Day18 作业

[root@zzp ~]# tar -xvf fail2ban-0.9.4.tar.gz
[root@zzp ~]# ls
Centos_repo.back  fail2ban-0.9.4  fail2ban-0.9.4.tar.gz

[root@zzp fail2ban-0.9.4]# ls
bin              DEVELOP                 fail2ban-testcases-all-python3  MANIFEST        setup.cfg
ChangeLog        doc                     files                           MANIFEST.in     setup.py
config           fail2ban                FILTERS                         README.md       THANKS
CONTRIBUTING.md  fail2ban-2to3           kill-server                     README.Solaris  TODO
COPYING          fail2ban-testcases-all  man                             RELEASE         Vagrantfile
[root@zzp fail2ban-0.9.4]# python setup.py install     #安装
running install
running build
running build_py

[root@zzp fail2ban-0.9.4]# ll /etc/fail2ban/
总用量 68
drwxr-xr-x. 2 root root  4096 11月 18 10:11 action.d    #动作  调用防火墙 发文件 需要用
-rw-rw-r--. 1 root root  2328 3月   8 2016 fail2ban.conf    #主配置文件定义了一些日志的文件位置
drwxr-xr-x. 2 root root  4096 11月 18 10:11 fail2ban.d    #目录
drwxr-xr-x. 3 root root  4096 11月 18 10:11 filter.d
-rw-rw-r--. 1 root root 20839 3月   8 2016 jail.conf      #监狱文件，主配置文件 定义阈值超过阈值就屏蔽掉
drwxr-xr-x. 2 root root  4096 11月 18 10:11 jail.d
-rw-rw-r--. 1 root root  2361 3月   8 2016 paths-common.conf
-rw-rw-r--. 1 root root   642 3月   8 2016 paths-debian.conf
-rw-rw-r--. 1 root root  1059 3月   8 2016 paths-fedora.conf
-rw-rw-r--. 1 root root  1174 3月   8 2016 paths-freebsd.conf
-rw-rw-r--. 1 root root   659 3月   8 2016 paths-opensuse.conf
-rw-rw-r--. 1 root root   290 3月   8 2016 paths-osx.conf

[root@zzp fail2ban]# vim /etc/fail2ban/jail.conf 

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH,port=ssh,protocol=tcp]
sendmail-whois[name=SSH,dest=root,sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 3600

[root@zzp ~]# cd /root/fail2ban-0.9.4     进入解压后的文件里
[root@zzp fail2ban-0.9.4]# ls
bin              COPYING        fail2ban-testcases-all          man             RELEASE    Vagrantfile
build            DEVELOP        fail2ban-testcases-all-python3  MANIFEST        setup.cfg
ChangeLog        doc            files                           MANIFEST.in     setup.py
config           fail2ban       FILTERS                         README.md       THANKS
CONTRIBUTING.md  fail2ban-2to3  kill-server                     README.Solaris  TODO
[root@zzp fail2ban-0.9.4]# cp files/redhat-initd  /etc/init.d/fail2ban   #添加启动脚本

[root@zzp ~]# service iptables restart
iptables：将链设置为政策 ACCEPT：filter                    [确定]
iptables：清除防火墙规则：                                 [确定]
iptables：正在卸载模块：                                   [确定]
iptables：应用防火墙规则：                                 [确定]
[root@zzp ~]# service fail2ban restart
关闭fail2ban:                                              [确定]
启动fail2ban:                                              [确定]

[root@zzp ~]# fail2ban-client status
Status
|- Number of jail:   1
`- Jail list:  ssh-iptables
[root@zzp ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed:  7
|  `- File list:   /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:  2
   `- Banned IP list:   192.168.1.124 192.168.224.7

使用工具fail2ban
fail2ban会监控系统日志   /var/log/secure，匹配日志的信息，登录失败次数过多，调用防火墙屏蔽掉，或发送邮件
1.安装epel源
[root@zzp124 ~]# yum install epel-release -y
[root@zzp124 ~]# ls /etc/yum.repos.d/
CentOS-Base.repo  CentOS-Debuginfo.repo  CentOS-Media.repo    CentOS-Vault.repo  epel-testing.repo
CentOS-CR.repo    CentOS-fasttrack.repo  CentOS-Sources.repo  epel.repo          rehat.repo
[root@zzp124 ~]# 
2.安装fail2ban工具
[root@zzp124 ~]# yum install -y fail2ban
3.配置fail2ban
[root@zzp124 ~]# vim /etc/fail2ban/jail.conf 
# see `filter.d/traefik-auth.conf` for details and service example.
port    = http,https
logpath = /var/log/traefik/access.log


[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH,port=ssh,protocol=tcp]
sendmail-whois[name=SSH,dest=root,sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 3600

                                   
4.重启fail2ban，设置开机自启
[root@zzp124 ~]# systemctl restart fail2ban.service 
[root@zzp124 ~]# systemctl enable fail2ban.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
5.测试成功
[root@zzp124 yum.repos.d]# fail2ban-client status
Status
|- Number of jail:   1
`- Jail list:  ssh-iptables
[root@zzp124 yum.repos.d]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 1
|  |- Total failed:  4
|  `- File list:   /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned:  1
   `- Banned IP list:   192.168.1.122
[root@zzp124 yum.repos.d]#

#!/bin/bash
cat /var/log/secure |grep "Failed password" |awk '{print $11}' |sort -u >ip.txt
sort -u ip.txt -o ip.txt
touch heikeIP.txt
ipnum=$(cat ip.txt |wc -l)
for((i=1 ;i<=${ipnum} ;i++))
do
        failNum=$(cat /var/log/secure|grep `sed -n ${i}p ip.txt `|grep "Failed password"|wc -l)
        if [ ${failNum} -gt 3 ] ; then
                echo $(sed -n ${i}p ip.txt) >> heikeIP.txt
        fi
done
sort -u heikeIP.txt -o  heikeIP.txt
hkIPnum=$(cat heikeIP.txt | wc -l)
for (( i=1 ; i<=${hkIPnum}; i++ ))
do
        echo "ssh:`sed -n ${i}p heikeIP.txt ` "  >> /etc/hosts.deny
done
sleep 3
for (( i=1 ; i<=${hkIPnum}; i++ ))
do
        echo "ssh:`sed -n ${i}p heikeIP.txt ` "  >> /etc/hosts.allow
done