Setup Fail2ban

今天查看我的滴滴云服务器的时候，云监控里发现最近两天有两百多次的SSH暴力破解登录，查了下来源IP，都是韩国釜山，安徽什么的。真是防不胜防啊！于是决定研究下SSH的防暴力破解，我选择的程序是Fail2ban。下面介绍如何配置使用。

1、下载安装
#

Fail2ban安装包在epel源里，如果没安装，需要装上。

$ sudo yum install -y epel-release
$ sudo yum install -y fail2ban fail2ban-systemd fail2ban-firewalld

2、修改配置文件
#

主配置文件/etc/fail2ban/jail.conf不建议修改，自行建一个配置文件,它会覆盖主配置文件的配置项，这样便于管理，升级安装包时也不会被覆盖。

$ sudo vim /etc/fail2ban/jail.d/ssh.local
[DEFAULT]
# 禁止一个IP24小时
bantime = 24h

# 10分钟内尝试登陆3次失败便加入屏蔽列表
findtime = 10m
maxretry = 3
# 把自己的IP加入这里，免得自己被ban
ignoreip = 127.0.0.1/8 ::1 x.x.x.x

[sshd]
enabled = true
mode    = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

3、启动Fail2ban服务
#

$ sudo systemctl start fail2ban.service
$ sudo systemctl enable fail2ban.service

4、查看`ssh`状态
#

$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 20
   |- Total banned:     20
   `- Banned IP list:   1.252.24.138 142.93.153.234 157.230.9.239 \
   159.65.145.175 159.65.148.178 159.65.151.151 165.227.39.62 \
   183.157.142.164 183.230.146.26 192.99.255.47 193.201.224.214 \
   195.231.4.214 198.98.56.196 198.98.62.146 206.189.132.42 \
   209.141.35.22 223.113.91.54 24.90.25.51 59.20.205.178 68.183.99.64

5、查看实时日志
#

$ sudo tail -f /var/log/fail2ban.log

6、最近一个启动`fail2ban`日志
#

journalctl -b -u fail2ban

7、查看登录失败的日志
#

$ sudo cat /var/log/secure |grep 'Failed password'
May 16 20:42:55 10-255-0-83 sshd[21804]: Failed password for root from 185.244.25.105 port 35412 ssh2
May 16 21:08:06 10-255-0-83 sshd[25255]: Failed password for root from 40.73.39.211 port 41718 ssh2
May 16 21:13:51 10-255-0-83 sshd[25935]: Failed password for root from 105.103.132.251 port 19628 ssh2

8、解锁IP
#

$ fail2ban-client set sshd unbanip IP

1、下载安装 #

2、修改配置文件 #

3、启动Fail2ban服务 #

4、查看ssh状态 #

5、查看实时日志 #

6、最近一个启动fail2ban日志 #

7、查看登录失败的日志 #

8、解锁IP #