如何配置 fail2ban 来保护 Apache 服务器
生产环境中的 Apache 服务器可能会受到不同的攻击。攻击者或许试图通过暴力攻击或者执行恶意脚本来获取未经授权或者禁止访问的目录。一些恶意爬虫或许会扫描你网站下的各种安全漏洞,或者通过收集email地址和web表单来发送垃圾邮件。
Apache服务器具有全面的日志功能,可以捕捉到各种攻击所反映的异常事件。然而,它还不能系统地解析具体的apache 日志并迅速地对潜在的攻击进行反应(比如,禁止/解禁IP地址)。这时候fail2ban可以解救这一切,解放了系统管理员的工作。
fail2ban是一款入侵防御工具,可以基于系统日志检测不同的工具并且可以自动采取保护措施比如:通过iptables禁止ip、通过 /etc/hosts.deny 阻止连接、或者通过邮件发送通知。fail2ban具有一系列预定义的“监狱”,它使用特定程序日志过滤器来检测通常的攻击。你也可以编写自定义的规则来检测来自任意程序的攻击。
什么是 Fail2ban 监狱
让我们更深入地了解 fail2ban 监狱。监狱定义了具体的应用策略,它会为指定的程序触发一个保护措施。fail2ban在 /etc/fail2ban/jail.conf 下为一些流行程序如Apache、Dovecot、Lighttpd、MySQL、Postfix、SSH 等预定义了一些监狱。每个监狱都通过特定的程序日志过滤器(在/etc/fail2ban/fileter.d 下面)来检测通常的攻击。让我看一个例子监狱:SSH监狱。
<span class="pun">[</span><span class="pln">ssh</span><span class="pun">]</span><span class="pln">enabled </span><span class="pun">=</span><span class="kwd">true</span><span class="pln">port </span><span class="pun">=</span><span class="pln"> ssh</span><span class="pln">filter </span><span class="pun">=</span><span class="pln"> sshd</span><span class="pln">logpath </span><span class="pun">=</span><span class="str">/var/</span><span class="pln">log</span><span class="pun">/</span><span class="pln">auth</span><span class="pun">.</span><span class="pln">log</span><span class="pln">maxretry </span><span class="pun">=</span><span class="lit">6</span><span class="pln">banaction </span><span class="pun">=</span><span class="pln"> iptables</span><span class="pun">-</span><span class="pln">multiport</span>
SSH监狱的配置定义了这些参数:
- [ssh]: 方括号内是监狱的名字。
- enabled:是否启用监狱
- port: 端口号(或者对应的服务名称)
- filter: 检测攻击的日志解析规则
- logpath: 所检测的日志文件
- maxretry: 最大失败次数
- banaction: 所进行的禁止操作
定义在监狱配置中的任意参数都会覆盖fail2ban-wide 中相应的默认配置参数。相反,任何缺少的参数都会使用定义在[DEFAULT] 字段的默认值。
预定义的日志过滤器都放在/etc/fail2ban/filter.d,而可以采取的禁止操作放在 /etc/fail2ban/action.d。
如果你想要覆盖fail2ban的默认操作或者定义任何自定义监狱,你可以创建/etc/fail2ban/jail.local*文件。本篇教程中,我会使用/etc/fail2ban/jail.local。
启用预定义的apache监狱
fail2ban的默认安装为Apache服务提供了一些预定义监狱和过滤器。我要启用这些内建的Apache监狱。由于Debian和RedHat配置的稍微不同,我会分别提供它们的配置文件。
在Debian 或者 Ubuntu启用Apache监狱
要在基于Debian的系统上启用预定义的apache监狱,如下创建/etc/fail2ban/jail.local。
<span class="pln">$ sudo vi </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">fail2ban</span><span class="pun">/</span><span class="pln">jail</span><span class="pun">.</span><span class="kwd">local</span>
<span class="com"># 检测密码认证失败</span><span class="pun">[</span><span class="pln">apache</span><span class="pun">]</span><span class="pln">enabled </span><span class="pun">=</span><span class="kwd">true</span><span class="pln">port </span><span class="pun">=</span><span class="pln"> http</span><span class="pun">,</span><span class="pln">https</span><span class="pln">filter </span><span class="pun">=</span><span class="pln"> apache</span><span class="pun">-</span><span class="pln">auth</span><span class="pln">logpath </span><span class="pun">=</span><span class="str">/var/</span><span class="pln">log</span><span class="pun">/</span><span class="pln">apache</span><span class="pun">*</span><span class="com">/*error.log</span><span class="com">maxretry = 6</span><span class="com"># 检测漏洞和 PHP 脆弱性扫描 </span><span class="com">[apache-noscript]</span><span class="com">enabled = true</span><span class="com">port = http,https</span><span class="com">filter = apache-noscript</span><span class="com">logpath = /var/log/apache*/</span><span class="pun">*</span><span class="pln">error</span><span class="pun">.</span><span class="pln">log</span><span class="pln">maxretry </span><span class="pun">=</span><span class="lit">6</span><span class="com"># 检测 Apache 溢出攻击 </span><span class="pun">[</span><span class="pln">apache</span><span class="pun">-</span><span class="pln">overflows</span><span class="pun">]</span><span class="pln">enabled </span><span class="pun">=</span><span class="kwd">true</span><span class="pln">port </span><span class="pun">=</span><span class="pln"> http</span><span class="pun">,</span><span class="pln">https</span><span class="pln">filter </span><span class="pun">=</span><span class="pln"> apache</span><span class="pun">-</span><span class="pln">overflows</span><span class="pln">logpath </span><span class="pun">=</span><span class="str">/var/</span><span class="pln">log</span><span class="pun">/</span><span class="pln">apache</span><span class="pun">*</span><span class="com">/*error.log</span><span class="com">maxretry = 2</span><span class="com"># 检测在服务器寻找主目录的尝试</span><span class="com">[apache-nohome]</span><span class="com">enabled = true</span><span class="com">port = http,https</span><span class="com">filter = apache-nohome</span><span class="com">logpath = /var/log/apache*/</span><span class="pun">*</span><span class="pln">error</span><span class="pun">.</span><span class="pln">log</span><span class="pln">maxretry </span><span class="pun">=</span><span class="lit">2</span>
由于上面的监狱没有指定措施,这些监狱都将会触发默认的措施。要查看默认的措施,在/etc/fail2ban/jail.conf中的[DEFAULT]下找到“banaction”。
<span class="pln">banaction </span><span class="pun">=</span><span class="pln"> iptables</span><span class="pun">-</span><span class="pln">multiport</span>
本例中,默认的操作是iptables-multiport(定义在/etc/fail2ban/action.d/iptables-multiport.conf)。这个措施使用iptable的多端口模块禁止一个IP地址。
在启用监狱后,你必须重启fail2ban来加载监狱。
<span class="pln">$ sudo service fail2ban restart </span>
在CentOS/RHEL 或者 Fedora中启用Apache监狱
要在基于红帽的系统中启用预定义的监狱,如下创建/etc/fail2ban/jail.local。
<span class="pln">$ sudo vi </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">fail2ban</span><span class="pun">/</span><span class="pln">jail</span><span class="pun">.</span><span class="kwd">local</span>
<span class="com"># 检测密码认证失败</span><span class="pun">[</span><span class="pln">apache</span><span class="pun">]</span><span class="pln">enabled </span><span class="pun">=</span><span class="kwd">true</span><span class="pln">port </span><span class="pun">=</span><span class="pln"> http</span><span class="pun">,</span><span class="pln">https</span><span class="pln">filter </span><span class="pun">=</span><span class="pln"> apache</span><span class="pun">-</span><span class="pln">auth</span><span class="pln">logpath </span><span class="pun">=</span><span class="str">/var/</span><span class="pln">log</span><span class="pun">/</span><span class="pln">httpd</span><span class="com">/*error_log</span><span class="com">maxretry = 6</span><span class="com"># 检测抓取邮件地址的爬虫</span><span class="com">[apache-badbots]</span><span class="com">enabled = true</span><span class="com">port = http,https</span><span class="com">filter = apache-badbots</span><span class="com">logpath = /var/log/httpd/*access_log</span><span class="com">bantime = 172800</span><span class="com">maxretry = 1</span><span class="com"># 检测漏洞和 PHP 脆弱性扫描 </span><span class="com">[apache-noscript]</span><span class="com">enabled = true</span><span class="com">port = http,https</span><span class="com">filter = apache-noscript</span><span class="com">logpath = /var/log/httpd/*error_log</span><span class="com">maxretry = 6</span><span class="com"># 检测 Apache 溢出攻击 </span><span class="com">[apache-overflows]</span><span class="com">enabled = true</span><span class="com">port = http,https</span><span class="com">filter = apache-overflows</span><span class="com">logpath = /var/log/httpd/*error_log</span><span class="com">maxretry = 2</span><span class="com"># 检测在服务器寻找主目录的尝试</span><span class="com">[apache-nohome]</span><span class="com">enabled = true</span><span class="com">port = http,https</span><span class="com">filter = apache-nohome</span><span class="com">logpath = /var/log/httpd/*error_log</span><span class="com">maxretry = 2</span><span class="com"># 检测执行不存在的脚本的企图</span><span class="com"># 这些都是流行的网站服务程序</span><span class="com"># 如:webmail, phpMyAdmin,WordPress</span><span class="com">port = http,https</span><span class="com">filter = apache-botsearch</span><span class="com">logpath = /var/log/httpd/*error_log</span><span class="com">maxretry = 2</span>
注意这些监狱文件默认的操作是iptables-multiport(定义在/etc/fail2ban/jail.conf中[DEFAULT]字段下的“banaction”中)。这个措施使用iptable的多端口模块禁止一个IP地址。
启用监狱后,你必须重启fail2ban来加载监狱。
在 Fedora 或者 CentOS/RHEL 7中:
<span class="pln">$ sudo systemctl restart fail2ban </span>
在 CentOS/RHEL 6中:
<span class="pln">$ sudo service fail2ban restart </span>
检查和管理fail2ban禁止状态
监狱一旦激活后,你可以用fail2ban的客户端命令行工具来监测当前的禁止状态。
查看激活的监狱列表:
<span class="pln">$ sudo fail2ban</span><span class="pun">-</span><span class="pln">client status </span>
查看特定监狱的状态(包含禁止的IP列表):
<span class="pln">$ sudo fail2ban</span><span class="pun">-</span><span class="pln">client status </span><span class="pun">[监狱名]</span>
你也可以手动禁止或者解禁IP地址:
要用制定监狱禁止IP:
<span class="pln">$ sudo fail2ban</span><span class="pun">-</span><span class="pln">client </span><span class="kwd">set</span><span class="pun">[</span><span class="pln">name</span><span class="pun">-</span><span class="pln">of</span><span class="pun">-</span><span class="pln">jail</span><span class="pun">]</span><span class="pln"> banip </span><span class="pun">[</span><span class="pln">ip</span><span class="pun">-</span><span class="pln">address</span><span class="pun">]</span>
要解禁指定监狱屏蔽的IP:
<span class="pln">$ sudo fail2ban</span><span class="pun">-</span><span class="pln">client </span><span class="kwd">set</span><span class="pun">[</span><span class="pln">name</span><span class="pun">-</span><span class="pln">of</span><span class="pun">-</span><span class="pln">jail</span><span class="pun">]</span><span class="pln"> unbanip </span><span class="pun">[</span><span class="pln">ip</span><span class="pun">-</span><span class="pln">address</span><span class="pun">]</span>
总结
本篇教程解释了fail2ban监狱如何工作以及如何使用内置的监狱来保护Apache服务器。依赖于你的环境以及要保护的web服务器类型,你或许要调整已有的监狱或者编写自定义监狱和日志过滤器。查看outfail2ban的官方Github页面来获取最新的监狱和过滤器示例。
你有在生产环境中使用fail2ban么?分享一下你的经验吧。
Apache 的详细介绍:请点这里
Apache 的下载地址:请点这里
via: http://xmodulo.com/configure-fail2ban-apache-http-server.html
相关推荐
Kafka 2020-09-18
Wepe0 2020-10-30
杜倩 2020-10-29
windle 2020-10-29
minerd 2020-10-28
mengzuchao 2020-10-22
Junzizhiai 2020-10-10
bxqybxqy 2020-09-30
风之沙城 2020-09-24
kingszelda 2020-09-22
大唐帝国前营 2020-08-18
yixu0 2020-08-17
TangCuYu 2020-08-15
xiaoboliu00 2020-08-15
songshijiazuaa 2020-08-15
xclxcl 2020-08-03
zmzmmf 2020-08-03
newfarhui 2020-08-03
likesyour 2020-08-01