How do I enable fail2ban on CentOS?

Installing and configuring fail2ban on CentOS: a detailed tutorial
1. Install fail2ban
CentOS 7/8 installation steps:
# Install the EPEL repository (fail2ban is not in the base repositories)
sudo yum install epel-release -y
# Refresh the package metadata; note that yum update also upgrades every installed package
sudo yum update -y
# Install fail2ban
sudo yum install fail2ban -y
CentOS Stream 9 / Rocky Linux 9 / AlmaLinux 9:
# Install the EPEL repository
sudo dnf install epel-release -y
# Install fail2ban
sudo dnf install fail2ban -y
2. Configure fail2ban
Create a local configuration file (do not edit jail.conf itself: it is replaced on package upgrades, while settings in jail.local override it):
# Copy the default configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit the configuration file
sudo nano /etc/fail2ban/jail.local
Basic configuration example:
[DEFAULT]
# Addresses that are never banned (add your own public IP so you cannot lock yourself out)
ignoreip = 127.0.0.1/8 ::1 YOUR_PUBLIC_IP
# Ban duration in seconds: 3600 = 1 hour
bantime = 3600
# Window in seconds within which failures are counted: 600 = 10 minutes
findtime = 600
# Number of failures inside findtime that triggers a ban
maxretry = 3
# Log backend: systemd reads the journal instead of polling a log file
# (the EPEL package on EL8 and later already selects this through a jail.d drop-in)
backend = systemd
# Mail notification settings (optional). action_mwl mails the ban together with whois output
# and the matching log lines, so it needs the whois package and a working MTA.
destemail = your-email@example.com
sender = fail2ban@your-server.com
mta = sendmail
action = %(action_mwl)s
[sshd]
# Enable SSH protection
enabled = true
# SSH port (if you changed the default port 22, change this too)
port = ssh
# Filter
filter = sshd
# Log file path (CentOS uses /var/log/secure); ignored when backend = systemd, which reads the journal
logpath = /var/log/secure
# SSH-specific settings (override the [DEFAULT] values for this jail)
maxretry = 3
bantime = 3600
findtime = 600
3. Create a dedicated SSH configuration (recommended)
Create a separate SSH configuration file (files in jail.d are read after jail.local and override it, which keeps the SSH settings in one small file):
sudo nano /etc/fail2ban/jail.d/sshd.local
File contents:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 3600
findtime = 600
ignoreip = 127.0.0.1/8 YOUR_IP_ADDRESS
4. Start and enable fail2ban
# Start the fail2ban service
sudo systemctl start fail2ban
# Start it automatically at boot
sudo systemctl enable fail2ban
# Check the service status
sudo systemctl status fail2ban
5. Verify the configuration and monitor
Check fail2ban status:
# Show overall fail2ban status (the list of active jails)
sudo fail2ban-client status
# Show the sshd jail status
sudo fail2ban-client status sshd
# Query the current ban list and the effective settings of the jail
sudo fail2ban-client get sshd banip
sudo fail2ban-client get sshd bantime
sudo fail2ban-client get sshd findtime
sudo fail2ban-client get sshd maxretry
Common management commands:
# Ban an IP manually
sudo fail2ban-client set sshd banip 192.168.1.100
# Unban an IP manually
sudo fail2ban-client set sshd unbanip 192.168.1.100
# Reload the configuration
sudo fail2ban-client reload
# Reload one jail only
sudo fail2ban-client reload sshd
# Follow the log
sudo tail -f /var/log/fail2ban.log
6. Firewall integration
If you use firewalld (the default on CentOS 7 and later):
# Check firewalld status
sudo systemctl status firewalld
# The CentOS fail2ban package integrates with firewalld through a jail.d drop-in that sets
# banaction to a firewallcmd-* action, so no extra configuration is needed. Whether bans
# appear as rich rules or as ipset entries depends on which action that drop-in selects;
# with the rich-rules action you can list the banned IPs like this:
sudo firewall-cmd --list-rich-rules
If you use iptables instead:
# Set the banaction in jail.local
banaction = iptables-multiport
banaction_allports = iptables-allports
7. Advanced configuration
Create a custom filter (optional). The patterns below are taken from fail2ban's own sshd filter; they reference %(__prefix_line)s, which is defined in common.conf, so the filter must include that file or it will fail to load. Continuation lines of a multi-line value must be indented. To use the filter, set filter = sshd-custom in the sshd jail, and test it with fail2ban-regex against /var/log/secure before enabling it.
sudo nano /etc/fail2ban/filter.d/sshd-custom.conf
[INCLUDES]
# Provides the __prefix_line definition used in failregex
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail$
            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye$
            ^%(__prefix_line)sConnection closed by <HOST>$
ignoreregex =
Note that the last two patterns ("Received disconnect ... 11: Bye Bye" and "Connection closed by <HOST>") also match ordinary disconnects by legitimate users, so counting them toward maxretry can ban your own clients; drop them unless you specifically want that behaviour.
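To make the interaction of findtime, maxretry and the filter's failregex concrete, here is an added Python simulation (not part of the original answer and not fail2ban's own code) that replays constructed /var/log/secure lines through the "Failed ... from <HOST>" pattern above, with %(__prefix_line)s and <HOST> expanded by hand, and reports which hosts the jail would ban.

```python
import re
from datetime import datetime

# Jail parameters from the jail.local example in this tutorial.
FINDTIME, MAXRETRY, BANTIME = 600, 3, 3600  # seconds, count, seconds

# One failregex line from the sshd filter. fail2ban substitutes %(__prefix_line)s with a
# syslog-prefix pattern and <HOST> with an address group; both are written out by hand here,
# simplified to a "Mon DD HH:MM:SS host sshd[pid]:" prefix and IPv4 addresses only.
PREFIX = r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILREGEX = re.compile(
    PREFIX + r"Failed \S+ for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?: port \d*)?(?: ssh\d*)?$")

# Constructed sample of /var/log/secure lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 51122 ssh2
Mar  3 10:02:15 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51130 ssh2
Mar  3 10:04:40 host sshd[1003]: Failed password for root from 203.0.113.10 port 51140 ssh2
Mar  3 10:05:00 host sshd[1004]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  3 10:06:00 host sshd[1005]: Accepted publickey for deploy from 192.0.2.5 port 2222 ssh2
Mar  3 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:55:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 40002 ssh2
""".splitlines()

def parse_time(m, year=2024):
    """Syslog timestamps carry no year; assume one (fail2ban uses the current year)."""
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")

def simulate(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {host: time_of_ban}. A host is banned once `maxretry` matching lines fall
    within `findtime` seconds of the newest one; older failures are forgotten."""
    failures = {}  # host -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failure line (e.g. a successful login)
        host, ts = m["host"], parse_time(m)
        if host in bans and (ts - bans[host]).total_seconds() < bantime:
            continue  # already banned: the firewall would have dropped this connection
        hits = [t for t in failures.get(host, []) if (ts - t).total_seconds() <= findtime]
        hits.append(ts)
        failures[host] = hits
        if len(hits) >= maxretry:
            bans[host] = ts  # the moment fail2ban.log would record "Ban <host>"
            failures[host] = []
    return bans

# 203.0.113.10 fails three times within 280 s -> banned; 198.51.100.7 spreads its three
# failures 25 minutes apart, outside findtime=600 -> never reaches maxretry.
print(simulate(SAMPLE_LOG))
```

Re-running simulate(SAMPLE_LOG, findtime=3600) bans the slow host as well, which is the trade-off to weigh when widening findtime.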
Configure mail notifications:
# Install the mail service
sudo yum install sendmail -y
sudo systemctl start sendmail
sudo systemctl enable sendmail
# Configure mail in jail.local
destemail = admin@yourdomain.com
sender = fail2ban@yourserver.com
action = %(action_mwl)s
8. Monitoring script
Create the monitoring script:
nano ~/fail2ban_monitor.sh
#!/bin/bash
# fail2ban monitoring script
echo "=== Fail2ban status monitor ==="
echo "Time: $(date)"
echo
# Check the service status
echo "--- Service status ---"
sudo systemctl is-active fail2ban
echo
# Check the sshd jail status
echo "--- sshd jail status ---"
sudo fail2ban-client status sshd
echo
# Show recent ban records
echo "--- Recent bans ---"
sudo tail -n 20 /var/log/fail2ban.log | grep Ban
echo
# Show the currently banned IPs
echo "--- Currently banned IPs ---"
sudo fail2ban-client get sshd banip
echo
# Count today's failed password attempts per source IP.
# The date prefix matches both classic syslog timestamps ("Mar  3") and RFC 3339
# timestamps ("2024-03-03T..."). The address is taken from the "from <IP>" field rather
# than a fixed column, because the column shifts for "invalid user" lines.
echo "--- Today's failed logins by source IP ---"
sudo grep -E "^($(date '+%b %e')|$(date '+%Y-%m-%d'))" /var/log/secure \
  | grep "Failed password" \
  | grep -oE 'from [0-9a-fA-F.:]+' | awk '{print $2}' \
  | sort | uniq -c | sort -nr | head -10
Set up the scheduled task. The script reads /var/log/secure, calls fail2ban-client and writes under /var/log, so install it in root's crontab:
# Make the script executable
chmod +x ~/fail2ban_monitor.sh
# Edit root's crontab
sudo crontab -e
# Add an entry that runs the monitor once an hour
0 * * * * /home/your_user/fail2ban_monitor.sh >> /var/log/fail2ban_monitor.log 2>&1
9. Troubleshooting
Common problems and fixes:
1. The service fails to start
# Check the configuration syntax
sudo fail2ban-client -t
# View detailed error messages
sudo journalctl -u fail2ban -f
2. Log file permission problems
# fail2ban-server runs as root, so it can read /var/log/secure with the default mode 600.
# Restore ownership and mode rather than loosening them: the auth log lists usernames and
# source addresses and must not be world-readable.
sudo chown root:root /var/log/secure
sudo chmod 600 /var/log/secure
3. SELinux problems
# Check SELinux status
getenforce
# If it is Enforcing and fail2ban cannot read logs or run firewall commands, look for AVC
# denials that name fail2ban (requires the audit package). Do not toggle unrelated booleans:
# httpd_can_network_connect concerns Apache, not fail2ban.
sudo ausearch -m avc -ts recent | grep fail2ban
# EPEL ships a policy module for fail2ban; install it instead of writing a custom policy
sudo yum install fail2ban-selinux -y
10. Performance tuning
Tuning settings:
# Add to jail.local
[DEFAULT]
# Use the journal backend, which avoids polling the log file
backend = systemd
# Timezone of the log timestamps. Set this only if the log timestamps carry no zone and are
# not in the server's local time; otherwise findtime windows are computed against the wrong clock.
logtimezone = UTC
# Purge ban database entries older than this many seconds (keep it at least as long as bantime)
dbpurgeage = 86400
Verify the installation
Run the following commands to confirm that fail2ban is working:
# 1. Check the service status
sudo systemctl status fail2ban
# 2. Show the jail status
sudo fail2ban-client status
# 3. Show the SSH protection status
sudo fail2ban-client status sshd
# 4. Follow the log
sudo tail -f /var/log/fail2ban.log
If everything is working, you should see output similar to this:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Your CentOS server is now configured with fail2ban to protect SSH against brute-force attacks.