Recently the server has been intermittently refusing connections. A look at the logs showed one IP that had brute-forced the password more than 20,000 times. To reduce the risk, we use firewalld together with fail2ban to block IPs that fail to log in repeatedly.

Check the log for failed logins (count attempts per source IP, most frequent first):
grep "Failed password for root" /var/log/secure| awk '{print $11}' | sort | uniq -c | sort -nr | more
First, confirm that firewalld is running:
firewall-cmd --state
running
Install fail2ban (from the EPEL repository):
yum -y install epel-release
yum -y install fail2ban
Create a new configuration file:
vim /etc/fail2ban/jail.local
Configuration (bantime, findtime and maxretry are in seconds/attempts: ban for one day any IP with 5 failures within 10 minutes; firewallcmd-ipset is the firewalld ban action):
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 600
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s
[sshd]
enabled = true
filter = sshd
port = 22
action = %(action_mwl)s
logpath = /var/log/secure
Start fail2ban:
systemctl start fail2ban
Check the fail2ban status of the sshd jail:
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 8
| |- Total failed: 133
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 13
|- Total banned: 13
`- Banned IP list: 49.88.112.78 222.186.52.124 190.13.173.67 121.58.228.94 222.186.52.89 106.12.33.181 68.183.1.175 112.85.42.238 144.217.40.3 159.65.13.203 222.186.30.111 134.175.80.27 122.195.200.148
"Banned IP list" shows the IPs that have been banned.
I took a rough look: they are all IPs from Lianyungang, Jiangsu, which feels very odd.
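As an added illustration (not part of the original post, not fail2ban's own code) of how the findtime, maxretry and ignoreip values in the jail.local above decide when an address gets banned, here is a small Python script that applies the same sliding-window rule to constructed /var/log/secure lines. It matches the source address by regex rather than by awk field position, so "invalid user" lines are counted as well; the log year and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample lines in /var/log/secure format (not from the original post).
SAMPLE_SECURE = """\
Oct 13 08:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct 13 08:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Oct 13 08:00:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Oct 13 08:00:07 host sshd[1204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Oct 13 08:00:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Oct 13 08:00:11 host sshd[1206]: Accepted password for deploy from 198.51.100.7 port 50000 ssh2
Oct 13 08:01:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 51000 ssh2
Oct 13 08:05:00 host sshd[1208]: Failed password for root from 198.51.100.9 port 51001 ssh2
Oct 13 08:12:00 host sshd[1209]: Failed password for root from 198.51.100.9 port 51002 ssh2
Oct 13 08:20:00 host sshd[1210]: Failed password for root from 198.51.100.9 port 51003 ssh2
Oct 13 08:28:00 host sshd[1211]: Failed password for root from 198.51.100.9 port 51004 ssh2
""".splitlines()

# Match the IP by name rather than by awk column: "invalid user" lines shift the
# field positions, so a fixed $11 would pick the wrong token for them.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2019):
    """Yield (timestamp, source ip) per failed-password line; the year is assumed (syslog omits it)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def ips_to_ban(lines, findtime=600, maxretry=5, ignoreip=("127.0.0.1/8",)):
    """Flag an IP once it has maxretry failures inside any findtime-second window.
    Returns {ip: timestamp of the failure that crossed the threshold}."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in sorted(parse_failures(lines)):
        if ip in flagged or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged
```

With the defaults above, 203.0.113.5 is flagged at its fifth failure (08:00:09) while 198.51.100.9, whose five failures are spread over 27 minutes, never has five inside one 600-second window; running ips_to_ban(open("/var/log/secure")) lets you compare against fail2ban-client status sshd.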