

















安装配置脚本(ssh 端口和 ignoreip 请按自己的环境修改;注意 ssh 端口在 [dropbear] 段的 port 和 action 两处都出现,需要同时改,否则封禁规则会落在错误的端口上):
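# OpenWrt: install fail2ban and protect dropbear (SSH) with nftables bans.
# Edit the SSH port and ignoreip below before running.

# Install fail2ban and logd (the OpenWrt syslog daemon)
opkg update
opkg install fail2ban logd

# Log directory. /var is tmpfs on OpenWrt, so the file is recreated at boot
# and nothing persists across reboots.
mkdir -p /var/log

# Make logd write syslog to a file so fail2ban has a log to follow.
# log_size is in KiB: 10240 = 10 MiB.
uci set system.@system[0].log_file='/var/log/messages'
uci set system.@system[0].log_size='10240'
uci commit system
/etc/init.d/log restart

# dropbear filter. NOTE: if the package already ships a
# filter.d/dropbear.conf this overwrites it. Each failregex line is one of
# dropbear's auth-failure messages; continuation lines must stay indented.
# Always validate against the real log before trusting it:
#   fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dropbear.conf
cat > /etc/fail2ban/filter.d/dropbear.conf << 'EOF'
[Definition]
failregex = ^.*dropbear\[\d+\]: Login attempt for nonexistent user from <HOST>:\d+$
            ^.*dropbear\[\d+\]: Bad password attempt for '.*' from <HOST>:\d+$
            ^.*dropbear\[\d+\]: Exit before auth from <<HOST>:\d+>: \(user '.*', .* fails\): Exited normally$
ignoreregex =
EOF

# Jail configuration
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Base ban parameters: 5 failures within 600 s -> 600 s ban
bantime  = 600
findtime = 600
maxretry = 5

# Progressive bans: each repeat offence doubles the previous ban
# (600 -> 1200 -> 2400 ...). This relies on fail2ban's sqlite database;
# on OpenWrt that lives under /var by default (tmpfs), so the escalation
# history is lost on reboot.
bantime.increment = true
bantime.factor = 2
# The cap option is named bantime.maxtime -- a bare "bantime.max" is not a
# fail2ban option and is silently ignored. Leaving it unset means no cap,
# which is what this configuration relies on.
# bantime.maxtime = 1w

# Repeat-offender handling in fail2ban is a separate [recidive] jail
# (filter = recidive, logpath = /var/log/fail2ban.log), not "recidive.*"
# keys in [DEFAULT]; such keys are not recognised and do nothing, so they
# are omitted here. The doubling above already escalates repeat offenders.

# Network layer: ban via nftables. "chain" is only consulted by the default
# action template; the explicit action line in [dropbear] does not pass it.
banaction = nftables-multiport
chain = input

# Whitelist -- add your management IP! This exempts whole LAN ranges, so a
# compromised LAN host can brute-force dropbear without ever being banned;
# narrow it to the hosts you actually manage from if you can.
ignoreip = 127.0.0.1/8 ::1 192.168.100.0/24 192.168.1.0/24

[dropbear]
enabled  = true
# SSH port. The action line reuses %(port)s, so change it only here.
port     = 22
filter   = dropbear
logpath  = /var/log/messages
action   = nftables-multiport[name=dropbear, port="%(port)s", protocol=tcp]
EOF

# Restart fail2ban so the new filter and jail are loaded
/etc/init.d/fail2ban restart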
常用指令:
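# Day-to-day fail2ban commands for the dropbear jail.

# fail2ban service status
/etc/init.d/fail2ban status

# Currently banned IPs for the dropbear jail
fail2ban-client status dropbear

# Ban an IP by hand
fail2ban-client set dropbear banip 111.183.145.241

# Unban a single IP
fail2ban-client set dropbear unbanip 111.183.145.241

# Unban every IP in every jail
fail2ban-client unban --all

# Follow the fail2ban log
tail -f /var/log/fail2ban.log

# Restart fail2ban
/etc/init.d/fail2ban restart

# Show login failures. The pattern includes dropbear's own wording
# ("nonexistent user", "Bad password", "Exit before auth") as well as the
# OpenSSH phrases; grep -E replaces egrep, which newer grep releases report
# as obsolescent, and reads the file directly instead of piping from cat.
grep -E --color=auto "Bad (password|publickey)|nonexistent user|Exit before auth|invalid user|Connection (closed|refused)|authentication failure|not allowed" /var/log/messages

# Test the filter against the real log. Do this before relying on the jail:
# a failregex that never matches means no bans at all.
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dropbear.conf --print-all-matched

# Make fail2ban reopen its log files, e.g. after a log was rotated or
# deleted; existing bans are kept.
fail2ban-client flushlogs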
常规 Linux 版参考这个:https://www.cnblogs.com/nihaorz/p/19667506