PS: I have only tried this on VPSes from three different providers. On Aliyun ECS and on Hosteons VPSes, neither CentOS 6 nor CentOS 7 has this problem. Only the BandwagonHost (搬瓦工) VPS is odd: no matter what, fail2ban refuses to install in one go, always failing with "No package fail2ban available."
After a lot of searching I finally found the fix on an English-language site (unfortunately I cleared my browser cache by accident and can no longer find the URL) and got it installed. Honestly, if you switch SSH to key-based login you do not need to bother with any of this at all; I just could not resist tinkering.
Alright, let's get started.
The default CentOS repositories do not carry fail2ban, so the EPEL repository has to be added first and then fail2ban installed from it.
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban
[root@host ~]# yum -y install fail2ban
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.mirror.ndchost.com
* elrepo-kernel: repos.lax-noc.com
* extras: centos.sonn.com
* updates: mirror.scalabledns.com
No package fail2ban available.
Error: Nothing to do

Here you can see that the fail2ban install failed.
Check whether the repository package was installed correctly:
yum install -y epel-release
[root@host ~]# yum install -y epel-release
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.scalabledns.com
* elrepo-kernel: repos.lax-noc.com
* extras: mirrors.xmission.com
* updates: centos.mirror.lstn.net
Package epel-release-6-8.noarch already installed and latest version
Nothing to do

Check whether EPEL is actually enabled:
yum repolist enabled
[root@host ~]# yum repolist enabled
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.hostduplex.com
* elrepo-kernel: repos.lax-noc.com
* extras: mirrors.xmission.com
* updates: mirror.rackspace.com
repo id repo name status
base CentOS-6 - Base 6,710+3
elrepo-kernel ELRepo.org Community Enterprise Linux Kernel Repository - el6 25
extras CentOS-6 - Extras 31
updates CentOS-6 - Updates 43
repolist: 6,809

EPEL is missing from the enabled repository list above. Edit /etc/yum.repos.d/epel.repo and, in the [epel] section, change
enabled=0
to
enabled=1
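The edit above is easy to get wrong with a blanket sed, because epel.repo also contains [epel-debuginfo] and [epel-source] sections that should stay disabled. The following is an added example, not code from the original post or from any of the projects it mentions: it enables only the [epel] section and then reads back the value of each section. The repo file it operates on is a constructed sample written to a temporary directory; on a real CentOS 6 host the path would be /etc/yum.repos.d/epel.repo.

```shell
#!/bin/sh
# Added example, not from the original post. Enables only the [epel] section
# of a yum .repo file, leaving sibling sections such as [epel-debuginfo]
# untouched. The file path is a temporary copy; on a real CentOS 6 host it
# would be /etc/yum.repos.d/epel.repo.

# Constructed sample that mimics the stock epel.repo layout (trimmed).
write_sample_repo() {
    cat > "$1" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
enabled=0
gpgcheck=1

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
enabled=0
gpgcheck=1
EOF
}

# Print the enabled= value of the named section (empty if section or key is missing).
section_enabled() {
    sed -n "/^\[$2\]\$/,/^\[/ s/^enabled=\([01]\)\$/\1/p" "$1"
}

# Flip enabled=0 to enabled=1 only between the [epel] header and the next [...] header.
# A bare "sed 's/enabled=0/enabled=1/'" would also switch on the debuginfo/source repos.
enable_epel_section() {
    sed '/^\[epel\]$/,/^\[/ s/^enabled=0$/enabled=1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

demo() {
    tmp=$(mktemp -d)
    write_sample_repo "$tmp/epel.repo"
    enable_epel_section "$tmp/epel.repo"
    printf 'epel enabled=%s, epel-debuginfo enabled=%s\n' \
        "$(section_enabled "$tmp/epel.repo" epel)" \
        "$(section_enabled "$tmp/epel.repo" epel-debuginfo)"
    rm -rf "$tmp"
}

demo
```

After the change, `yum repolist enabled` should list an `epel` line alongside base, extras and updates; if it still does not, the [epel] header or the enabled= key is not where the sed expects it and the file needs a manual look.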
Now reinstall fail2ban. I used the one-click script titled "One-click install and deployment of Fail2ban, automatically configured against SSH brute-forcing; IP ban time and maximum retries are customisable."
// Install
wget http://www.seeit.life/scripts/fail2ban.sh
bash fail2ban.sh
// Uninstall
wget http://www.seeit.life/scripts/uninstallfail2ban.sh
bash uninstallfail2ban.sh
[root@host ~]# wget http://www.seeit.life/scripts/fail2ban.sh
--2018-07-15 16:15:46-- http://www.seeit.life/scripts/fail2ban.sh
Resolving www.seeit.life... 47.52.170.67
Connecting to www.seeit.life|47.52.170.67|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5700 (5.6K) [application/octet-stream]
Saving to: “fail2ban.sh”
100%[==========================================================================================>] 5,700 --.-K/s in 0s
2018-07-15 16:15:47 (207 MB/s) - “fail2ban.sh” saved [5700/5700]
[root@host ~]# bash fail2ban.sh
Welcome to Fail2ban!
This Shell Script can protect your server from SSH attacks with the help of Fail2ban and iptables
Do you want to change your SSH Port? [y/n]: y
Please input SSH port(Default: 12345): 12345
Input the maximun times for trying [2-10]: 3
Input the lasting time for blocking a IP [hours]: 9600
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.hostduplex.com
* elrepo-kernel: repos.lax-noc.com
* epel: mirrors.develooper.com
* extras: mirrors.xmission.com
* updates: mirror.rackspace.com
Package epel-release-6-8.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.hostduplex.com
* elrepo-kernel: repos.lax-noc.com
* epel: mirrors.develooper.com
* extras: mirrors.xmission.com
* updates: mirror.rackspace.com
Package fail2ban-0.9.6-1.el6.1.noarch already installed and latest version
Nothing to do
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
Finish Installing ! Reboot the sshd now !
ssh: unrecognized service
Github: https://github.com/FunctionClub
http://seeit.life
Fail2ban is now runing on this server now!

The script's automatic sshd restart failed (it reports "ssh: unrecognized service"; on CentOS the service is called sshd), so restart it by hand:
[root@host ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Check the firewall state:
[root@host ~]# iptables -nvL
Chain INPUT (policy DROP 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
0 0 f2b-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 96 packets, 13498 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-SSH (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Here you can see that fail2ban's iptables chain "f2b-SSH" is already in effect, guarding port 22.
If your SSH port is not the default 22, you need to change port=ssh to port=xxx.
Edit /etc/fail2ban/jail.local:
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 3
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
#action = iptables[name=SSH, port=SSH, protocol=tcp]
action = iptables[name=SSH, port=12345, protocol=tcp]
logpath = /var/log/secure
maxretry = 3
findtime = 3600
bantime = 34560000
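The mistake this section guards against is a jail that still bans on port=ssh (22) while sshd has moved to another port, so the brute-force rule never sees the real traffic. Below is an added example, not part of the original post or of the script it uses: a small check that reads the effective Port from sshd_config and the port= in the active action line of the [ssh-iptables] jail, normalises the symbolic "ssh" to 22 the way fail2ban would via /etc/services, and reports whether they agree. Both input files are constructed samples in a temp dir; on the real host they would be /etc/ssh/sshd_config and /etc/fail2ban/jail.local.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the port fail2ban's
# ssh jail acts on matches the port sshd is actually configured to listen on.
# The two files are constructed samples written to a temp dir; on the real host
# they would be /etc/ssh/sshd_config and /etc/fail2ban/jail.local.

write_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sshd_config fragment
#Port 22
Port 12345
Protocol 2
EOF
    cat > "$1/jail.local" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 3
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
#action = iptables[name=SSH, port=SSH, protocol=tcp]
action = iptables[name=SSH, port=12345, protocol=tcp]
logpath = /var/log/secure
EOF
}

# Effective sshd port: the last uncommented "Port N" line, or 22 if none is set.
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${p:-22}"
}

# Port named in the active (uncommented) action line of the [ssh-iptables] jail.
# fail2ban resolves the symbolic "ssh" through /etc/services, so normalise it to 22.
jail_port() {
    j=$(sed -n '/^\[ssh-iptables\]$/,/^\[/ { /^action[[:space:]]*=/ s/.*port=\([^,]*\).*/\1/p; }' "$1")
    case "$j" in
        ssh|SSH) echo 22 ;;
        *) echo "$j" ;;
    esac
}

# Returns 0 when both agree, 1 on a mismatch (the failure mode the post describes:
# the jail still says port=ssh while sshd has moved to another port).
check_port_match() {
    s=$(sshd_port "$1/sshd_config")
    j=$(jail_port "$1/jail.local")
    if [ "$s" = "$j" ]; then
        echo "ok: sshd listens on $s and the jail bans on port=$j"
        return 0
    fi
    echo "MISMATCH: sshd listens on $s but the jail action uses port=$j" >&2
    return 1
}

demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_port_match "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it after every edit of jail.local and before restarting fail2ban; a non-zero exit means the ban rule would be installed on the wrong port.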

Restart SSH, restart fail2ban, and save the firewall rules:
service sshd restart
service fail2ban restart
service iptables save

Check the firewall state again:
[root@host ~]# iptables -nvL
Chain INPUT (policy DROP 8 packets, 352 bytes)
pkts bytes target prot opt in out source destination
20 1116 f2b-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345
1 40 f2b-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 92 packets, 41940 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-SSH (2 references)
pkts bytes target prot opt in out source destination
21 1156 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Done: fail2ban now watches both the default port 22 and the changed port.
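Reading the two `iptables -nvL` listings by eye works for one box; for a fleet it helps to parse them. The following is an added example, not code from the original post: two small awk filters that report which INPUT destination ports are handed to the f2b-SSH chain and which source addresses that chain is currently rejecting. The first sample is the post's own post-change listing embedded as a string; the second is constructed, with a ban on 198.51.100.7 (a documentation-range address) added purely for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: parse `iptables -nvL` output to
# confirm that fail2ban's f2b-SSH chain is hooked into INPUT for the intended
# port(s) and to list the addresses it is currently banning. SAMPLE_HOOKED is
# the post's own listing; SAMPLE_WITH_BAN is constructed.

SAMPLE_HOOKED='Chain INPUT (policy DROP 8 packets, 352 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1116 f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345
    1    40 f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 92 packets, 41940 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain f2b-SSH (2 references)
 pkts bytes target     prot opt in     out     source               destination
   21  1156 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_WITH_BAN='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2232 f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345
Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   420 REJECT     all  --  *      *       198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
   33  1812 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# stdin: iptables -nvL output. stdout: one TCP dport per line for INPUT rules that
# jump to f2b-SSH. No output means the jail is not wired into the firewall at all.
f2b_hooked_ports() {
    awk '/^Chain /{chain=$2}
         chain=="INPUT" && $3=="f2b-SSH" {
             for (i=1; i<=NF; i++) if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
         }'
}

# stdin: iptables -nvL output. stdout: source addresses the f2b-SSH chain REJECTs or DROPs.
f2b_banned() {
    awk '/^Chain /{chain=$2}
         chain=="f2b-SSH" && ($3=="REJECT" || $3=="DROP") {print $8}'
}

demo() {
    printf 'hooked ports: %s\n' "$(printf '%s\n' "$SAMPLE_HOOKED" | f2b_hooked_ports | tr '\n' ' ')"
    printf 'banned (sample 1): %s\n' "$(printf '%s\n' "$SAMPLE_HOOKED" | f2b_banned)"
    printf 'banned (sample 2): %s\n' "$(printf '%s\n' "$SAMPLE_WITH_BAN" | f2b_banned)"
}

demo
```

On a live host, replace the embedded samples with `iptables -nvL | f2b_hooked_ports`; if the old port 22 still appears after you have moved sshd, the stale rule can be left in place harmlessly or removed once you are sure nothing else should reach 22.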

5 thoughts on "Installing fail2ban correctly on a BandwagonHost VPS to stop SSH brute-forcing

  1. turn says:

    If you answer n to "Do you want to change your SSH Port?", that loop is never entered, so the variable SSH_PORT stays empty.
    By the time execution reaches the line ssh_port=$SSH_PORT, ssh_port is also empty, which breaks the configuration file written below it.

    1. 言小五 says:

      @turn Er, I don't follow.

  2. Rockszq says:

    Thanks for sharing

  3. Bowing to the tech guru!!

    1. 言小五 says:

      @异星软件空间 Haha, not a guru at all, I just ran into the problem and found the fix.
