Basically all of my hosts have remote logging set up, all sending to the Log Center on my Synology NAS.
One of them, a Raspberry Pi that acts as my router facing the internet, gets a pile of sshd authentication attempts like this:
Disconnected from invalid user slurm 128.199.177.36 port 60810 [preauth]
I basically only allow public-key authentication,
so brute-forcing a username and password is never going to work, but that pile of failed-authentication log lines is still really annoying to look at.
So I Googled a bit and found this thing called fail2ban. It looked pretty good, so let's set it up.
Here are my installation steps, written straight down:
Step 1: Install
apt-get install fail2ban
We can cd into /etc/fail2ban and take a peek at the jail.conf file.
root@ptest:/etc/fail2ban# head jail.conf
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
As it says above, in most cases we should not modify this file, but provide a custom jail.local instead.
Step 2: In the /etc/fail2ban directory
cd /etc/fail2ban
cp jail.conf jail.local
Step 3: Edit jail.local
Find the sshd section. Note that elsewhere in this file there is also a #[sshd]; don't uncomment that one, it is just part of the explanatory comments.
Add two lines, "enabled" and "action":
enabled = true
action = %(action_)s
In the example above, action_ is the simplest setting:
action_ : The simplest action to take: ban only
action_mw: ban & send an e-mail with whois report to the destemail.
action_mwl: ban & send an e-mail with whois report and relevant log lines
The full section looks like this:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
action = %(action_)s
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Step 4: Start it
(systemctl is really nice. I used to wonder why they replaced the perfectly fine service command with this thing, but now I'm quite used to it 😝)
# start automatically at boot
systemctl enable fail2ban
# start now
systemctl start fail2ban
Step 5: Check the service status; seeing active means it is running.
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-12-11 10:38:59 CST; 1h 12min ago
Docs: man:fail2ban(1)
Main PID: 26761 (fail2ban-server)
Tasks: 3 (limit: 4915)
CGroup: /system.slice/fail2ban.service
└─26761 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
If it fails to start, you can dump the parsed configuration to check whether there is an error:
--dp, --dump-pretty dump the configuration using more human readable representation
fail2ban-client --dp
Step 6: Check the status of a <JAIL>; here sshd is the <JAIL> name.
fail2ban-client status sshd
The result looks like this:
(The action = line in Step 3 is important, make sure to set it; otherwise the Banned IP list you see here is just an illusion and nothing is actually blocked.)
root@ptest:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 12
| |- Total failed: 280
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 6
`- Banned IP list: 88.218.17.117 137.184.65.253
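To check that point, here is a small script (added here as an example, not part of the original post) that cross-checks the IPs fail2ban reports as banned against the rules actually present in the firewall. It assumes the default iptables-based action, which puts bans in a chain named f2b-<jail> (f2b-sshd for this jail); the sample status and iptables output are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the IPs that
# fail2ban *reports* as banned against the rules actually present in the
# firewall. Assumes the default iptables-based action, which puts bans in a
# chain named f2b-<jail> (f2b-sshd here); adapt if you use nftables.

# Pull the addresses out of the "Banned IP list:" line of
# `fail2ban-client status <jail>` (read from stdin), one per line.
banned_from_status() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# Pull the source addresses of REJECT/DROP rules out of
# `iptables -L f2b-sshd -n` output (read from stdin).
banned_from_iptables() {
    awk '$1 == "REJECT" || $1 == "DROP" { print $4 }'
}

# Print every IP fail2ban claims to ban that has no matching firewall rule.
# Exit status 1 when at least one is missing, which is what you get when
# "action =" was left unset in jail.local.
missing_bans() {
    status_out="$1"; ipt_out="$2"; rc=0
    for ip in $(printf '%s\n' "$status_out" | banned_from_status); do
        if ! printf '%s\n' "$ipt_out" | banned_from_iptables | grep -qxF "$ip"; then
            echo "$ip"; rc=1
        fi
    done
    return $rc
}

# Constructed sample data (the second banned IP deliberately has no rule).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 2
   `- Banned IP list: 88.218.17.117 137.184.65.253'
SAMPLE_IPT='Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  88.218.17.117        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'
missing_bans "$SAMPLE_STATUS" "$SAMPLE_IPT" || echo "-> listed by fail2ban but not enforced"

# Live check on the router itself (skipped when the tools are not installed).
if command -v fail2ban-client >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    missing_bans "$(fail2ban-client status sshd)" "$(iptables -L f2b-sshd -n)" \
        && echo "all sshd bans are present in iptables"
fi
```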
fail2ban-client has a lot of features, too many to list here; just run the command by itself to see them:
fail2ban-client
For example, the quick-and-dirty way, just grep for it:
root@ptest:~# fail2ban-client |grep banip
set <JAIL> banip <IP> manually Ban <IP> for <JAIL>
set <JAIL> unbanip <IP> manually Unban <IP> in <JAIL>
root@ptest:~#
To confirm it actually works, find another host and test whether it can still log in; after you manually ban its IP it should no longer be able to.
fail2ban-client set sshd banip 34.81.227.39
fail2ban-client set sshd unbanip 34.81.227.39
After testing the ban, the host really cannot connect any more. Below is an illustrative screen:
~# ssh ptest
ssh: connect to host 主机 port 22: Cannot assign requested address
Looking at the Log Center on my Synology afterwards, there are indeed far fewer entries.