
Using fail2ban

Background

fail2ban watches service logs for abusive client IPs and, according to its configuration, bans those IPs automatically.

After recently exposing an opensips deployment to the public internet, I noticed a large number of attacking IPs, so I wanted to use fail2ban to monitor and block them. The project is fail2ban (installed from its GitHub repository below).

The prerequisite is that opensips writes its log to LOG_LOCAL0 and that rsyslog collects it into a file fail2ban can read.

The fail2ban version tested here:

1.1.1.1

Testing

Installation prerequisites

  1. Python 3.7
  2. nftables

This is a manual installation. Install Python 3.7 first. The build used here bans IPs through nftables by default (switching to another backend is covered at the end), so install nftables as well: yum install -y nftables

Installing fail2ban

  1. Install fail2ban:
git clone  https://github.com/fail2ban/fail2ban.git
cd fail2ban
python3.7 setup.py install
  2. Run fail2ban (the unit file is generated into build/ by setup.py; the path below is relative to the directory you cloned into):
cp fail2ban/build/fail2ban.service /etc/systemd/system/
systemctl daemon-reload
systemctl start fail2ban
systemctl enable fail2ban

If systemctl start fail2ban fails without anything useful in the log, but running /usr/local/bin/fail2ban-server -xf start by hand works, the problem is the Python environment of the service: add Environment="PYTHONPATH=/usr/local/lib/python3.7/site-packages" to the [Service] section of fail2ban.service, then run systemctl daemon-reload before starting it again.

Configuring fail2ban

The fail2ban configuration lives under /etc/fail2ban/. Settings in a .local file override the matching keys of the .conf file, so local changes go into .local files:

cp jail.conf jail.local
cp fail2ban.conf fail2ban.local

Copying the whole file works, but it shadows every upstream default in the .conf; a jail.local that contains only the sections and keys you actually change is enough and is easier to maintain.

Since no persistent database is used here, set dbfile = None. Note that this also means bans are not remembered across a fail2ban restart; the default dbfile is /var/lib/fail2ban/fail2ban.sqlite3, which restores active bans when the service comes back.

  1. In fail2ban.local:
dbfile = None
  2. Add to jail.local:
[sbc]
enabled = true
port = 5060,5080,5088
action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath  = /data/opensips/log/opensips.log
maxretry = 5
bantime  = 3600
  3. Add filter.d/sbc.conf:
[INCLUDES]

before = common.conf

[Definition]

_daemon = sbc

mode = normal

failregex= user:\d+,ip:<HOST> not match white list

The part that matters is failregex: it matches the custom line opensips writes when a request fails the whitelist check, and <HOST> captures the IP to ban. Because the jail sets no filter name, fail2ban uses the jail name and loads filter.d/sbc.conf. The action_ override (the same pattern jail.conf uses for the asterisk jail) installs the ban for both TCP and UDP, which SIP needs. findtime is left at the jail.conf default, so an IP is banned for bantime = 3600 seconds once it produces maxretry = 5 matches within that window. The regex is not anchored, so it matches anywhere in the line regardless of the syslog prefix.

Verifying the result

  1. Check /var/log/fail2ban.log:
2025-07-04 17:13:15,070 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,071 fail2ban.filter         [3256715]: INFO    [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,072 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,073 fail2ban.filter         [3256715]: INFO    [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,075 fail2ban.filter         [3256715]: INFO    [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,076 fail2ban.filter         [3256715]: INFO    [sbc] Found 198.204.234.202 - 2025-07-04 17:13:04
2025-07-04 17:13:15,077 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,078 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,079 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,080 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,082 fail2ban.actions        [3256715]: NOTICE  [sbc] 108.181.9.67 already banned
2025-07-04 17:13:15,083 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,084 fail2ban.actions        [3256715]: NOTICE  [sbc] 108.181.9.67 already banned
2025-07-04 17:13:15,086 fail2ban.filter         [3256715]: INFO    [sbc] Found 108.181.9.67 - 2025-07-04 17:13:04
2025-07-04 17:13:15,086 fail2ban.actions        [3256715]: NOTICE  [sbc] 108.181.9.67 already banned
  2. fail2ban-client status sbc:
fail2ban-client status sbc 
Status for the jail: sbc
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     566
|  `- File list:       /data/opensips/log/opensips.log
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   108.181.9.67 198.204.234.202 108.181.6.47

108.181.9.67 has been banned, and opensips.log no longer records whitelist failures from it.

However, sngrep still shows a large number of SIP requests coming from 108.181.9.67. This is expected: sngrep captures packets with libpcap, which sees inbound packets before the netfilter input hook where the nftables or iptables ban rule drops them, so a dropped packet is still visible in a capture even though it never reaches opensips. The log going quiet and fail2ban-client status sbc listing the address are the signals that the ban works; nft list ruleset shows the rule itself.

Other usage

  1. fail2ban-regex

This tests the filter rules in sbc.conf against a real log file without running the jail, for example: fail2ban-regex /data/opensips/log/opensips.log /etc/fail2ban/filter.d/sbc.conf

In the output below, the "missed" lines are simply the log lines that are not whitelist failures, which is expected; what to check is that every failregex hit captured a host and that the date template matched every line (here 156150 of 156150), because a line whose timestamp cannot be parsed cannot be placed in the findtime window.

Running tests
=============

Use      filter file : sbc, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /data/opensips/log/opensips.log
Use         encoding : UTF-8


Results
=======

Failregex: 8044 total
|-  #) [# of hits] regular expression
|   1) [8044] user:\d+,ip:<HOST> not match white list
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [156150] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 156150 lines, 0 ignored, 8044 matched, 148106 missed
[processed in 10.70 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 148106 lines
  2. Changing the underlying ban backend in jail.local:
banaction = iptables-multiport
banaction_allports = iptables-allports

The default in this build is nftables. To use something else, look at the available action.d/*.conf files; firewallcmd, iptables and nftables are the usual choices. To confirm which backend your configuration actually selects, check grep -n '^banaction' /etc/fail2ban/jail.conf /etc/fail2ban/jail.local and, for a running jail, fail2ban-client get sbc actions.

After changing the backend, run systemctl restart fail2ban; fail2ban-client reload is not enough here.

Summary

With fail2ban, the IPs to block are derived from the service's own log, and the ban duration (bantime), the failure threshold (maxretry within findtime) and whitelisted IPs (ignoreip) can all be configured per jail.
