
Protecting the SSH service with fail2ban

When fail2ban detects abnormal network connection requests, it records the events; once the count within the configured time window exceeds the configured threshold, it uses iptables to block the visitor's IP. After the configured ban duration it automatically lifts the block on that IP again.

Install fail2ban and create the configuration file for the sshd jail

sudo pacman -S fail2ban
sudo vim /etc/fail2ban/jail.d/sshd.local

Set it up as follows:

/etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
backend = systemd
banaction = iptables
filter = sshd
findtime = 1d
maxretry = 3
bantime = 60s
ignoreip = 127.0.0.0/8

Explanation: if more than 3 abnormal SSH login attempts are seen within 1 day, a ban is triggered. To test the effect, the ban duration is set to 60s, and login events originating from the local machine itself are ignored.
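As an added illustration (not fail2ban's own code), here is a small Python model of how these four settings interact: the SshdJail class, the timestamps and the journal lines below are constructed for the example, and the filter regex is a simplified form of two patterns from fail2ban's sshd filter (a wrong password for an existing user, and a login for a non-existent user).

```python
import re
from ipaddress import ip_address, ip_network

# Duration syntax from jail.d/sshd.local ("60s", "1d", "2w"; a bare number is seconds).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(text):
    num, unit = re.fullmatch(r"(\d+)([smhdw]?)", text.strip()).groups()
    return int(num) * _UNITS[unit or "s"]

# Simplified forms of two patterns from fail2ban's sshd filter (wrong password; non-existent user).
_FAIL_RE = re.compile(r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (\S+)")

class SshdJail:
    def __init__(self, findtime="1d", maxretry=3, bantime="60s", ignoreip=("127.0.0.0/8",)):
        self.findtime, self.bantime = parse_duration(findtime), parse_duration(bantime)
        self.maxretry = maxretry
        self.ignore = [ip_network(n) for n in ignoreip]
        self.failures = {}  # ip -> timestamps of failures still inside findtime
        self.banned = {}    # ip -> time the ban expires (while present: the iptables REJECT rule)

    def feed(self, now, line):
        # Apply one journal line seen at `now` (epoch seconds); returns 'ban', 'found' or None.
        self.expire(now)
        m = _FAIL_RE.search(line)
        ip = m and m.group(1)
        if not ip or ip in self.banned or any(ip_address(ip) in n for n in self.ignore):
            return None  # no match, already rejected by iptables, or whitelisted by ignoreip
        recent = [t for t in self.failures.get(ip, []) if now - t <= self.findtime]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) < self.maxretry:
            return "found"
        self.banned[ip] = now + self.bantime
        self.failures.pop(ip)  # the failure history is reset once the ban is placed
        return "ban"

    def expire(self, now):
        # Lift bans whose bantime has elapsed (the 'Unban' line in fail2ban.log).
        self.banned = {ip: t for ip, t in self.banned.items() if now < t}

def run_demo():
    # Constructed journal lines replaying the test in this post; returns the event list.
    jail = SshdJail()
    remote = "Failed password for root from 192.168.1.100 port 51022 ssh2"
    events = [jail.feed(t, remote) for t in (0, 4, 5)]  # found, found, ban
    events.append(jail.feed(10, "Invalid user foobar from 192.168.1.100 port 51030"))  # None: banned
    events.append(jail.feed(20, "Failed password for root from 127.0.0.1 port 40000 ssh2"))  # None
    jail.expire(65)  # the 60 s bantime has elapsed
    return events + [sorted(jail.banned)]  # [..., []] -> unbanned
```

Note that 127.0.0.1 never accumulates failures because ignoreip is checked before the findtime window, which is exactly why local logins do not show up in the log below.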

Enable and start fail2ban.service

$ sudo systemctl enable --now fail2ban.service
Check that fail2ban.service started correctly

$ systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2019-11-13 21:18:53 CST; 8min ago
Docs: man:fail2ban(1)
Process: 1289 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 1291 (fail2ban-server)
Tasks: 3 (limit: 1159)
Memory: 12.4M
CGroup: /system.slice/fail2ban.service
└─1291 /usr/bin/python /usr/bin/fail2ban-server -xf start
Nov 13 21:18:53 archlinux systemd[1]: Starting Fail2Ban Service...
Nov 13 21:18:53 archlinux systemd[1]: Started Fail2Ban Service.
Nov 13 21:18:53 archlinux fail2ban-server[1291]: Server ready

Good, the jail is ready!

Try brute-forcing the server's SSH service from another machine

$ ssh root@192.168.1.106
root@192.168.1.106's password:
Received disconnect from 192.168.1.106 port 22:2: Too many authentication failures
Disconnected from 192.168.1.106 port 22
$ ssh root@192.168.1.106
ssh: connect to host 192.168.1.106 port 22: Connection refused
$ ssh root@192.168.1.106
ssh: connect to host 192.168.1.106 port 22: Connection refused
$ ssh foobar@192.168.1.106
foobar@192.168.1.106's password:
Received disconnect from 192.168.1.106 port 22:2: Too many authentication failures
Disconnected from 192.168.1.106 port 22
$ ssh foobar@192.168.1.106
ssh: connect to host 192.168.1.106 port 22: Connection refused

Whether using a correct username with a wrong password or a non-existent user, fail2ban's ban mechanism was triggered both times. After waiting 60 seconds, the unban mechanism also worked correctly.

Observe the fail2ban log

$ sudo tail -f /var/log/fail2ban.log
2019-11-13 21:18:53,694 fail2ban.server [1291]: INFO Starting Fail2ban v0.10.4
2019-11-13 21:18:53,696 fail2ban.database [1291]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-11-13 21:18:53,697 fail2ban.jail [1291]: INFO Creating new jail 'sshd'
2019-11-13 21:18:53,702 fail2ban.jail [1291]: INFO Jail 'sshd' uses systemd {}
2019-11-13 21:18:53,702 fail2ban.jail [1291]: INFO Initiated 'systemd' backend
2019-11-13 21:18:53,703 fail2ban.filter [1291]: INFO maxLines: 1
2019-11-13 21:18:53,746 fail2ban.filtersystemd [1291]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-11-13 21:18:53,747 fail2ban.filter [1291]: INFO maxRetry: 3
2019-11-13 21:18:53,747 fail2ban.filter [1291]: INFO findtime: 86400
2019-11-13 21:18:53,747 fail2ban.actions [1291]: INFO banTime: 60
2019-11-13 21:18:53,748 fail2ban.filter [1291]: INFO encoding: UTF-8
2019-11-13 21:18:53,762 fail2ban.jail [1291]: INFO Jail 'sshd' started
2019-11-13 21:18:53,831 fail2ban.filter [1291]: INFO [sshd] Found 192.168.1.100 - 2019-11-13 21:14:41
2019-11-13 21:18:53,834 fail2ban.filter [1291]: INFO [sshd] Found 192.168.1.100 - 2019-11-13 21:14:45
2019-11-13 21:18:53,834 fail2ban.filter [1291]: INFO [sshd] Found 192.168.1.100 - 2019-11-13 21:14:46
2019-11-13 21:18:53,961 fail2ban.actions [1291]: NOTICE [sshd] Ban 192.168.1.100
2019-11-13 21:18:56,043 fail2ban.actions [1291]: NOTICE [sshd] Unban 192.168.1.100
2019-11-13 21:19:47,200 fail2ban.filter [1291]: INFO [sshd] Found 192.168.1.100 - 2019-11-13 21:19:46
2019-11-13 21:19:54,908 fail2ban.filter [1291]: INFO [sshd] Found 192.168.1.100 - 2019-11-13 21:19:54
2019-11-13 21:19:56,200 fail2ban.filter [1291]: INFO [sshd] Found 192.168.1.100 - 2019-11-13 21:19:55
2019-11-13 21:19:56,399 fail2ban.actions [1291]: NOTICE [sshd] Ban 192.168.1.100
2019-11-13 21:20:56,535 fail2ban.actions [1291]: NOTICE [sshd] Unban 192.168.1.100

Now set the sshd jail configuration for real:

/etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
backend = systemd
banaction = iptables
filter = sshd
findtime = 1d
maxretry = 5
bantime = 1d
ignoreip = 127.0.0.0/8

The failure count is relaxed to 5 and the ban time extended to 1 day! I was thinking it could even be set to 2w and lock them out for two weeks, heh~~~

Remember to restart the fail2ban service: sudo systemctl restart fail2ban

Check the Ban log on the real server

$ sudo cat /var/log/fail2ban.log | grep Ban
2019-11-13 22:10:16,213 fail2ban.actions [2683]: NOTICE [sshd] Ban 112.196.54.35
2019-11-13 22:10:16,258 fail2ban.actions [2683]: NOTICE [sshd] Ban 140.143.98.35
2019-11-13 22:10:16,275 fail2ban.actions [2683]: NOTICE [sshd] Ban 106.13.140.52
2019-11-13 22:10:16,293 fail2ban.actions [2683]: NOTICE [sshd] Ban 193.112.143.141
2019-11-13 22:10:16,311 fail2ban.actions [2683]: NOTICE [sshd] Ban 113.125.25.73
2019-11-13 22:10:16,327 fail2ban.actions [2683]: NOTICE [sshd] Ban 182.61.105.104
2019-11-13 22:10:16,344 fail2ban.actions [2683]: NOTICE [sshd] Ban 188.35.187.50
2019-11-13 22:10:16,361 fail2ban.actions [2683]: NOTICE [sshd] Ban 182.61.108.121
2019-11-13 22:10:16,979 fail2ban.actions [2683]: NOTICE [sshd] Ban 218.240.249.162
2019-11-13 22:10:17,599 fail2ban.actions [2683]: NOTICE [sshd] Ban 157.245.155.230
2019-11-13 22:10:19,824 fail2ban.actions [2683]: NOTICE [sshd] Ban 178.33.185.70
2019-11-13 22:10:28,063 fail2ban.actions [2683]: NOTICE [sshd] Ban 23.251.142.181
2019-11-13 22:10:31,288 fail2ban.actions [2683]: NOTICE [sshd] Ban 103.133.108.33
The corresponding entries in the iptables firewall

Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 103.133.108.33 anywhere reject-with icmp-port-unreachable
REJECT all -- 181.142.251.23.bc.googleusercontent.com anywhere reject-with icmp-port-unreachable
REJECT all -- 178.33.185.70 anywhere reject-with icmp-port-unreachable
REJECT all -- 157.245.155.230 anywhere reject-with icmp-port-unreachable
REJECT all -- 218.240.249.162 anywhere reject-with icmp-port-unreachable
REJECT all -- 182.61.108.121 anywhere reject-with icmp-port-unreachable
REJECT all -- 188.35.187.50 anywhere reject-with icmp-port-unreachable
REJECT all -- 182.61.105.104 anywhere reject-with icmp-port-unreachable
REJECT all -- 113.125.25.73 anywhere reject-with icmp-port-unreachable
REJECT all -- 193.112.143.141 anywhere reject-with icmp-port-unreachable
REJECT all -- 106.13.140.52 anywhere reject-with icmp-port-unreachable
REJECT all -- 140.143.98.35 anywhere reject-with icmp-port-unreachable
REJECT all -- 112.196.54.35 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Query the state of the sshd jail with the fail2ban-client command

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 92
| |- Total failed: 421
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 13
`- Banned IP list: 103.133.108.33

There, the world is a lot quieter now!