On CentOS 8, /etc/hosts.deny has no effect (tcp_wrappers was dropped in RHEL 8, so sshd no longer consults it), so installing DenyHosts is pointless. We use fail2ban instead to defend against SSH brute-force attacks.
[root@localhost ~]# yum install epel-release
[root@localhost ~]# dnf install fail2ban
Last metadata expiration check: 0:46:45 ago on Tue 06 Jul 2021 08:17:31 PM CST.
Dependencies resolved.
===================================================================================================================
 Package                 Architecture  Version                                 Repository  Size
===================================================================================================================
Installing:
 fail2ban                noarch        0.11.2-1.el8                            epel        19 k
Upgrading:
 platform-python-pip     noarch        9.0.3-19.el8                            baseos      1.7 M
Installing dependencies:
 esmtp                   x86_64        1.2-15.el8                              epel        57 k
 fail2ban-firewalld      noarch        0.11.2-1.el8                            epel        19 k
 fail2ban-sendmail       noarch        0.11.2-1.el8                            epel        22 k
 fail2ban-server         noarch        0.11.2-1.el8                            epel        459 k
 libesmtp                x86_64        1.0.6-18.el8                            epel        70 k
 liblockfile             x86_64        1.14-1.el8                              appstream   32 k
 python3-pip             noarch        9.0.3-19.el8                            appstream   20 k
 python3-setuptools      noarch        39.2.0-6.el8                            baseos      163 k
 python3-systemd         x86_64        234-8.el8                               appstream   81 k
 python36                x86_64        3.6.8-2.module_el8.4.0+790+083e3d81     appstream   19 k
Enabling module streams:
 python36                              3.6

Transaction Summary
===================================================================================================================
Install  11 Packages
Upgrade   1 Package

Total download size: 2.6 M
Is this ok [y/N]: y
[root@localhost ~]# systemctl enable --now fail2ban
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.
[root@localhost ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-07-06 21:06:31 CST; 36s ago
Docs: man:fail2ban(1)
Process: 14368 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 14370 (fail2ban-server)
Tasks: 3 (limit: 23494)
Memory: 11.5M
CGroup: /system.slice/fail2ban.service
└─14370 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start
Jul 06 21:06:31 localhost.localdomain systemd[1]: Starting Fail2Ban Service...
Jul 06 21:06:31 localhost.localdomain systemd[1]: Started Fail2Ban Service.
Jul 06 21:06:31 localhost.localdomain fail2ban-server[14370]: Server read
[root@localhost ~]# cd /etc/fail2ban/
[root@localhost fail2ban]# cp jail.conf jail.local
[root@localhost fail2ban]# vim jail.local

# In the [DEFAULT] section:
# Whitelist: these addresses are never banned; separate multiple entries with commas
ignoreip = 127.0.0.1/8
# How long a banned address stays blocked; the unit may be s, m, h or d
bantime = 10m
# If fail2ban is set to ban an IP after 2 failures, those failures must occur within findtime
findtime = 10m
# Number of failures before an IP is banned
maxretry = 2
# Under [sshd], add:
enabled = true
Restart fail2ban so the new jail.local takes effect:
systemctl restart fail2ban
View the banned IP addresses:
iptables -L -n
Note that the fail2ban-firewalld package pulled in above ships /etc/fail2ban/jail.d/00-firewalld.conf, which sets banaction to firewallcmd-rich-rules; on CentOS 8 the bans are then firewalld rich rules and may not appear in iptables output, in which case firewall-cmd --list-rich-rules shows them.
View the sshd jail's ban list:
fail2ban-client status sshd