july
Published 2023-10-06 / 19 reads

Configuring Fail2ban on Debian 12

Someone has been scanning port 22 on my cloud server nonstop. lastb (which prints the failed logins recorded in /var/log/btmp) shows a steady stream of password guesses against root and a list of service-style usernames:

root@localhost:~# lastb
         ssh:notty    64.62.197.115    Fri Oct  6 21:29 - 21:29  (00:00)
httpfs   ssh:notty    68.183.176.157   Fri Oct  6 21:12 - 21:12  (00:00)
httpfs   ssh:notty    68.183.176.157   Fri Oct  6 21:12 - 21:12  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:10 - 21:10  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:10 - 21:10  (00:00)
web      ssh:notty    68.183.176.157   Fri Oct  6 21:06 - 21:06  (00:00)
web      ssh:notty    68.183.176.157   Fri Oct  6 21:06 - 21:06  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:05 - 21:05  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:05 - 21:05  (00:00)
root     ssh:notty    121.186.84.26    Fri Oct  6 21:03 - 21:03  (00:00)
root     ssh:notty    121.186.84.26    Fri Oct  6 21:03 - 21:03  (00:00)
root     ssh:notty    121.186.84.26    Fri Oct  6 21:03 - 21:03  (00:00)
unbt     ssh:notty    68.183.176.157   Fri Oct  6 20:59 - 20:59  (00:00)
unbt     ssh:notty    68.183.176.157   Fri Oct  6 20:59 - 20:59  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:59 - 20:59  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:59 - 20:59  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:53 - 20:53  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:53 - 20:53  (00:00)
node     ssh:notty    68.183.176.157   Fri Oct  6 20:53 - 20:53  (00:00)
node     ssh:notty    68.183.176.157   Fri Oct  6 20:53 - 20:53  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:47 - 20:47  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:47 - 20:47  (00:00)
backup   ssh:notty    68.183.176.157   Fri Oct  6 20:46 - 20:46  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:42 - 20:42  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:42 - 20:42  (00:00)
develope ssh:notty    68.183.176.157   Fri Oct  6 20:40 - 20:40  (00:00)
develope ssh:notty    68.183.176.157   Fri Oct  6 20:40 - 20:40  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:36 - 20:36  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:36 - 20:36  (00:00)
nexus    ssh:notty    68.183.176.157   Fri Oct  6 20:33 - 20:33  (00:00)
nexus    ssh:notty    68.183.176.157   Fri Oct  6 20:33 - 20:33  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:30 - 20:30  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:30 - 20:30  (00:00)
root     ssh:notty    59.39.24.254     Fri Oct  6 20:30 - 20:30  (00:00)
root     ssh:notty    59.39.24.254     Fri Oct  6 20:28 - 20:28  (00:00)
root     ssh:notty    111.26.175.223   Fri Oct  6 20:27 - 20:27  (00:00)
nvidia   ssh:notty    68.183.176.157   Fri Oct  6 20:27 - 20:27  (00:00)
nvidia   ssh:notty    68.183.176.157   Fri Oct  6 20:27 - 20:27  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:25 - 20:25  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:25 - 20:25  (00:00)
aaa      ssh:notty    68.183.176.157   Fri Oct  6 20:20 - 20:20  (00:00

Installing Fail2ban on Debian

# Install with Debian's default package manager (aptitude is not part of a default Debian 12 install; apt is)
sudo apt install fail2ban

The backend = systemd setting used below needs the python3-systemd package. apt pulls it in as a recommended dependency of fail2ban; if you install with --no-install-recommends, add it explicitly.

Configuring Fail2ban

Following the upstream wiki page Proper fail2ban configuration (https://github.com/fail2ban/fail2ban/wiki/Proper-fail2ban-configuration): the configuration lives under /etc/fail2ban. The shipped reference configuration is jail.conf, which package upgrades overwrite, so do not edit it directly. Instead, put only the settings you want to change in your own jail.local, using jail.conf as the reference; values in jail.local override jail.conf section by section.

# /etc/fail2ban/jail.local
[DEFAULT]
# Ban IPs with nftables (Debian 12 ships nftables rather than iptables by default)
banaction = nftables-multiport
banaction_allports = nftables-allports

# How long a client host stays banned, in seconds
bantime = 86400

# Number of failures allowed before the client host is banned
maxretry = 3

# Window within which those failures are counted, in seconds
findtime = 600

# Enable the sshd jail
[sshd]
# Read sshd's messages from the systemd journal instead of /var/log/auth.log
backend = systemd
enabled = true

Note the key is enabled, not enable: fail2ban does not reject unknown keys, and on Debian the typo only goes unnoticed because /etc/fail2ban/jail.d/defaults-debian.conf already enables the sshd jail. Consider also adding ignoreip = 127.0.0.1/8 ::1 <your admin IP> under [DEFAULT] so that a few of your own typos cannot lock you out for a day.

One thing to watch: Fail2ban works by reading logs. Debian 12 no longer installs rsyslog by default, so /var/log/auth.log, the file the sshd jail looks for with the default backend, does not exist; sshd's messages go only to the systemd journal. Without backend = systemd, fail2ban refuses to start with:

ERROR   Failed during configuration: Have not found any log file for sshd jail
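To see what the three knobs in the jail.local above actually do before restarting anything, here is a small re-implementation of the sliding-window logic a jail applies to sshd failures. It is an example added here, not code from the original post or from the fail2ban project. The journal lines, hostname, PIDs, IPs and the year (the default short journal format carries no year) are constructed sample data, and the regex is a simplified form of one failregex from fail2ban's filter.d/sshd.conf; the real filter has many more patterns.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line of `journalctl -u ssh` in the default (short) format: no year.
JOURNAL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Simplified form of one failregex from fail2ban's filter.d/sshd.conf.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample journal: one fast brute-forcer, one slow one, one good login.
SAMPLE_JOURNAL = """\
Oct 06 21:03:10 localhost sshd[1201]: Failed password for root from 121.186.84.26 port 41022 ssh2
Oct 06 21:03:12 localhost sshd[1201]: Failed password for root from 121.186.84.26 port 41022 ssh2
Oct 06 21:03:15 localhost sshd[1203]: Failed password for root from 121.186.84.26 port 41030 ssh2
Oct 06 21:05:40 localhost sshd[1210]: Failed password for invalid user operator from 157.245.220.120 port 50010 ssh2
Oct 06 21:12:01 localhost sshd[1222]: Failed password for invalid user httpfs from 68.183.176.157 port 33010 ssh2
Oct 06 21:20:05 localhost sshd[1230]: Failed password for invalid user operator from 157.245.220.120 port 50011 ssh2
Oct 06 21:20:30 localhost sshd[1231]: Accepted publickey for july from 203.0.113.7 port 52000 ssh2: ED25519 SHA256:c0ffee
Oct 06 21:31:00 localhost sshd[1240]: Failed password for invalid user operator from 157.245.220.120 port 50012 ssh2
"""


class Jail:
    """Sliding-window failure counter with the same knobs as [sshd] in jail.local."""

    def __init__(self, maxretry=3, findtime=600, bantime=86400, year=2023):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.year = year                      # assumed: short journal format has no year
        self.failures = defaultdict(deque)    # ip -> timestamps of failures still in the window
        self.ban_expiry = {}                  # ip -> datetime at which the ban lapses
        self.ban_log = []                     # (ip, datetime banned), in order

    def feed(self, line):
        """Process one journal line; return the IP if this line triggered a ban."""
        m = JOURNAL_LINE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        fail = FAILED_LOGIN.search(m["msg"])
        if not fail:
            return None                       # e.g. "Accepted publickey": not a failure
        ip = fail["ip"]
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                  # forget failures older than findtime
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.ban_expiry[ip] = ts + self.bantime
            self.ban_log.append((ip, ts))
            window.clear()
            return ip
        return None

    def is_banned(self, ip, at):
        return ip in self.ban_expiry and at < self.ban_expiry[ip]


def run(journal_text, **knobs):
    """Feed every line of a journal dump through a Jail and return the Jail."""
    jail = Jail(**knobs)
    for line in journal_text.splitlines():
        jail.feed(line)
    return jail


def banned_ips(jail, when):
    """Sorted IPs still banned at ISO time `when`, e.g. '2023-10-06 22:00:00'."""
    at = datetime.fromisoformat(when)
    return sorted(ip for ip in jail.ban_expiry if jail.is_banned(ip, at))


if __name__ == "__main__":
    jail = run(SAMPLE_JOURNAL)
    for ip, ts in jail.ban_log:
        print(f"{ts:%H:%M:%S} ban {ip} until {jail.ban_expiry[ip]:%Y-%m-%d %H:%M:%S}")
    print("with findtime=3600:", [ip for ip, _ in run(SAMPLE_JOURNAL, findtime=3600).ban_log])
```

With the page's settings (maxretry = 3, findtime = 600), 121.186.84.26 is banned on its third failure within five seconds, while 157.245.220.120, which spaces its guesses more than ten minutes apart, never has three failures inside the window and is never banned; raising findtime to 3600 catches it too. In the lastb output at the top of this page that host tried in pairs every five to six minutes, which is why it did end up on the banned list there. To test the real filter against your real journal, run fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf.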

Once configured, restart Fail2ban (sudo fail2ban-client -t checks the configuration for errors first):

# restart
sudo systemctl restart fail2ban
# stop
sudo systemctl stop fail2ban
# start
sudo systemctl start fail2ban
# start at boot
sudo systemctl enable fail2ban
# do not start at boot
sudo systemctl disable fail2ban

Fail2ban commands

# show the help
sudo fail2ban-client -h

# check that the fail2ban server is up
sudo fail2ban-client ping
# "pong" means the server started successfully
Server replied: pong

# list the enabled jails
sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

# show the ban details for one jail. The journal match shown below is fail2ban's default;
# Debian's unit is ssh.service, but "+" is an OR in journal match syntax and _COMM=sshd matches on its own
sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     14
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   121.186.84.26 157.245.220.120 68.183.176.157

References

Proper fail2ban configuration, https://github.com/fail2ban/fail2ban/wiki/Proper-fail2ban-configuration
How To Protect SSH with Fail2Ban on Debian 11, DigitalOcean
Using Fail2ban to automatically block IPs brute-forcing SSH (使用Fail2ban自动拉黑暴力破解SSH的IP), Alain's Blog (alainlam.cn)
Four ways to stop SSH brute-forcing (防止暴力破解ssh的四种方法), CSDN blog
