CentOS 6和7版本环境安装Fail2ban服务来防止暴力破解FTP/SSH

定位

如果出于各种少折腾的需求，如果能不用VPS尽量我们建站的时候就不要用VPS，因为在很多时候我们会受到来自各种主动与非主动的攻击问题出现。一旦出现问题，我们就需要花费大量的时间和精力去解决这样的问题。刚才在寻找是否有些教程可以写的时候看到这篇关于Fail2ban应用文章，于是也就整理过来分享。

基于CentOS 6或者7版本的系统，我们可以安装Fail2ban工具来阻止一定的暴力破解SSH或者FTP账户问题，也许不能足够的解决问题，但至少可以解决一般的问题。

第一、Fail2ban安装

A - CentOS 6

1. rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
   
2. yum install fail2ban

复制代码

B - CentOS 7

1. rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
   
2. yum install fail2ban

复制代码

选择对应的系统进行脚本一键安装，在安装过程中会出现三次是否需要输入Y的步骤，我们输入y且回车继续到最后

第二、Fail2ban设置

编辑/etc/fail2ban/jail.conf文件，我们需要设置Fail2ban配置文件。

1. [DEFAULT]
   
2. # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
   
3. # ban a host which matches an address in this list. Several addresses can be
   
4. # defined using space separator.
   
5. ignoreip = 127.0.0.1/8
   
6. # External command that will take an tagged arguments to ignore, e.g. ,
   
7. # and return true if the IP is to be ignored. False otherwise.
   
8. #
   
9. # ignorecommand = /path/to/command
   
10. ignorecommand =
    
11. # "bantime" is the number of seconds that a host is banned.
    
12. bantime  = 600
    
13. # A host is banned if it has generated "maxretry" during the last "findtime"
    
14. # seconds.
    
15. findtime  = 600
    
16. # "maxretry" is the number of failures before a host get banned.
    
17. maxretry = 3
    
18. # "backend" specifies the backend used to get files modification.
    
19. # Available options are "pyinotify", "gamin", "polling" and "auto".
    
20. # This option can be overridden in each jail as well.
    
21. #
    
22. # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
    
23. #              If pyinotify is not installed, Fail2ban will use auto.
    
24. # gamin:     requires Gamin (a file alteration monitor) to be installed.
    
25. #              If Gamin is not installed, Fail2ban will use auto.
    
26. # polling:   uses a polling algorithm which does not require external libraries.
    
27. # auto:      will try to use the following backends, in order:
    
28. #              pyinotify, gamin, polling.
    
29. backend = auto
    
30. # "usedns" specifies if jails should trust hostnames in logs,
    
31. #   warn when DNS lookups are performed, or ignore all hostnames in logs
    
32. #
    
33. # yes:   if a hostname is encountered, a DNS lookup will be performed.
    
34. # warn:  if a hostname is encountered, a DNS lookup will be performed,
    
35. #        but it will be logged as a warning.
    
36. # no:    if a hostname is encountered, will not be used for banning,
    
37. #        but it will be logged as info.
    
38. usedns = warn

复制代码

一般，我们设置这几个就可以，具体的含义如下：

1. ignoreip = 127.0.0.1 #忽略的IP列表,不受设置限制（白名单）
   
2. bantime = 600 #屏蔽时间，单位：秒
   
3. findtime = 600 #这个时间段内超过规定次数会被ban掉
   
4. maxretry = 3 #最大尝试次数
   
5. backend = auto #日志修改检测机制（gamin、polling和auto这三种）
   
6. [ssh-iptables] #针对各服务的检查配置，如设置bantime、findtime、maxretry和全局冲突，服务优先级大于全局设置
   
7. enabled = true #是否激活此项（true/false）
   
8. filter = sshd #过滤规则filter的名字，对应filter.d目录下的sshd.conf
   
9. action = iptables[name=SSH, port=ssh, protocol=tcp] #动作的相关参数
   
10. sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com] #触发报警的收件人
    
11. logpath = /var/log/secure #检测的系统的登陆日志文件
    
12. maxretry = 5 #最大尝试次数

复制代码

第三、启动fail2ban

1. CentOS 6:
   
2. service fail2ban restart
   
3. CentOS 7:
   
4. systemctl restart fail2ban.service

复制代码

第四、设置开机启动

1. CentOS 6:
   
2. chkconfig fail2ban on
   
3. CentOS 7:
   
4. systemctl enable fail2ban

复制代码

heimao

不错，支持，后续做一下