Translation complete - /20171107 How To Protect Server Against Brute Force Attacks With Fail2ban On Linux.md

Flowsnow 2018-01-11 11:37:50 +08:00
parent f559ed6e4c
commit 5f54d1eedc


@ -1,67 +1,65 @@
translating by Flowsnow
How To Protect Server Against Brute Force Attacks With Fail2ban On Linux
如何在Linux上用Fail2ban保护服务器免受暴力攻击
======
One of the important task for Linux administrator is to protect server against illegitimate attack or access. By default Linux system comes with well-configured firewall such as Iptables, Uncomplicated Firewall (UFW), ConfigServer Security Firewall (CSF), etc, which will prevent many kinds of attacks.
Linux管理员的一个重要任务是保护服务器免受非法攻击或访问。 默认情况下Linux系统带有配置良好的防火墙比如IptablesUncomplicated FirewallUFWConfigServer Security FirewallCSF可以防止多种攻击。
Any machine which is connected to the internet is a potential target for malicious attacks. There is a tool called fail2ban is available to mitigate illegitimate access on server.
任何连接到互联网的机器都是恶意攻击的潜在目标。 有一个名为fail2ban的工具可用来缓解服务器上的非法访问。
### What Is Fail2ban?
### 什么是Fail2ban
[Fail2ban][1] is an intrusion prevention software, framework which protect server against brute force attacks. It's Written in Python programming language. Fail2ban work based on auth log files, by default it will scan the auth log files such as `/var/log/auth.log`, `/var/log/apache/access.log`, etc.. and bans IPs that show the malicious signs, too many password failures, seeking for exploits, etc.
[Fail2ban][1]是一款入侵防御软件,可以保护服务器免受暴力攻击。 它是用Python编程语言编写的。 Fail2ban基于auth日志文件工作默认情况下它会扫描所有auth日志文件如`/var/log/auth.log``/var/log/apache/access.log`等并禁止带有恶意标志的IP比如密码失败太多寻找漏洞等等标志。
Generally fail2Ban is used to update firewall rules to reject the IP addresses for a specified amount of time. Also it will send mail notification too. Fail2Ban comes with many filters for various services such as ssh, apache, nginx, squid, named, mysql, nagios, etc,.
通常fail2Ban用于更新防火墙规则用于在指定的时间内拒绝IP地址。 它也会发送邮件通知。 Fail2Ban为各种服务提供了许多过滤器如sshapachenginxsquidnamedmysqlnagios等。
Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. this is one of the security for server which will prevent brute force attacks.
Fail2Ban能够降低错误认证尝试的速度,但是它不能消除弱认证带来的风险。 这只是服务器防止暴力攻击的安全手段之一。
### How to Install Fail2ban In Linux
### 如何在Linux中安装Fail2ban
Fail2ban is already packaged with most of the Linux distribution so, just use you distribution package manager to install it.
Fail2ban已经与大部分Linux发行版打包在一起了所以只需使用你的发行包版的包管理器来安装它。
对于**`Debian / Ubuntu`**,使用[APT-GET命令][2]或[APT命令][3]安装。
For **`Debian/Ubuntu`** , use [APT-GET Command][2] or [APT Command][3] to install tilda.
```
$ sudo apt install fail2ban
```
For **`Fedora`** , use [DNF Command][4] to install tilda.
对于**`Fedora`**,使用[DNF命令][4]安装。
```
$ sudo dnf install fail2ban
```
For **`CentOS/RHEL`** systems, enable [EPEL Repository][5] or [RPMForge Repository][6] and use [YUM Command][7] to install Terminator.
对于 **`CentOS/RHEL`**,启用[EPEL库][5]或[RPMForge][6]库,使用[YUM命令][7]安装。
```
$ sudo yum install fail2ban
```
For **`Arch Linux`** , use [Pacman Command][8] to install tilda.
对于**`Arch Linux`**,使用[Pacman命令][8]安装。
```
$ sudo pacman -S fail2ban
```
For **`openSUSE`** , use [Zypper Command][9] to install tilda.
对于 **`openSUSE`** , 使用[Zypper命令][9]安装.
```
$ sudo zypper in fail2ban
```
### How To Configure Fail2ban
### 如何配置Fail2ban
By default Fail2ban keeps all the configuration files in `/etc/fail2ban/` directory. The main configuration file is `jail.conf`, it contains a set of pre-defined filters. So, don't edit the file and it's not advisable because whenever new update comes the configuration get reset to default.
默认情况下Fail2ban将所有配置文件保存在`/etc/fail2ban/` 目录中。 主配置文件是`jail.conf`,它包含一组预定义的过滤器。 所以,不要编辑文件,这是不可取的,因为只要有新的更新配置就会重置为默认值。
只需在同一目录下创建一个名为`jail.local`的新配置文件,并根据您的意愿进行修改。
Just create a new configuration file called `jail.local` in the same directory and modify as per your wish.
```
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```
By default most of the option was configured perfectly and if you want to enable access to any particular IP then you can add the IP address into `ignoreip` area, for more then one IP give a speace between the IP address.
默认情况下大多数选项都已经配置的很完美了如果要启用对任何特定IP的访问则可以将IP地址添加到`ignoreip` 区域对于多个ip的情况用空格隔开ip地址。
配置文件中的`DEFAULT`部分包含Fail2Ban遵循的基本规则集您可以根据自己的意愿调整任何参数。
The `DEFAULT` section contains the basic set of rules that Fail2Ban follow and you can adjust any parameter as per your wish.
```
# nano /etc/fail2ban/jail.local
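Review bot: the translation of the "What Is Fail2ban?" paragraph turns "it will scan the auth log files such as `/var/log/auth.log`, ..." into "它会扫描所有auth日志文件" ("it scans all auth log files"), which changes the meaning; "所有" should become "比如" (or "例如") to keep the "such as" sense. Smaller points in the same hunk: "发行包版的包管理器" in the install paragraph is a typo for "发行版的包管理器"; the ignoreip sentence should read "配置得很完美" (得, not 的) and "多个 IP" rather than "多个ip" to match the capitalisation used elsewhere; and as rendered here the firewall names in the first paragraph run together ("IptablesUncomplicated FirewallUFWConfigServer Security FirewallCSF"), so please confirm the committed file keeps the commas and parentheses from the English line. Finally, since the commit message says the translation is complete, the "translating by Flowsnow" marker at the top of the file should be among the removed lines in the new version.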
@ -71,19 +69,19 @@ bantime = 600
findtime = 600
maxretry = 3
destemail = 2daygeek@gmail.com
```
* **ignoreip :** This section allow us to whitelist the list of IP address and Fail2ban will not ban a host which matches an address in this list
* **bantime :** The number of seconds that a host is banned
* **findtime :** A host is banned if it has generated "maxretry" during the last "findtime" seconds
* **maxretry :** "maxretry" is the number of failures before a host get banned.
* **ignoreip**本部分允许我们列出IP地址列表Fail2ban不会禁止与列表中的地址匹配的主机
* **bantime**主机被禁止的秒数
* **findtime**如果在上次“findtime”秒期间已经发生了“maxretry”次重试则主机会被禁止
* **maxretry**“maxretry”是主机被禁止之前的失败次数
### How To Configure Service
### 如何配置服务
Fail2ban带有一组预定义的过滤器用于各种服务如sshapachenginxsquidnamedmysqlnagios等。 我们不希望对配置文件进行任何更改,只需在服务区域中添加`enabled = true`这一行就可以启用任何服务。 禁用服务时将true改为false即可。
Fail2ban comes with set of pre-defined filters for various servicess such as ssh, apache, nginx, squid, named, mysql, nagios, etc,. We don't want to make any changes on configuration file and just add following line `enabled = true` in the service area to enable jail to any services. To disable make the line to `false` instead of ture.
```
# SSH servers
[sshd]
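Review bot: the findtime bullet mistranslates "during the last "findtime" seconds" as "在上次“findtime”秒期间", where "上次" reads as "the previous time" instead of a sliding time window; "在最近 findtime 秒内" keeps the intended meaning. As rendered here the translated bullets also lose the colon that separates the bold key from its description in the English lines (compare "**bantime :** The number of seconds that a host is banned" with "**bantime**主机被禁止的秒数"), so a reader cannot tell where the key ends; put "：" after each bold key.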
@ -91,31 +89,29 @@ enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```
* **enabled :** Determines whether the service is turned on or off.
* **port :** It's refering to the particular service. If using the default port, then the service name can be placed here. If using a non-traditional port, this should be the port number.
* **logpath :** Gives the location of the service's logs./li>
* **backend :** "backend" specifies the backend used to get files modification.
* **enabled** 确定服务是打开还是关闭。
* **port **指的是特定的服务。 如果使用默认端口,则服务名称可以放在这里。 如果使用非传统端口,则应该是端口号。
* **logpath**提供服务日志的位置
* **backend**“后端”指定用于获取文件修改的后端。
### Restart Fail2Ban
### 重启Fail2Ban
After making changes restart Fail2Ban to take effect.
进行更改后重新启动Fail2Ban才能生效。
```
[For SysVinit Systems]
# service fail2ban restart
[For systemd Systems]
# systemctl restart fail2ban.service
```
### Verify Fail2Ban iptables rules
### 验证Fail2Ban iptables规则
You can confirm whether Fail2Ban iptables rules are added into firewall using below command.
你可以使用下面的命令来确认是否在防火墙中成功添加了Fail2Ban iptables规则。
```
# iptables -L
Chain INPUT (policy ACCEPT)
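Review bot: the port bullet has a stray space inside the bold markers, "* **port **指的是", which breaks Markdown bold rendering; it should be "* **port**" like the other bullets. In the backend bullet, "“后端”指定用于获取文件修改的后端" translates the configuration key itself; keep the identifier as `backend` (the English line quotes it as a key) so it matches the `backend = %(sshd_backend)s` line in the snippet above. Dropping the "./li>" HTML remnant from the logpath bullet in the translation is correct.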
@ -139,9 +135,10 @@ target prot opt source destination
RETURN all -- anywhere anywhere
```
### How To Test Fail2ban
### 如何测试Fail2ban
我做了一些失败的尝试来测试这个。 为了证实这一点,我要验证`/var/log/fail2ban.log` 文件。
I have made some failed attempts to test this. To confirm this, I'm going to verify the `/var/log/fail2ban.log` file.
```
2017-11-05 14:43:22,901 fail2ban.server [7141]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-11-05 14:43:22,987 fail2ban.database [7141]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
@ -184,19 +181,17 @@ I have made some failed attempts to test this. To confirm this, I'm going to ver
2017-11-05 15:20:12,276 fail2ban.filter [8528]: INFO [sshd] Found 103.5.134.167
2017-11-05 15:20:12,380 fail2ban.actions [8528]: NOTICE [sshd] Ban 103.5.134.167
2017-11-05 15:21:12,659 fail2ban.actions [8528]: NOTICE [sshd] Unban 103.5.134.167
```
To Check list of jail enabled, run the following command.
要查看启用的监狱列表,请运行以下命令。
```
# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: apache-auth, sshd
```
To get the blocked Ip address by running following command.
通过运行以下命令来获取禁止的IP地址。
```
# fail2ban-client status ssh
Status for the jail: ssh
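Review bot: "监狱列表" on the "To Check list of jail enabled" line translates the Fail2ban term jail literally as "prison"; since the command output directly below prints "Jail list: apache-auth, sshd" and the configuration sections are called jails throughout the article, keep the term untranslated, e.g. "要查看已启用的 jail 列表，请运行以下命令。".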
@ -208,13 +203,11 @@ Status for the jail: ssh
|- Currently banned: 1
| `- IP list: 192.168.1.115
`- Total banned: 1
```
To remove blocked IP address from Fail2Ban, run the following command.
要从Fail2Ban中删除禁止的IP地址请运行以下命令。
```
# fail2ban-client set ssh unbanip 192.168.1.115
```
--------------------------------------------------------------------------------
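Review bot: the unban command `fail2ban-client set ssh unbanip 192.168.1.115` and the status command above it use the jail name `ssh`, while the jail list printed earlier in the file shows `sshd` and the configuration snippet enables the `[sshd]` section. This comes from the source text rather than the translation, but a short translator's note that the jail name given to `fail2ban-client` must match the enabled section would spare readers a confusing "jail does not exist" style error.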
@ -222,7 +215,7 @@ To remove blocked IP address from Fail2Ban, run the following command.
via: https://www.2daygeek.com/how-to-install-setup-configure-fail2ban-on-linux/#
作者:[Magesh Maruthamuthu][a]
译者:[译者ID](https://github.com/译者ID)
译者:[Flowsnow](https://github.com/Flowsnow)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出