Tutorial: Install fail2ban under Debian for active defense vps

What is fail2ban

fail2ban can monitor your system logs, and then match the error information in the logs (regular expression matching) to perform corresponding shielding actions (usually calling firewall shielding), such as: when someone is testing your SSH, SMTP, FTP Password, as long as it reaches your preset number of times, fail2ban will call the firewall to block the IP, and can send an e-mail to notify the system administrator. It is a very practical and powerful software! Let’s briefly introduce the functions and features of fail2ban. 1. Support a large number of services. Such as sshd, apache, qmail, proftpd, sasl, etc. 2. Support multiple actions. Such as iptables, tcp-wrapper, shorewall (iptables third-party tool), mail notifications (mail notification), etc. 3. Support wildcard characters in logpath options 4. Gamin support is required (Note: Gamin is a service tool used to monitor whether files and directories have been changed) 5. Python, iptables, tcp-wrapper, shorewall, and Gamin need to be installed. If you want to send emails, you must install postfix/sendmail

How to install fail2ban

Update first, no need to explain this: apt-get update apt-get upgrade –show-upgraded

One line of command completes the installation: apt-get install fail2ban

The configuration file is in the directory /etc/fail2ban/: /etc/fail2ban/fail2ban.conf #fail2ban configuration file /etc/fail2ban/jail.conf #Block configuration file /etc/fail2ban/filter.d/ #Specific filtering rule file directory /etc/fail2ban/action.d/ #Directory for taking corresponding measures after specific filtering rules are detected

Many parameters are actually included by default. All we have to do is set the enable attribute to true to start

fail2ban other

Monitor nginx logs

Assuming that the default log path of nginx is /var/log/nginx/access_log, it is necessary to prevent hackers from violently cracking the HTTP FORM login. The login detection link is

http://test.com/login_check.do According to analysis, normal logins generally do not exceed three or four times, and the login time generally does not exceed one minute; therefore, the specified detection period is 1 minute, and the maximum number of login attempts is 10; if the number of login attempts exceeds the specified number within the specified time, it is considered a hacker Trying a brute force attack.

The specific setting method is as follows:

1) First add the following content to the jail.conf file:

[nginx] ;Rule name enabled = true ;whether for user use port = http,https; monitoring port filter = nginx ;needs to filter matching rules logpath = /var/log/nginx/access_log; log path findtime =60; detection period in seconds, the same as below bantime =300 ;iptable ban IP time maxretry =10 ;Maximum number of attempts action = iptables[name=nginx, port=http, protocal=tcp]; When brute force cracking is found, iptalbes is used to block the IP. sendmail[name=nginx, dest=my-email@xx.com /* */] ;After discovering brute force cracking, take measures to send mail through sendmail. It should be noted that: iptables and sendmail must be aligned, otherwise an error will occur; don't ask me why I know, I will cry for a while -_-! !! 2) Then create the /etc/fail2ban/filter.d/nginx.conf file and add the following content:

[Definition] failregex =.*-.*-.*POST.*/login_check.do.* HTTP\/1.*http://test.com.*$; Need to match the regular rules of log discovery attack behavior, and match the built-in variables of fail2ban IP, cannot be modified ignoreregex = ;regex to be ignored After completing the above steps, you can run the command /etc/init.d/fail2ban restart to restart. Check that iptables has fail2ban-nginx rules and receive an email from sendmail that fail2ban has been started, which means it is OK.

However, operation and maintenance students may know that sendmail has a lot of delays in sending emails and is not easy to use. Using mutt instead of sendmail is a good choice. The process of installing mutt will not be explained here. Here I will introduce how to modify the configuration file that uses mutt to send actions.

1) First create a /etc/fail2ban/action.d/mutt.conf file, and then add the following content:

# Fail2Ban configuration file # # Author: Cyril Jaquier # # [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = printf %%b “Hi,\n The jail has been started successfully.\n Regards,\n Fail2Ban"|mutt -s "[Fail2Ban] : started on `uname -n`" # Option: actionsstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = printf %%b “Hi,\n The jail has been stopped.\n Regards,\n Fail2Ban"|mutt -s "[Fail2Ban] : stopped on `uname -n`" # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck= # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = printf %%b “Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n Regards,\n Fail2Ban"|mutt -s "[Fail2Ban] : banned from `uname -n`" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban= [Init] # Default name of the chain # name=default # Destination/Addressee of the mutt # dest=root 2) Then add the following content under the jail.conf file:

action = mutt[name=nginx, dest=my-email@xx.com /* */] After restarting, you can use the mutt file to send emails.

Recommended site search: US anti-attack server, international domain name, mainland China proxy IP, view IP, registered unregistered domain name, US virtual host purchase, proxy server IP domain name query network, ftp free space PHP space rental,