背景介绍

双十一的时候薅羊毛租了台腾讯云的虚机, 是真便宜, 只是没想到才跑了一个月, 系统里面就收集到了巨多的 SSH 恶意登录失败记录.

只能说, 互联网真的是太不安全了. 之前有用过 fail2ban 在 CentOS 7 上面做过防护, 不过那已经是好久好久之前的故事了, 好多方法已经不再适用. 下面记录一下在 Debian 12 上安装和配置 fail2ban 的过程.

配置过程

# 安装 ufw 和 fail2ban
sudo apt install -y ufw fail2ban# 配置 ufw 防火墙放行 SSH 端口
sudo ufw allow SSH# 开启 ufw
sudo ufw enable
sudo systemctl enable ufw --now

下面开始编辑 fail2ban 配置文件

sudo vim /etc/fail2ban/jail.d/defaults-debian.conf

[DEFAULT]
# 忽略的 IP 地址, 相当于白名单
ignoreip = 1.1.1.1
# [重点] 指定使用 ufw 作为防护的操作
banaction = ufw[sshd]
enabled = true
# [重点] Debian 12 中的 SSH 审计日志都在 systemd 里面, 所以一定要指定
backend = systemd
filter = sshd

保存配置后启动原神 服务

sudo systemctl enable fail2ban --now

测试验证

检查当前 fail2ban 的状态, 还没有 Banned IP

sudo fail2ban-client status sshdStatus for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions|- Currently banned: 0|- Total banned:     0`- Banned IP list:

再开个 SSH 链接, 故意输错密码5次, 再访问就直接 ssh: connect to host 172.17.65.147 port 22: Connection timed out

查看 fail2ban 的日志:

root@lpwm-virtualmachine:/var/log# cat fail2ban.log
2024-12-24 23:01:07,663 fail2ban.server         [1975]: INFO    --------------------------------------------------
2024-12-24 23:01:07,663 fail2ban.server         [1975]: INFO    Starting Fail2ban v1.0.2
2024-12-24 23:01:07,663 fail2ban.observer       [1975]: INFO    Observer start...
2024-12-24 23:01:07,668 fail2ban.database       [1975]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2024-12-24 23:01:07,669 fail2ban.database       [1975]: WARNING New database created. Version '4'
2024-12-24 23:01:07,669 fail2ban.jail           [1975]: INFO    Creating new jail 'sshd'
2024-12-24 23:01:07,681 fail2ban.jail           [1975]: INFO    Jail 'sshd' uses systemd {}
2024-12-24 23:01:07,682 fail2ban.jail           [1975]: INFO    Initiated 'systemd' backend
2024-12-24 23:01:07,682 fail2ban.filter         [1975]: INFO      maxLines: 1
2024-12-24 23:01:07,689 fail2ban.filtersystemd  [1975]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2024-12-24 23:01:07,689 fail2ban.filter         [1975]: INFO      maxRetry: 5
2024-12-24 23:01:07,689 fail2ban.filter         [1975]: INFO      findtime: 600
2024-12-24 23:01:07,689 fail2ban.actions        [1975]: INFO      banTime: 600
2024-12-24 23:01:07,689 fail2ban.filter         [1975]: INFO      encoding: UTF-8
2024-12-24 23:01:07,690 fail2ban.jail           [1975]: INFO    Jail 'sshd' started
2024-12-24 23:01:07,691 fail2ban.filtersystemd  [1975]: INFO    [sshd] Jail is in operation now (process new journal entries)
2024-12-24 23:02:50,864 fail2ban.filter         [1975]: INFO    [sshd] Found 172.17.64.1 - 2024-12-24 23:02:50
2024-12-24 23:02:51,404 fail2ban.filter         [1975]: INFO    [sshd] Found 172.17.64.1 - 2024-12-24 23:02:51
2024-12-24 23:02:54,154 fail2ban.filter         [1975]: INFO    [sshd] Found 172.17.64.1 - 2024-12-24 23:02:53
2024-12-24 23:03:21,154 fail2ban.filter         [1975]: INFO    [sshd] Found 172.17.64.1 - 2024-12-24 23:03:20
2024-12-24 23:03:23,904 fail2ban.filter         [1975]: INFO    [sshd] Found 172.17.64.1 - 2024-12-24 23:03:23
2024-12-24 23:03:23,920 fail2ban.actions        [1975]: NOTICE  [sshd] Ban 172.17.64.1
2024-12-24 23:03:26,654 fail2ban.filter         [1975]: INFO    [sshd] Found 172.17.64.1 - 2024-12-24 23:03:26

再次检查 fail2ban 状态, 可以看到 Banned IP 多了一个:

root@lpwm-virtualmachine:/var/log# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions|- Currently banned: 1|- Total banned:     1`- Banned IP list:   172.17.64.1

查看 ufw 状态, 也多了一条 REJECT 的记录:

root@lpwm-virtualmachine:/var/log# ufw status
Status: activeTo                         Action      From
--                         ------      ----
Anywhere                   REJECT      172.17.64.1                # by Fail2Ban after 5 attempts against sshd
SSH                        ALLOW       Anywhere
WWW                        ALLOW       Anywhere
SSH (v6)                   ALLOW       Anywhere (v6)
WWW (v6)                   ALLOW       Anywhere (v6)

后话

以上均使用的是 fail2ban 的默认配置, 即最多连续 5 次错误登录就会自动加到 ufw 防火墙规则中给 Ban 掉, 如果需要调整具体的规则, 可以修改 /etc/fail2ban/jail.d/defaults-debian.conf, 完整配置说明请参考 https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf