Fail2ban acts as a vigilant gatekeeper, analysing log files for patterns that indicate malicious activity. As soon as it detects suspicious behaviour it takes action, temporarily banning the offending IP address. Let's dig into Fail2ban's main features and benefits to fully grasp why it matters.
Install Fail2ban on Debian 12 Bookworm
Step 1. Before we install any software, it is important to make sure your system is up to date by running the following apt command in the terminal:

```bash
sudo apt update
```

This command refreshes the package repositories so that you can install the latest versions of the packages.
Step 2. Install Fail2ban on Debian 12.
You can install Fail2ban by running the following command:

```bash
sudo apt install fail2ban
```

Once the package is installed, start the Fail2ban service and enable it at boot by running the following commands:

```bash
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
```
Step 3. Configure Fail2ban.
After Fail2ban has been installed successfully, it is essential to tailor its configuration to your server's requirements.
- A. Basic configuration:
Fail2ban's main configuration file is /etc/fail2ban/jail.local. (The package ships its defaults in /etc/fail2ban/jail.conf; settings in jail.local override them and are not overwritten on upgrade, which is why jail.local is the file to edit.) Let's start by opening it with a text editor such as nano or vim:

```bash
sudo nano /etc/fail2ban/jail.local
```

In the configuration file you can customise various parameters to fine-tune Fail2ban's behaviour. For example:

```ini
[DEFAULT]
# Set the ban time in seconds (e.g., 3600 seconds = 1 hour)
bantime = 3600
# Enable email notifications for bans
destemail = your_email@example.com
action = %(action_mw)s
# Choose the backend (auto, polling, gamin, systemd, or more)
backend = auto
```

This example configuration sets the ban time to one hour, enables email notifications for bans (action_mw bans the address and mails a report with whois details), and sets the destination email address to your_email@example.com. The backend is set to auto, which lets Fail2ban detect the backend best suited to your system.
- B. Creating custom jails:
To protect a specific service with Fail2ban, you create a custom jail that watches the relevant log file and triggers bans when necessary.
Protecting SSH access:
Let's create a custom jail to protect SSH access. Open the jail.local file again:

```bash
sudo nano /etc/fail2ban/jail.local
```

Add the following custom jail configuration:

```ini
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
```

In this configuration we tell Fail2ban to monitor the SSH service (sshd) on its default port (22). The log path points to the authentication log file, the maximum number of retries allowed before a ban is triggered is set to 3, and the ban time stays at one hour. One caveat for Debian 12: a minimal install no longer ships rsyslog, so /var/log/auth.log may not exist and the jail will refuse to start; either install rsyslog or set backend = systemd in this jail so that Fail2ban reads sshd events from the journal instead.
Protecting the Apache web server:
To create a jail that protects the Apache web server, open the jail.local file again:

```bash
sudo nano /etc/fail2ban/jail.local
```

Add the following jail configuration:

```ini
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 5
bantime = 7200
```

Here the apache-auth filter matches failed HTTP authentication attempts recorded in the Apache error logs; after 5 failures the address is banned for two hours.
Step 4. Monitoring Fail2ban.
While Fail2ban works to protect your server, you will want to monitor its activity and review its logs to stay informed about potential security threats.
- A. Check the Fail2ban status:
To check Fail2ban's status and verify that it is actively protecting your server, use the following command:

```bash
sudo fail2ban-client status
```

This command lists all jails managed by Fail2ban; append a jail name (for example sudo fail2ban-client status sshd) to see that jail's failure and ban counters, the number of currently banned IPs and the addresses themselves.
- B. Monitor the logs:
Fail2ban records its actions in /var/log/fail2ban.log. To review these logs and investigate any potential issues, use the following command:

```bash
sudo less /var/log/fail2ban.log
```

By reviewing the logs regularly, you can keep a proactive approach to server security.
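As an added example (not part of the original tutorial), the following Python script summarises /var/log/fail2ban.log into per-jail counts of matched failures, bans and currently banned addresses, netting out Unban events. The sample lines are constructed here to mirror the default fail2ban log layout; feed the real file contents to summarize() to use it on a server.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout fail2ban writes to /var/log/fail2ban.log
# (timestamp, logger, [pid], level, [jail], action, IP). These are not real events.
SAMPLE_LOG = """\
2024-05-01 10:00:01,123 fail2ban.filter         [812]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:00:01
2024-05-01 10:00:05,456 fail2ban.filter         [812]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:00:05
2024-05-01 10:00:09,789 fail2ban.filter         [812]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:00:09
2024-05-01 10:00:10,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-05-01 10:12:30,002 fail2ban.actions        [812]: NOTICE  [apache] Ban 198.51.100.7
2024-05-01 11:00:10,003 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.10
2024-05-01 11:05:00,004 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 11:06:00,005 fail2ban.actions        [812]: WARNING [sshd] 203.0.113.5 already banned
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<logger>\w+)\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban|Found) (?P<ip>\S+)"
)

def summarize(log_text):
    """Return {jail: {"found": n, "bans": n, "active": set(ips), "last_ban": ts}}."""
    stats = defaultdict(lambda: {"found": 0, "bans": 0, "active": set(), "last_ban": None})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # "already banned", restarts and other noise are ignored
        jail = stats[m["jail"]]
        if m["action"] == "Found":
            jail["found"] += 1          # a filter match (one failed attempt)
        elif m["action"] == "Ban":
            jail["bans"] += 1
            jail["active"].add(m["ip"])
            jail["last_ban"] = m["ts"]
        else:                            # Unban: address is no longer blocked
            jail["active"].discard(m["ip"])
    return dict(stats)

if __name__ == "__main__":
    for jail, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{jail}: found={s['found']} bans={s['bans']} "
              f"active={sorted(s['active'])} last_ban={s['last_ban']}")
```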
Thank you for using this tutorial to install Fail2ban on Debian 12 Bookworm. For additional help or useful information, we recommend checking the official Fail2ban website.