Basically all of my hosts have remote logging set up, and everything is sent to the Log Center on a Synology NAS.
One of them, a Raspberry Pi acting as the outward-facing router, gets a pile of sshd authentication attempts, like:
Disconnected from invalid user slurm 128.199.177.36 port 60810 [preauth]
I only allow public-key authentication,
so brute-forcing a username and password is not going to work, but the pile of failed-authentication log entries is really annoying to look at.
So I Googled a bit and found this thing called fail2ban. It looks pretty good, so let's set it up.
Below are my installation steps, written down as I went:
Step 1: Install
apt-get install fail2ban
Change into /etc/fail2ban and take a look at the file jail.conf.
root@ptest:/etc/fail2ban# head jail.conf
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
As it says above, in most cases we should not modify this file, but instead provide a customized jail.local.
Step 2: In the /etc/fail2ban directory
cd /etc/fail2ban
cp jail.conf jail.local
Step 3: Edit jail.local
Find the sshd section. Elsewhere in this file there is also a commented-out #[sshd]; don't uncomment that one, it is only explanatory text.
Add two lines, "enabled" and "action":
enabled = true
action = %(action_)s
In the example above, action_ is the simplest setting. From the comments in jail.conf:
action_ : The simplest action to take: ban only
action_mw: ban & send an e-mail with whois report to the destemail.
action_mwl: ban & send an e-mail with whois report and relevant log lines
The complete section looks like this:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
action = %(action_)s
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Step 4: Start it
(systemctl is really handy. I used to wonder why the perfectly good service command had to be replaced, but now I'm quite used to it 😝)
# Enable automatic start at boot
systemctl enable fail2ban
# Start the service now
systemctl start fail2ban
Step 5: Check the service status; "active" means it is running
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-12-11 10:38:59 CST; 1h 12min ago
Docs: man:fail2ban(1)
Main PID: 26761 (fail2ban-server)
Tasks: 3 (limit: 4915)
CGroup: /system.slice/fail2ban.service
└─26761 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
If it fails to start, you can dump the configuration to look for errors. From fail2ban-client --help:
--dp, --dump-pretty dump the configuration using more human readable representation
fail2ban-client --dp
Step 6: Check the status of a <JAIL>; sshd is the name of the <JAIL>
fail2ban-client status sshd
The result looks like this:
(The action = line in step 3 is important and must be set; otherwise the Banned IP list you see here is just an illusion, because nothing is actually blocked.)
root@ptest:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 12
|  |- Total failed:     280
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     6
   `- Banned IP list:   88.218.17.117 137.184.65.253
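To make sense of the jail section from step 3 and of the counters in the status output above, here is an added illustration (not fail2ban's own code, and not part of the original post) of what the sshd jail does with the log lines: it matches failure lines from logpath with the failregex patterns of the filter, counts failures per source IP inside a sliding findtime window, and fires the action once maxretry is reached, for bantime. The two regexes are a small stand-in for filter.d/sshd.conf, the log excerpt is constructed, and the jail parameters (maxretry = 5, findtime = 10m, bantime = 10m) are assumptions that match the stock jail.conf defaults.

```python
"""Simplified emulation of how a fail2ban jail turns sshd log lines into bans.

Added illustration only: the failregex list is a stand-in for filter.d/sshd.conf
and the jail parameters are assumptions (they match the stock jail.conf defaults).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed jail parameters: 5 failures within 10 minutes -> ban for 10 minutes.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)

# syslog prefix as rsyslog writes it into /var/log/auth.log (the timestamp carries no year)
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Stand-in for fail2ban's failregex list; the <host> group plays the role of fail2ban's <HOST> tag.
FAILREGEX = [
    re.compile(r"^Disconnected from (?:invalid|authenticating) user \S+ "
               r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ \[preauth\]$"),
    re.compile(r"^Failed password for (?:invalid user )?\S+ from "
               r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"),
]


def parse_line(line, year=2022):
    """Return (timestamp, source_ip) for a line that matches a failregex, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for rx in FAILREGEX:
        f = rx.match(m.group("msg"))
        if f:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            return ts, f.group("host")
    return None


class Jail:
    """Counts failures per IP inside a sliding findtime window and bans at maxretry."""

    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
        self.bans = {}                      # ip -> time at which the ban expires
        self.total_failed = 0
        self.total_banned = 0

    def observe(self, ts, ip):
        """Record one failure; return True if it triggered a ban (i.e. the action would run)."""
        self.total_failed += 1
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            self.total_banned += 1
            window.clear()  # the failure counter is reset once the IP is banned
            return True
        return False


def process_log(lines, year=2022, jail=None):
    """Feed an auth.log excerpt through the jail and return it."""
    if jail is None:
        jail = Jail()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            jail.observe(*parsed)
    return jail


def status(jail, now):
    """The counters that `fail2ban-client status sshd` prints, evaluated at time `now`."""
    currently_failed = sum(
        1 for window in jail.failures.values() if any(now - t <= jail.findtime for t in window)
    )
    banned = sorted(ip for ip, expires in jail.bans.items() if expires > now)
    return {
        "currently_failed": currently_failed,
        "total_failed": jail.total_failed,
        "currently_banned": len(banned),
        "total_banned": jail.total_banned,
        "banned": banned,
    }


# Constructed auth.log excerpt (not real traffic): a slow prober that never reaches maxretry
# inside findtime, a two-try prober, a successful key login the filter must ignore, and a
# fast password sprayer that crosses maxretry within seconds.
SAMPLE_LOG = [
    "Dec 11 10:01:00 ptest sshd[2001]: Disconnected from invalid user ubuntu 203.0.113.7 port 40000 [preauth]",
    "Dec 11 10:13:00 ptest sshd[2002]: Disconnected from invalid user ubuntu 203.0.113.7 port 40002 [preauth]",
    "Dec 11 10:25:00 ptest sshd[2003]: Disconnected from invalid user ubuntu 203.0.113.7 port 40004 [preauth]",
    "Dec 11 10:25:10 ptest sshd[2004]: Disconnected from authenticating user root 137.184.65.253 port 33000 [preauth]",
    "Dec 11 10:25:12 ptest sshd[2005]: Disconnected from authenticating user root 137.184.65.253 port 33002 [preauth]",
    "Dec 11 10:26:00 ptest sshd[2006]: Accepted publickey for pi from 192.0.2.10 port 50000 ssh2",
    "Dec 11 10:30:01 ptest sshd[2007]: Disconnected from invalid user slurm 128.199.177.36 port 60810 [preauth]",
    "Dec 11 10:30:05 ptest sshd[2008]: Disconnected from invalid user admin 128.199.177.36 port 60812 [preauth]",
    "Dec 11 10:30:09 ptest sshd[2009]: Failed password for invalid user oracle from 128.199.177.36 port 60814 ssh2",
    "Dec 11 10:30:14 ptest sshd[2010]: Disconnected from invalid user test 128.199.177.36 port 60816 [preauth]",
    "Dec 11 10:30:20 ptest sshd[2011]: Disconnected from invalid user git 128.199.177.36 port 60818 [preauth]",
]

if __name__ == "__main__":
    jail = process_log(SAMPLE_LOG)
    for key, value in status(jail, datetime(2022, 12, 11, 10, 30, 20)).items():
        print(f"{key}: {value}")
```

Running it shows why the slow prober is never banned (each of its failures has aged out of findtime before the next arrives) while the sprayer is banned on its fifth attempt, and evaluating status() a bit later than bantime shows the ban expiring on its own, which is what "Currently banned" versus "Total banned" expresses in the real output.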
fail2ban-client has a great many functions, too many to list here; just run the command by itself to see them:
fail2ban-client
For example, a quick and dirty grep by hand:
root@ptest:~# fail2ban-client |grep banip
set <JAIL> banip <IP> manually Ban <IP> for <JAIL>
set <JAIL> unbanip <IP> manually Unban <IP> in <JAIL>
root@ptest:~#
To confirm it works, find another host and test whether it can log in; after manually banning its IP it should no longer be able to.
fail2ban-client set sshd banip 34.81.227.39
fail2ban-client set sshd unbanip 34.81.227.39
After testing the block, the host really cannot connect any more. Below is an illustrative transcript:
~# ssh ptest
ssh: connect to host 主機 port 22: Cannot assign requested address
Looking at the Log Center on my Synology afterwards, there really are far fewer entries.