Fail2ban in practice

Fail2ban watches system logs, matches error entries against regular expressions, and runs the corresponding blocking action; it can also send e-mail notifications.

Official site: http://www.fail2ban.org
Download:
https://github.com/fail2ban/fail2ban

On CentOS, install with YUM:

# The built-in CentOS repositories do not carry fail2ban; install the EPEL repository first
yum install epel-release
# Install fail2ban
yum install fail2ban
# Confirm the installation
rpm -qa | grep fail
fail2ban-0.9.7-1.el7.noarch
fail2ban-server-0.9.7-1.el7.noarch
fail2ban-firewalld-0.9.7-1.el7.noarch
fail2ban-sendmail-0.9.7-1.el7.noarch

# Confirm the installation (package contents)
rpm -ql fail2ban-0.9.7-1.el7.noarch
(no files included)

# Confirm the installation (package contents)
rpm -ql fail2ban-server-0.9.7-1.el7.noarch
/etc/fail2ban
/etc/fail2ban/action.d
/etc/fail2ban/action.d/*            ----- action definitions
/etc/fail2ban/fail2ban.conf         ----- log level, log location and socket file location
/etc/fail2ban/fail2ban.d
/etc/fail2ban/filter.d
/etc/fail2ban/filter.d/*            ----- matching rules (filters)
/etc/fail2ban/jail.conf             ----- main configuration file
/etc/fail2ban/jail.d
/etc/fail2ban/paths-common.conf
/etc/fail2ban/paths-debian.conf
/etc/fail2ban/paths-fedora.conf
/etc/fail2ban/paths-freebsd.conf
/etc/fail2ban/paths-opensuse.conf
/etc/fail2ban/paths-osx.conf
/etc/logrotate.d/fail2ban
/run/fail2ban
/run/fail2ban/fail2ban.pid
/usr/bin/fail2ban-client
/usr/bin/fail2ban-python
/usr/bin/fail2ban-regex
/usr/bin/fail2ban-server
/usr/lib/python2.7/site-packages/fail2ban
/usr/lib/systemd/system/fail2ban.service
/usr/lib/tmpfiles.d/fail2ban.conf
/var/lib/fail2ban

# Confirm the installation (package contents)
rpm -ql fail2ban-firewalld-0.9.7-1.el7.noarch
/etc/fail2ban/jail.d/00-firewalld.conf

# Confirm the installation (package contents)
rpm -ql fail2ban-sendmail-0.9.7-1.el7.noarch
/etc/fail2ban/action.d/sendmail-buffered.conf
/etc/fail2ban/action.d/sendmail-common.conf
/etc/fail2ban/action.d/sendmail-geoip-lines.conf
/etc/fail2ban/action.d/sendmail-whois-ipjailmatches.conf
/etc/fail2ban/action.d/sendmail-whois-ipmatches.conf
/etc/fail2ban/action.d/sendmail-whois-lines.conf
/etc/fail2ban/action.d/sendmail-whois-matches.conf
/etc/fail2ban/action.d/sendmail-whois.conf

Key files:
1 /etc/fail2ban/fail2ban.conf
This file configures the Fail2ban daemon itself, mainly the log level, log location and socket file location. It normally needs no changes; if you do need to change something, create /etc/fail2ban/fail2ban.local under /etc/fail2ban and override the relevant values there. By convention you can also create a file under /etc/fail2ban/fail2ban.d/ to apply overrides.

2 /etc/fail2ban/paths-xxxx.conf
These define the input log file paths; depending on the OS, the matching file is included by /etc/fail2ban/jail.conf. The override rule is the same: create a paths-xxx.local file.

3 /etc/fail2ban/jail.conf
This is the main configuration file and normally should not be edited. To change something, create /etc/fail2ban/jail.local. Note that you can also create individual files ending in .conf under /etc/fail2ban/jail.d to override jail.conf, or files ending in .local under jail.d to override jail.local (precedence: jail.conf -> jail.d/xxx.conf -> jail.local -> jail.d/xxx.local).

Note: usually creating jail.local is all you need.

4 /etc/fail2ban/filter.d/*
This directory holds the built-in filters. A filter defines how log data is matched; for example /etc/fail2ban/filter.d/ssh.conf contains the regular expressions that extract the relevant information. If no built-in filter fits, write your own.

5 /etc/fail2ban/action.d/*
These define what to do when a filter matches. For example /etc/fail2ban/action.d/iptables.conf defines how to ban an IP. If no existing action fits, add your own.
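As an added illustration of the override order in point 3 (example code written for this page, not fail2ban's own configuration loader): four constructed fragments stand in for jail.conf, a jail.d/*.conf file, jail.local and a jail.d/*.local file, and Python's configparser reads them in that order, so later layers overwrite earlier ones and a jail inherits whatever it does not set from [DEFAULT]. The fragments, their values and the jail name ssh-iptables are assumptions for the demonstration.

```python
"""Added example for this page (not fail2ban's own configuration loader).

Demonstrates the override order jail.conf -> jail.d/*.conf -> jail.local -> jail.d/*.local
and [DEFAULT] inheritance, using constructed fragments in place of the real files.
"""
import configparser

# Constructed stand-ins for the four layers (assumption: not the files the package ships).
# Each layer sets bantime/maxretry differently so the winning layer is visible.
JAIL_CONF = """\
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5

[ssh-iptables]
enabled = false
filter  = sshd
logpath = /var/log/secure
"""

JAIL_D_CONF = """\
[DEFAULT]
bantime = 3600
"""

JAIL_LOCAL = """\
[DEFAULT]
bantime = 86400

[ssh-iptables]
enabled  = true
maxretry = 3
"""

JAIL_D_LOCAL = """\
[ssh-iptables]
maxretry = 2
"""

# The order in which fail2ban reads the layers.
LAYERS = [JAIL_CONF, JAIL_D_CONF, JAIL_LOCAL, JAIL_D_LOCAL]


def effective_config(layers):
    """Read every layer into one parser; later reads overwrite values set by earlier ones.

    configparser treats [DEFAULT] as a fallback for every section, which is also how a
    fail2ban jail picks up bantime/findtime/maxretry it does not set itself.
    """
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)
    return cp


def effective_jail(layers, jail="ssh-iptables"):
    """The options fail2ban would actually use for the jail, as a plain dict of strings."""
    return dict(effective_config(layers)[jail])


def which_layer_wins(layers, jail, option):
    """0-based index of the last layer that sets `option` for the jail (directly or via its
    own [DEFAULT]); None if no layer sets it."""
    winner = None
    for i, text in enumerate(layers):
        one = configparser.ConfigParser(interpolation=None)
        one.read_string(text)
        if option in one.defaults() or (one.has_section(jail) and one.has_option(jail, option)):
            winner = i
    return winner


if __name__ == "__main__":
    for key, value in sorted(effective_jail(LAYERS).items()):
        print(f"{key:10} = {value:20} (from layer {which_layer_wins(LAYERS, 'ssh-iptables', key)})")
```

Running the file prints the effective options: maxretry ends up as 2 from the jail.d/*.local layer even though jail.local set 3 and the jail.conf [DEFAULT] said 5, bantime comes from jail.local, and findtime survives from jail.conf because no later layer touched it.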

Key configuration points:
1 Define a block in square brackets; the name is arbitrary
[ssh-iptables]
2 Enable the block
enabled = true
3 Specify the filter (sshd must exist in /etc/fail2ban/filter.d)
filter = sshd
4 Specify the action
action = iptables[name=SSH, port=ssh, protocol=tcp]
5 Send e-mail (any of the following mail actions)
sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@email.com]
mail[name=SSH, dest=xxx@xx.com]
mail-whois[name=SSH, dest=xxx@xx.com]
6 Log file to monitor (used by the filter)
logpath = /var/log/secure
7 Maximum number of attempts
maxretry = 3

Example configuration:

vi /etc/fail2ban/jail.conf
[DEFAULT]
# IPs/networks to ignore
ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24
# Ban duration (seconds)
bantime = 86400
# Allowed number of failures
maxretry = 5
# Window for counting failures (seconds): if maxretry is exceeded within this interval, e.g. 10 minutes, the action is taken; use 600 here
findtime = 600
# Log change detection mechanism (gamin, polling, auto)
backend = auto

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@email.com]
logpath = /var/log/secure
maxretry = 3

Note: each configuration block can override the values defined above it.
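To see what the values above actually do, here is an added example, not from the original post and not fail2ban's own code: a small Python replay of the ssh-iptables jail over constructed /var/log/secure lines. It uses a simplified stand-in for the sshd filter's "Failed password" regex, honours the ignoreip list, and applies the findtime/maxretry/bantime rule. The log lines, hostname, IP addresses and the assumed year are all constructed.

```python
"""Added example for this page (not fail2ban's own code): replay of the ssh-iptables jail.

Applies a simplified sshd "Failed password" pattern, the ignoreip list and the
findtime/maxretry/bantime rule to constructed /var/log/secure lines.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified stand-in for the "Failed password" rule of fail2ban's sshd filter.
# Real filters write <HOST> where this pattern has the (?P<host>...) group.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Values taken from the [DEFAULT] / [ssh-iptables] blocks above.
IGNOREIP = "127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24"
FINDTIME = 600      # seconds
MAXRETRY = 3        # the jail's own value overrides the [DEFAULT] value of 5
BANTIME = 86400     # seconds

# Constructed log lines (assumption: illustrative only). 203.0.113.5 fails three times
# within 8 seconds; 198.51.100.7 fails three times but 20 minutes apart; 192.168.0.20
# fails three times but sits inside an ignoreip network.
SAMPLE_LOG = """\
Nov 13 10:00:01 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 13 10:00:02 host1 sshd[1002]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Nov 13 10:00:03 host1 sshd[1003]: Failed password for root from 198.51.100.7 port 41000 ssh2
Nov 13 10:00:05 host1 sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Nov 13 10:00:09 host1 sshd[1005]: Failed password for root from 203.0.113.5 port 51236 ssh2
Nov 13 10:00:10 host1 sshd[1006]: Failed password for root from 192.168.0.20 port 42000 ssh2
Nov 13 10:00:11 host1 sshd[1007]: Failed password for root from 192.168.0.20 port 42001 ssh2
Nov 13 10:00:12 host1 sshd[1008]: Failed password for root from 192.168.0.20 port 42002 ssh2
Nov 13 10:20:00 host1 sshd[1009]: Failed password for root from 198.51.100.7 port 41001 ssh2
Nov 13 10:40:00 host1 sshd[1010]: Failed password for root from 198.51.100.7 port 41002 ssh2
"""


def parse_ts(text, year=2024):
    """syslog timestamps carry no year, so one is assumed here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def ignored_networks(ignoreip):
    return [ipaddress.ip_network(item, strict=False) for item in ignoreip.split()]


def is_ignored(host, networks):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME, ignoreip=IGNOREIP):
    """Replay the log; return (bans, ignored_hits) where bans maps host -> (ban time, expiry)."""
    networks = ignored_networks(ignoreip)
    failures = {}   # host -> timestamps of failures still inside the findtime window
    bans = {}
    ignored_hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue   # not a failure line for this filter (e.g. the Accepted publickey line)
        ts, host = parse_ts(m.group("ts")), m.group("host")
        if is_ignored(host, networks):
            ignored_hits.append(host)
            continue   # ignoreip: counted nowhere, never banned
        if host in bans and ts < bans[host][1]:
            continue   # still banned; the firewall would not let new attempts through
        window_start = ts - timedelta(seconds=findtime)
        recent = [t for t in failures.get(host, []) if t >= window_start]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
            failures[host] = []
    return bans, ignored_hits


def banned_hosts(log_text=SAMPLE_LOG):
    bans, _ = simulate(log_text)
    return sorted(bans)


if __name__ == "__main__":
    bans, ignored = simulate(SAMPLE_LOG)
    for host, (when, until) in bans.items():
        print(f"ban {host} at {when} until {until}")
    print("ignored hits from:", sorted(set(ignored)))
```

Only 203.0.113.5 gets banned: its third failure lands 8 seconds after the first, inside findtime. 198.51.100.7 also fails three times, but each failure is more than findtime away from the previous one, so the counter never reaches maxretry; 192.168.0.20 matches the filter three times but is skipped by ignoreip.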

Configuring e-mail delivery via SMTP:
First install mailx; see: http://blog.ifeeline.com/2809.html

vi /etc/fail2ban/action.d/mail.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
#actionstart = printf %%b "Hi,\n
#              The jail <name> has been started successfully.\n
#              Regards,\n
#              Fail2Ban"|mailx -s "[Fail2Ban] <name>: started  on `uname -n`" <dest>
actionstart = 

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
#actionstop = printf %%b "Hi,\n
#             The jail <name> has been stopped.\n
#             Regards,\n
#             Fail2Ban"|mailx -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
actionstop = 

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban"|mailx -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = 

[Init]

# Default name of the chain
#
name = default

# Destination/Addressee of the mail
#
dest = root

Note that mail has been replaced with mailx here. Also, actionstart and actionstop have been cleared out: those two commands send mail when fail2ban starts and stops, which does not seem necessary.

Also, on a restart, if a batch of IPs was already banned, a batch of e-mails is sent, which is rather inconvenient.

If you want a whois lookup on the IP, install whois and use the mail-whois.conf action (copy it from the source repository; configure it the same way as mail.conf, changing mail to mailx).

Common commands:
# Start/stop; enable/disable at boot
systemctl status fail2ban
systemctl start fail2ban
systemctl stop fail2ban
systemctl enable fail2ban
systemctl disable fail2ban

# Show the version
fail2ban-client version

# Query the current status; shows which jails are active
fail2ban-client status

# Query the status of a specific jail; shows which IPs are currently banned
fail2ban-client status ssh-iptables

# Manually ban an IP
fail2ban-client set ssh-iptables banip 192.168.1.111

# Unban an IP
fail2ban-client set ssh-iptables unbanip 192.168.1.111

# View the log
tail /var/log/fail2ban.log

Problems encountered:
1 After restarting iptables, fail2ban stops working with: Couldn't load target `f2b-SSH'

# fail2ban stops working after iptables is restarted
systemctl restart iptables

# Stop fail2ban first
systemctl stop fail2ban
# Then start fail2ban again
systemctl start fail2ban

2 Notes for CentOS 7
On CentOS 7 the iptables service is not started by default; firewalld is. So stop firewalld first, then start iptables:

yum install iptables
yum install iptables-services

systemctl enable iptables.service

# Note: by default the iptables-services rule file restricts inbound access; open it with vi (its default content is shown below)
# sample configuration for iptables service

# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Remove the -A rules and save.
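For problem 1 above, here is an added example (not from the original post and not fail2ban's own code): a Python check that inspects `iptables -S` output and reports whether the f2b-SSH chain created by the iptables action for name=SSH still exists and is still referenced from INPUT. The two rule listings are constructed to show the working state and the state after `systemctl restart iptables`; live_check() runs the real command and needs root and iptables installed.

```python
"""Added example for this page (not fail2ban's own code).

Checks `iptables -S` output for the chain that the iptables action creates for a jail
(f2b-SSH for name=SSH). After `systemctl restart iptables` reloads the saved rule file,
that chain and the INPUT jump to it are gone, which is what produces
"Couldn't load target `f2b-SSH'" until fail2ban is stopped and started again.
"""
import subprocess

# Constructed `iptables -S` output while fail2ban is working (assumption: illustrative only):
# the chain exists, INPUT jumps to it for port 22, and one address is currently banned.
RULES_HEALTHY = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-SSH
-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A f2b-SSH -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-SSH -j RETURN
"""

# Constructed output after `systemctl restart iptables`: everything fail2ban added at
# runtime is gone and only the saved rule file remains.
RULES_AFTER_RESTART = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def check_jail_chain(rules_text, chain="f2b-SSH"):
    """Parse `iptables -S` output and describe one fail2ban chain.

    defined: a `-N <chain>` line exists
    hooked:  some INPUT rule jumps to the chain
    banned:  source addresses currently listed in the chain
    """
    defined = hooked = False
    banned = []
    for line in rules_text.splitlines():
        parts = line.split()
        if parts[:2] == ["-N", chain]:
            defined = True
        elif parts[:2] == ["-A", "INPUT"] and parts[-2:] == ["-j", chain]:
            hooked = True
        elif parts[:2] == ["-A", chain] and "-s" in parts:
            banned.append(parts[parts.index("-s") + 1].split("/")[0])
    return {"defined": defined, "hooked": hooked, "banned": banned,
            "healthy": defined and hooked}


def live_check(chain="f2b-SSH"):
    """Run the same check against the running firewall (needs root and iptables)."""
    out = subprocess.run(["iptables", "-S"], capture_output=True, text=True, check=True).stdout
    return check_jail_chain(out, chain)


if __name__ == "__main__":
    chain = "f2b-SSH"
    state = live_check(chain)
    if state["healthy"]:
        print(f"{chain} present, {len(state['banned'])} address(es) banned")
    else:
        print(f"{chain} missing or not hooked into INPUT: stop and start fail2ban so it recreates it")
```

Run after any iptables restart (or from a cron job) to catch the silent failure mode: fail2ban keeps detecting attempts and logging bans, but with the chain gone none of them reach the firewall until the service is stopped and started again as described above.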