CentOS 7: preventing SSH brute-force attacks


Recently I have had intermittent trouble connecting to the server. Checking the logs, I found a single IP that had attempted the password 20,000+ times. To reduce the risk, we use firewalld together with fail2ban to block IPs that fail to log in repeatedly.

Inspect the failed-login log entries (the awk field is the source IP of each "Failed password for root" line, counted per IP)

grep "Failed password for root" /var/log/secure| awk '{print $11}' | sort | uniq -c | sort -nr | more

First confirm that firewalld is running

firewall-cmd --state
running

Install fail2ban (from the EPEL repository)

yum -y install epel-release
yum -y install fail2ban

Create a local jail configuration file

vim /etc/fail2ban/jail.local

With the following contents (ban for 86400 s an IP that fails 5 times within 600 s; bans are applied through a firewalld ipset)

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 600
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 22
action = %(action_mwl)s
logpath = /var/log/secure

Start fail2ban

systemctl start fail2ban

Check the status of the sshd jail

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 8
|  |- Total failed:     133
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 13
   |- Total banned:     13
   `- Banned IP list:   49.88.112.78 222.186.52.124 190.13.173.67 121.58.228.94 222.186.52.89 106.12.33.181 68.183.1.175 112.85.42.238 144.217.40.3 159.65.13.203 222.186.30.111 134.175.80.27 122.195.200.148

"Banned IP list" shows the IPs that are currently banned.

A quick look shows they are all IPs from Lianyungang, Jiangsu, which feels very odd.
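To see how the jail above arrives at its "Banned IP list", here is an added example (my own code, not part of the original post or of fail2ban) that reads /var/log/secure-style lines and applies the same findtime/maxretry sliding-window rule; the log lines and the year used for the timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

FINDTIME = 600   # seconds, as in the jail.local above
MAXRETRY = 5     # failures within FINDTIME that trigger a ban
# Matches the /var/log/secure lines fail2ban's sshd filter acts on, for both
# "Failed password for root" and "Failed password for invalid user <name>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)

def to_seconds(ts: str, year: int = 2019) -> float:
    """syslog timestamps carry no year; assume one (constructed sample data)."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds()

def find_offenders(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {ip: timestamp-of-ban} for every IP that reaches maxretry
    failures inside a sliding findtime window (the jail's ban rule)."""
    recent = defaultdict(list)   # ip -> times of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ip, now = m["ip"], to_seconds(m["ts"])
        recent[ip] = [t for t in recent[ip] if now - t <= findtime] + [now]
        if len(recent[ip]) >= maxretry:
            banned[ip] = m["ts"]
    return banned

# Constructed sample: 203.0.113.5 fails 5 times in 8 s; 198.51.100.9 fails
# 3 times 15 min apart (never 5 inside 600 s, so it stays unbanned).
SAMPLE_LOG = """\
Jun 12 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jun 12 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 41023 ssh2
Jun 12 10:00:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 41024 ssh2
Jun 12 10:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 41025 ssh2
Jun 12 10:00:09 host sshd[1005]: Failed password for root from 203.0.113.5 port 41026 ssh2
Jun 12 10:00:10 host sshd[1006]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Jun 12 10:05:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 50001 ssh2
Jun 12 10:20:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 50002 ssh2
Jun 12 10:35:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 50003 ssh2
""".splitlines()
if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when}")
```

Note that the "Journal matches" line in the status output means this fail2ban build reads sshd messages from the systemd journal, so the same decision is made on journal entries rather than on the logpath file.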