Background

fail2ban reads service logs, watches for abnormal IPs and, according to its configuration, bans those IPs automatically.

After deploying opensips on the public internet I noticed a lot of attacking IPs, so I wanted to use fail2ban to monitor them.

Official site: fail2ban

A prerequisite is that opensips writes its log to LOG_LOCAL0 and rsyslog collects it.

The fail2ban version tested here is 1.1.1.1.
Test

Installation preparation

- Python3.7
- nftables

This is a manual install. Install Python3.7 first. fail2ban blocks IPs with nftables by default, so install nftables as well: yum install -y nftables.
Install fail2ban

- Install fail2ban:

git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
python3.7 setup.py install
- Run fail2ban:

cp fail2ban/build/fail2ban.service /etc/systemd/system/
systemctl daemon-reload
systemctl start fail2ban
systemctl enable fail2ban

If systemctl start fail2ban fails with nothing useful in the log, but running /usr/local/bin/fail2ban-server -xf start by hand succeeds, the problem is the Python environment: add Environment="PYTHONPATH=/usr/local/lib/python3.7/site-packages" to the [Service] section of fail2ban.service.
Configure fail2ban

fail2ban's configuration files live under /etc/fail2ban/:

cp jail.conf jail.local
cp fail2ban.conf fail2ban.local

- Since no database is used, set dbfile = None in fail2ban.local.
- Add to jail.local:

[sbc]
enabled = true
port = 5060,5080,5088
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
          %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath = /data/opensips/log/opensips.log
maxretry = 5
bantime = 3600
- Add filter.d/sbc.conf:

[INCLUDES]
before = common.conf

[Definition]
_daemon = sbc
mode = normal
failregex = user:\d+,ip:<HOST> not match white list
The key part is the failregex: it matches the line opensips logs on error and captures the IP to block. That log message itself is custom.
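To see how the filter and jail settings above decide on a ban, here is an added Python example (not part of the original post, and not fail2ban's own code) that applies the sbc failregex and a findtime/maxretry window to a constructed opensips log; the simplified <HOST> expansion, the sample lines and the year 2025 are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Settings from the article's [sbc] jail and filter.d/sbc.conf; findtime is jail.conf's default.
FAILREGEX = r"user:\d+,ip:<HOST> not match white list"
MAXRETRY, FINDTIME, BANTIME = 5, 600, 3600
# Simplified <HOST> expansion (IPv4/IPv6 literals only; real fail2ban also accepts hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
# rsyslog's default timestamp ("Jul  4 17:13:04"), the date format fail2ban-regex reports above.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
# Constructed sample log (documentation-range IPs, not the article's real traffic).
SAMPLE_LOG = """\
Jul  4 17:00:00 sbc01 opensips[1234]: INFO:core: user:1001,ip:198.51.100.7 registered
Jul  4 17:00:10 sbc01 opensips[1234]: ERROR:core: user:1001,ip:203.0.113.10 not match white list
Jul  4 17:00:20 sbc01 opensips[1234]: ERROR:core: user:1001,ip:203.0.113.10 not match white list
Jul  4 17:00:30 sbc01 opensips[1234]: ERROR:core: user:1001,ip:203.0.113.10 not match white list
Jul  4 17:00:40 sbc01 opensips[1234]: ERROR:core: user:1001,ip:203.0.113.10 not match white list
Jul  4 17:00:50 sbc01 opensips[1234]: ERROR:core: user:1001,ip:203.0.113.10 not match white list
Jul  4 17:05:00 sbc01 opensips[1234]: ERROR:core: user:1004,ip:203.0.113.55 not match white list
Jul  4 17:10:00 sbc01 opensips[1234]: ERROR:core: user:1004,ip:203.0.113.55 not match white list
Jul  4 17:15:00 sbc01 opensips[1234]: ERROR:core: user:1004,ip:203.0.113.55 not match white list
Jul  4 17:20:00 sbc01 opensips[1234]: ERROR:core: user:1004,ip:203.0.113.55 not match white list
Jul  4 17:25:00 sbc01 opensips[1234]: ERROR:core: user:1004,ip:203.0.113.55 not match white list
"""

def parse_line(line, year=2025):
    """Return (timestamp, host) for a line the failregex matches; None (implicitly) otherwise."""
    m_ts, m_fail = TS_RE.match(line), FAIL_RE.search(line)
    if m_ts and m_fail:
        ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
        return ts, m_fail.group("host")

def ips_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding window like fail2ban's: ban a host once maxretry failures fall within findtime s."""
    window, banned = defaultdict(deque), {}
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue  # fail2ban would log this as "already banned"
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            banned[host] = ts  # {host: time of the failure that triggered the ban}
    return banned
```

With the sample above only 203.0.113.10 is banned; 203.0.113.55 also fails five times, but spread over 20 minutes, so it never reaches maxretry inside the 600 s findtime.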
Verify the result

- Check the /var/log/fail2ban.log log:

2025-07-04 17:13:15,070 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,071 fail2ban.filter [3256715]: INFO [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,072 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,073 fail2ban.filter [3256715]: INFO [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,075 fail2ban.filter [3256715]: INFO [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,076 fail2ban.filter [3256715]: INFO [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,077 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,078 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,079 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,080 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,082 fail2ban.actions [3256715]: NOTICE [sbc] 108.181.9.67 already banned
2025-07-04 17:13:15,083 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,084 fail2ban.actions [3256715]: NOTICE [sbc] 108.181.9.67 already banned
2025-07-04 17:13:15,086 fail2ban.filter [3256715]: INFO [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,086 fail2ban.actions [3256715]: NOTICE [sbc] 108.181.9.67 already banned

fail2ban-client status sbc:

fail2ban-client status sbc
Status for the jail: sbc
|- Filter
| |- Currently failed: 2
| |- Total failed: 566
| `- File list: /data/opensips/log/opensips.log
`- Actions
|- Currently banned: 3
|- Total banned: 3
`- Banned IP list: 108.181.9.67 198.204.234.202 108.181.6.47

You can see that 108.181.9.67 has been banned, and opensips.log no longer records errors from 108.181.9.67. However, sngrep still shows a large number of SIP requests from 108.181.9.67. That is expected: packet capture taps the interface before the netfilter input hook drops the packets, so sngrep sees them even though opensips never receives them.
Other usage

fail2ban-regex

This tests the filter rules in sbc.conf against a log file, for example: fail2ban-regex /data/opensips/log/opensips.log /etc/fail2ban/filter.d/sbc.conf

Running tests
=============
Use filter file : sbc, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /data/opensips/log/opensips.log
Use encoding : UTF-8
Results
=======
Failregex: 8044 total
|- #) [# of hits] regular expression
| 1) [8044] user:\d+,ip:<HOST> not match white list
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [156150] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 156150 lines, 0 ignored, 8044 matched, 148106 missed
[processed in 10.70 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 148106 lines

- Change the underlying blocking backend

In jail.local:

banaction = iptables-multiport
banaction_allports = iptables-allports

The default is nftables. To switch to something else, look at action.d/xxx; you can choose firewallcmd, iptables or nftables. After the change you must systemctl restart fail2ban; fail2ban-client reload is not enough.
Summary

With fail2ban you can decide which IPs to block based on service logs, and set the ban time, whitelisted IPs and so on.