掘金 后端 ( ) • 2024-03-29 15:04
通过fail2ban来提升服务器稳定性
fail2ban 服务器 稳定性

theme: geek-black

fail2ban

简介

仓库地址:https://github.com/fail2ban/fail2ban/tree/master

Fail2Ban通过扫描日志文件,如/var/log/auth.log,通过更新系统防火墙规则,在一段可配置的时间内来禁止IP地址进行过多的失败尝试。通过使用fail2ban可以大大提高系统的安全性。

安装

$ sudo ln -sf /usr/bin/python3.7 /usr/bin/python
$ git clone https://github.com/fail2ban/fail2ban.git
$ cd fail2ban/
$ python setup.py install
$ cp files/debian-initd /etc/init.d/fail2ban
$ update-rc.d fail2ban defaults
$ service fail2ban start

默认日志:/var/log/fail2ban.log

参考配置:/etc/fail2ban/jail.conf

防止SSH暴力破解

对于开放在公网的SSH服务一直是被攻击的重点对象,我们可以通过fail2ban来防止暴力破解

$ cat /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 1046
filter = sshd
logpath = /var/log/auth.log
ignoreip = 127.0.0.1/8 ::1
findtime = 600 # 间隔时间
maxretry = 3 # 最大失败次数
bantime = 60 # 封禁时间

重启服务

$ systemctl restart fail2ban
$ fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd

我们在反复测试ssh失败,3次后查看iptables

$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1046

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	9
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	3
   `- Banned IP list:	10.246.250.26

手工去掉封禁

$ fail2ban-client unban 10.246.250.26

防止nginx被爆破

配置nginx和fail2ban

$ printf "test:$(openssl passwd -1 testpassword)\n" > /etc/nginx/conf.d/.passwd
$ cat /etc/nginx/sites-enabled/test.conf
server {
    listen 80 ;
    server_name test.netease.com;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-http-auth]
enabled = true
port    = http,https
filter  = nginx-http-auth
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 3
bantime = 60
$ systemctl restart fail2ban

测试

$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword
$ curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:test # 失败3次后就被封了
curl: (7) Failed to connect to test.netease.com port 80: Connection refused
# 服务端上可以看到
$ tail -f  /var/log/fail2ban.log
2024-03-29 14:09:31,083 fail2ban.filter   [40602]: INFO    [nginx-http-auth] Found 10.246.250.26 - 2024-03-29 14:09:31
2024-03-29 14:09:31,850 fail2ban.actions  [40602]: NOTICE  [nginx-http-auth] Ban 10.246.250.26
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-http-auth  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-http-auth (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

防止nginx被刷

配置nginx和fail2ban,虽然通过limit_req可以返回给用户503,但是大量的503还是会给服务器造成压力,所以通过fail2ban添加iptables直接封禁

$ cat /etc/nginx/sites-enabled/test.conf
limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s; # 测试需要调整为1秒1个请求

server {
    listen 80 ;
    server_name test.netease.com;
    limit_req zone=perip burst=1 nodelay;

    location / {
      auth_basic "you must have correct access";
      auth_basic_user_file conf.d/.passwd;
      autoindex on;
      autoindex_localtime on;
      alias /data/;
    }
}
$ nginx -s reload
$ cat /etc/fail2ban/jail.local
[nginx-limit-req]
enabled = true
port    = http,https
filter  = nginx-limit-req
logpath = /var/log/nginx/error.log
findtime = 1m
maxretry = 1
bantime = 60
$ systemctl restart fail2ban

测试

$ for i in `seq 10`;do curl http://test.netease.com --resolve test.netease.com:80:10.246.250.24 --user test:testpassword ;done
# 服务端上可以看到
$ tail  -f /var/log/fail2ban.log
2024-03-29 14:32:04,414 fail2ban.filter         [14526]: INFO    [nginx-limit-req] Found 10.246.250.26 - 2024-03-29 14:31:29
2024-03-29 14:32:04,449 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] Ban 10.246.250.26
2024-03-29 14:32:04,478 fail2ban.actions        [14526]: NOTICE  [nginx-limit-req] 10.246.250.26 already banned
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nginx-limit-req  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nginx-limit-req (1 references)
target     prot opt source               destination
REJECT     all  --  10.246.250.26        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0