1. Reason for installing fail2ban
Since the site went live it has been "greeted" by scanners and request floods countless times. The Aliyun security team is diligent and sends me anomaly-alert text messages at night — thank you (a free advertisement for them).
[root@Lnmp logs]# awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -10
18559 121.42.0.38
16353 121.42.0.39
15351 222.186.34.249
15350 222.186.160.94
15341 222.186.21.35
13870 121.42.0.36
13172 121.42.0.17
12393 121.42.0.31
12302 121.42.0.37
11843 121.42.0.30
Each of the top ten sources had made more than ten thousand requests, so I decided to install fail2ban to rate-limit and block them. (Caveat: `$1` is the remote address as nginx saw it. If the site sits behind a CDN or reverse proxy, that field is the proxy's address — banning it would cut off every user — so log and match the `X-Forwarded-For` / real-IP value instead.)
1.1 Software introduction
Fail2ban is a utility that tails log files, matches each line against regular expressions (filters), and when one source address produces more than a configured number of matches within a time window, runs a ban action — typically inserting an iptables rule — for a configured period.
1.2 installation environment
[root@Lnmp logs]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@Lnmp logs]# uname -r
2.6.32-642.6.1.el6.x86_64
2. Building and configuring fail2ban
# Upload fail2ban-0.8.14.tar.gz to the tools directory, extract it and install from source.
# Note: fail2ban 0.8.x (2014) and CentOS 6 are both end-of-life. On a current system install the
# distribution package (e.g. `yum install epel-release fail2ban`) instead of building a tarball, and
# if you do use a tarball, verify its checksum/signature against the upstream release before running setup.py.
[root@Lnmp tools] # tar xf fail2ban-0.8.14.tar.gz
[root@Lnmp tools] # cd fail2ban-0.8.14
[root@Lnmp fail2ban-0.8.14] # ll
Total 236
-rw-rw-r-- 1 root root 46255 Aug 20 2014 ChangeLog
Drwxrwxr-x 2 root root 4096 Aug 20 2014 client
Drwxrwxr-x 2 root root 4096 Aug 20 2014 common
Drwxrwxr-x 4 root root 4096 Aug 20 2014 config
-rw-rw-r-- 1 root root 19296 Aug 20 2014 COPYING
-rw-rw-r-- 1 root root 13329 Aug 20 2014 DEVELOP
Drwxrwxr-x 2 root root 4096 Aug 20 2014 doc
-rwxrwxr-x 1 root root 12699 Aug 20 2014 fail2ban-client
-rwxrwxr-x 1 root root 13570 Aug 20 2014 fail2ban-regex
-rwxrwxr-x 1 root root 4502 Aug 20 2014 fail2ban-server
-rwxrwxr-x 1 root root 8242 Aug 20 2014 fail2ban-testcases
-rwxrwxr-x 1 root root 397 Aug 20 2014 fail2ban-testcases-all
Drwxrwxr-x 4 root root 4096 Aug 20 2014 files
-rw-rw-r-- 1 root root 18972 Aug 20 2014 FILTERS
-rwxrwxr-x 1 root root 69 Aug 20 2014 kill-server
Drwxrwxr-x 2 root root 4096 Aug 20 2014 man
-rw-rw-r-- 1 root root 8268 Aug 20 2014 MANIFEST
-rw-rw-r-- 1 root root 3992 Aug 20 2014 README.md
-rw-rw-r-- 1 root root 4189 Aug 20 2014 README.Solaris
Drwxrwxr-x 2 root root 4096 Aug 20 2014 server
-rw-rw-r-- 1 root root 291 Aug 20 2014 setup.cfg
-rwxrwxr-x 1 root root 3337 Aug 20 2014 setup.py
Drwxrwxr-x 4 root root 4096 Aug 20 2014 testcases
-rw-rw-r-- 1 root root 1733 Aug 20 2014 THANKS
-rw-rw-r-- 1 root root 1827 Aug 20 2014 TODO
# install fail2ban (it needs Python; install Python first if it is missing). `setup.py install` run as root writes into the system site-packages and /etc/fail2ban, which the package manager will not track.
[root@Lnmp fail2ban-0.8.14] # python setup.py install
# locate the bundled init script (the chkconfig header gives the runlevels and start/stop priorities)
[root@Lnmp fail2ban-0.8.14]# grep -R --color chkconfig ./*
./files/redhat-initd:# chkconfig: - 92 08
# copy the init script to /etc/init.d and register it so the service starts at boot
[root@Lnmp fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --add fail2ban
[root@Lnmp fail2ban-0.8.14]# chkconfig --list fail2ban
fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off
# back up jail.conf before editing it. (Better practice: leave jail.conf untouched and put your overrides in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf; an upgrade then cannot overwrite your settings.)
[root@Lnmp fail2ban-0.8.14]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.ori
[root@Lnmp fail2ban-0.8.14]# ls /etc/fail2ban/
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.ori jail.d
# jump to the [ssh-iptables] jail (line 94 in this version) and edit its parameters
[root@Lnmp fail2ban-0.8.14]# vi +94 /etc/fail2ban/jail.conf
# protect sshd against brute-force logins
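[ssh-iptables]
# Brute-force protection for sshd: ban a source address after repeated failed logins.
enabled  = true
filter   = sshd
# `port=ssh` is resolved through /etc/services (22); set the real port if sshd listens elsewhere.
# The second action line is a continuation of `action` and must be indented.
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=wwj@163.com, sender=bob@163.com, sendername="Fail2Ban"]
# sshd on CentOS 6 logs authentication failures here
logpath  = /var/log/secure
# Ban after 3 matching failures from one address within findtime (300 s = 5 minutes),
# for bantime seconds (3600 s = 1 hour). Comments are kept on their own lines because
# fail2ban 0.8's ini parser does not reliably strip a trailing "# ..." from a value,
# and a value such as "3 # ..." then fails to parse as an integer.
maxretry = 3
findtime = 300
bantime  = 3600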
# i.e. three failed logins from one address within 5 minutes (findtime = 300 s) ban that address for 1 hour (bantime = 3600 s).
[root@Lnmp fail2ban-0.8.14] # service fail2ban start
Starting fail2ban: [OK]
# verify that the jail is loaded. To confirm the ban rules actually exist, also run `iptables -L -n` (a fail2ban-SSH chain should be hooked into INPUT) and `fail2ban-client status ssh-iptables` to see currently banned addresses.
[root@Lnmp fail2ban-0.8.14]# service fail2ban status
fail2ban-server (pid 6723) is running...
Status
|- Number of jail:      1
`- Jail list:           ssh-iptables
# rate-limit request floods against the website and ban the offending IPs
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf
# jump to the end of the file with `G` and append the following jail
# nginx access control (note: sendmail-whois runs a whois lookup and sends an e-mail for every ban, which can become noisy on a flood jail)
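[access-get-dos]
# Request-flood control for nginx: ban a source address that exceeds maxretry
# matching request lines within findtime.
# The key is `enabled` (the original had a typo, `enables`, which fail2ban ignores,
# leaving the jail disabled).
enabled  = true
port     = http,https
filter   = nginx-bansniffer
# iptables-multiport diverts both listed ports into the ban chain; the plain
# `iptables` action with port=http would leave https traffic from a banned
# address untouched. (The original also misspelled `protocol` as `portocol`.)
# The second action line is a continuation of `action` and must be indented.
action   = iptables-multiport[name=IT300, port="http,https", protocol=tcp]
           sendmail-whois[name=IT300, dest=11223379@qq.com, sender=wwj@163.com]
# nginx access log path
logpath  = /application/nginx/logs/access.log
# Addresses that must never be banned: localhost (the fail2ban default), plus your
# own monitoring hosts and any CDN/reverse proxy in front of nginx — extend as needed.
ignoreip = 127.0.0.1/8
# Ban after 30 matching requests from one address within 60 s, for 1 hour.
# Comments stay on their own lines: fail2ban 0.8's ini parser does not reliably
# strip a trailing "# ..." from a value.
findtime = 60
maxretry = 30
bantime  = 3600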
# i.e. more than 30 matching requests from one address within 60 s ban that address for 1 hour (this is a block, not a login lock-out). Because the filter below matches every request line — not only abusive ones — a single page load that pulls 30+ assets, a crawler you want, or a shared office/NAT egress address will trip it; measure maxretry against real traffic and list trusted addresses in `ignoreip` before enabling the jail.
# create the filter: the regex that recognises a log line and extracts the client address from it
[root@Lnmp fail2ban-0.8.14]# vi /etc/fail2ban/filter.d/nginx-bansniffer.conf
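[Definition]
# Match every request line in the nginx access log and capture the client address
# as <HOST>. The <HOST> tag is mandatory — fail2ban rejects a failregex without it —
# and had been lost from the published version of this filter.
# Because this matches all requests rather than only abusive ones, the jail's
# maxretry/findtime and ignoreip are what keep legitimate users from being banned.
# Test the filter against the real log before enabling the jail:
#   fail2ban-regex /application/nginx/logs/access.log /etc/fail2ban/filter.d/nginx-bansniffer.conf
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =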
# restart fail2ban
[root@Lnmp fail2ban-0.8.14] # service fail2ban reload
# confirm both jails are loaded (`fail2ban-client status access-get-dos` shows the banned list for the new jail)
[root@Lnmp fail2ban-0.8.14]# service fail2ban status
fail2ban-server (pid 7013) is running...
Status
|- Number of jail:      2
`- Jail list:           access-get-dos, ssh-iptables
# re-check the per-IP request counts after the jail took effect (the access log had been rotated in the meantime, hence the dated filename)
[root@Lnmp logs]# awk '{print $1}' 20161101_access_www.log | sort | uniq -c | sort -rn | head -10
11 121.42.0.16
9 198.52.119.97
8 61.158.152.132
6 112.97.63.104
5 42.48.70.245
5 36.57.226.54
5 221.225.2.214
5 180.114.17.26
5 171.105.144.226
5 123.11.115.223
# uniq -c collapses adjacent duplicate lines and prefixes each with its count (the input must be sorted first, which is why `sort` precedes it)
# sort -n sorts numerically, ascending
# sort -r reverses the order, i.e. largest count first (combined here as `sort -rn`)
# head -10 prints the first ten lines
Summary: since installing fail2ban I no longer receive the daily alert messages from the Aliyun security team, so the setup appears to be working. Rather than relying on the absence of alerts, confirm it directly with `fail2ban-client status access-get-dos` and `iptables -L fail2ban-IT300 -n`, and keep an eye on the ban list for legitimate addresses caught by the catch-all filter.