfix/Dovecot and MySQL logins, is shown below.
Two failed login attempts within 50 minutes get the source IP banned for 100 hours. That is very aggressive, and very effective: a ban that long makes brute forcing from a single address impractical. A few caveats: the values bantime = 6000m and findtime = 50m use time suffixes that older fail2ban releases (0.9.x) do not understand, so there you would write 360000 and 3000 seconds instead; with maxretry = 2 a single mistyped password of your own locks you out for 100 hours, so list your own addresses under ignoreip in [DEFAULT] and keep a console or a second way onto the box; and the mysqld-auth jail only works if MySQL actually writes failed logins to its error log, so check the notes at the top of /etc/fail2ban/filter.d/mysqld-auth.conf for the log_warnings setting it expects.
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 6000m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 50m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 2

[sshd]
enabled = true

[postfix]
enabled = true

#[postfix-rbl]
#enabled = true

#[courier-smtp]
#enabled = true

[dovecot]
enabled = true

#[courier-auth]
#enabled = true

[postfix-sasl]
enabled = true

[mysqld-auth]
enabled = true
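To make the interaction of findtime, maxretry and bantime concrete, here is an added example (mine, not code from the original post or from the fail2ban project) that replays a few constructed /var/log/maillog lines through a simplified jail. The failregex and the <HOST> pattern are cut-down stand-ins for what filter.d/postfix-sasl.conf and fail2ban's jail engine do, the sample log lines are constructed using RFC 5737 documentation addresses, and the year is assumed because syslog timestamps do not carry one. It runs the page's settings side by side with the stock jail.conf defaults and also shows the ignoreip whitelist.

```python
"""Replay Postfix SASL log lines through a fail2ban-style jail window.

Added example; the regex and window logic are simplified stand-ins for
what fail2ban's filter.d/postfix-sasl.conf and its jail engine do.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag also
# matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified version of the failregex in filter.d/postfix-sasl.conf.
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[" + HOST + r"\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# The settings from the jail.local above, and the stock jail.conf defaults for comparison.
PAGE = dict(findtime=timedelta(minutes=50), maxretry=2, bantime=timedelta(minutes=6000))
STOCK = dict(findtime=timedelta(minutes=10), maxretry=5, bantime=timedelta(minutes=10))

# Constructed sample of /var/log/maillog (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jan 20 13:00:00 vps postfix/smtpd[608]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure",
    "Jan 20 13:41:53 vps postfix/smtpd[608]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jan 20 13:42:10 vps postfix/smtpd[608]: connect from mail.example.net[192.0.2.10]",
    "Jan 20 13:45:04 vps postfix/smtpd[608]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure",
    "Jan 20 13:50:00 vps postfix/smtpd[608]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jan 20 14:10:00 vps postfix/smtpd[608]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure",
]


def parse_failure(line, year):
    """Return (timestamp, host) when the line matches the failregex, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed 2018 here)
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("host")


def simulate(lines, *, findtime, maxretry, bantime, ignoreip=(), year=2018):
    """Return [(host, ban_time), ...] for a replay of `lines` through the jail."""
    failures = defaultdict(list)   # host -> failure timestamps still inside findtime
    banned_until = {}              # host -> when its current ban expires
    bans = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, host = parsed
        if host in ignoreip:
            continue                              # whitelisted, never banned
        if banned_until.get(host, ts) > ts:
            continue                              # still banned: its packets are rejected
        # keep only failures inside the sliding findtime window, then add this one
        window = [t for t in failures[host] if ts - t <= findtime] + [ts]
        if len(window) >= maxretry:
            bans.append((host, ts))
            banned_until[host] = ts + bantime
            failures[host] = []
        else:
            failures[host] = window
    return bans


if __name__ == "__main__":
    for name, settings in ("jail.local", PAGE), ("stock", STOCK):
        print(name, simulate(SAMPLE_LOG, **settings))
```

With the page's settings 203.0.113.7 is banned on its second failure at 13:45:04, and its third attempt at 13:50:00 is never seen because its traffic is already rejected. 198.51.100.9 spaces its two failures 70 minutes apart, so it never has two failures inside the 50 minute window and is never banned: that is the low-and-slow pattern a sliding window cannot catch on its own. With the stock 10m/5 defaults nothing in this sample is banned at all, which is why the author's settings feel so much more effective.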
Configuring log paths
fail2ban ships with a set of default log paths; the mail log, for example, is expected at /var/log/maillog. VPS providers often customise these locations, and when fail2ban cannot find a log it refuses to start and the service start command fails with an error.
In that case you can adjust /etc/fail2ban/paths-common.conf to match your system. Two cleaner alternatives that package upgrades will not overwrite: put the changed variables in /etc/fail2ban/paths-overrides.local, which paths-common.conf includes at the end, or set logpath = ... directly in the affected jail's section of jail.local. Either way, `fail2ban-client -d` dumps the resolved configuration so you can confirm which file each jail will actually read before starting the service.
For example, this entry sets the location of the mail log:
# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
#postfix_log = %(syslog_mail_warn)s
postfix_log = /var/log/maillog
postfix_backend = %(default_backend)s
Starting fail2ban
CentOS 6:
service fail2ban restart
CentOS 7:
systemctl restart fail2ban.service
Enabling start at boot
CentOS 6:
chkconfig fail2ban on
CentOS 7:
systemctl enable fail2ban
Results
After running it for a while, the steady stream of brute-force attempts has essentially stopped, and the ban list holds a long tail of blocked IPs, which is exactly what I wanted.
As the fail2ban log below shows, the password-guessing sources are getting banned:
2018-01-20 13:41:54,430 fail2ban.filter [608]: INFO [postfix-sasl] Found 185.222.209.14 - 2018-01-20 13:41:53
2018-01-20 13:45:04,427 fail2ban.filter [608]: INFO [postfix-sasl] Found 179.105.255.72 - 2018-01-20 13:45:04
2018-01-20 13:45:04,870 fail2ban.actions [608]: NOTICE [postfix-sasl] Ban 179.105.255.72
iptables holds a pile of banned addresses. There are clearly a lot of servers out there running password brute forcing if even my obscure little site gets hammered like this... The rules are readable with `iptables --list-rules` as below; `fail2ban-client status postfix-sasl` gives the same list per jail together with the failure counters, and `fail2ban-client set postfix-sasl unbanip <ip>` lifts a ban if a legitimate address gets caught. Note that each jail installs its own chain matched only on that jail's ports, so the f2b-postfix-sasl chain below rejects the banned hosts on the mail ports (25, 465, 587, 220, 993, 110, 995) only; the same host can still reach SSH unless the sshd jail bans it as well.
iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -j f2b-postfix-sasl
-A f2b-postfix-sasl -s 179.184.201.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 179.105.255.72/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 91.237.124.222/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 201.40.122.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 41.71.71.118/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 31.27.32.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 64.39.166.40/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 120.150.227.127/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 95.59.137.196/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 222.102.154.172/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 200.105.132.238/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 185.109.169.71/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 181.54.254.152/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 41.193.16.218/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 37.49.227.159/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 190.194.112.164/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 71.165.225.25/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 188.225.171.58/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 180.211.92.122/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 203.191.174.55/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 203.154.204.209/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 104.215.2.8/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 213.156.120.22/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 187.67.207.89/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 196.22.248.246/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 181.49.39.70/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 179.234.26.230/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 31.28.86.59/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 2.42.219.63/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 94.23.252.94/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 91.200.12.103/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 91.200.12.87/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 93.174.93.29/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
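The fail2ban log is the quickest way to audit what the jails are doing over time: not just who got banned, but which hosts were "Found" and never reached maxretry. Here is an added example (mine, not code from the original post or from fail2ban) that parses lines in the format shown above into a per-jail report. The sample log is constructed with RFC 5737 documentation addresses; the regex assumes the stock fail2ban.log line layout seen on this page (timestamp, logger, pid, level, [jail], event, IP) and only looks at Found, Ban and Unban events.

```python
"""Summarise fail2ban.log: bans per jail, plus hosts seen but never banned.

Added example. Parses the line format shown on this page; other event
types (e.g. "Restore Ban" in newer releases) are deliberately ignored.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.\w+\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[\w-]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)

# Constructed sample of /var/log/fail2ban.log in the format shown above.
FAIL2BAN_LOG = """\
2018-01-20 13:41:54,430 fail2ban.filter         [608]: INFO    [postfix-sasl] Found 203.0.113.7 - 2018-01-20 13:41:53
2018-01-20 13:45:04,427 fail2ban.filter         [608]: INFO    [postfix-sasl] Found 203.0.113.7 - 2018-01-20 13:45:04
2018-01-20 13:45:04,870 fail2ban.actions        [608]: NOTICE  [postfix-sasl] Ban 203.0.113.7
2018-01-20 13:52:11,002 fail2ban.filter         [608]: INFO    [sshd] Found 198.51.100.9 - 2018-01-20 13:52:10
2018-01-20 13:52:30,115 fail2ban.filter         [608]: INFO    [sshd] Found 198.51.100.9 - 2018-01-20 13:52:30
2018-01-20 13:52:30,400 fail2ban.actions        [608]: NOTICE  [sshd] Ban 198.51.100.9
2018-01-20 14:05:00,010 fail2ban.filter         [608]: INFO    [postfix-sasl] Found 192.0.2.33 - 2018-01-20 14:04:59
2018-01-24 17:45:04,900 fail2ban.actions        [608]: NOTICE  [postfix-sasl] Unban 203.0.113.7
"""


def summarize(lines):
    """Return {jail: {"found": n, "banned": [ip...], "seen_not_banned": [ip...]}}.

    "seen_not_banned" lists hosts that produced failures without ever being
    banned in this log; a long list there usually means attempts paced slower
    than findtime, which is worth a second look.
    """
    found = defaultdict(lambda: defaultdict(int))   # jail -> ip -> Found count
    banned = defaultdict(set)                       # jail -> ips that were banned
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        jail, event, ip = m.group("jail", "event", "ip")
        if event == "Found":
            found[jail][ip] += 1
        elif event == "Ban":
            banned[jail].add(ip)
    report = {}
    for jail in set(found) | set(banned):
        report[jail] = {
            "found": sum(found[jail].values()),
            "banned": sorted(banned[jail]),
            "seen_not_banned": sorted(ip for ip in found[jail] if ip not in banned[jail]),
        }
    return report


if __name__ == "__main__":
    for jail, stats in sorted(summarize(FAIL2BAN_LOG.splitlines()).items()):
        print(jail, stats)
```

On the sample, postfix-sasl shows three failures, one ban, and 192.0.2.33 as seen-but-not-banned; run against the real file (`summarize(open("/var/log/fail2ban.log"))`) the same function tells you quickly whether the jails are firing where you expect.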
Summary
After using it for a while, fail2ban has proven its worth, and its resource usage on the VPS is acceptable. If you run a database or a mail system on a VPS, it is worth a try.
References
https://github.com/fail2ban/fail2ban
http://www.laozuo.org/5430.html
https://www.powerrc.net/centos-7-%E9%85%8D%E7%BD%AEfail2ban.html
https://github.com/fail2ban/fail2ban/issues/1687