Fail2ban

From Alpine Linux

Installation

This installs the fail2ban package. It pulls in the iptables package as a dependency (see also Configure_Networking#Firewalling_with_iptables_and_ip6tables)

apk add fail2ban

Enable the fail2ban service so that it starts at boot

rc-update add fail2ban

Start the fail2ban service now and create the configuration files

rc-service fail2ban start

List the services to verify that fail2ban is enabled

rc-status

Configuration

  • The configuration files are located in /etc/fail2ban

SSH daemon

New sshd key filter for Alpine

  • Out of the box, Alpine ships /etc/fail2ban/filter.d/alpine-sshd.conf, which protects against password failures, plus /etc/fail2ban/filter.d/alpine-sshd-ddos.conf for additional DDoS protection
  • However, if you turn off PasswordAuthentication in /etc/ssh/sshd_config, the filters above no longer match anything
  • There are arguments against the usefulness of fail2ban: Fail2ban is fundamentally the wrong answer to the problem. If you are going to spend time installing something like this, you should instead turn off password authentication (rely on keys only)
    • But it seems useful: I have used Fail2Ban even with SSH password authentication turned off. It still helps keep the logs from filling up with errors
  • Log lines like the following can appear; they were reported in https://github.com/fail2ban/fail2ban/issues/1719 and addressed in version 0.10
Connection reset by 153.99.182.39 port 48966 [preauth]
Received disconnect from 153.99.182.39 port 21183:11: [preauth]
Disconnected from 153.99.182.39 port 21183 [preauth]
  • Their fix is mode=aggressive, but it does not work in Alpine

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd[mode=aggressive]
port     = ssh
logpath  = /var/log/messages
maxretry = 2

vi /etc/fail2ban/jail.d/alpine-ssh.conf

[sshd]
enabled  = true
filter   = alpine-sshd
port     = ssh
logpath  = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = ssh
logpath  = /var/log/messages
maxretry = 2

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = ssh
logpath  = /var/log/messages
maxretry = 2

vi /etc/fail2ban/filter.d/alpine-sshd-key.conf

# Fail2Ban filter for openssh for Alpine
#
# Filtering login attempts with PasswordAuthentication No in sshd_config.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\]

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
  • rc-service fail2ban restart

How to test the new filter

fail2ban-regex /var/log/messages alpine-sshd-key.conf
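As an added example (not part of this wiki page or of fail2ban itself), the script below emulates what fail2ban-regex does with the failregex from alpine-sshd-key.conf: it expands <HOST>, runs the regex over constructed log lines, and counts failures per host against the jail's maxretry = 2. The HOST_PATTERN, the sample log lines and the helper names are assumptions; the pattern is a simplified stand-in for fail2ban's real <HOST> expansion and covers IPv4 addresses and bare hostnames only.

```python
import re
from collections import Counter

# failregex copied from the alpine-sshd-key.conf filter on this page.
FAILREGEX = (r"(Connection closed by|Disconnected from) authenticating user .* "
             r"<HOST> port \d* \[preauth\]")
# Assumption: simplified stand-in for fail2ban's <HOST> expansion, covering
# IPv4 addresses and bare hostnames only (fail2ban's own also handles IPv6).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> placeholder and compile the filter regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matching_hosts(lines, failregex=FAILREGEX):
    """Host captured from every line the failregex matches, in log order.
    Lines that do not match are what fail2ban-regex reports as missed."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


def banned_hosts(lines, maxretry=2, failregex=FAILREGEX):
    """Hosts whose failure count reaches maxretry, i.e. those the [sshd-key]
    jail would ban (findtime is ignored; the sample spans a few seconds)."""
    counts = Counter(matching_hosts(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed /var/log/messages-style lines using documentation addresses;
# the "Connection reset by" line mirrors the shape reported in issue #1719.
SAMPLE_LOG = """\
Jan 10 10:00:01 box sshd[123]: Connection closed by authenticating user root 203.0.113.7 port 40001 [preauth]
Jan 10 10:00:05 box sshd[124]: Disconnected from authenticating user root 203.0.113.7 port 40002 [preauth]
Jan 10 10:00:09 box sshd[125]: Connection closed by authenticating user git 198.51.100.9 port 40003 [preauth]
Jan 10 10:00:12 box sshd[126]: Connection reset by 192.0.2.44 port 48966 [preauth]
Jan 10 10:00:15 box sshd[127]: Accepted publickey for alice from 203.0.113.50 port 40004 ssh2
""".splitlines()

if __name__ == "__main__":
    print("matched:", matching_hosts(SAMPLE_LOG))
    print("banned with maxretry=2:", banned_hosts(SAMPLE_LOG))
```

The "Connection reset by" line is included on purpose: this filter does not match it, which is exactly the kind of line fail2ban-regex would list as missed when you run it against /var/log/messages.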

Unban an IP

fail2ban-client set sshd unbanip BannedIP

fail2ban-client -i
Fail2Ban v0.10.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status sshd

Different SSH port number

You can change the port value to any positive integer, as described in https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

Increase bantime

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2
bantime  = 24h

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2
bantime  = 24h

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2
bantime  = 24h