Installing Fail2ban to Block Brute-Force Attacks


As soon as a BandwagonHost (搬瓦工) VPS goes online, its SSH port becomes a brute-force target: a look at /var/log/auth.log shows a steady stream of failed login attempts from all over the world. Fail2ban watches log files and automatically bans IP addresses that fail to log in repeatedly, which makes it an essential part of VPS hardening.

Tip: Fail2ban works best in combination with SSH key-based login and a firewall.

1. Installing Fail2ban

# Ubuntu/Debian
apt update
apt install fail2ban -y

# CentOS/RHEL
dnf install epel-release -y
dnf install fail2ban -y

# Start the service and enable it at boot
systemctl start fail2ban
systemctl enable fail2ban

# Check the installed version
fail2ban-client version

2. Configuring jail.local

Fail2ban's main configuration file is /etc/fail2ban/jail.conf, but do not edit it directly (package updates overwrite it). Create jail.local and put your customisations there:

# Create the local configuration file
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

Edit the global defaults. Note that Fail2ban only recognises ';' as an inline-comment marker; a '#' comment must sit on its own line, otherwise it becomes part of the value:

[DEFAULT]
# Ban duration in seconds; the default is 10 minutes, 1 hour is recommended
bantime = 3600

# Time window in seconds within which failures are counted
findtime = 600

# Maximum number of failures before a ban
maxretry = 5

# Ban action (uses iptables)
banaction = iptables-multiport

# If you use UFW, change it to:
# banaction = ufw

# IPs that are never banned (your own IP)
ignoreip = 127.0.0.1/8 ::1
# Add your static IP: ignoreip = 127.0.0.1/8 ::1 your_home_ip

3. SSH Protection

SSH is the service that most needs protecting. Configure the SSH jail in jail.local:

[sshd]
enabled = true
port = ssh
# If you changed the SSH port, set it here instead: port = 2222
filter = sshd
# Ubuntu/Debian log; on CentOS use logpath = /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

A stricter SSH setup with escalating bans:

# Stricter SSH jail: aggressive filter mode and a 24-hour first ban
[sshd-aggressive]
enabled = true
port = ssh
filter = sshd[mode=aggressive]
logpath = /var/log/auth.log
maxretry = 3
# First ban lasts 24 hours
bantime = 86400
findtime = 3600

# Long-term ban for IPs that keep getting banned (requires the recidive jail)
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
# Ban for 7 days
bantime = 604800
# Counted over a 24-hour window
findtime = 86400
# Triggered after 3 bans
maxretry = 3

4. Nginx Protection

Protect the web service from malicious scanning and HTTP flood (CC) attacks:

# Nginx HTTP basic-auth brute-force protection
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600

# Nginx malicious-request protection. Check that /etc/fail2ban/filter.d/nginx-badbots.conf
# exists before enabling this jail: it is not part of Fail2ban's stock filter set
# (apache-badbots.conf is the usual template to copy), and a missing filter stops the jail from starting.
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 2
bantime = 86400

# Nginx rate-limit (limit_req) protection
[nginx-limit-req]
enabled = true
port = http,https
filter = nginx-limit-req
logpath = /var/log/nginx/error.log
maxretry = 10
bantime = 3600

5. Custom Filters

You can create custom filters to match specific log patterns:

# Create a WordPress login-protection filter. A failregex must contain the <HOST>
# tag, otherwise Fail2ban refuses to load the filter. Note that this pattern matches
# every POST to wp-login.php, successful logins included, so legitimate users who log
# in more than maxretry times within findtime are banned too; add your own IP to ignoreip.
cat > /etc/fail2ban/filter.d/wordpress-login.conf << 'EOF'
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php
            ^<HOST> .* "POST /xmlrpc\.php
ignoreregex =
EOF

# Enable it in jail.local
[wordpress-login]
enabled = true
port = http,https
filter = wordpress-login
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 3600
findtime = 300

Create a MySQL brute-force protection filter (only relevant if MySQL listens on a public interface):

# Create the MySQL filter. MySQL/MariaDB only write "Access denied" lines to the error
# log when warning verbosity is raised (for example log_error_verbosity=3 on MySQL 8,
# log_warnings=2 on MariaDB). Fail2ban also ships a stock mysqld-auth filter you can use instead.
cat > /etc/fail2ban/filter.d/mysql-auth.conf << 'EOF'
[Definition]
failregex = Access denied for user '[^']+'@'<HOST>'
ignoreregex =
EOF

# Enable it in jail.local
[mysql-auth]
enabled = true
port = 3306
filter = mysql-auth
logpath = /var/log/mysql/error.log
maxretry = 5
bantime = 3600

6. Restart and Verify

# Check the configuration for errors
fail2ban-client -t

# Restart Fail2ban
systemctl restart fail2ban

# Show the status of all jails
fail2ban-client status

# Show details of one jail
fail2ban-client status sshd

# List the IPs currently banned by a jail
fail2ban-client get sshd banned

7. Managing Banned IPs

# Ban an IP manually
fail2ban-client set sshd banip 203.0.113.50

# Unban an IP manually
fail2ban-client set sshd unbanip 203.0.113.50

# Unban all IPs
fail2ban-client unban --all

# View the Fail2ban log
tail -100 /var/log/fail2ban.log

# View ban statistics
fail2ban-client status sshd
# Sample output (excerpt):
# Currently banned: 12
# Total banned: 156

8. E-mail Notifications

Fail2ban can be configured to send an e-mail whenever it bans an IP:

# Install a mail sending tool
apt install mailutils -y    # Ubuntu/Debian

# Add to the [DEFAULT] section of jail.local:
[DEFAULT]
destemail = your_email@example.com
sender = fail2ban@your_domain.com
mta = sendmail
# Send an e-mail with the matching log lines and whois information
action = %(action_mwl)s

Fail2ban is an important part of a VPS security setup; combined with a firewall and SSH key-based login it blocks the vast majority of automated attacks. For the complete plan, see the VPS security hardening guide.

About this site

BandwagonHost VPS Chinese site (bwgvps.com) is an unofficial Chinese-language information site that collects BandwagonHost promotions, tutorials and plan comparisons for Chinese-speaking users.
