july
july
发布于 2023-10-06 / 56 阅读
1

Debian12配置Fail2ban

云服务器一直有人扫22端口进行爆破,看着这不停滚动的记录,很是不爽。

root@localhost:~# lastb
         ssh:notty    64.62.197.115    Fri Oct  6 21:29 - 21:29  (00:00)
httpfs   ssh:notty    68.183.176.157   Fri Oct  6 21:12 - 21:12  (00:00)
httpfs   ssh:notty    68.183.176.157   Fri Oct  6 21:12 - 21:12  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:10 - 21:10  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:10 - 21:10  (00:00)
web      ssh:notty    68.183.176.157   Fri Oct  6 21:06 - 21:06  (00:00)
web      ssh:notty    68.183.176.157   Fri Oct  6 21:06 - 21:06  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:05 - 21:05  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 21:05 - 21:05  (00:00)
root     ssh:notty    121.186.84.26    Fri Oct  6 21:03 - 21:03  (00:00)
root     ssh:notty    121.186.84.26    Fri Oct  6 21:03 - 21:03  (00:00)
root     ssh:notty    121.186.84.26    Fri Oct  6 21:03 - 21:03  (00:00)
unbt     ssh:notty    68.183.176.157   Fri Oct  6 20:59 - 20:59  (00:00)
unbt     ssh:notty    68.183.176.157   Fri Oct  6 20:59 - 20:59  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:59 - 20:59  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:59 - 20:59  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:53 - 20:53  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:53 - 20:53  (00:00)
node     ssh:notty    68.183.176.157   Fri Oct  6 20:53 - 20:53  (00:00)
node     ssh:notty    68.183.176.157   Fri Oct  6 20:53 - 20:53  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:47 - 20:47  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:47 - 20:47  (00:00)
backup   ssh:notty    68.183.176.157   Fri Oct  6 20:46 - 20:46  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:42 - 20:42  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:42 - 20:42  (00:00)
develope ssh:notty    68.183.176.157   Fri Oct  6 20:40 - 20:40  (00:00)
develope ssh:notty    68.183.176.157   Fri Oct  6 20:40 - 20:40  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:36 - 20:36  (00:00)
operator ssh:notty    157.245.220.120  Fri Oct  6 20:36 - 20:36  (00:00)
nexus    ssh:notty    68.183.176.157   Fri Oct  6 20:33 - 20:33  (00:00)
nexus    ssh:notty    68.183.176.157   Fri Oct  6 20:33 - 20:33  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:30 - 20:30  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:30 - 20:30  (00:00)
root     ssh:notty    59.39.24.254     Fri Oct  6 20:30 - 20:30  (00:00)
root     ssh:notty    59.39.24.254     Fri Oct  6 20:28 - 20:28  (00:00)
root     ssh:notty    111.26.175.223   Fri Oct  6 20:27 - 20:27  (00:00)
nvidia   ssh:notty    68.183.176.157   Fri Oct  6 20:27 - 20:27  (00:00)
nvidia   ssh:notty    68.183.176.157   Fri Oct  6 20:27 - 20:27  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:25 - 20:25  (00:00)
nifi     ssh:notty    157.245.220.120  Fri Oct  6 20:25 - 20:25  (00:00)
aaa      ssh:notty    68.183.176.157   Fri Oct  6 20:20 - 20:20  (00:00

Fail2Ban是一个入侵检测系统框架,通过合理配置可以避免爆破攻击,在大多数发行版本中包管理都是有的。

Debian安装Fail2ban

#使用Debian 包管理器安装
sudo aptitude install fail2ban

配置Fail2ban

使用包管理安装配置文件都在/etc/fail2ban目录下,目录结构如下

ls -al
total 104
drwxr-xr-x  6 root root  4096 Apr 14 12:08 .
drwxr-xr-x  97 root root  4096 Mar 21 23:24 ..
drwxr-xr-x  2 root root  4096 Oct  6  2023 action.d
-rw-r--r--  1 root root  3017 Nov  9  2022 fail2ban.conf
drwxr-xr-x  2 root root  4096 Apr 22  2023 fail2ban.d
drwxr-xr-x  3 root root  4096 Mar 11 21:41 filter.d
-rw-r--r--  1 root root  25607 Apr 14 11:20 jail.conf
drwxr-xr-x  2 root root  4096 Apr 14 11:29 jail.d
-rw-r--r--  1 root root   645 Nov  9  2022 paths-arch.conf
-rw-r--r--  1 root root  2728 Nov  9  2022 paths-common.conf
-rw-r--r--  1 root root   627 Nov  9  2022 paths-debian.conf
-rw-r--r--  1 root root   738 Nov  9  2022 paths-opensuse.conf

Fail2ban 配置文件目录结构

action.d 目录下存放了当触发规则时执行的操作配置文件
fail2ban.conf 是Fail2ban.conf配置文件
fail2ban.d Fail2ban 的额外配置文件
filter.d Fail2ban 规则/过滤器目录,里面是定义日志过滤规则的配置文件这里有官方写好的规则,当然你可以在这里定义自己的拦截过滤规则,比如拦截frp内网穿透等
jail.conf Fail2ban 官方监狱示列配置文件,定义了对服务或协议进行监控和防御的规则、调用过滤器和动作。
jail.d 存放监狱(jail)的额外配置文件,Fail2ban 在启动时会加载 jail.local 文件以及 jail.d 目录下的所有配置文件

根据[https://github.com/fail2ban/fail2ban/wiki/Proper-fail2ban-configuration\]( Proper fail2ban configuration) ,给的示列配置文件放在jail.conf中,不建议直接修改给的配置文件,而是根据所需根据给的示列配置文件,编辑自己的jali.local,jail.conf示列配置文件定义的监狱规则都默认被禁用,需要我们手动开启。

sduo cp jail.conf jail.local

sudo nano jail.local

jail配置文件

[DEFAULT] 
# 该标签下是对jail监狱规则进行全局配置,全局设置可以被覆盖
...
# 被封禁的时间,默认以秒为单位,bantime = 10m 表示被封禁的时间为 10 分钟。
bantime  = 10m

# 用于确定是否封禁IP的时间段,以秒为单位。findtime = 10m表示在过去的10分钟内进行的登录失败大于等于maxretry次数将被封禁。
findtime  = 10m

# 允许的最大登录失败次数,如果在findtime时间段内某个IP地址的登录失败次数达到或超过maxretry次,该IP地址将被封禁。
maxretry = 5

# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s

# 用于获取文件修改的后端。这个选项指定了 Fail2ban 使用的监视文件变化的机制。
# 可以选择的后端包括:pyinotify、gamin、polling、systemd 和 auto。
# 如果未指定后端,Fail2ban 将尝试按照顺序使用这些后端,直到找到可用的后端为止。
# backend = auto 表示 Fail2ban 将尝试使用pyinotify、gamin、polling、systemd这几种后端中的一种。
backend = auto

# 启用ssh
[sshd]
# 使用nftables封禁ip
banaction = nftables-multiport
banaction_allports = nftables-allports

# 客户端主机被禁止的时长 单位:秒
bantime = 86400

# 客户端主机被禁止前允许失败的次数 
maxretry = 3

# 查找失败次数的时长 单位:秒
findtime = 600

backend = systemd
enable=true

这里需要注意下,Fail2ban是需要分析日志文件,在部分Linux发行版本中,ssh登陆日志已经被systemd所替代,所以不配置backend = systemd启动会直接报下面的错误

ERROR   Failed during configuration: Have not found any log file for sshd jail

Fail2ban命令

配置好之后,重启启动Fail2ban

# 重启
sudo systemctl restart fail2ban
# 停止
sudo systemctl stop fail2ban
# 启动
sudo systemctl start fail2ban
# 开机启动
sudo systemctl enable fail2ban
# 关闭开机启动
sudo systemctl disable fail2ban
# 查看帮助命令
sudo fail2ban-client -h

# 查看fail2ban是否启动成功
sudo fail2ban-client ping
# 显示pong显示启动成功
Server replied: pong

# 查看当前启用的规则
sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

# 查看指定规则下封禁信息
sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     14
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   121.186.84.26 157.245.220.120 68.183.176.157

参考

Proper fail2ban configuration
How To Protect SSH with Fail2Ban on Debian 11 | DigitalOcean
Gentoo-Fail2ban
how-to-install-fail2ban-on-debian-linux
使用Fail2ban自动拉黑暴力破解SSH的IP - Alain’s Blog (alainlam.cn)
Fail2ban - ArchWiki (archlinux.org)
防止暴力破解ssh的四种方法_ssh防爆破_Linux学习中的博客-CSDN博客