2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Fail2ban is a well-known open source intrusion prevention framework on Linux. It monitors the log files of multiple services (such as /var/log/auth.log or /var/log/secure) and automatically triggers different defense actions when it detects suspicious behavior. As a basic security measure, fail2ban is very useful for defending SSH servers against brute-force password cracking.
Let's talk about the basic configuration:
1. Download the source
Download the appropriate installation package
2. yum installation
yum install -y fail2ban
3. Start
service fail2ban start
4. fail2ban configuration files
Service configuration directory: /etc/fail2ban/
/etc/fail2ban/action.d # action directory containing the default files. Action configuration such as iptables and mail
/etc/fail2ban/fail2ban.conf # defines the fail2ban log level, log location, and socket file location
/etc/fail2ban/filter.d # filter directory containing the default files. Sets the key log content to match
/etc/fail2ban/jail.conf # main configuration file, organized into modules. Mainly sets which services are enabled and the thresholds and actions for banning
/etc/rc.d/init.d/fail2ban # startup script file
5. Configuration
vim /etc/fail2ban/jail.conf
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR (Classless Inter-Domain Routing) mask, or a DNS host name.
# Fail2ban will not ban a host that matches an entry in this list.
# Multiple addresses can be separated by spaces.
ignoreip = 127.0.0.1
# "bantime" is how long a host stays banned, in seconds.
bantime = 3600
# "findtime" is the interval, in seconds, during which failures are counted. With 600, each failed login within 10 minutes adds 1 to the retry count; after more than 10 minutes the count starts again from zero.
findtime = 600
# "maxretry" is the maximum number of retries. After 3 failures the host is banned from logging in.
maxretry = 3
# Log detection mechanism, with three modes: "gamin", "polling" and "auto".
backend = auto
[ssh-iptables]
# enable this jail
enabled = true
filter = sshd
# port=ssh here is the default SSH port. If you have changed it, change it here as well, for example port=213
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 5
6. View iptables
[root@ fail2ban]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
7. View the log
tail /var/log/fail2ban.log
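How ignoreip, findtime and maxretry from the jail.conf above interact, shown as an added example (not part of the original article and not fail2ban's own code): a small Python simulation over constructed /var/log/secure lines. The regex is a simplified stand-in for the sshd filter, the year 2025 is assumed because syslog timestamps omit it, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds taken from the [DEFAULT] section shown above.
FINDTIME = 600            # counting window in seconds
MAXRETRY = 3              # failures inside the window that trigger a ban
IGNOREIP = {"127.0.0.1"}  # never banned

# Simplified stand-in for the sshd filter (assumption, not fail2ban's real regex).
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

# Constructed sample lines in /var/log/secure format.
SAMPLE_LOG = """\
Jan 18 10:00:00 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 18 10:00:30 host sshd[1002]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Jan 18 10:01:00 host sshd[1003]: Failed password for root from 127.0.0.1 port 40003 ssh2
Jan 18 10:01:05 host sshd[1004]: Failed password for root from 127.0.0.1 port 40004 ssh2
Jan 18 10:01:10 host sshd[1005]: Failed password for root from 127.0.0.1 port 40005 ssh2
Jan 18 10:02:00 host sshd[1006]: Failed password for root from 203.0.113.7 port 40006 ssh2
Jan 18 10:03:00 host sshd[1007]: Accepted password for alice from 192.0.2.10 port 40007 ssh2
Jan 18 10:04:00 host sshd[1008]: Failed password for root from 203.0.113.7 port 40008 ssh2
Jan 18 10:06:00 host sshd[1009]: Failed password for invalid user admin from 198.51.100.9 port 40009 ssh2
Jan 18 10:11:00 host sshd[1010]: Failed password for invalid user admin from 198.51.100.9 port 40010 ssh2
"""

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return {ip: HH:MM:SS of the failure that would trigger the ban}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m.group(2) in ignoreip or m.group(2) in bans:
            continue
        ip = m.group(2)
        # Syslog lines carry no year, so one is assumed for parsing.
        ts = datetime.strptime("2025 " + m.group(1), "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime: they no longer count toward maxretry.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts.strftime("%H:%M:%S")
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

198.51.100.9 also fails three times, but its first failure is more than 600 seconds old when the third arrives, so it is not banned under these settings.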