How to use Fail2Ban to protect your server from brute force attacks
An important task of Linux administrators is to protect the server from illegal attacks or access. By default, Linux systems come with well-configured firewalls, such as iptables, Uncomplicated Firewall (UFW), ConfigServer Security Firewall (CSF), etc., which can prevent a variety of attacks.
Any machine connected to the Internet is a potential target for malicious attacks. There is a tool called Fail2Ban that can be used to mitigate unauthorized access on the server.
Fail2Ban[1] is an intrusion prevention software that protects servers from brute force attacks. It is written in Python programming language. Fail2Ban works based on auth log files, by default it scans all auth log files, such as /var/log/auth.log, /var/log/apache/access.log etc., and ban IPs with malicious signs, such as too many failed passwords, looking for vulnerabilities, and other signs.
Typically, Fail2Ban is used to update firewall rules that deny IP addresses for a specified period of time. It also sends email notifications. Fail2Ban provides many filters for various services such as ssh, apache, nginx, squid, named, mysql, nagios, etc.
Fail2Ban can slow down false authentication attempts, but it does not eliminate the risk of weak authentication. This is just one of the security measures the server uses to prevent brute force attacks.
Fail2Ban is already packaged with most Linux distributions, so just use your distribution's package manager to install it.
For Debian/Ubuntu, use APT-GET command [2] or APT command [3] to install.
$ sudo apt install fail2ban
For Fedora, use the DNF command [4] to install.
$ sudo dnf install fail2ban
For CentOS/RHEL, enable the EPEL library [5] or RPMForge[6] library and install it using the YUM command [7].
$ sudo yum install fail2ban
For Arch Linux, use the Pacman command [8] to install.
$ sudo pacman -S fail2ban
For openSUSE, use the Zypper command [9] to install.
$ sudo zypper in fail2ban
默认情况下,Fail2Ban 将所有配置文件保存在 /etc/fail2ban/ 目录中。 主配置文件是 jail.conf,它包含一组预定义的过滤器。 所以,不要编辑该文件,这是不可取的,因为只要有新的更新,配置就会重置为默认值。
只需在同一目录下创建一个名为 jail.local 的新配置文件,并根据您的意愿进行修改。
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
默认情况下,大多数选项都已经配置的很完美了,如果要启用对任何特定 IP 的访问,则可以将 IP 地址添加到 ignoreip 区域,对于多个 IP 的情况,用空格隔开 IP 地址。
配置文件中的 DEFAULT 部分包含 Fail2Ban 遵循的基本规则集,您可以根据自己的意愿调整任何参数。
# nano /etc/fail2ban/jail.local [DEFAULT] ignoreip = 127.0.0.1/8 192.168.1.100/24 bantime = 600 findtime = 600 maxretry = 3 destemail = 2daygeek@gmail.com
- ignoreip:本部分允许我们列出 IP 地址列表,Fail2Ban 不会禁止与列表中的地址匹配的主机
- bantime:主机被禁止的秒数
- findtime:如果在最近 findtime 秒期间已经发生了 maxretry 次重试,则主机会被禁止
- maxretry:是主机被禁止之前的失败次数
Fail2Ban 带有一组预定义的过滤器,用于各种服务,如 ssh、apache、nginx、squid、named、mysql、nagios 等。 我们不希望对配置文件进行任何更改,只需在服务区域中添加 enabled = true 这一行就可以启用任何服务。 禁用服务时将 true 改为 false 即可。
# SSH servers [sshd] enabled = true port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s
- enabled: 确定服务是打开还是关闭。
- port:指明特定的服务。 如果使用默认端口,则服务名称可以放在这里。 如果使用非传统端口,则应该是端口号。
- logpath:提供服务日志的位置
- backend:指定用于获取文件修改的后端。
进行更改后,重新启动 Fail2Ban 才能生效。
[For SysVinit Systems] # service fail2ban restart [For systemd Systems] # systemctl restart fail2ban.service
你可以使用下面的命令来确认是否在防火墙中成功添加了Fail2Ban iptables 规则。
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination f2b-apache-auth tcp -- anywhere anywhere multiport dports http,https f2b-sshd tcp -- anywhere anywhere multiport dports 1234 ACCEPT tcp -- anywhere anywhere tcp dpt:1234 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-apache-auth (1 references) target prot opt source destination RETURN all -- anywhere anywhere Chain f2b-sshd (1 references) target prot opt source destination RETURN all -- anywhere anywhere
我做了一些失败的尝试来测试这个。 为了证实这一点,我要验证 /var/log/fail2ban.log 文件。
2017-11-05 14:43:22,901 fail2ban.server [7141]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-11-05 14:43:22,987 fail2ban.database [7141]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-11-05 14:43:22,996 fail2ban.database [7141]: WARNING New database created. Version '2'
2017-11-05 14:43:22,998 fail2ban.jail [7141]: INFO Creating new jail 'sshd'
2017-11-05 14:43:23,002 fail2ban.jail [7141]: INFO Jail 'sshd' uses poller {}
2017-11-05 14:43:23,019 fail2ban.jail [7141]: INFO Initiated 'polling' backend
2017-11-05 14:43:23,019 fail2ban.filter [7141]: INFO Set maxRetry = 5
2017-11-05 14:43:23,020 fail2ban.filter [7141]: INFO Set jail log file encoding to UTF-8
2017-11-05 14:43:23,020 fail2ban.filter [7141]: INFO Added logfile = /var/log/auth.log
2017-11-05 14:43:23,021 fail2ban.actions [7141]: INFO Set banTime = 600
2017-11-05 14:43:23,021 fail2ban.filter [7141]: INFO Set findtime = 600
2017-11-05 14:43:23,022 fail2ban.filter [7141]: INFO Set maxlines = 10
2017-11-05 14:43:23,070 fail2ban.server [7141]: INFO Jail sshd is not a JournalFilter instance
2017-11-05 14:43:23,081 fail2ban.jail [7141]: INFO Jail 'sshd' started
2017-11-05 14:43:23,763 fail2ban.filter [7141]: INFO [sshd] Found 103.5.134.167
2017-11-05 14:43:23,763 fail2ban.filter [7141]: INFO [sshd] Found 103.5.134.167
2017-11-05 14:43:23,764 fail2ban.filter [7141]: INFO [sshd] Found 181.129.54.170
2017-11-05 14:43:23,764 fail2ban.filter [7141]: INFO [sshd] Found 181.129.54.170
2017-11-05 14:43:23,765 fail2ban.filter [7141]: INFO [sshd] Found 181.129.54.170
2017-11-05 14:43:23,765 fail2ban.filter [7141]: INFO [sshd] Found 181.129.54.170
2017-11-05 15:19:06,192 fail2ban.server [7141]: INFO Stopping all jails
2017-11-05 15:19:06,874 fail2ban.jail [7141]: INFO Jail 'sshd' stopped
2017-11-05 15:19:06,879 fail2ban.server [7141]: INFO Exiting Fail2ban
2017-11-05 15:19:07,123 fail2ban.server [8528]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-11-05 15:19:07,123 fail2ban.database [8528]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-11-05 15:19:07,126 fail2ban.jail [8528]: INFO Creating new jail 'sshd'
2017-11-05 15:19:07,129 fail2ban.jail [8528]: INFO Jail 'sshd' uses poller {}
2017-11-05 15:19:07,141 fail2ban.jail [8528]: INFO Initiated 'polling' backend
2017-11-05 15:19:07,142 fail2ban.actions [8528]: INFO Set banTime = 60
2017-11-05 15:19:07,142 fail2ban.filter [8528]: INFO Set findtime = 60
2017-11-05 15:19:07,142 fail2ban.filter [8528]: INFO Set jail log file encoding to UTF-8
2017-11-05 15:19:07,143 fail2ban.filter [8528]: INFO Set maxRetry = 3
2017-11-05 15:19:07,144 fail2ban.filter [8528]: INFO Added logfile = /var/log/auth.log
2017-11-05 15:19:07,144 fail2ban.filter [8528]: INFO Set maxlines = 10
2017-11-05 15:19:07,189 fail2ban.server [8528]: INFO Jail sshd is not a JournalFilter instance
2017-11-05 15:19:07,195 fail2ban.jail [8528]: INFO Jail 'sshd' started
2017-11-05 15:20:03,263 fail2ban.filter [8528]: INFO [sshd] Found 103.5.134.167
2017-11-05 15:20:05,267 fail2ban.filter [8528]: INFO [sshd] Found 103.5.134.167
2017-11-05 15:20:12,276 fail2ban.filter [8528]: INFO [sshd] Found 103.5.134.167
2017-11-05 15:20:12,380 fail2ban.actions [8528]: NOTICE [sshd] Ban 103.5.134.167
2017-11-05 15:21:12,659 fail2ban.actions [8528]: NOTICE [sshd] Unban 103.5.134.167
要查看启用的监狱列表,请运行以下命令。
# fail2ban-client status Status |- Number of jail: 2 `- Jail list: apache-auth, sshd
通过运行以下命令来获取禁止的 IP 地址。
# fail2ban-client status ssh Status for the jail: ssh |- filter | |- File list: /var/log/auth.log | |- Currently failed: 1 | `- Total failed: 3 `- action |- Currently banned: 1 | `- IP list: 192.168.1.115 `- Total banned: 1
要从 Fail2Ban 中删除禁止的 IP 地址,请运行以下命令。
# fail2ban-client set ssh unbanip 192.168.1.115
The above is the detailed content of How to use Fail2Ban to protect your server from brute force attacks. For more information, please follow other related articles on the PHP Chinese website!
Explain the architectural differences between Linux and Windows.May 06, 2025 am 12:01 AMThe main differences in architecture between Linux and Windows include: 1) Design philosophy and kernel structure: Linux uses a modular kernel, Windows uses a single kernel; 2) File system: Linux supports multiple file systems, Windows mainly uses NTFS; 3) Security: Linux is known for its permission management and open source features. Windows has a unique security mechanism but lags in repair; 4) Usage experience: Linux command line operation is more efficient, and Windows graphical interface is more intuitive.
What are some common security threats targeting Linux versus Windows?May 05, 2025 am 12:03 AMLinux and Windows systems face different security threats. Common Linux threats include Rootkit, DDoS attacks, exploits, and permission escalation; common Windows threats include malware, ransomware, phishing attacks, and zero-day attacks.
How does process management differ between Linux and Windows?May 04, 2025 am 12:04 AMThe main difference between Linux and Windows in process management lies in the implementation and concept of tools and APIs. Linux is known for its flexibility and power, relying on kernel and command line tools; while Windows is known for its user-friendliness and integration, mainly managing processes through graphical interfaces and system services.
What are the typical use cases for Linux versus Windows?May 03, 2025 am 12:01 AMLinuxisidealforcustomization,development,andservermanagement,whileWindowsexcelsineaseofuse,softwarecompatibility,andgaming.Linuxoffershighconfigurabilityfordevelopersandserversetups,whereasWindowsprovidesauser-friendlyinterfaceandbroadsoftwaresupport
What are the differences in user account management between Linux and Windows?May 02, 2025 am 12:02 AMThe main difference between Linux and Windows in user account management is the permission model and management tools. Linux uses Unix-based permissions models and command-line tools (such as useradd, usermod, userdel), while Windows uses its own security model and graphical user interface (GUI) management tools.
How does the command line environment of Linux make it more/less secure than Windows?May 01, 2025 am 12:03 AMLinux'scommandlinecanbemoresecurethanWindowsifmanagedcorrectly,butrequiresmoreuserknowledge.1)Linux'sopen-sourcenatureallowsforquicksecurityupdates.2)Misconfigurationcanleadtovulnerabilities.Windows'commandlineismorecontrolledbutlesscustomizable,with
How to Make a USB Drive Mount Automatically in LinuxApr 30, 2025 am 10:04 AMThis guide explains how to automatically mount a USB drive on boot in Linux, saving you time and effort. Step 1: Identify Your USB Drive Use the lsblk command to list all block devices. Your USB drive will likely be labeled /dev/sdb1, /dev/sdc1, etc
Best Cross-Platform Apps for Linux, Windows, and Mac in 2025Apr 30, 2025 am 09:57 AMCross-platform applications have revolutionized software development, enabling seamless functionality across operating systems like Linux, Windows, and macOS. This eliminates the need to switch apps based on your device, offering consistent experien
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
WebStorm Mac version
Useful JavaScript development tools
Notepad++7.3.1
Easy-to-use and free code editor
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
SublimeText3 Chinese version
Chinese version, very easy to use
