第一次将CentOS服务器配上外网可访问的网络配置,发现每次通过外网地址登陆ssh,链接时间长,同时爆出以下信息,显示从上一次登陆成功到本次登陆成功,中间有3896次尝试登陆root账户失败的情况。【说明服务器被攻击了】
Last failed login: Sat Mar 19 09:34:18 CST 2016 from 222.186.15.82 on ssh:notty
There were 3896 failed login attempts since the last successful login.
Last login: Sat Mar 19 09:12:33 2016 from 117.114.129.166
基于CentOS 6或者7版本的系统,我们可以安装Fail2ban工具来阻止一定的暴力破解SSH或者FTP账户问题,也许不能足够的解决问题,但至少可以解决一般的问题。
第一、Fail2ban安装
A - CentOS 6
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban
B - CentOS 7
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
yum install fail2ban
[说明]执行以上第一句,若找不到是因为版本更新后,旧版本就删除了。所有打开“http://dl.fedoraproject.org/pub/epel/7/x86_64/e/”找找相应的rpm
第二、Fail2ban设置
(1)各配置文件用途
/etc/fail2ban/action.d #动作文件夹,内含默认文件。iptables以及mail等动作配置/etc/fail2ban/fail2ban.conf #定义了fai2ban日志级别、日志位置及sock文件位置/etc/fail2ban/filter.d #条件文件夹,内含默认文件。过滤日志关键内容设置/etc/fail2ban/jail.conf #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值/etc/rc.d/init.d/fail2ban #启动脚本文件
(2)、fail2ban.conf一般不用改,再确认以下几项:
vi /etc/fail2ban/fail2ban.conf[Definition]loglevel =3logtarget = SYSLOG #我们需要做的就是把这行改成/var/log/fail2ban.log,方便用来记录日志信息socket =/var/run/fail2ban/fail2ban.sock
(3)编辑/etc/fail2b an/jail.conf文件,修改或添加防攻击规则。(后面有规则的举例)
【特别说明】
(1)“[INCLUDES]”以前的不要动(都是注释),否则fail2ban服务就无法启动。可以用命令来检查语法错误 #fail2ban-client -v -v start
(2)“[DEFAULT]”里的 “enabled = false”不能改为true,否则fail2ban服务就无法启动。
centos Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details
第三、重启Fail2ban服务,立即生效。
systemctl restart fail2ban.service
第四、防攻击规则,举例
关键词
[DEFAULT] #全局设置ignoreip = 127.0.0.1 #忽略的IP列表,不受设置限制,多个以空格隔开bantime = 600 #屏蔽时间,单位:秒findtime = 600 #这个时间段内超过规定次数会被ban掉maxretry = 3 #最大尝试次数backend = auto #日志修改检测机制(gamin、polling和auto这三种)[sshd] #单个服务检查设置,如设置bantime、findtime、maxretry和全局冲突,服务优先级大于全局设置。enabled = true #是否激活此项(true/false)filter = sshd #过滤规则filter的名字,对应filter.d目录下的sshd.confaction = iptables[name=SSH, port=ssh, protocol=tcp]#动作的相关参数,对应action.d/iptables.conf文件logpath = /var/log/secure #检测的日志文件pathbantime = 3600findtime = 300maxretry = 3
防攻击规则参见:
(1)SSH防攻击规则
[ssh-iptables]enabled = truefilter = sshdaction = iptables[name=SSH, port=ssh, protocol=tcp]sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]logpath = /var/log/securemaxretry = 5[ssh-ddos]enabled = truefilter = sshd-ddosaction = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]logpath = /var/log/messagesmaxretry = 2[osx-ssh-ipfw]enabled = truefilter = sshdaction = osx-ipfwlogpath = /var/log/secure.logmaxretry = 5[ssh-apf]enabled = truefilter = sshdaction = apf[name=SSH]logpath = /var/log/securemaxretry = 5[osx-ssh-afctl]enabled = truefilter = sshdaction = osx-afctl[bantime=600]logpath = /var/log/secure.logmaxretry = 5[selinux-ssh]enabled = truefilter = selinux-sshaction = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]logpath = /var/log/audit/audit.logmaxretry = 5
(2)proftp防攻击规则
[proftpd-iptables]enabled = truefilter = proftpdaction = iptables[name=ProFTPD, port=ftp, protocol=tcp]sendmail-whois[name=ProFTPD, dest=you@example.com]logpath = /var/log/proftpd/proftpd.logmaxretry = 6
(3)邮件防攻击规则
[sasl-iptables]enabled = truefilter = postfix-saslbackend = pollingaction = iptables[name=sasl, port=smtp, protocol=tcp]sendmail-whois[name=sasl, dest=you@example.com]logpath = /var/log/mail.log[dovecot]enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/mail.log[dovecot-auth]enabled = truefilter = dovecotaction = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]logpath = /var/log/secure[perdition]enabled = truefilter = perditionaction = iptables-multiport[name=perdition,port="110,143,993,995"]logpath = /var/log/maillog[uwimap-auth]enabled = truefilter = uwimap-authaction = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]logpath = /var/log/maillog
(4)apache防攻击规则
[apache-tcpwrapper]enabled = truefilter = apache-authaction = hostsdenylogpath = /var/log/httpd/error_logmaxretry = 6[apache-badbots]enabled = truefilter = apache-badbotsaction = iptables-multiport[name=BadBots, port="http,https"]sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]logpath = /var/log/httpd/access_logbantime = 172800maxretry = 1[apache-shorewall]enabled = truefilter = apache-noscriptaction = shorewallsendmail[name=Postfix, dest=you@example.com]logpath = /var/log/httpd/error_log
(5)nginx防攻击规则
[nginx-http-auth]enabled = truefilter = nginx-http-authaction = iptables-multiport[name=nginx-http-auth,port="80,443"]logpath = /var/log/nginx/error.log
(6)lighttpd防规击规则
[suhosin]enabled = truefilter = suhosinaction = iptables-multiport[name=suhosin, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2[lighttpd-auth]enabled = truefilter = lighttpd-authaction = iptables-multiport[name=lighttpd-auth, port="http,https"]# adapt the following two items as neededlogpath = /var/log/lighttpd/error.logmaxretry = 2
(7)vsftpd防攻击规则
[vsftpd-notification]enabled = truefilter = vsftpdaction = sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800[vsftpd-iptables]enabled = truefilter = vsftpdaction = iptables[name=VSFTPD, port=ftp, protocol=tcp]sendmail-whois[name=VSFTPD, dest=you@example.com]logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800
(8)pure-ftpd防攻击规则
[pure-ftpd]enabled = truefilter = pure-ftpdaction = iptables[name=pure-ftpd, port=ftp, protocol=tcp]logpath = /var/log/pureftpd.logmaxretry = 2bantime = 86400
(9)mysql防攻击规则
[mysqld-iptables]enabled = truefilter = mysqld-authaction = iptables[name=mysql, port=3306, protocol=tcp]sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]logpath = /var/log/mysqld.logmaxretry = 5
(10)apache phpmyadmin防攻击规则
[apache-phpmyadmin]enabled = truefilter = apache-phpmyadminaction = iptables[name=phpmyadmin, port=http,https protocol=tcp]logpath = /var/log/httpd/error_logmaxretry = 3# /etc/fail2ban/filter.d/apache-phpmyadmin.conf将以下内容粘贴到apache-phpmyadmin.conf里保存即可以创建一个apache-phpmyadmin.conf文件.# Fail2Ban configuration file## Bans bots scanning for non-existing phpMyAdmin installations on your webhost.## Author: Gina Haeussge#[Definition]docroot = /var/wwwbadadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2# Option: failregex# Notes.: Regexp to match often probed and not available phpmyadmin paths.# Values: TEXT#failregex = [[]client []] File does not exist: %(docroot)s/(?:%(badadmin)s)# Option: ignoreregex# Notes.: regex to ignore. If this regex matches, the line is ignored.# Values: TEXT#ignoreregex =# service fail2ban restart
第五、新建防攻击规则
以nginx为例,具体设置方法如下:
(1)首先在jail.conf文件下追加以下内容:
[nginx] ;规则名字enabled = true ;是否户用port = http,https ;监控端口filter = nginx ;需要过滤匹配规则logpath = /var/log/nginx/access_log; 日志路径findtime =60 ;检测周期 单位秒 以下一样bantime =300 ;iptable封禁IP时间maxretry =10 ;最大尝试次数action = iptables[name=nginx, port=http, protocal=tcp] ;发现暴力破解采取iptalbes封禁IP的措施sendmail[name=nginx, dest=my-email@xx.com] ;发现暴力破解后采取sendmail发送邮件的措施,需要注意的是:iptables和sendmail必须对齐,要不然会发生错误;不要问我为什么会知道。
(2)然后创建 /etc/fail2ban/filter.d/nginx.conf文件,并添加以下内容:
[Definition]failregex =<HOST>.*-.*-.*POST.*/login_check.do.* HTTP\/1.*http://test.com.*$ ;需要匹配日志发现攻击行为的正则,<HOST>为fail2ban内置变量匹配IP,不可修改ignoreregex = ;需要忽略的正则
(3)systemctl restart fail2ban 立即生效。
第六、查询限制列表 iptables -L --line-numbers
红色的表示已经由fail2ban限制了。
[root@bogon ~]# iptables -L --line-numbersChain INPUT (policy ACCEPT)num target prot opt source destination1 f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh2 f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh3 ACCEPT udp -- anywhere anywhere udp dpt:domain4 ACCEPT tcp -- anywhere anywhere tcp dpt:domain5 ACCEPT udp -- anywhere anywhere udp dpt:bootps6 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps7 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED8 ACCEPT all -- anywhere anywhere9 INPUT_direct all -- anywhere anywhere10 INPUT_ZONES_SOURCE all -- anywhere anywhere11 INPUT_ZONES all -- anywhere anywhere12 ACCEPT icmp -- anywhere anywhere13 REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedChain f2b-SSH (2 references)num target prot opt source destination1 REJECT all -- 58.218.211.38 anywhere reject-with icmp-port-unreachable2 RETURN all -- anywhere anywhereYou have new mail in /var/spool/mail/root
第七、解除fail2ban绑定的IP
查询限制列表
# iptables -L --line-numbersChain f2b-SSH (2 references)num target prot opt source destination1 REJECT all -- 58.218.211.38 anywhere reject-with icmp-port-unreachable2 RETURN all -- anywhere anywhere
解除限制
# iptables -D f2b-SSH 1上面是解除第一个拒绝的IP
第八、统计登陆失败的IP
[root@bogon ~]# find /var/log -name 'secure*' -type f | while read line;do awk '/Failed/{print $(NF-3)}' $line;done | awk '{a[$0]++}END{for (j in a) if(a[j] > 20) print j"="a[j]}' | sort -n -t'=' -k 2202.99.172.155=24123.126.110.69=25222.74.228.85=1365.189.139.232=557222.178.229.67=1005222.186.15.82=188359.63.188.44=674858.218.211.38=6752[root@bogon ~]#
有上面几个IP尝试通过不同的端口攻击我的服务器
另外给root账户设置24位随机密码:
rootpass=`date +%s | sha256sum | base64 | head -c 24` && echo root:$rootpass | chpasswd && echo $rootpass