Use Fail2ban to protect your Linux server
Introduction
How it works:
- Monitoring log files: Fail2ban watches the log files you specify, such as those of SSH, HTTP, FTP and other services.
- Matching rules: Fail2ban matches log lines against user-defined rules (also called "filters"). Rules are usually regular expressions that identify malicious behaviour, such as failed login attempts and malicious requests.
- Triggering a response: when a rule matches often enough, Fail2ban runs the configured response, such as adding the offending IP address to a firewall rule to block its access, or sending an e-mail alert to the administrator.
- Automatic unbanning: Fail2ban can also unban a blocked IP address automatically after a period of time, so that a legitimate user who was blocked by mistake is not locked out forever.
Advantages:
- Blocks malicious behaviour automatically and reduces the administrator's workload.
- Can be configured flexibly through user-defined rules.
- Supports automatic unbanning, which limits the damage from blocking a legitimate user by mistake.
- Integrates with other security tools (such as firewalls) to improve overall security.
Disadvantages:
- It may not defend effectively against some advanced attacks.
- In some cases legitimate users can be blocked by mistake, for example when several users share one IP address.
- Some configuration and ongoing management work is needed to keep it effective and safe.
Hands-on walkthrough
1. Install Fail2ban
```
# Ubuntu. This walkthrough uses Ubuntu 22.04.1 LTS with Fail2Ban v0.11.2
sudo apt install fail2ban
# CentOS
sudo yum install fail2ban
```
2. Understanding the Fail2ban directory
```
/etc/fail2ban/
├── action.d           # Various actions; many commonly used ones ship by default
│   ├── dummy.conf
│   ├── hostsdeny.conf
│   ├── iptables.conf
│   ├── mail-whois.conf
│   ├── mail.conf
│   ├── shorewall.conf
│   └── xxxxx.conf
│   .......
├── fail2ban.conf      # Default configuration
├── fail2ban.d         # Start directory
├── filter.d           # Various filters; commonly used ones ship by default
│   ├── apache-auth.conf
│   ├── apache-noscript.conf
│   ├── couriersmtp.conf
│   ├── postfix.conf
│   ├── proftpd.conf
│   ├── qmail.conf
│   ├── sasl.conf
│   ├── sshd.conf
│   └── xxxxx.conf
│   .......
├── jail.conf          # Default monitoring (jail) configuration
└── jail.d
    └── defaults-debian.conf   # SSH-related configuration
```
3. Configure Fail2ban to enable SSH protection
Copy the default configuration:

```
# Switch to the fail2ban directory
cd /etc/fail2ban
# Copy the default configuration
sudo cp fail2ban.conf fail2ban.local
# Copy the default monitoring (jail) configuration. If you don't want the full
# configuration, you can create an empty jail.local instead of copying and write it yourself
sudo cp jail.conf jail.local
```

Customize the SSH protection rules by editing the jail.local file as shown below:

```
# The DEFAULT section acts as a global configuration: any parameter a service
# section does not set itself is taken from here
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1h
findtime = 1m
maxretry = 3
banaction = firewallcmd-ipset
action = %(action_mwl)s
# End of DEFAULT section

# Start of sshd service section
[sshd]
enabled = true
filter = sshd
port = 22
maxretry = 3
findtime = 60
bantime = -1
action = %(action_mwl)s
# End of sshd service section
```

Parameters:
- ignoreip: the whitelist of IP addresses that are never banned; they hold a permanent "get out of jail" card. The local host's IPv4 address (127.0.0.1/8) is in the list, and so is its IPv6 equivalent (::1). If there are other addresses you are sure should never be banned, add them to this list, separated by spaces.
- bantime: how long an IP address stays banned ("m" means minutes, "h" means hours). A value typed without a unit is treated as seconds. A value of -1 bans the IP address permanently. Be very careful not to lock yourself out; this is a very easy mistake to make.
- findtime: the time window within which too many failed connections lead to the IP address being banned.
- maxretry: the number of failed attempts that counts as "too many".

The configuration above means the ssh service allows at most three failed attempts within a 60 s window; an IP address that breaks this rule is banned permanently.
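As an added example (not code from the original post or from the Fail2ban project), the following Python script replays the jail logic just described over a constructed auth.log excerpt: it applies a simplified form of the sshd failregex, honours ignoreip, and counts failures per IP inside a sliding findtime window, which shows why findtime = 60 in the [sshd] section bans the burst at 22:31 but not three slow failures spread over ten minutes, while the DEFAULT section's findtime = 1h would catch both. The FAILREGEX pattern, the log lines and the year 2023 are assumptions.

```python
import ipaddress
import re
from collections import deque
from datetime import datetime

# Simplified form of the "Failed password" failregex in filter.d/sshd.conf
# (assumption; the real filter covers many more message variants).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

# Constructed /var/log/auth.log excerpt, not taken from the original post.
AUTH_LOG = """\
Aug  2 22:31:26 ubuntu-dev sshd[2906]: Failed password for invalid user admin from 192.168.1.12 port 51234 ssh2
Aug  2 22:31:29 ubuntu-dev sshd[2907]: Failed password for root from 192.168.1.12 port 51235 ssh2
Aug  2 22:31:33 ubuntu-dev sshd[2908]: Failed password for root from 192.168.1.12 port 51236 ssh2
Aug  2 22:31:40 ubuntu-dev sshd[2909]: Failed password for root from 127.0.0.1 port 51237 ssh2
Aug  2 22:31:41 ubuntu-dev sshd[2910]: Failed password for root from 127.0.0.1 port 51238 ssh2
Aug  2 22:31:42 ubuntu-dev sshd[2911]: Failed password for root from 127.0.0.1 port 51239 ssh2
Aug  2 22:40:00 ubuntu-dev sshd[2912]: Failed password for root from 10.0.0.5 port 51240 ssh2
Aug  2 22:45:00 ubuntu-dev sshd[2913]: Failed password for root from 10.0.0.5 port 51241 ssh2
Aug  2 22:50:00 ubuntu-dev sshd[2914]: Failed password for root from 10.0.0.5 port 51242 ssh2
"""

def is_ignored(ip, ignoreip):
    # strict=False: 127.0.0.1/8 has host bits set, exactly as written in jail.local
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
               for net in ignoreip)

def ban_decisions(log, maxretry=3, findtime=60, ignoreip=("127.0.0.1/8", "::1")):
    """Return [(ip, HH:MM:SS)] for each ban the sshd jail would issue on this log."""
    recent = {}  # ip -> deque of failure times still inside the findtime window
    bans = []
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m or is_ignored(m["host"], ignoreip):
            continue
        # syslog timestamps carry no year; 2023 is assumed for the sample
        t = datetime.strptime("2023 " + m["ts"], "%Y %b %d %H:%M:%S")
        q = recent.setdefault(m["host"], deque())
        while q and (t - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures that fell out of the findtime window
        q.append(t)
        if len(q) >= maxretry:
            bans.append((m["host"], t.strftime("%H:%M:%S")))
            q.clear()  # the counter restarts after a ban
    return bans
```

Running ban_decisions(AUTH_LOG) reproduces the three "Found" lines followed by one "Ban" for 192.168.1.12 that the fail2ban.log excerpt later in this post shows; the loopback failures are dropped by ignoreip.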
4. Enable and verify whether Fail2ban takes effect
```
# Start fail2ban
sudo systemctl start fail2ban
# Check the status. If it reports running, inspect the configuration
sudo fail2ban-client status
# View the detailed status of the sshd jail
sudo fail2ban-client status sshd
```
Initial status, before any failed logins:

```
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```

Status after several failed SSH logins:

```
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     6
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     3
   `- Banned IP list:   192.168.1.12
```
As you can see, my machine's IP appeared in the Banned IP list after I made several consecutive failed SSH logins, and I could no longer connect over SSH. I had to get into the server through the visualization tool to remove the banned IP. The command is:
fail2ban-client set sshd unbanip 192.168.1.12
```
root@ubuntu-dev:~# tail -f /var/log/fail2ban.log
2023-08-02 22:31:26,770 fail2ban.filter         [2906926]: INFO    [sshd] Found 192.168.1.12 - 2023-08-02 22:31:26
2023-08-02 22:31:29,616 fail2ban.filter         [2906926]: INFO    [sshd] Found 192.168.1.12 - 2023-08-02 22:31:29
2023-08-02 22:31:33,925 fail2ban.filter         [2906926]: INFO    [sshd] Found 192.168.1.12 - 2023-08-02 22:31:33
2023-08-02 22:31:34,271 fail2ban.actions        [2906926]: NOTICE  [sshd] Ban 192.168.1.12
2023-08-02 22:33:13,076 fail2ban.actions        [2906926]: NOTICE  [sshd] Unban 192.168.1.12
```
Summary
Fail2ban common command cheat sheet
- fail2ban-client ping: test whether the fail2ban service started successfully; it prints pong on success.
- fail2ban-server -V: show the fail2ban version number.
- fail2ban-client status sshd: show the IPs blocked by a jail (here sshd, matching the [sshd] section of jail.local).
- fail2ban-client set sshd unbanip 192.168.1.12: lift the ban on an IP in a jail; this example unbans 192.168.1.12 in the sshd jail.
- fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf: test whether a filter's rules match the log as intended.
- tail /var/log/fail2ban.log: view Fail2ban's own log.
- fail2ban-client unban --all: use with caution; lifts the ban on every blocked IP address.