Because this is a test system that may also serve external traffic, overly strict firewall rules cannot be applied, so fail2ban was installed to harden the host.
# apt-get install fail2ban
Edit the configuration file
# vim /etc/fail2ban/jail.conf
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
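To make the jail settings above concrete, here is an added example (not part of the original post and not fail2ban's own code) that replays the sshd filter's ban logic over a few constructed /var/log/auth.log lines. It assumes fail2ban's sliding-window semantics: an IP is banned once it accumulates maxretry failures within findtime seconds, and the ban lasts bantime seconds. findtime is not set in the jail above, so the example assumes the jail.conf default of 600 seconds; the regex is a simplified stand-in for the real sshd filter, and the log lines and hostname srv are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not real server data).
# 192.168.1.1 fails three times within 11 seconds; 10.0.0.9 fails three
# times but 30 minutes apart, which is outside the findtime window.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 srv sshd[2001]: Failed password for root from 192.168.1.1 port 50001 ssh2
Mar  3 10:00:05 srv sshd[2002]: Failed password for invalid user admin from 192.168.1.1 port 50002 ssh2
Mar  3 10:00:09 srv sshd[2003]: Accepted publickey for alice from 192.168.1.50 port 50003 ssh2
Mar  3 10:00:12 srv sshd[2004]: Failed password for root from 192.168.1.1 port 50004 ssh2
Mar  3 10:30:00 srv sshd[2005]: Failed password for root from 10.0.0.9 port 50005 ssh2
Mar  3 11:00:00 srv sshd[2006]: Failed password for root from 10.0.0.9 port 50006 ssh2
Mar  3 11:30:00 srv sshd[2007]: Failed password for root from 10.0.0.9 port 50007 ssh2
"""

# Simplified stand-in for the sshd filter's failregex (assumption, not the
# real filter.d/sshd.conf pattern): syslog timestamp, then a failed password.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip) for every line matching the failure pattern.

    syslog timestamps carry no year, so the caller supplies one (fail2ban
    infers it the same way)."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group("ip")))
    return failures


def compute_bans(failures, maxretry=3, findtime=600, bantime=86400):
    """Apply the jail's counters: ban an IP when it reaches maxretry
    failures inside a findtime-second window; return ip -> ban expiry."""
    recent = {}  # ip -> timestamps of failures still inside the window
    banned = {}  # ip -> datetime at which the ban expires
    for ts, ip in sorted(failures):
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts + timedelta(seconds=bantime)
    return banned


def render_chain(banned):
    """Render the fail2ban-ssh chain the way `iptables -L fail2ban-ssh -n`
    would show it for these bans: one DROP per IP, then the RETURN rule."""
    rules = [f"DROP all -- {ip} 0.0.0.0/0" for ip in sorted(banned)]
    rules.append("RETURN all -- 0.0.0.0/0 0.0.0.0/0")
    return rules


if __name__ == "__main__":
    bans = compute_bans(parse_failures(SAMPLE_AUTH_LOG))
    for ip, expiry in bans.items():
        print(f"{ip} banned until {expiry}")
    print("\n".join(render_chain(bans)))
```

Running it bans only 192.168.1.1 (three failures in 11 seconds); 10.0.0.9 never reaches maxretry because its failures fall outside the 600-second findtime window, which is why a slow, spread-out guess rate can stay under the jail's threshold and why findtime deserves as much attention as maxretry. Note also that fail2ban tracks its own ban list: removing the DROP rule by hand with iptables, as the post does below, leaves fail2ban still believing the IP is banned, whereas `fail2ban-client set ssh unbanip <IP>` clears both the rule and fail2ban's state.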
Restart the fail2ban service
# /etc/init.d/fail2ban restart
[ ok ] Restarting authentication failure monitor: fail2ban.
Check the status of fail2ban
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
After several failed connection attempts from client IP 192.168.1.1 to server IP 192.168.1.109
List the SSH attacks detected by fail2ban
# fail2ban-client status ssh
Status for the jail: ssh
|- filter
| |- File list: /var/log/auth.log
| |- Currently failed: 1
| `- Total failed: 1
`- action
|- Currently banned: 1
| `- IP list: 192.168.1.1
`- Total banned: 1
List the rules in the fail2ban-ssh chain
# iptables -t filter -L fail2ban-ssh -n
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 192.168.1.1 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
To unban:
# iptables -D fail2ban-ssh -s 192.168.1.1 -j DROP
After running for a while, take a look at the results:
# iptables -t filter -L fail2ban-ssh -n
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 61.174.51.211 0.0.0.0/0
DROP all -- 122.225.109.100 0.0.0.0/0
DROP all -- 61.174.51.215 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0