
UbuntuHelp:Fail2ban

From Ubuntu中文


Introduction

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading the logs of services such as SSH, ProFTP and Apache, and uses iptables rules to block sources that make repeated brute-force attempts.

Installation

To install fail2ban, type the following in the terminal:

sudo apt-get install fail2ban 

Configuration

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban (fail2ban reads jail.local on top of jail.conf, so your changes survive package upgrades):

cd /etc/fail2ban
sudo cp jail.conf jail.local 

Now edit the file:

sudo nano jail.local 

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and the maximum number of failed attempts to your liking:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 3600
maxretry = 3 

Email Notification

Note: You will need sendmail or any other MTA to do this. If you wish to be notified of bans by email, modify this line with your email address:

destemail = [email protected] 

Then find the line:

action = %(action_)s 

and change it to

action = %(action_mw)s 

Jail Configuration

Jails are the rules which fail2ban applies to a given application/log:

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3 

To enable the other profiles, such as [ssh-ddos], make sure the first line beneath it reads:

enabled = true 

Once done, restart fail2ban to put those settings into effect:

sudo /etc/init.d/fail2ban restart 

Advanced: Filters

If you wish to tweak or add log filters, you can find them in

/etc/fail2ban/filter.d 
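The jail settings above (ignoreip, maxretry) and the filters in filter.d work together: the filter's regex picks failed logins out of the log and extracts the source IP, and the jail bans an IP once it has accumulated maxretry matches, unless it is listed in ignoreip. The following script is an added example, not code from the wiki page or from the fail2ban project; it re-implements that decision in plain sh/awk over a few constructed auth.log lines so you can see which addresses a given maxretry/ignoreip pair would ban. The regex is a simplified stand-in for the sshd filter's failregex, and the sample log lines and IPs are made up.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page or the fail2ban project):
# a minimal re-implementation of the ban decision fail2ban makes for the
# [ssh] jail: match failed logins, count them per source IP, skip anything
# in ignoreip, and report the IPs that reached maxretry.

IGNOREIP="127.0.0.1"   # same value as the jail.local [DEFAULT] section
MAXRETRY=3

# Constructed sample of /var/log/auth.log (not real traffic).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2301]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[2301]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:19 host sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:02:01 host sshd[2310]: Failed password for alice from 127.0.0.1 port 40010 ssh2
Mar  3 10:02:03 host sshd[2310]: Failed password for alice from 127.0.0.1 port 40010 ssh2
Mar  3 10:02:05 host sshd[2310]: Failed password for alice from 127.0.0.1 port 40010 ssh2
Mar  3 10:03:44 host sshd[2322]: Failed password for bob from 198.51.100.9 port 33000 ssh2
Mar  3 10:03:50 host sshd[2322]: Accepted password for bob from 198.51.100.9 port 33000 ssh2'

# failed_attempts: read log lines on stdin, print "count ip" per source IP.
# The pattern is a simplified stand-in for the sshd filter's failregex;
# "Accepted password" lines are deliberately not matched.
failed_attempts() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
         }
         END { for (ip in ips) print ips[ip], ip }' | sort -k2
}

# ips_to_ban MAXRETRY IGNOREIP: apply the jail's thresholds to those counts
# and print the IPs fail2ban would hand to its iptables action.
ips_to_ban() {
    maxretry="$1"; ignoreip="$2"
    failed_attempts | while read -r count ip; do
        case " $ignoreip " in *" $ip "*) continue ;; esac   # whitelisted
        if [ "$count" -ge "$maxretry" ]; then echo "$ip"; fi
    done
}

# Stand-alone run: 203.0.113.7 is reported, 127.0.0.1 is ignored, and
# 198.51.100.9 has only one failure.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ips_to_ban "$MAXRETRY" "$IGNOREIP"
```

On a real host you would pipe the actual log in instead (`sudo cat /var/log/auth.log | ips_to_ban 3 "127.0.0.1"`); to test a real filter file rather than this simplified regex, fail2ban ships the `fail2ban-regex` tool, e.g. `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines each failregex matched.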

Testing

To test fail2ban, look at the iptables rules (listing them requires root):

sudo iptables -L 

Attempt to log in to a service that fail2ban is monitoring (preferably from another machine) and look at the iptables rules again to see if that source IP gets added.
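Reading a full `iptables -L` listing by eye gets tedious once several jails are enabled, so here is an added example (not from the wiki page or from fail2ban) that pulls the banned addresses out of that output. It assumes the default iptables-multiport action, which puts each jail's bans in its own chain named fail2ban-<jail> (fail2ban-ssh for the [ssh] jail above; newer fail2ban releases use the prefix f2b- instead, so both are matched). SAMPLE_RULES is constructed text in the shape of `sudo iptables -L -n` output; on a real host feed the command's output in instead.

```shell
#!/bin/sh
# Added example (not from the wiki page or fail2ban): list the source IPs
# that fail2ban has inserted into its iptables chains, and check one IP.

# Constructed sample in the shape of `sudo iptables -L -n` on a host with the
# [ssh] jail enabled and one banned address (not a real capture).
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.7          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# banned_ips: read `iptables -L -n` output on stdin and print "chain ip" for
# every DROP/REJECT rule inside a fail2ban-*/f2b-* chain. The trailing RETURN
# rule in each chain is fail2ban's fall-through, not a ban, so it is skipped.
banned_ips() {
    awk '/^Chain (fail2ban|f2b)-/ { chain = $2; next }
         /^Chain /                { chain = ""; next }
         chain != "" && ($1 == "DROP" || $1 == "REJECT") { print chain, $4 }'
}

# is_banned IP: exit 0 if IP appears in any fail2ban chain, 1 otherwise.
is_banned() {
    banned_ips | awk -v ip="$1" '$2 == ip { found = 1 } END { exit !found }'
}

# Stand-alone run against the constructed rules.
printf '%s\n' "$SAMPLE_RULES" | banned_ips
if printf '%s\n' "$SAMPLE_RULES" | is_banned 203.0.113.7; then
    echo "203.0.113.7 is banned"
fi
```

In practice you would run `sudo iptables -L -n | banned_ips` before and after the test login from the other machine; `sudo fail2ban-client status ssh` gives the same information from fail2ban's own point of view.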

External Links