
Using fail2ban to block SSH brute-force attacks on the root password

 
Over the past few days I noticed that the server hosting my WordPress site kept getting hit by SSH brute-force attempts. Because user registration was enabled, an attacker registered an account and then posted with it; the posts were all Linux commands, apparently trying to read my password file and get root, and the attacker kept trying to log in to my server over SSH.
 
Given this exposure, we can install the fail2ban tool to defend against brute-force attacks: it blocks malicious attempts and locks out the attacking IPs.
 
1. On CentOS, first install fail2ban with yum:

    [root@VM_152_184_centos /]# yum -y install fail2ban

2. To see more clearly which IPs are attempting brute-force logins, first define the log file path. (The // remarks below are annotations, not part of the file; fail2ban config files use # for comments.)

    [root@VM_152_184_centos /]# cat /etc/fail2ban/fail2ban.conf |grep -v ^#
    [Definition]
    loglevel = 3
    logtarget = SYSLOG  // log destination; can be customised, e.g. /var/log/fail2ban.log
    socket = /var/run/fail2ban/fail2ban.sock
    pidfile = /var/run/fail2ban/fail2ban.pid

3. Customise the main configuration file (optional; the defaults can be kept as they are):

    [root@VM_152_184_centos /]# cat /etc/fail2ban/jail.conf |grep -v ^# |less
    [DEFAULT]
    ignoreip = 127.0.0.1/8
    bantime = 600  // ban (lockout) duration, in seconds
    findtime = 600  // an IP that exceeds the allowed number of failed logins within 600 s is banned
    maxretry = 3  // maximum number of failed logins
    backend = auto
    usedns = warn

4. Finally, start fail2ban so the configuration takes effect:

    [root@VM_152_184_centos /]# service fail2ban start

Afterwards, check the fail2ban log file: it lists the IPs that have already been blocked (Ban marks a blocked/locked IP, Unban an IP that was released automatically).

    [root@VM_152_184_centos /]# cat /var/log/fail2ban.log | grep "ban"
    2014-04-15 21:12:18,053 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
    2014-04-15 21:42:19,037 fail2ban.actions: WARNING [ssh-iptables] Unban 198.104.137.151
    2014-04-15 22:12:16,001 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.218
    2014-04-15 22:42:16,305 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.218
    2014-04-15 23:02:02,609 fail2ban.actions: WARNING [ssh-iptables] Ban 117.34.91.170
    2014-04-15 23:26:10,651 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.172
    2014-04-15 23:28:02,391 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
    2014-04-15 23:32:03,428 fail2ban.actions: WARNING [ssh-iptables] Unban 117.34.91.170
    2014-04-15 23:46:07,364 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.205
    2014-04-15 23:56:10,893 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.172
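To make the bantime / findtime / maxretry settings above concrete, here is an added example (not code from the original post or from fail2ban itself): a small Python script that applies that sliding-window rule to a few constructed sshd "Failed password" lines and reports when an address would be banned and when it would be released. The log lines, hostname and addresses are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the original post); addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Apr 15 21:10:01 vm sshd[2001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Apr 15 21:11:30 vm sshd[2002]: Failed password for root from 203.0.113.5 port 50002 ssh2
Apr 15 21:12:18 vm sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Apr 15 21:15:00 vm sshd[2004]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 15 21:20:00 vm sshd[2005]: Accepted password for deploy from 192.0.2.9 port 30001 ssh2
Apr 15 21:30:00 vm sshd[2006]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 15 21:45:00 vm sshd[2007]: Failed password for root from 198.51.100.7 port 40003 ssh2
"""

# Matches the failure lines an sshd filter cares about; "invalid user" lines count too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def simulate_bans(log_text, findtime=600, maxretry=3, bantime=600, year=2014):
    """Return [(ip, ban_time, unban_time)] using the jail.conf semantics:
    an IP is banned once it has maxretry failures inside a findtime-second
    window, and released bantime seconds later. The year is assumed (syslog omits it)."""
    failures = defaultdict(deque)  # ip -> timestamps of its recent failures
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = failures[m["ip"]]
        window.append(ts)
        # Drop failures older than findtime so only the sliding window is counted.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((m["ip"], ts, ts + timedelta(seconds=bantime)))
            window.clear()  # the firewall rule now drops the address; start counting afresh
    return bans


if __name__ == "__main__":
    for ip, banned, released in simulate_bans(SAMPLE_AUTH_LOG):
        print(f"Ban {ip} at {banned:%H:%M:%S}, Unban at {released:%H:%M:%S}")
```

With the post's defaults the second address is never banned, because its three failures are 15 minutes apart and never fall inside one 600 s window; raising findtime to 3600 catches it, which is the trade-off the setting controls.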