背景介绍
双十一的时候薅羊毛租了台腾讯云的虚机, 是真便宜, 只是没想到才跑了一个月, 系统里面就收集到了巨多的 SSH 恶意登录失败记录.
只能说, 互联网真的是太不安全了. 之前有用过 fail2ban 在 CentOS 7 上面做过防护, 不过那已经是好久好久之前的故事了, 好多方法已经不再适用. 下面记录一下在 Debian 12 上安装和配置 fail2ban 的过程.
配置过程
# 安装 ufw 和 fail2ban
sudo apt install -y ufw fail2ban# 配置 ufw 防火墙放行 SSH 端口
sudo ufw allow SSH# 开启 ufw
sudo ufw enable
sudo systemctl enable ufw --now
下面开始编辑 fail2ban 配置文件
sudo vim /etc/fail2ban/jail.d/defaults-debian.conf
[DEFAULT]
# 忽略的 IP 地址, 相当于白名单
ignoreip = 1.1.1.1
# [重点] 指定使用 ufw 作为防护的操作
banaction = ufw[sshd]
enabled = true
# [重点] Debian 12 中的 SSH 审计日志都在 systemd 里面, 所以一定要指定
backend = systemd
filter = sshd
保存配置后启动原神 服务
sudo systemctl enable fail2ban --now
测试验证
检查当前 fail2ban 的状态, 还没有 Banned IP
sudo fail2ban-client status sshdStatus for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions|- Currently banned: 0|- Total banned: 0`- Banned IP list:
再开个 SSH 链接, 故意输错密码5次, 再访问就直接 ssh: connect to host 172.17.65.147 port 22: Connection timed out
查看 fail2ban 的日志:
root@lpwm-virtualmachine:/var/log# cat fail2ban.log
2024-12-24 23:01:07,663 fail2ban.server [1975]: INFO --------------------------------------------------
2024-12-24 23:01:07,663 fail2ban.server [1975]: INFO Starting Fail2ban v1.0.2
2024-12-24 23:01:07,663 fail2ban.observer [1975]: INFO Observer start...
2024-12-24 23:01:07,668 fail2ban.database [1975]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2024-12-24 23:01:07,669 fail2ban.database [1975]: WARNING New database created. Version '4'
2024-12-24 23:01:07,669 fail2ban.jail [1975]: INFO Creating new jail 'sshd'
2024-12-24 23:01:07,681 fail2ban.jail [1975]: INFO Jail 'sshd' uses systemd {}
2024-12-24 23:01:07,682 fail2ban.jail [1975]: INFO Initiated 'systemd' backend
2024-12-24 23:01:07,682 fail2ban.filter [1975]: INFO maxLines: 1
2024-12-24 23:01:07,689 fail2ban.filtersystemd [1975]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2024-12-24 23:01:07,689 fail2ban.filter [1975]: INFO maxRetry: 5
2024-12-24 23:01:07,689 fail2ban.filter [1975]: INFO findtime: 600
2024-12-24 23:01:07,689 fail2ban.actions [1975]: INFO banTime: 600
2024-12-24 23:01:07,689 fail2ban.filter [1975]: INFO encoding: UTF-8
2024-12-24 23:01:07,690 fail2ban.jail [1975]: INFO Jail 'sshd' started
2024-12-24 23:01:07,691 fail2ban.filtersystemd [1975]: INFO [sshd] Jail is in operation now (process new journal entries)
2024-12-24 23:02:50,864 fail2ban.filter [1975]: INFO [sshd] Found 172.17.64.1 - 2024-12-24 23:02:50
2024-12-24 23:02:51,404 fail2ban.filter [1975]: INFO [sshd] Found 172.17.64.1 - 2024-12-24 23:02:51
2024-12-24 23:02:54,154 fail2ban.filter [1975]: INFO [sshd] Found 172.17.64.1 - 2024-12-24 23:02:53
2024-12-24 23:03:21,154 fail2ban.filter [1975]: INFO [sshd] Found 172.17.64.1 - 2024-12-24 23:03:20
2024-12-24 23:03:23,904 fail2ban.filter [1975]: INFO [sshd] Found 172.17.64.1 - 2024-12-24 23:03:23
2024-12-24 23:03:23,920 fail2ban.actions [1975]: NOTICE [sshd] Ban 172.17.64.1
2024-12-24 23:03:26,654 fail2ban.filter [1975]: INFO [sshd] Found 172.17.64.1 - 2024-12-24 23:03:26
再次检查 fail2ban 状态, 可以看到 Banned IP 多了一个:
root@lpwm-virtualmachine:/var/log# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 6
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions|- Currently banned: 1|- Total banned: 1`- Banned IP list: 172.17.64.1
查看 ufw 状态, 也多了一条 REJECT 的记录:
root@lpwm-virtualmachine:/var/log# ufw status
Status: activeTo Action From
-- ------ ----
Anywhere REJECT 172.17.64.1 # by Fail2Ban after 5 attempts against sshd
SSH ALLOW Anywhere
WWW ALLOW Anywhere
SSH (v6) ALLOW Anywhere (v6)
WWW (v6) ALLOW Anywhere (v6)
后话
以上均使用的是 fail2ban 的默认配置, 即最多连续 5 次错误登录就会自动加到 ufw 防火墙规则中给 Ban 掉, 如果需要调整具体的规则, 可以修改 /etc/fail2ban/jail.d/defaults-debian.conf, 完整配置说明请参考 https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
