Note: this article extends "Blocking SSH brute force with fail2ban" by adding protection against FTP brute-force attacks.
First, edit the pure-ftpd configuration file and enable logging:
vi /usr/local/pureftpd/etc/pure-ftpd.conf
# Create an additional log file with transfers logged in an Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
AltLog clf:/var/log/pureftpd.log
# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# AltLog stats:/var/log/pureftpd.log
# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog w3c:/var/log/pureftpd.log
pure-ftpd supports three log formats for AltLog (clf, stats, w3c); look them up if you want the details. I chose the first one here. Whichever format you pick, every entry records the client's IP address.
One caveat a practitioner should check before relying on this: as the comments above say, AltLog records completed transfers. Authentication failures are written by pure-ftpd to syslog (facility ftp by default) as lines of the form "(?@CLIENT_IP) [WARNING] Authentication failed for user [name]", and that is the pattern fail2ban's stock pure-ftpd filter looks for. Run fail2ban-regex with the pure-ftpd filter against your chosen logpath; if it reports zero matches against /var/log/pureftpd.log, point logpath at the syslog file that receives the ftp facility instead (on CentOS/RHEL this is typically /var/log/messages).
Then create the log file:
touch /var/log/pureftpd.log
Next, edit fail2ban's jail configuration:
vi /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 2592000
findtime = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
logpath  = /var/log/secure

[pure-ftpd]
enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
With bantime = 2592000 an offending IP stays blocked for 30 days; findtime = 600 and maxretry = 3 mean three failures within any 10-minute window trigger the ban. Finally, restart pure-ftpd and fail2ban:
service pureftpd restart
service fail2ban restart
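To make the jail's behaviour concrete, here is an added example that is not part of the original post and not fail2ban's own code: it re-implements, in plain Python, a simplified version of the pure-ftpd failregex together with the findtime/maxretry sliding window, and replays constructed syslog lines through it. The hostname ftp1, the client IPs and the log contents are made up for the sample; the CLF transfer line is included to show that the AltLog format carries no authentication failures for the filter to match.

```python
"""Replay pure-ftpd log lines through fail2ban-style findtime/maxretry logic.

Added example for illustration only. FAILREGEX is a simplified stand-in for
fail2ban's filter.d/pure-ftpd.conf pattern; the log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# pure-ftpd logs failed logins to syslog as:
#   "pure-ftpd: (user@host) [WARNING] Authentication failed for user [name]"
# The "?@" form appears when no user has authenticated yet. The host group
# plays the role of <HOST> in a real fail2ban filter (IPv4 or IPv6).
FAILREGEX = re.compile(
    r"pure-ftpd(?:\[\d+\])?: \(.+?@(?P<host>[0-9a-fA-F.:]+)\) "
    r"\[WARNING\] Authentication failed for user \[.+\]\s*$"
)
# Classic syslog timestamp at the start of the line, e.g. "Mar  3 10:15:01".
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})")

# Constructed sample (assumed host "ftp1", documentation-range IPs).
# Line 3 is a successful login, line 4 an AltLog clf transfer record:
# neither matches the failregex, which is the point of the caveat above.
SAMPLE_LOG = """\
Mar  3 10:15:01 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Mar  3 10:15:03 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Mar  3 10:15:04 ftp1 pure-ftpd: (?@198.51.100.9) [INFO] backup is now logged in
203.0.113.7 - admin [03/Mar/2024:10:16:00 +0000] "GET /pub/file.tar.gz" 200 1048576
Mar  3 10:15:06 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [ftp]
Mar  3 10:20:00 ftp1 pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [test]
Mar  3 10:31:00 ftp1 pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [test]
Mar  3 10:42:00 ftp1 pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [test]
"""


def parse_line(line, year=2024):
    """Return (timestamp, client_ip) for an authentication failure, else None.

    Syslog timestamps carry no year, so one is supplied (assumed 2024 here).
    """
    m = FAILREGEX.search(line)
    if not m:
        return None
    t = SYSLOG_TS.match(line)
    if not t:
        return None
    stamp = " ".join(t.group("ts").split())  # collapse the day-padding space
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def decide_bans(lines, maxretry=3, findtime=600):
    """Apply fail2ban's counting rule: ban a host once it accumulates
    `maxretry` failures whose timestamps all fall within `findtime` seconds.

    Returns {client_ip: timestamp_of_ban}. Hosts already banned are skipped,
    as fail2ban stops counting a host it has actioned.
    """
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        # Expire failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for ip, when in decide_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the post's settings (maxretry = 3, findtime = 600) only 203.0.113.7 is banned, at its third failure. 192.0.2.44 also fails three times but eleven minutes apart, so each failure has expired before the next one arrives and it is never banned; raising findtime to 3600 catches it. That difference is exactly what tuning findtime buys against slow, patient brute-forcing.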
Checking jail status and unbanning IPs:
# Show the IPs currently banned by the SSH jail
/usr/local/python/bin/fail2ban-client status ssh-iptables
# Show the IPs currently banned by the FTP jail
/usr/local/python/bin/fail2ban-client status pure-ftpd
# Unban a specific IP from the SSH jail
/usr/local/python/bin/fail2ban-client set ssh-iptables unbanip X.X.X.X
# Unban a specific IP from the FTP jail
/usr/local/python/bin/fail2ban-client set pure-ftpd unbanip X.X.X.X
# List all jails (per-jail ban lists are shown with "status <jail>" as above)
/usr/local/python/bin/fail2ban-client status