使用fail2ban预防被挖洞的笔记

参考：http://www.javashuo.com/article/p-ahhqnbpg-eh.html

一、安装fail2ban：

yum -y install epel-release

yum -y install fail2ban

二、配置fail2ban：

修改/etc/fail2ban/jail.conf

[default]
destemail = abc@def.com
sender = nginx-1@def.com
#这里须要修改发送和接收邮件的邮箱

[nginx-get-404]
enabled = true
port = http,https
filter = nginx
action = iptables[name=nginx, port=http, protocol=tcp]
         %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
#这里增长了邮件通知
logpath = /var/log/nginx/access.log
bantime = 3600
findtime = 60
maxretry = 5

增长/etc/fail2ban/filter.d/nginx.conf

[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex = <HOST> -.*- .*GET /www/common/.*$
#ignoreregex是忽略的地址，防止因页面代码写的很差引起的错判，若是不须要能够留空

修改/etc/postfix/mail.cf

主要是修改releyhost = 10.0.30.1

自己有内部邮件的smtp转发服务器

三、检查fail2ban规则

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.conf /etc/fail2ban/filter.d/nginx.conf --print-all-match --print-all-ignore

注意：上面有2次用到/etc/fail2ban/filter.d/nginx.conf，是由于我配置了ignoreregex的内容

四、启动fail2ban和postfix

service postfix restart
service fail2ban restart

五、检查fail2ban

fail2ban-client status

fail2ban-client status ngixn-get-404

分别检查的是fail2ban的总开关状态，和其中nginx-get-404功能的扫描状态