Configuring iptables and installing fail2ban on a VPS to block SSH brute-force attacks

My VPS journey went from DigitalOcean to Linode to Vultr. I have set up plenty of VPSes, but I am not very familiar with Linux myself; my level is copying and pasting commands from other people's tutorials. Every VPS I created ran completely unprotected, and for a long time that never seemed like a problem. Then one day, on a VPS created less than a week earlier, I found that auth.log in /var/log was 18 MB, with several compressed auth.log archives beside it. Opening it was a shock.
[Image: failed-login count]
And that was only one of the archives. My passwords are complex and random, so cracking them by this kind of exhaustive guessing is essentially impossible, but having someone hammer at the server like this is still not good.

fail2ban is a monitoring tool written in Python. It watches the system logs for failed-login messages and calls iptables to block the offending IP, so that a single IP cannot keep trying passwords indefinitely. This post is about using iptables and fail2ban to stop this kind of brute-force attack.

Configuring iptables (see the official Debian tutorial)

Check the current iptables configuration

iptables -L  

If the result looks like this

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

then iptables has no rules at all, which is the same as not having iptables installed. Start by creating a rules file.

nano /etc/iptables.test.rules  

Below is the default configuration recommended by Debian; add it to the file you just created.

*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections 
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT  

Activate this configuration.

iptables-restore < /etc/iptables.test.rules  

Check the iptables configuration again

iptables -L  

Save the configuration you just loaded

iptables-save > /etc/iptables.up.rules  

Make the configuration survive a reboot

nano /etc/network/if-pre-up.d/iptables  

Add the following

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

Make the file executable

chmod +x /etc/network/if-pre-up.d/iptables  

That completes the setup recommended on the official Debian site.
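Because iptables evaluates rules top to bottom, a rules file that puts the catch-all REJECT before the SSH ACCEPT cuts off your own session the moment iptables-restore runs. The following check is an added example, not part of the Debian wiki or of this post; the function names and the sample file are my own and assume the rules file format shown above.

```sh
#!/bin/sh
# Added example: sanity-check an iptables-restore rules file before loading it.
# iptables applies rules in order, so the ACCEPT for the SSH port must appear
# before the catch-all "-A INPUT -j REJECT"; otherwise loading the file drops
# the very SSH session you are typing into.  Function names are my own.

# check_ssh_rule FILE [PORT]
# Prints "ok" and returns 0 when the INPUT chain accepts tcp/PORT before the
# first unconditional INPUT REJECT/DROP; otherwise prints the problem, returns 1.
check_ssh_rule() {
    rules_file=$1
    port=${2:-22}
    awk -v port="$port" '
        # first INPUT rule that accepts TCP on the port
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ && !accept &&
            $0 ~ ("--dport " port "( |$)") { accept = NR }
        # first unconditional deny in INPUT (nothing between -A INPUT and -j)
        /^-A INPUT -j (REJECT|DROP)/ && !deny { deny = NR }
        END {
            if (!accept) { print "no INPUT ACCEPT for tcp/" port; exit 1 }
            if (deny && deny < accept) {
                print "ACCEPT for tcp/" port " comes after the catch-all on line " deny
                exit 1
            }
            print "ok"
        }' "$rules_file"
}

# write_sample FILE: constructed minimal rules file in the same shape as the
# Debian default above, with the SSH rule correctly placed before the catch-all.
write_sample() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Usage on the file from this post, loading it only if the check passes:
#   check_ssh_rule /etc/iptables.test.rules 22 && iptables-restore < /etc/iptables.test.rules
```

If you move SSH to a non-standard port later, pass that port as the second argument so the check looks for the rule you actually rely on.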

Installing and configuring fail2ban

Install fail2ban with apt-get.

apt-get install fail2ban  

Once installed, fail2ban starts running automatically. Next, configure it. First copy jail.conf to jail.local: when fail2ban is upgraded, the old jail.conf is overwritten and any changes in it are lost, whereas jail.local is left untouched.

cd /etc/fail2ban  
cp jail.conf jail.local  

Parameters in jail.local that need to be changed:
After opening jail.local you will see sections enclosed in square brackets, such as [DEFAULT], [ssh], [apache], [vsftpd] and so on. The [DEFAULT] parameters are as follows:

findtime = 6000
# findtime: the window, in seconds, within which failed attempts from an IP are counted.
bantime  = 36000000
# bantime: how long, in seconds, an offending IP stays blocked. At least one day is recommended.
maxretry = 2
# maxretry: how many wrong passwords trigger fail2ban. The default is 6.
backend = polling
# backend: set this to polling; the default is auto.
action = iptables[name=SSH, port=ssh, protocol=tcp]

The other sections, [ssh], [apache], [vsftpd] and so on, each have an enabled option; to turn on monitoring for a service, change enabled = false to enabled = true. In the [ssh] section, also add this line:

action = iptables[name=SSH, port=ssh, protocol=tcp]  

With that done, the remaining options are fine at their defaults. Restart fail2ban.

service fail2ban restart  

Now look at how the iptables configuration has changed

iptables -L  

If the following appears, fail2ban is working

Chain fail2ban-SSH (1 references)  
target     prot opt source               destination  
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh-ddos (1 references)  
target     prot opt source               destination  
RETURN     all  --  anywhere  

Once everything is in place, the ban log can be viewed in /var/log/fail2ban.log.

2015-11-11 15:24:15,882 fail2ban.actions: WARNING [ssh] Ban 190.146.247.87  
2015-11-11 16:20:37,711 fail2ban.actions: WARNING [ssh] Ban 149.202.52.100  
2015-11-11 23:12:49,150 fail2ban.actions: WARNING [ssh] Ban 95.237.253.122  
2015-11-11 23:12:54,164 fail2ban.actions: WARNING [ssh] Ban 109.161.226.66  
2015-11-11 23:17:10,469 fail2ban.actions: WARNING [ssh] Ban 186.225.222.223  
2015-11-11 23:20:20,699 fail2ban.actions: WARNING [ssh] Ban 177.19.164.147  
2015-11-11 23:27:13,192 fail2ban.actions: WARNING [ssh] Ban 117.253.165.17  
2015-11-11 23:37:40,954 fail2ban.actions: WARNING [ssh] Ban 117.253.154.207  
2015-11-11 23:39:49,117 fail2ban.actions: WARNING [ssh] Ban 95.167.185.106  
2015-11-11 23:46:47,625 fail2ban.actions: WARNING [ssh] Ban 182.74.51.82  
2015-11-11 23:51:17,956 fail2ban.actions: WARNING [ssh] Ban 117.245.4.7  
2015-11-11 23:54:23,182 fail2ban.actions: WARNING [ssh] Ban 186.192.9.237  
2015-11-12 00:05:46,003 fail2ban.actions: WARNING [ssh] Ban 109.161.192.105  
2015-11-12 00:30:20,767 fail2ban.actions: WARNING [ssh] Ban 158.69.195.20  
2015-11-12 00:40:23,478 fail2ban.actions: WARNING [ssh] Ban 46.183.167.240  
2015-11-12 00:41:04,535 fail2ban.actions: WARNING [ssh] Ban 177.43.251.147  
2015-11-12 00:46:09,895 fail2ban.actions: WARNING [ssh] Ban 182.71.144.202  
2015-11-12 00:48:40,081 fail2ban.actions: WARNING [ssh] Ban 46.138.122.206  
2015-11-12 01:21:27,399 fail2ban.actions: WARNING [ssh] Ban 58.185.2.22  
2015-11-12 06:25:03,052 fail2ban.actions: WARNING [ssh] Ban 182.100.67.59  
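A ban log like the one above is also worth reading for a second signal: an IP that appears in more than one "Ban" line was released when bantime expired and came straight back, which means bantime is shorter than the attacker's retry interval. The script below is an added example, not part of the original post; the function names are mine and the sample log lines are constructed in the same format as the excerpt above, using documentation address ranges rather than real hosts.

```sh
#!/bin/sh
# Added example: summarise a fail2ban.log in the line format shown above.
# Not part of the original post; function names are my own.

# Constructed sample log in the same format as the excerpt above. 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG='2015-11-11 15:24:15,882 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2015-11-11 16:20:37,711 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2015-11-11 23:12:49,150 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2015-11-12 00:05:46,003 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2015-11-12 00:30:20,767 fail2ban.actions: WARNING [ssh-ddos] Ban 203.0.113.5
2015-11-12 01:21:27,399 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10'

# Fields of one line, as awk splits it: $1 date, $2 time, $3 "fail2ban.actions:",
# $4 level, $5 "[jail]", $6 "Ban" or "Unban", $7 the IP address.

# bans_per_jail < LOG: prints "<jail> <ban count>" per jail, sorted by jail name.
# Unban lines are ignored so the count reflects distinct ban events.
bans_per_jail() {
    awk '$6 == "Ban" { jail = substr($5, 2, length($5) - 2); n[jail]++ }
         END { for (j in n) print j, n[j] }' | LC_ALL=C sort
}

# repeat_offenders < LOG: prints "<ban count> <ip>" for IPs banned more than once,
# most-banned first. A non-empty result is the hint that bantime is too short.
repeat_offenders() {
    awk '$6 == "Ban" { n[$7]++ }
         END { for (ip in n) if (n[ip] > 1) print n[ip], ip }' | LC_ALL=C sort -rn
}

# On the real log:  bans_per_jail < /var/log/fail2ban.log
printf '%s\n' "$SAMPLE_LOG" | bans_per_jail
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders
```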

Other notes

In theory this tutorial applies to both Debian and Ubuntu, but it does not seem to fit Debian 8. After installing fail2ban on my VPS, it felt as though it was not filtering every login attempt that met the conditions. Searching online did not turn up a clear explanation either, but the general advice when it is not working is to run the following:

service rsyslog restart  
service fail2ban stop  
service fail2ban start  

Update 2015.11.12

In practice, restarting the logging service and restarting fail2ban with the stop and start commands did do the trick; it now runs perfectly. If you need more security, change the SSH port and disable password login in favour of key-based authentication. Changing the SSH port is strongly recommended.