Ignoring IP addresses in Fail2Ban


Fail2Ban helps protect your Linux server from attacks. It is a Python package that monitors log files and dynamically adjusts firewall rules to block malicious IP addresses.

You write (or use pre-configured) Python regular expressions, called filters, to identify malicious requests. When Fail2Ban sees a filter's regex match in the specified log file often enough (maxretry matches within findtime seconds), it dynamically generates an iptables rule that bans the offending IP address for a period of time (bantime).
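The counting logic described above, as an added example (not code from the original post or from the Fail2Ban project): a minimal emulation of one jail, run over a few constructed auth.log lines. The failregex is a simplified version of the sshd filter, the year is assumed because syslog timestamps carry none, and the rendered iptables command is modelled on the iptables-multiport action rather than taken from it. It shows the difference between three failures inside findtime and three failures spread over an hour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style sshd lines (not taken from any real host).
# 198.51.100.7 fails three times in eight seconds; 203.0.113.5 fails three
# times spaced twenty minutes apart, then logs in successfully.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 archimedes sshd[2001]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar  3 10:00:05 archimedes sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2
Mar  3 10:00:09 archimedes sshd[2003]: Failed password for root from 198.51.100.7 port 50003 ssh2
Mar  3 10:00:12 archimedes sshd[2004]: Failed password for alice from 203.0.113.5 port 50004 ssh2
Mar  3 10:20:00 archimedes sshd[2005]: Failed password for alice from 203.0.113.5 port 50005 ssh2
Mar  3 10:40:00 archimedes sshd[2006]: Failed password for alice from 203.0.113.5 port 50006 ssh2
Mar  3 10:40:03 archimedes sshd[2007]: Accepted password for alice from 203.0.113.5 port 50006 ssh2
"""

# Simplified failregex in the spirit of filter.d/sshd.conf. Fail2Ban writes the
# address placeholder as <HOST>; a named group plays that role here.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s")
SYSLOG_YEAR = 2024  # assumption: syslog timestamps carry no year


def parse_timestamp(line):
    """Return the datetime of a syslog-style line, or None if it has no timestamp."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = " ".join(m.group("ts").split())  # collapse "Mar  3" to "Mar 3"
    return datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=600):
    """Emulate a jail: ban a host once it produces `maxretry` failregex matches
    within a sliding window of `findtime` seconds (Fail2Ban's own units).
    Returns {ip: 'YYYY-MM-DD HH:MM:SS'}, the time each ban fires."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # lines the filter does not match are never counted
        ip = m.group("host")
        if ip in bans:
            continue  # already banned by this jail
        ts = parse_timestamp(line)
        if ts is None:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return bans


def iptables_ban_rule(ip, jail="sshd"):
    """Shape of the rule iptables-multiport inserts into the jail's chain
    (modelled on its actionban; the real command is in action.d/iptables-multiport.conf)."""
    return f"iptables -I f2b-{jail} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"{when}  ban {ip}: {iptables_ban_rule(ip)}")
```

With the defaults (maxretry 3, findtime 600) only 198.51.100.7 is banned; widening findtime to an hour also catches the slow attempts from 203.0.113.5, which is the trade-off the findtime setting controls.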

Fail2Ban configuration

For example, Fail2Ban can be configured to trigger a ban on the originating IP address:

  • after 3 failed SSH login attempts within 10 minutes,
  • after a single user-enumeration attempt - in the context of WordPress, this type of request is almost certainly malicious,
  • after 6 failed submissions within five minutes on a public-facing user login form.

On Ubuntu 16.04 the main configuration file is /etc/fail2ban/jail.conf. Do not edit it, because your customisations will be overwritten on upgrade. Instead, extend the configuration in one of two ways:

  • add override rules to the /etc/fail2ban/jail.local file
  • add configuration rules file-by-file in the /etc/fail2ban/jail.d directory, using the .conf suffix

Fail2Ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, and a later file overrides settings from an earlier one.

Each jail in the configuration files references a filter, which determines the regex to match. A range of pre-configured filters is provided in /etc/fail2ban/filter.d.

Ignoring IP addresses

Fail2Ban lets you list IP addresses that should be ignored. This is useful for testing, and helps avoid unnecessary lockouts of clients (or of yourself).

To do this, add ignoreip = 127.0.0.1/8 x.x.x.x y.y.y.y to the [DEFAULT] section or to the relevant jail section (not to an action).

Note that an ignoreip line inside a jail replaces the default value: the jail's list overrides the [DEFAULT] list, it does not merge the IP addresses. Any address you want ignored in that jail must be repeated there.
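The override behaviour, as an added example that is not part of the original post: a constructed jail.local is parsed with Python's configparser, whose [DEFAULT] fallback rules are the ones Fail2Ban's own (configparser-based) reader applies, and each jail's effective ignoreip list is resolved and checked against an address. The `dropped_from_default` helper is a hypothetical lint for the pitfall described above; it is not a Fail2Ban feature. Hostnames, which Fail2Ban also accepts in ignoreip, are deliberately not handled.

```python
import configparser
import ipaddress

# Constructed jail.local (not the page's own file) that shows the pitfall:
# [DEFAULT] lists three safe entries, [sshd] re-declares ignoreip and so
# silently drops two of them, [wordpress-hard] declares nothing and inherits.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600
ignoreip = 127.0.0.1/8 192.0.2.10 198.51.100.0/24

[sshd]
enabled = true
bantime = 36000
ignoreip = 127.0.0.1/8 203.0.113.5

[wordpress-hard]
enabled = true
maxretry = 1
"""


def load_jails(text):
    """Parse jail.local text with the same [DEFAULT] fallback semantics
    Fail2Ban's configparser-based reader uses."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def effective_ignoreip(cfg, jail):
    """The ignoreip list a jail actually uses: its own value if it sets one,
    otherwise [DEFAULT]'s. The two are substituted, never merged."""
    return cfg.get(jail, "ignoreip", fallback="").split()


def is_ignored(cfg, jail, ip):
    """True if `ip` falls inside any address or CIDR range the jail ignores.
    Only literal addresses and networks are handled, not hostnames."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in effective_ignoreip(cfg, jail))


def dropped_from_default(cfg, jail):
    """Hypothetical lint: [DEFAULT] entries that this jail's own ignoreip no
    longer contains (empty when the jail inherits or repeats them)."""
    default = cfg.defaults().get("ignoreip", "").split()
    jail_list = set(effective_ignoreip(cfg, jail))
    return [entry for entry in default if entry not in jail_list]


if __name__ == "__main__":
    cfg = load_jails(JAIL_LOCAL)
    for jail in ("sshd", "wordpress-hard"):
        print(jail, effective_ignoreip(cfg, jail),
              "dropped from DEFAULT:", dropped_from_default(cfg, jail))
```

On a live system, `fail2ban-client get <JAIL> ignoreip` prints the list a running jail actually uses, which is the quickest way to confirm that an address you added to [DEFAULT] has not been dropped by a per-jail override.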

Example jail.local

The following file defines all the jails in a single place. You do not need to copy the whole of /etc/fail2ban/jail.conf; extend only the sections you need.


# File: /etc/fail2ban/jail.local

# Fail2ban overrides
# These rules override `/etc/fail2ban/jail.conf`.
# =============================================================

[DEFAULT]
# Ban bad hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf (present on firewalld-based
# distributions; iptables-multiport is also the upstream default banaction):
banaction = iptables-multiport
# Emails
destemail = serveradmin@example.com
sendername = Fail2Ban_Archimedes
mta = mail
# Action
action = %(action_mwl)s
# List of safe IP addresses
ignoreip = 127.0.0.1/8 x.x.x.x

# ============================================================
# Jails Enabled
# ============================================================

# sshd jail is already enabled by default, so this isn't strictly necessary
[sshd]
enabled = true
bantime = 36000
# Override the default value - overwrites, does not merge
ignoreip = 127.0.0.1/8 x.x.x.x y.y.y.y

# Custom jail name (not defined in jail.conf), so the filter and logpath
# are set explicitly; bans the non-standard SSH port 9999
[ssh]
enabled = true
port = 9999
# Use a pre-configured filter
filter = sshd
bantime = 36000
logpath = /var/log/auth.log
maxretry = 6
ignoreip = 127.0.0.1/8 x.x.x.x y.y.y.y

# For WordPress jails, you need to configure WordPress to write to the specified log.
# You also need to create appropriate filters e.g. `/etc/fail2ban/filter.d/wordpress-hard.conf`.

# This jails IP addresses that are certainly malicious (e.g. trying to enumerate users)
[wordpress-hard]
enabled = true
filter = wordpress-hard
bantime = 36000
logpath = /var/log/auth.log
maxretry = 1
port = http,https

# Softer jail - allows users to retry their logins
[wordpress-soft]
enabled = true
filter = wordpress-soft
bantime = 36000
logpath = /var/log/auth.log
maxretry = 3
port = http,https
