Linux – Understand the Fail2ban Intrusion Detection and Prevention Tool in 5 Minutes – Study Notes


Many system administrators have faced a web server under attack with no way to respond. Fail2Ban is a tool that analyses system log files: you configure filters and actions, and when a log entry matches one of your filters the corresponding action is triggered to block the source automatically (for example, when the site is hit by a DDoS the system bans the source IP, mails the administrator, looks up information on the source IP, and so on).

Fail2Ban is an effective defence against brute-force attacks and protects your Linux server from malicious traffic. In these notes I share what I know for reference, keep a record for myself, and hopefully help beginners pick up the relevant commands faster.

Installation and feature overview

1. Install the Fail2ban package

On Ubuntu Linux, Fail2ban can be installed with apt

# Install the fail2ban package
root@ip-192-168-0-99:/# sudo apt install fail2ban

# Check the fail2ban service
root@ip-192-168-0-99:/# systemctl status fail2ban

2. Operating the Fail2ban service

Fail2ban can be controlled with systemctl

# Query fail2ban status
systemctl status fail2ban

# Start fail2ban
sudo systemctl start fail2ban

# Restart fail2ban
sudo systemctl restart fail2ban

# Stop fail2ban
sudo systemctl stop fail2ban

# Enable fail2ban (start at boot)
sudo systemctl enable fail2ban

# Disable fail2ban (--now also stops it immediately)
sudo systemctl disable fail2ban --now

3. Fail2ban package operations

3.1 Check the current fail2ban status

You can view the Fail2ban status of a given service, including the filters and actions it uses

# Check the current fail2ban status
fail2ban-client status

Status
|- Number of jail:	6
`- Jail list:	nginx-botsearch, nginx-ddos, nginx-http-auth, nginx-loging, nginx-noproxy, sshd
# This shows that all six jails above are managed by fail2ban

3.2 Common fail2ban-client commands

# Start the Fail2ban server and jails.
fail2ban-client start

# Reload Fail2ban's configuration files.
fail2ban-client reload

# Replace JAIL with the name of a Fail2ban jail; this reloads only that jail.
fail2ban-client reload JAIL

# Terminate the server.
fail2ban-client stop

# Show the status of the server and the enabled jails.
fail2ban-client status

# Show the status of the jail, including any currently banned IPs.
fail2ban-client status JAIL

3.3 Check whether any IP has been banned by fail2ban

# Check the fail2ban status of the sshd jail
root@ip-192-168-0-99:/# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
root@10-0-0-8:/#

※ The Filter section shows which system log files the jail reads; the Actions section lists the IP addresses currently blocked (blacklisted).

3.4 Unban a banned IP

root@ip-192-168-0-99:/# fail2ban-client set sshd unbanip [your ip address]

3.5 Query banned IP addresses

To simply list the IP addresses banned by Fail2ban, use the following command:

# List the IP addresses banned by Fail2ban
root@ip-192-168-0-99:/# sudo fail2ban-client get sshd banip

To also see when each IP address was banned and when the ban is due to be lifted, add the --with-time parameter

# List the IP addresses banned by Fail2ban (with times)
root@ip-192-168-0-99:/# sudo fail2ban-client get sshd banip --with-time

10.15.15.39   2024-05-24 12:44:36 + 600 = 2024-05-24 18:24:16
31.155.166.16   2024-05-24 12:44:10 + 600 = 2024-05-24 18:56:15
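
The following shell helpers are an added example, not part of the original notes or of Fail2ban itself. They parse the --with-time output format shown above ("IP  start + bantime = end") without any date arithmetic: because the timestamps are zero-padded YYYY-MM-DD HH:MM:SS, comparing them as plain strings orders them chronologically, so awk can filter bans by their end time. The last function builds the multi-IP unbanip command described in the next section but only prints it, so the list can be reviewed before anything is released. The first two sample lines are the ones from the notes; the third (203.0.113.7) is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse the output of
#   fail2ban-client get <JAIL> banip --with-time
# whose lines look like "IP  start + bantime_seconds = end".
# Timestamps are zero-padded "YYYY-MM-DD HH:MM:SS", so plain string
# comparison orders them chronologically; no date(1) parsing is needed.

# Sample lines: the first two are the ones shown in the notes, the third is
# constructed for this example (TEST-NET address, 24-hour ban).
sample_bans() {
    cat <<'EOF'
10.15.15.39   2024-05-24 12:44:36 + 600 = 2024-05-24 18:24:16
31.155.166.16   2024-05-24 12:44:10 + 600 = 2024-05-24 18:56:15
203.0.113.7   2024-05-24 18:30:00 + 86400 = 2024-05-25 18:30:00
EOF
}

# Print the IPs (one per line) whose ban ends at or before CUTOFF.
# Usage: fail2ban-client get sshd banip --with-time | bans_ending_before "2024-05-24 19:00:00"
bans_ending_before() {
    awk -v cutoff="$1" 'NF >= 8 && ($7 " " $8) <= cutoff { print $1 }'
}

# Print "IP bantime_seconds" for every ban, so unusually long bans stand out.
ban_lengths() {
    awk 'NF >= 8 { print $1, $5 }'
}

# Emit (but do not run) the single unbanip command that would release every
# ban in JAIL ending before CUTOFF. Review the output, then paste it into the shell.
# Usage: fail2ban-client get sshd banip --with-time | unban_command sshd "2024-05-24 19:00:00"
unban_command() {
    jail="$1"
    ips=$(bans_ending_before "$2" | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$ips" ] || return 1
    printf 'fail2ban-client set %s unbanip %s\n' "$jail" "$ips"
}

# Demo on the sample data
sample_bans | bans_ending_before "2024-05-24 19:00:00"
sample_bans | ban_lengths
sample_bans | unban_command sshd "2024-05-24 19:00:00"
```

In practice the functions are fed from a pipeline such as fail2ban-client get sshd banip --with-time | bans_ending_before "$(date '+%Y-%m-%d %H:%M:%S')", which lists bans that should already have expired and is a quick consistency check against the jail's configured bantime.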

3.6 Remove a banned IP address

IP addresses banned by Fail2ban are released automatically once the configured bantime has elapsed. To release a specific IP address earlier, use the following command

# Release an IP address banned in the sshd jail
root@ip-192-168-0-99:/# sudo fail2ban-client set sshd unbanip 10.15.15.39

# Several IP addresses can also be released at once
root@ip-192-168-0-99:/# sudo fail2ban-client set sshd unbanip 10.15.15.39 31.155.166.16

# To release every IP address banned in a jail, add the --all parameter
# Release all IP addresses banned in the sshd jail
root@ip-192-168-0-99:/# sudo fail2ban-client set sshd unbanip --all

3.7 Add an IP address to the ban list

We can also manually add a specific IP address to Fail2ban's ban list

# Ban an IP address in the sshd jail
sudo fail2ban-client set sshd banip 10.15.15.39

# Several IP addresses can also be banned at once
# Ban IP addresses in the sshd jail
sudo fail2ban-client set sshd banip 10.15.15.39 31.155.166.16

3.8 Adjust the IP address whitelist

The IP address whitelist (ignoreip) can also be adjusted manually with the fail2ban-client command

# Add a whitelisted IP address to the sshd jail
sudo fail2ban-client set sshd addignoreip 192.168.1.2

# Remove a whitelisted IP address from the sshd jail
sudo fail2ban-client set sshd delignoreip 192.168.1.2

3.9 More fail2ban-client command help

Beyond these common functions, fail2ban-client offers many more; for details see the fail2ban-client manual page or its parameter help

# Open the fail2ban-client manual page
man fail2ban-client

# Show fail2ban-client parameter help
fail2ban-client -h

3.10 Check the current ban status of every jail

fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status
Status for the jail: nginx-botsearch
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	44696
|  `- File list:	/var/log/nginx/error.log /var/log/nginx/technews.tw_access.log
`- Actions
   |- Currently banned:	2
   |- Total banned:	714
   `- Banned IP list:	10.15.15.39  31.155.166.16
Status for the jail: nginx-ddos
|- Filter
|  |- Currently failed:	8
|  |- Total failed:	1486656
|  `- File list:	/var/log/nginx/error.log /var/log/nginx/access.log /backup/log/nginx/technews.co_access.log /backup/log/nginx/technews.tw_access.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	6
   `- Banned IP list:	
Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/nginx/error.log /backup/log/nginx/technews.co_error.log /backup/log/nginx/technews.tw_error.log /var/log/nginx/technews.tw_access.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
Status for the jail: nginx-loging
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	72327
|  `- File list:	/var/log/nginx/access.log
`- Actions
   |- Currently banned:	5
   |- Total banned:	820
   `- Banned IP list:	10.15.15.39  31.155.166.16  31.155.166.99
Status for the jail: nginx-noproxy
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/nginx/error.log /backup/log/nginx/technews.co_error.log /backup/log/nginx/technews.tw_error.log /backup/log/nginx/technews.tw_access.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
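
The output above is long and grows with every jail. The shell helpers below are an added example, not part of the original notes or of Fail2ban itself: they condense the per-jail status text produced by the pipeline in 3.10 into one line per jail, flag jails that currently hold many bans, and sum the current ban count across jails. The functions read the status text from stdin so they run offline here on a constructed sample (three jails, same layout fail2ban-client prints); in production the real pipeline output is piped into them, for example from a cron job that mails the result when busy_jails prints anything.

```shell
#!/bin/sh
# Added example (not part of the original notes): summarise the multi-jail
# output of
#   fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status
# as one line per jail and flag jails that currently hold many bans.

# Constructed sample, shortened to three jails, in the layout fail2ban-client prints.
sample_status() {
    cat <<'EOF'
Status for the jail: nginx-botsearch
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	44696
|  `- File list:	/var/log/nginx/error.log /var/log/nginx/access.log
`- Actions
   |- Currently banned:	2
   |- Total banned:	714
   `- Banned IP list:	10.15.15.39  31.155.166.16
Status for the jail: nginx-ddos
|- Filter
|  |- Currently failed:	8
|  |- Total failed:	1486656
|  `- File list:	/var/log/nginx/error.log /var/log/nginx/access.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	6
   `- Banned IP list:	
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
EOF
}

# One line per jail: "jail currently_failed total_failed currently_banned total_banned".
jail_summary() {
    awk '
        /^Status for the jail:/ { jail = $NF; next }
        /Currently failed:/     { cf[jail] = $NF }
        /Total failed:/         { tf[jail] = $NF }
        /Currently banned:/     { cb[jail] = $NF }
        # "Total banned" is the last counter printed per jail, so record jail order here
        /Total banned:/         { tb[jail] = $NF; order[++n] = jail }
        END {
            for (i = 1; i <= n; i++) {
                j = order[i]
                printf "%s %s %s %s %s\n", j, cf[j], tf[j], cb[j], tb[j]
            }
        }'
}

# Jails whose current ban count is at or above THRESHOLD (for alerting).
busy_jails() {
    jail_summary | awk -v t="$1" '$4 + 0 >= t + 0 { print $1 ": " $4 " currently banned" }'
}

# Number of IPs banned right now across all jails (an IP banned in two jails counts twice).
currently_banned_total() {
    jail_summary | awk '{ s += $4 } END { print s + 0 }'
}

# Demo on the constructed sample
sample_status | jail_summary
sample_status | busy_jails 2
sample_status | currently_banned_total
```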
