###### tags: `Linux` `InfoSec`

# fail2ban

## What is Fail2ban?

Fail2ban is a tool for protecting against brute-force attacks. It periodically scans the system's log files for entries that match its configured patterns of attack traffic; when the number of matches from one source reaches the threshold, it uses the firewall to temporarily block that source IP address, and only unblocks it again after a set period of time.

## Structure of /etc/fail2ban

![](https://i.imgur.com/CQM5nMF.png)

- action.d/*.conf: rules for what to do to block an attacker
- jail.conf and jail.d/*.conf: define which combination of filters and actions each system service uses

![](https://i.imgur.com/kp6jJE1.png)

![](https://i.imgur.com/Ho84opR.png)

- filter.d/*.conf: rules for recognising an attack

![](https://i.imgur.com/m3moUEB.png)

The rule restricts clients based on entries in nginx/access.log.

![](https://i.imgur.com/eq6R18I.png)

Testing:

![](https://i.imgur.com/woPDPf4.png)

## Enabling fail2ban

There are two ways to check whether the custom rule is active.

Check the log:

```
more /var/log/fail2ban.log
```

![](https://i.imgur.com/7NoIRwI.png)

Use fail2ban-client:

```
fail2ban-client status
```

![](https://i.imgur.com/RYHA6K4.png)

```
fail2ban-client status http-get-dos
```

![](https://i.imgur.com/GhVgwzY.png)

## Installation steps

```
apt-get install fail2ban
```

```
vim /etc/fail2ban/jail.local
```

```
[http-get-dos]
enabled = true
port = http
filter = http-get-dos
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 10
bantime = 10
action = iptables[name=HTTP, port=http, protocol=tcp]
```

```
vim /etc/fail2ban/filter.d/http-get-dos.conf
```

```
[Definition]
failregex = ^<HOST> - - .*\"(GET|POST).*
ignoreregex =
```

```
service fail2ban restart
```

Check the log:

```
vi /var/log/fail2ban.log
```

```
fail2ban-client status
```

Reference: https://net.nthu.edu.tw/netsys/security:fail2ban

![](https://i.imgur.com/rIdS33m.png)

- The iptables action is configured in /etc/fail2ban/action.d/iptables.conf
- The sendmail-whois action is configured in /etc/fail2ban/action.d/sendmail-whois.conf

![](https://i.imgur.com/vZs3hPk.png)
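To see what the http-get-dos jail above actually does before deploying it, here is an added simulation (not from the original note or from fail2ban itself) that applies the note's failregex and its maxretry/findtime/bantime values to a few constructed nginx access.log lines. It is a simplified model of fail2ban's counting, not its real implementation; note that because the failregex matches every GET or POST, the jail counts all requests from a host, so it behaves as a per-IP request-rate limit rather than a login-failure detector.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings copied from the jail.local shown in the note.
MAXRETRY, FINDTIME, BANTIME = 5, 10, 10

# The note's failregex, with fail2ban's <HOST> tag replaced by a named group.
# It matches every GET/POST line, so every request counts as a "failure".
FAILREGEX = re.compile(r'^(?P<host>\S+) - - .*\"(GET|POST).*')
# nginx's default timestamp, e.g. [10/Oct/2023:13:55:36 +0800]
TIMESTAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Constructed sample log (not real traffic): one chatty client, one slow
# client, and one HEAD request that the failregex does not match.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:30 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:31 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:55:32 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:33 +0800] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:13:55:33 +0800] "HEAD / HTTP/1.1" 200 0 "-" "check/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:34 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:55:50 +0800] "GET /a HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:51 +0800] "GET /b HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:52 +0800] "GET /c HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:53 +0800] "GET /d HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return (host, ban_start) tuples in the order the jail would fire bans."""
    hits = defaultdict(deque)   # host -> timestamps of recent matches
    banned_until = {}           # host -> when its ban expires
    bans = []
    for line in log_text.splitlines():
        m, t = FAILREGEX.match(line), TIMESTAMP.search(line)
        if not m or not t:
            continue            # not matched by the filter, or no usable date
        host = m.group('host')
        ts = datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S')
        if ts < banned_until.get(host, ts):
            continue            # still banned: iptables would have dropped this
        window = hits[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()    # only matches within findtime count
        if len(window) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            window.clear()
    return bans

if __name__ == '__main__':
    for host, ts in simulate_jail(SAMPLE_LOG):
        print(f"ban {host} at {ts:%H:%M:%S}")   # prints: ban 203.0.113.7 at 13:55:36
```

With the note's settings only the client that sent 5 requests within 10 seconds is banned; raising findtime to 60 also bans the slower client, which shows how much of normal traffic this jail can catch.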