When a machine at home is exposed to the public internet through frp and password login is enabled, it typically sees a large number of SSH brute-force attempts every day.
To limit this, we can use fail2ban.
Installation

yum install fail2ban-server

Configuration
cd /etc/fail2ban
cd jail.d
Create the configuration file as follows:
vim sshd.conf
[sshd]
port = ssh
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
bantime = 3600
findtime = 300
maxretry = 3
ignoreip = 127.0.0.1/32
Detailed meaning of the parameters:

port = ssh # port to monitor (default 22; if you changed the SSH port, adjust this accordingly)
enabled = true # enable the SSH jail
filter = sshd # use the sshd filter (matches failed attempts in the log)
action = iptables[name=SSH, port=ssh, protocol=tcp] # action to take: ban the IP with iptables
logpath = /var/log/secure # SSH authentication log path on CentOS/RHEL
bantime = 3600 # ban duration in seconds; 3600 seconds = 1 hour
findtime = 300 # time window in seconds; more than maxretry failures within 300 seconds triggers a ban
maxretry = 3 # maximum number of failed attempts allowed (here 3)
ignoreip = 127.0.0.1/8 # IPs to ignore (avoids accidentally banning localhost or trusted addresses)
Start

systemctl start fail2ban # start Fail2Ban
systemctl enable fail2ban # start at boot
systemctl status fail2ban # should show "active (running)"
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2025-09-21 17:24:53 CST; 46s ago
Docs: man:fail2ban(1)
Process: 27183 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 27186 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 27195 (fail2ban-server)
Tasks: 5
Memory: 10.1M
CGroup: /system.slice/fail2ban.service
└─27195 /usr/bin/python2 -s /usr/bin/fail2ban-server -xf start
Sep 21 17:24:53 centos7-3 systemd[1]: Starting Fail2Ban Service...
Sep 21 17:24:53 centos7-3 snoopy[27186]: [uid:0 sid:27186 tty:(none) cwd:/ filename:/bin/mkdir]: /bin/mkdir -p /run/fail2ban
Sep 21 17:24:53 centos7-3 systemd[1]: Started Fail2Ban Service.
Sep 21 17:24:53 centos7-3 snoopy[27195]: [uid:0 sid:27195 tty:(none) cwd:/ filename:/usr/bin/fail2ban-server]: /usr/bin/f... start
Sep 21 17:24:53 centos7-3 fail2ban-server[27195]: Server ready
Hint: Some lines were ellipsized, use -l to show in full.

Check the status of the SSH jail and confirm the rules are loaded:

> fail2ban-client status sshd # should show "Status: active" and the list of currently banned IPs
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

View the Fail2Ban log to follow its activity in real time:

> tail -f /var/log/fail2ban.log # streams Fail2Ban's operation log in real time (e.g. IP bans)
2025-09-21 17:24:53,632 fail2ban.jail [27195]: INFO Jail 'sshd' uses poller {}
2025-09-21 17:24:53,633 fail2ban.jail [27195]: INFO Initiated 'polling' backend
2025-09-21 17:24:53,638 fail2ban.filter [27195]: INFO maxLines: 1
2025-09-21 17:24:53,677 fail2ban.filter [27195]: INFO maxRetry: 3
2025-09-21 17:24:53,677 fail2ban.filter [27195]: INFO encoding: UTF-8
2025-09-21 17:24:53,678 fail2ban.filter [27195]: INFO findtime: 300
2025-09-21 17:24:53,678 fail2ban.actions [27195]: INFO banTime: 3600
2025-09-21 17:24:53,678 fail2ban.filter [27195]: INFO Added logfile: '/var/log/secure' (pos = 4881678, hash = d60400918f2bf72927a94dbeb839afb2)
2025-09-21 17:24:53,682 fail2ban.jail [27195]: INFO Jail 'sshd' started
2025-09-21 17:25:01,482 fail2ban.transmitter [27195]: WARNING Command ['status', 'ssh'] has failed. Received UnknownJailException('ssh',)

Manual ban and unban

Ban
fail2ban-client set sshd banip 192.168.1.100
Unban

fail2ban-client set sshd unbanip 192.168.1.100

The screenshot below shows the output of iptables -L -n after fail2ban blocked the address following repeated wrong-password attempts:

Note: if you change jail.local or a filter file, restart Fail2Ban for the changes to take effect:

sudo systemctl restart fail2ban

Original-work notice: this article is published on the Tencent Cloud Developer Community with the author's permission and may not be reproduced without permission.
If it infringes any rights, please contact cloudcommunity@tencent.com to have it removed.