Host security has always been an important topic, yet most people overlook how serious information security is, and newcomers to VPS hosting often have no idea where to start when adding a firewall to their server.
In my earlier post on the Vesta control panel I mentioned installing the CSF firewall to protect the host, but with Vesta's default setup you have to adjust the paths inside the configuration file yourself before CSF works 100%, so I do not recommend it for beginners on Vesta. This follow-up post therefore covers installing fail2ban to keep the host from being broken into.
Installation and configuration
Install fail2ban
apt-get install fail2ban
Create the configuration file (jail.conf is overwritten on upgrades; jail.local holds your overrides)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the configuration file
nano /etc/fail2ban/jail.local
jail.local:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
# Addresses listed here are never banned. To whitelist the IP you log in from,
# replace your-IP with the correct IP; delete it if you do not need this.
ignoreip = 127.0.0.1/8 your-IP
bantime = 86400
maxretry = 3
. . .
# Email address that receives the notifications
destemail = your@gmail.com
. . .
# Action taken when a rule is triggered; see the comments in the file to customise it
action = %(action_mwl)s
. . .
# SSH login protection
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
. . .
# SSH DDoS protection
[ssh-ddos]
enabled = true
. . .
# FTP login protection
[vsftpd]
enabled = true
Save the file and restart fail2ban
service fail2ban restart
In the configuration file, every section enclosed in [ ] is a place where a protection rule can be set, and you can configure the others as your needs require. Attached below is the email notification you receive when someone tries to log in to the host over SSH.
Below is an example of the email notification sent by fail2ban
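To make the maxretry, bantime and ignoreip settings above concrete, here is an added Python simulation of what the [ssh] jail does. It is not part of the original post and not fail2ban's own code: it scans constructed auth.log lines (documentation IP ranges, not real attackers) with a pattern modelled on the sshd filter, skips any address covered by ignoreip, and bans an address once it has reached maxretry failures inside the findtime window. The post does not set findtime, so fail2ban's default of 600 seconds is assumed here.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not taken from the original post).
# sshd writes lines like these on failed password logins; fail2ban's sshd
# filter matches them and extracts the source IP.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:09 vps sshd[1207]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  1 10:00:12 vps sshd[1209]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar  1 10:00:13 vps sshd[1210]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:00:14 vps sshd[1211]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar  1 10:05:00 vps sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 2222 ssh2
Mar  1 10:30:00 vps sshd[1401]: Failed password for root from 198.51.100.7 port 2223 ssh2
Mar  1 11:30:00 vps sshd[1402]: Failed password for root from 198.51.100.7 port 2224 ssh2
Mar  1 12:30:00 vps sshd[1403]: Failed password for root from 198.51.100.7 port 2225 ssh2
"""

# Simplified version of the "Failed password" rule in fail2ban's sshd filter
# (hypothetical pattern written for this example, not the real filter).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2024):
    """syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def simulate_jail(log_text, ignoreip=("127.0.0.1/8",), maxretry=3,
                  findtime=600, bantime=86400):
    """Return {ip: (banned_at, ban_expires)} for addresses the jail would ban.

    ignoreip, maxretry and bantime mirror the jail.local values in the post;
    findtime is fail2ban's default window (assumed, the post does not set it).
    """
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}

    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other lines are ignored
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignore_nets):
            continue                # whitelisted by ignoreip, never banned
        if ip in bans:
            continue                # already banned; the firewall drops its packets
        window = failures[ip]
        window.append(when)
        # keep only failures that fall inside the findtime window
        while window and (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (when, when + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_AUTH_LOG).items():
        print(f"{ip} banned at {start} until {end}")
```

With the post's settings only 203.0.113.5 is banned: 127.0.0.1 is covered by ignoreip, and 198.51.100.7 fails three times but an hour apart, so it never has three failures inside one findtime window. On a real host, `fail2ban-client status ssh` lists the addresses the jail is currently banning.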
Hi,
The IP 94.102.63.27 has just been banned by Fail2Ban after 3 attempts against ssh.
Here are more information about 94.102.63.27:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '94.102.48.0 - 94.102.63.255'
% Abuse contact for '94.102.48.0 - 94.102.63.255' is 'abuse@ecatel.net'
inetnum: 94.102.48.0 - 94.102.63.255
netname: NL-ECATEL-20080829
descr: Ecatel LTD
country: NL
org: ORG-EL38-RIPE
admin-c: RvE16-RIPE
tech-c: RvE16-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: ECATEL-MNT
mnt-routes: ECATEL-MNT
source: RIPE # Filtered
organisation: ORG-EL38-RIPE
org-name: Ecatel LTD
org-type: LIR
address: Ecatel LTD
address: P.O.Box 19533
address: 2500 CM Den Haag
address: NETHERLANDS
phone: +31702204015
fax-no: +31702204015
abuse-c: AR16168-RIPE
mnt-ref: ECATEL-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
admin-c: EL25-RIPE
source: RIPE # Filtered
person: Reinier van Eeden
address: Archangelkade 1-3
address: 1013 BE Amsterdam
mnt-by: IQARUS-MNT
phone: +31 64 607 11 12
nic-hdl: RvE16-RIPE
source: RIPE # Filtered
% Information related to '94.102.48.0/20AS29073'
route: 94.102.48.0/20
descr: AS29073 Route object
origin: AS29073
mnt-by: ECATEL-MNT
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.75 (DB-2)
Regards,
Fail2Ban