Someone is constantly scanning port 22 on my cloud server and trying to brute-force it, and watching these records scroll by without end is annoying.
```text
root@localhost:~# lastb
ssh:notty 64.62.197.115 Fri Oct 6 21:29 - 21:29 (00:00)
httpfs ssh:notty 68.183.176.157 Fri Oct 6 21:12 - 21:12 (00:00)
httpfs ssh:notty 68.183.176.157 Fri Oct 6 21:12 - 21:12 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:10 - 21:10 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:10 - 21:10 (00:00)
web ssh:notty 68.183.176.157 Fri Oct 6 21:06 - 21:06 (00:00)
web ssh:notty 68.183.176.157 Fri Oct 6 21:06 - 21:06 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:05 - 21:05 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:05 - 21:05 (00:00)
root ssh:notty 121.186.84.26 Fri Oct 6 21:03 - 21:03 (00:00)
root ssh:notty 121.186.84.26 Fri Oct 6 21:03 - 21:03 (00:00)
root ssh:notty 121.186.84.26 Fri Oct 6 21:03 - 21:03 (00:00)
unbt ssh:notty 68.183.176.157 Fri Oct 6 20:59 - 20:59 (00:00)
unbt ssh:notty 68.183.176.157 Fri Oct 6 20:59 - 20:59 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:59 - 20:59 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:59 - 20:59 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:53 - 20:53 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:53 - 20:53 (00:00)
node ssh:notty 68.183.176.157 Fri Oct 6 20:53 - 20:53 (00:00)
node ssh:notty 68.183.176.157 Fri Oct 6 20:53 - 20:53 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:47 - 20:47 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:47 - 20:47 (00:00)
backup ssh:notty 68.183.176.157 Fri Oct 6 20:46 - 20:46 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:42 - 20:42 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:42 - 20:42 (00:00)
develope ssh:notty 68.183.176.157 Fri Oct 6 20:40 - 20:40 (00:00)
develope ssh:notty 68.183.176.157 Fri Oct 6 20:40 - 20:40 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:36 - 20:36 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:36 - 20:36 (00:00)
nexus ssh:notty 68.183.176.157 Fri Oct 6 20:33 - 20:33 (00:00)
nexus ssh:notty 68.183.176.157 Fri Oct 6 20:33 - 20:33 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:30 - 20:30 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:30 - 20:30 (00:00)
root ssh:notty 59.39.24.254 Fri Oct 6 20:30 - 20:30 (00:00)
root ssh:notty 59.39.24.254 Fri Oct 6 20:28 - 20:28 (00:00)
root ssh:notty 111.26.175.223 Fri Oct 6 20:27 - 20:27 (00:00)
nvidia ssh:notty 68.183.176.157 Fri Oct 6 20:27 - 20:27 (00:00)
nvidia ssh:notty 68.183.176.157 Fri Oct 6 20:27 - 20:27 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:25 - 20:25 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:25 - 20:25 (00:00)
aaa ssh:notty 68.183.176.157 Fri Oct 6 20:20 - 20:20 (00:00
```
Fail2Ban is an intrusion detection framework; with sensible configuration it stops brute-force attacks, and most distributions ship it in their package manager.
Installing Fail2ban on Debian
```shell
# Install with the Debian package manager
sudo aptitude install fail2ban
```
Configuring Fail2ban
When installed from the package manager, all configuration files live in the /etc/fail2ban directory, whose layout is as follows:
```text
ls -al
total 104
drwxr-xr-x 6 root root 4096 Apr 14 12:08 .
drwxr-xr-x 97 root root 4096 Mar 21 23:24 ..
drwxr-xr-x 2 root root 4096 Oct 6 2023 action.d
-rw-r--r-- 1 root root 3017 Nov 9 2022 fail2ban.conf
drwxr-xr-x 2 root root 4096 Apr 22 2023 fail2ban.d
drwxr-xr-x 3 root root 4096 Mar 11 21:41 filter.d
-rw-r--r-- 1 root root 25607 Apr 14 11:20 jail.conf
drwxr-xr-x 2 root root 4096 Apr 14 11:29 jail.d
-rw-r--r-- 1 root root 645 Nov 9 2022 paths-arch.conf
-rw-r--r-- 1 root root 2728 Nov 9 2022 paths-common.conf
-rw-r--r-- 1 root root 627 Nov 9 2022 paths-debian.conf
-rw-r--r-- 1 root root 738 Nov 9 2022 paths-opensuse.conf
```
Fail2ban configuration directory layout

| Entry | Purpose |
|---|---|
| action.d | Holds the action configuration files that are executed when a rule is triggered |
| fail2ban.conf | The Fail2ban daemon's own configuration file |
| fail2ban.d | Additional Fail2ban configuration files |
| filter.d | The rule/filter directory: configuration files that define how log lines are matched. The official filters ship here, and you can add your own matching rules, for example to block attacks against an frp tunnel |
| jail.conf | The official example jail configuration; it defines which services or protocols are monitored and defended and which filters and actions are used for each |
| jail.d | Additional jail configuration files; at startup Fail2ban loads jail.local as well as every configuration file in the jail.d directory |
According to [Proper fail2ban configuration](https://github.com/fail2ban/fail2ban/wiki/Proper-fail2ban-configuration), the supplied example configuration lives in jail.conf. Do not modify that file directly; instead, use it as a template and put your own settings in jail.local. Every jail defined in the jail.conf example is disabled by default and has to be enabled by hand.
```shell
# run inside /etc/fail2ban
sudo cp jail.conf jail.local
sudo nano jail.local
```
The jail configuration file
```ini
[DEFAULT]
# Global settings for every jail; any of them can be overridden inside an individual jail section
...
# How long an address stays banned; plain numbers are seconds. bantime = 10m bans for 10 minutes.
bantime = 10m
# Window used to decide whether to ban an address; plain numbers are seconds.
# findtime = 10m means that maxretry or more failed logins within the last 10 minutes lead to a ban.
findtime = 10m
# Maximum number of failed logins allowed. Once an IP reaches or exceeds maxretry failures
# within findtime, that IP is banned.
maxretry = 5
# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s
# Backend used to detect file modifications, i.e. the mechanism Fail2ban uses to watch logs for changes.
# Available backends: pyinotify, gamin, polling, systemd and auto.
# If no backend is given, Fail2ban tries these backends in order until it finds a usable one.
# backend = auto means Fail2ban will try one of pyinotify, gamin, polling or systemd.
backend = auto

# Enable the ssh jail
[sshd]
# Ban addresses with nftables
banaction = nftables-multiport
banaction_allports = nftables-allports
# How long the client host is banned, in seconds
bantime = 86400
# Number of failures allowed before the client host is banned
maxretry = 3
# Window over which failures are counted, in seconds
findtime = 600
backend = systemd
# the option is spelled "enabled"; "enable" is silently ignored and the jail stays off
enabled = true
```
One thing to watch out for: Fail2ban works by analysing log files, and on some Linux distributions the ssh login log has been replaced by the systemd journal. Without backend = systemd, startup fails immediately with the following error:
```text
ERROR Failed during configuration: Have not found any log file for sshd jail
```
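To make the bantime / findtime / maxretry interplay concrete, here is an added example (not from the original post and not Fail2ban's own code) that replays constructed sshd journal lines through the same sliding-window rule the [sshd] jail above uses: an address is banned once it reaches maxretry failures inside findtime and stays banned for bantime. The sample IP addresses, host name and the year 2023 are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [sshd] jail above
FINDTIME = 600     # seconds
MAXRETRY = 3
BANTIME = 86400    # seconds

# Constructed sshd journal lines, not taken from a real host (year assumed: the journal omits it)
SAMPLE_LOG = """\
Oct 06 20:59:01 vps sshd[1201]: Failed password for invalid user operator from 157.245.220.120 port 40112 ssh2
Oct 06 20:59:02 vps sshd[1201]: Failed password for invalid user operator from 157.245.220.120 port 40112 ssh2
Oct 06 21:03:10 vps sshd[1210]: Failed password for root from 121.186.84.26 port 51822 ssh2
Oct 06 21:05:30 vps sshd[1215]: Failed password for invalid user operator from 157.245.220.120 port 40200 ssh2
Oct 06 21:20:00 vps sshd[1230]: Failed password for root from 121.186.84.26 port 51900 ssh2
Oct 06 21:30:00 vps sshd[1240]: Failed password for root from 121.186.84.26 port 51950 ssh2
Oct 06 21:40:00 vps sshd[1250]: Accepted publickey for deploy from 203.0.113.7 port 50000 ssh2
"""

# Matches the "Failed password" line shape that the stock sshd filter also recognises
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2023):
    """Yield (timestamp, ip) for each failed-password line; everything else is ignored."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def evaluate(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay the log and return {ip: ban_expiry} for every address that would be banned."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}                     # ip -> datetime at which the ban expires
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip]:
            continue              # still banned; the firewall would have dropped this attempt
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # failures older than findtime no longer count
        if len(q) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans
```

With the jail's values only 157.245.220.120 is banned: 121.186.84.26 also fails three times, but spread over 27 minutes, so never three inside one 600-second window; widening findtime to an hour catches it too.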
Fail2ban commands
Once configured, restart Fail2ban:
```shell
# Restart
sudo systemctl restart fail2ban
# Stop
sudo systemctl stop fail2ban
# Start
sudo systemctl start fail2ban
# Start at boot
sudo systemctl enable fail2ban
# Do not start at boot
sudo systemctl disable fail2ban
# Show the command help
sudo fail2ban-client -h
# Check whether fail2ban started successfully
sudo fail2ban-client ping
# "pong" means it is up
Server replied: pong
# List the jails currently enabled
sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
# Show the ban information for one jail
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     14
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   121.186.84.26 157.245.220.120 68.183.176.157
```
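Added example, not part of the original post: a small parser for the `fail2ban-client status sshd` output shown above, so the ban list can be checked from a monitoring script rather than by eye. STATUS_OUTPUT is a constructed copy of that output, and newly_banned compares two snapshots taken some time apart (for example from a cron job that alerts on new bans).

```python
import re

# Constructed copy of the `fail2ban-client status sshd` output shown above
STATUS_OUTPUT = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     14
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   121.186.84.26 157.245.220.120 68.183.176.157
"""

# One "key: value" leaf of the tree; the prefix is any mix of "|", "`", "-" and spaces
FIELD_RE = re.compile(r"^[|` -]*-\s+(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_jail_status(text):
    """Flatten the tree-shaped status output into a dict keyed by the printed field names."""
    lines = text.splitlines()
    m = re.match(r"Status for the jail:\s*(\S+)", lines[0] if lines else "")
    if not m:
        raise ValueError("not a fail2ban jail status")
    result = {"jail": m.group(1)}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if not m:
            continue              # "|- Filter" / "`- Actions" carry no value
        key, value = m["key"].strip(), m["value"].strip()
        if key == "Banned IP list":
            result[key] = value.split()     # empty list when nothing is banned
        elif value.isdigit():
            result[key] = int(value)
        else:
            result[key] = value
    return result

def newly_banned(previous_text, current_text):
    """Addresses in the current ban list that were absent from the previous snapshot."""
    before = set(parse_jail_status(previous_text).get("Banned IP list", []))
    after = set(parse_jail_status(current_text).get("Banned IP list", []))
    return sorted(after - before)
```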
References
[Proper fail2ban configuration](https://github.com/fail2ban/fail2ban/wiki/Proper-fail2ban-configuration)
How To Protect SSH with Fail2Ban on Debian 11 | DigitalOcean
Gentoo wiki: Fail2ban
how-to-install-fail2ban-on-debian-linux
Automatically blacklisting IPs that brute-force SSH with Fail2ban - Alain's Blog (alainlam.cn)
Fail2ban - ArchWiki (archlinux.org)
Four ways to prevent SSH brute-forcing (ssh防爆破) - Linux学习中的博客, CSDN