雲伺服器一直有人掃 22 端口進行爆破,看著這不停滾動的記錄,很是不爽。
root@localhost:~# lastb
ssh:notty 64.62.197.115 Fri Oct 6 21:29 - 21:29 (00:00)
httpfs ssh:notty 68.183.176.157 Fri Oct 6 21:12 - 21:12 (00:00)
httpfs ssh:notty 68.183.176.157 Fri Oct 6 21:12 - 21:12 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:10 - 21:10 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:10 - 21:10 (00:00)
web ssh:notty 68.183.176.157 Fri Oct 6 21:06 - 21:06 (00:00)
web ssh:notty 68.183.176.157 Fri Oct 6 21:06 - 21:06 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:05 - 21:05 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 21:05 - 21:05 (00:00)
root ssh:notty 121.186.84.26 Fri Oct 6 21:03 - 21:03 (00:00)
root ssh:notty 121.186.84.26 Fri Oct 6 21:03 - 21:03 (00:00)
root ssh:notty 121.186.84.26 Fri Oct 6 21:03 - 21:03 (00:00)
unbt ssh:notty 68.183.176.157 Fri Oct 6 20:59 - 20:59 (00:00)
unbt ssh:notty 68.183.176.157 Fri Oct 6 20:59 - 20:59 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:59 - 20:59 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:59 - 20:59 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:53 - 20:53 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:53 - 20:53 (00:00)
node ssh:notty 68.183.176.157 Fri Oct 6 20:53 - 20:53 (00:00)
node ssh:notty 68.183.176.157 Fri Oct 6 20:53 - 20:53 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:47 - 20:47 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:47 - 20:47 (00:00)
backup ssh:notty 68.183.176.157 Fri Oct 6 20:46 - 20:46 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:42 - 20:42 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:42 - 20:42 (00:00)
develope ssh:notty 68.183.176.157 Fri Oct 6 20:40 - 20:40 (00:00)
develope ssh:notty 68.183.176.157 Fri Oct 6 20:40 - 20:40 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:36 - 20:36 (00:00)
operator ssh:notty 157.245.220.120 Fri Oct 6 20:36 - 20:36 (00:00)
nexus ssh:notty 68.183.176.157 Fri Oct 6 20:33 - 20:33 (00:00)
nexus ssh:notty 68.183.176.157 Fri Oct 6 20:33 - 20:33 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:30 - 20:30 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:30 - 20:30 (00:00)
root ssh:notty 59.39.24.254 Fri Oct 6 20:30 - 20:30 (00:00)
root ssh:notty 59.39.24.254 Fri Oct 6 20:28 - 20:28 (00:00)
root ssh:notty 111.26.175.223 Fri Oct 6 20:27 - 20:27 (00:00)
nvidia ssh:notty 68.183.176.157 Fri Oct 6 20:27 - 20:27 (00:00)
nvidia ssh:notty 68.183.176.157 Fri Oct 6 20:27 - 20:27 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:25 - 20:25 (00:00)
nifi ssh:notty 157.245.220.120 Fri Oct 6 20:25 - 20:25 (00:00)
aaa ssh:notty 68.183.176.157 Fri Oct 6 20:20 - 20:20 (00:00
Fail2Ban 是一個入侵檢測系統框架,通過合理配置可以避免爆破攻擊,在大多數發行版本中包管理都是有的。
Debian 安裝 Fail2ban#
#使用Debian 包管理器安裝
sudo aptitude install fail2ban
配置 Fail2ban#
使用包管理安裝配置文件都在/etc/fail2ban目錄下,目錄結構如下
ls -al
total 104
drwxr-xr-x 6 root root 4096 Apr 14 12:08 .
drwxr-xr-x 97 root root 4096 Mar 21 23:24 ..
drwxr-xr-x 2 root root 4096 Oct 6 2023 action.d
-rw-r--r-- 1 root root 3017 Nov 9 2022 fail2ban.conf
drwxr-xr-x 2 root root 4096 Apr 22 2023 fail2ban.d
drwxr-xr-x 3 root root 4096 Mar 11 21:41 filter.d
-rw-r--r-- 1 root root 25607 Apr 14 11:20 jail.conf
drwxr-xr-x 2 root root 4096 Apr 14 11:29 jail.d
-rw-r--r-- 1 root root 645 Nov 9 2022 paths-arch.conf
-rw-r--r-- 1 root root 2728 Nov 9 2022 paths-common.conf
-rw-r--r-- 1 root root 627 Nov 9 2022 paths-debian.conf
-rw-r--r-- 1 root root 738 Nov 9 2022 paths-opensuse.conf
Fail2ban 配置文件目錄結構#
| action.d | 目錄下存放了當觸發規則時執行的操作配置文件 |
| fail2ban.conf | 是 Fail2ban.conf 配置文件 |
| fail2ban.d | Fail2ban 的額外配置文件 |
| filter.d | Fail2ban 規則 / 過濾器目錄,裡面是定義日誌過濾規則的配置文件這裡有官方寫好的規則,當然你可以在這裡定義自己的攔截過濾規則,比如攔截 frp 內網穿透等 |
| jail.conf | Fail2ban 官方監獄示列配置文件,定義了對服務或協議進行監控和防禦的規則、調用過濾器和動作。 |
| jail.d | 存放監獄(jail)的額外配置文件,Fail2ban 在啟動時會加載 jail.local 文件以及 jail.d 目錄下的所有配置文件 |
根據 [https://github.com/fail2ban/fail2ban/wiki/Proper-fail2ban-configuration\](Proper fail2ban configuration) ,給的示列配置文件放在jail.conf中,不建議直接修改給的配置文件,而是根據所需根據給的示列配置文件,編輯自己的jali.local,jail.conf 示列配置文件定義的監獄規則都默認被禁用,需要我們手動開啟。
sduo cp jail.conf jail.local
sudo nano jail.local
jail 配置文件#
[DEFAULT]
# 該標籤下是對jail監獄規則進行全局配置,全局設置可以被覆蓋
...
# 被封禁的時間,默認以秒為單位,bantime = 10m 表示被封禁的時間為 10 分鐘。
bantime = 10m
# 用於確定是否封禁IP的時間段,以秒為單位。findtime = 10m表示在過去的10分鐘內進行的登錄失敗大於等於maxretry次數將被封禁。
findtime = 10m
# 允許的最大登錄失敗次數,如果在findtime時間段內某個IP地址的登錄失敗次數達到或超過maxretry次,該IP地址將被封禁。
maxretry = 5
# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s
# 用於獲取文件修改的後端。這個選項指定了 Fail2ban 使用的監視文件變化的機制。
# 可以選擇的後端包括:pyinotify、gamin、polling、systemd 和 auto。
# 如果未指定後端,Fail2ban 將嘗試按照順序使用這些後端,直到找到可用的後端為止。
# backend = auto 表示 Fail2ban 將嘗試使用pyinotify、gamin、polling、systemd這幾種後端中的一種。
backend = auto
# 啟用ssh
[sshd]
# 使用nftables封禁ip
banaction = nftables-multiport
banaction_allports = nftables-allports
# 客戶端主機被禁止的時長 單位:秒
bantime = 86400
# 客戶端主機被禁止前允許失敗的次數
maxretry = 3
# 查找失敗次數的時長 單位:秒
findtime = 600
backend = systemd
enable=true
這裡需要注意下,Fail2ban 是需要分析日誌文件,在部分 Linux 發行版本中,ssh 登錄日誌已經被 systemd 所替代,所以不配置backend = systemd啟動會直接報下面的錯誤
ERROR Failed during configuration: Have not found any log file for sshd jail
Fail2ban 命令#
配置好之後,重啟啟動 Fail2ban
# 重啟
sudo systemctl restart fail2ban
# 停止
sudo systemctl stop fail2ban
# 啟動
sudo systemctl start fail2ban
# 開機啟動
sudo systemctl enable fail2ban
# 關閉開機啟動
sudo systemctl disable fail2ban
# 查看幫助命令
sudo fail2ban-client -h
# 查看fail2ban是否啟動成功
sudo fail2ban-client ping
# 顯示pong顯示啟動成功
Server replied: pong
# 查看當前啟用的規則
sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
# 查看指定規則下封禁信息
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 2
| |- Total failed: 14
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 3
|- Total banned: 3
`- Banned IP list: 121.186.84.26 157.245.220.120 68.183.176.157
參考#
Proper fail2ban configuration
How To Protect SSH with Fail2Ban on Debian 11 | DigitalOcean
Gentoo-Fail2ban
how-to-install-fail2ban-on-debian-linux
使用 Fail2ban 自動拉黑暴力破解 SSH 的 IP - Alain's Blog (alainlam.cn)
Fail2ban - ArchWiki (archlinux.org)
防止暴力破解 ssh 的四種方法_ssh 防爆破_Linux 學習中的博客 - CSDN 博客