Installing Fail2ban correctly on a VPS to stop SSH brute-forcing

PS: I have only tested this on VPSes from three different providers. The Alibaba Cloud ECS and Hosteons VPSes had no problems on either CentOS 6 or 7. Only the BandwagonHost (搬瓦工) VPS was special: Fail2ban could never be installed directly, and I kept getting various "No package fail2ban available." errors.

After a lot of searching I found a solution on an English-language site (unfortunately I cleared my browser cache by accident and no longer remember the URL) and finally got it installed. If you switch SSH to key-based login you basically don't need to bother with any of this, but curiosity got the better of me.

OK, let's get started.

The default CentOS repositories do not carry Fail2ban, so the EPEL repository has to be added first and the package installed afterwards.

```
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban

[root@host ~]# yum -y install fail2ban
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: centos.mirror.ndchost.com
 * elrepo-kernel: repos.lax-noc.com
 * extras: centos.sonn.com
 * updates: mirror.scalabledns.com
No package fail2ban available.
Error: Nothing to do
```

As you can see, the Fail2ban installation failed.

Check that the repository package was installed correctly

```
yum install -y epel-release

[root@host ~]# yum install -y epel-release
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.scalabledns.com
 * elrepo-kernel: repos.lax-noc.com
 * extras: mirrors.xmission.com
 * updates: centos.mirror.lstn.net
Package epel-release-6-8.noarch already installed and latest version
Nothing to do
```

Check whether EPEL is enabled

```
yum repolist enabled

[root@host ~]# yum repolist enabled
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.hostduplex.com
 * elrepo-kernel: repos.lax-noc.com
 * extras: mirrors.xmission.com
 * updates: mirror.rackspace.com
repo id        repo name                                                       status
base           CentOS-6 - Base                                                 6,710+3
elrepo-kernel  ELRepo.org Community Enterprise Linux Kernel Repository - el6   25
extras         CentOS-6 - Extras                                               31
updates        CentOS-6 - Updates                                              43
repolist: 6,809
```

The epel repository is installed but does not appear in the enabled list. Edit /etc/yum.repos.d/epel.repo and, in the [epel] section, change `enabled=0` to `enabled=1`.

Reinstall Fail2ban. Here I used a one-click script that describes itself as "one-click install and deployment of Fail2ban, automatically configured against SSH brute-forcing; the IP ban time and maximum number of retries can be customised."

```
# install
wget http://www.seeit.life/scripts/fail2ban.sh
bash fail2ban.sh

# uninstall
wget http://www.seeit.life/scripts/uninstallfail2ban.sh
bash uninstallfail2ban.sh

[root@host ~]# wget http://www.seeit.life/scripts/fail2ban.sh
--2018-07-15 16:15:46--  http://www.seeit.life/scripts/fail2ban.sh
Resolving www.seeit.life... 47.52.170.67
Connecting to www.seeit.life|47.52.170.67|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5700 (5.6K) [application/octet-stream]
Saving to: "fail2ban.sh"

100%[==========================================================================================>] 5,700       --.-K/s   in 0s

2018-07-15 16:15:47 (207 MB/s) - "fail2ban.sh" saved [5700/5700]

[root@host ~]# bash fail2ban.sh
Welcome to Fail2ban!
This Shell Script can protect your server from SSH attacks with the help of Fail2ban and iptables
Do you want to change your SSH Port? [y/n]: y
Please input SSH port(Default: 12345): 12345
Input the maximum times for trying [2-10]: 3
Input the lasting time for blocking an IP [hours]: 9600
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.hostduplex.com
 * elrepo-kernel: repos.lax-noc.com
 * epel: mirrors.develooper.com
 * extras: mirrors.xmission.com
 * updates: mirror.rackspace.com
Package epel-release-6-8.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.hostduplex.com
 * elrepo-kernel: repos.lax-noc.com
 * epel: mirrors.develooper.com
 * extras: mirrors.xmission.com
 * updates: mirror.rackspace.com
Package fail2ban-0.9.6-1.el6.1.noarch already installed and latest version
Nothing to do
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
Finish Installing ! Reboot the sshd now !
ssh: unrecognized service
Github: https://github.com/FunctionClub
http://seeit.life
Fail2ban is now running on this server now!
```

Here the script's automatic restart of sshd failed ("ssh: unrecognized service": on CentOS the service is named sshd, not ssh), so it has to be restarted manually.

```
[root@host ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
```

Check the firewall state

```
[root@host ~]# iptables -nvL
Chain INPUT (policy DROP 2 packets, 80 bytes)
 pkts bytes target   prot opt in   out  source      destination
    0     0 f2b-SSH  tcp  --  *    *    0.0.0.0/0   0.0.0.0/0   tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out  source      destination

Chain OUTPUT (policy ACCEPT 96 packets, 13498 bytes)
 pkts bytes target   prot opt in   out  source      destination

Chain f2b-SSH (1 references)
 pkts bytes target   prot opt in   out  source      destination
    0     0 RETURN   all  --  *    *    0.0.0.0/0   0.0.0.0/0
```

Here you can see that the f2b-SSH chain created by Fail2ban is in place and hooked into INPUT for port 22.

If your SSH port is not the default 22, change port=ssh to port=xxx (your actual port).

Edit /etc/fail2ban/jail.local

```
[DEFAULT]
# never ban the local host
ignoreip = 127.0.0.1
# all times are in seconds: 86400 s = 1 day
bantime = 86400
maxretry = 3
# window in which maxretry failures trigger a ban: 1800 s = 30 min
findtime = 1800

[ssh-iptables]
enabled = true
filter = sshd
# port= must be the port sshd actually listens on, otherwise nothing is blocked
#action = iptables[name=SSH, port=SSH, protocol=tcp]
action = iptables[name=SSH, port=12345, protocol=tcp]
# CentOS writes sshd authentication messages here
logpath = /var/log/secure
# values in the jail section override [DEFAULT] for this jail
maxretry = 3
findtime = 3600
# 34560000 s = 9600 hours, the ban time entered in the script
bantime = 34560000
```
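To see what the maxretry/findtime/ignoreip values in this jail actually do, here is an added example (not part of the original post or of Fail2ban itself) that applies the same counting rule to a few constructed /var/log/secure lines; the regex is a simplified stand-in for Fail2ban's sshd filter and the year is assumed, since syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified version of what fail2ban's sshd filter matches in /var/log/secure
# on CentOS 6 (assumption: only "Failed password" lines are considered here).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failed(line, year=2018):
    """(timestamp, source IP) for a failed-login line, else None; year is assumed."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip")

def find_bans(lines, maxretry=3, findtime=3600, ignoreip=("127.0.0.1",)):
    """Ban an IP once it has maxretry failures within findtime seconds; returns {ip: ban_start}."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in ignoreip or ip in bans:
            continue                     # whitelisted, or already banned
        recent = [t for t in failures[ip] if ts - t <= window] + [ts]
        failures[ip] = recent            # keep only failures inside findtime
        if len(recent) >= maxretry:
            bans[ip] = ts                # the ban starts at the triggering failure
    return bans

# Constructed sample of /var/log/secure lines (documentation addresses, not real traffic).
SAMPLE_SECURE = [
    "Jul 15 10:00:00 host sshd[1801]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Jul 15 10:45:00 host sshd[1802]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Jul 15 11:31:00 host sshd[1803]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "Jul 15 16:20:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jul 15 16:20:05 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "Jul 15 16:20:09 host sshd[2005]: Failed password for root from 203.0.113.5 port 51250 ssh2",
    "Jul 15 16:21:00 host sshd[2010]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2",
    "Jul 15 16:22:00 host sshd[2011]: Failed password for root from 127.0.0.1 port 33000 ssh2",
    "Jul 15 16:22:01 host sshd[2012]: Failed password for root from 127.0.0.1 port 33001 ssh2",
    "Jul 15 16:22:02 host sshd[2013]: Failed password for root from 127.0.0.1 port 33002 ssh2",
]
```

With the jail's findtime of 3600 s only 203.0.113.5 is banned: the three slow failures from 198.51.100.7 span more than an hour, and 127.0.0.1 is covered by ignoreip.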

Restart SSH, restart Fail2ban, and save the firewall rules

```
service sshd restart
service fail2ban restart
service iptables save
```

Check the firewall state again

```
[root@host ~]# iptables -nvL
Chain INPUT (policy DROP 8 packets, 352 bytes)
 pkts bytes target   prot opt in   out  source      destination
   20  1116 f2b-SSH  tcp  --  *    *    0.0.0.0/0   0.0.0.0/0   tcp dpt:12345
    1    40 f2b-SSH  tcp  --  *    *    0.0.0.0/0   0.0.0.0/0   tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out  source      destination

Chain OUTPUT (policy ACCEPT 92 packets, 41940 bytes)
 pkts bytes target   prot opt in   out  source      destination

Chain f2b-SSH (2 references)
 pkts bytes target   prot opt in   out  source      destination
   21  1156 RETURN   all  --  *    *    0.0.0.0/0   0.0.0.0/0
    0     0 RETURN   all  --  *    *    0.0.0.0/0   0.0.0.0/0
```

All done: Fail2ban is now watching both the default port 22 and the changed port.