# Fail2ban Setup

## Built-in whitelist

### Method 1: edit the configuration

`/etc/fail2ban/jail.conf`:

```ini
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.9.0/24 192.168.31.0/24
```

### Method 2: command line

```sh
# fail2ban-client set <JAIL> addignoreip <IP>
# fail2ban-client set <JAIL> delignoreip <IP>
fail2ban-client set sshd addignoreip 123.123.123.123
fail2ban-client set sshd delignoreip 123.123.123.123
```

### Verify the result

```sh
# fail2ban-client get <JAIL> ignoreip
fail2ban-client get asterisk ignoreip
fail2ban-client get sshd ignoreip
```

## Custom blacklist feature

References:

- Persistent Banning of IP Addresses with Fail2Ban
- Fail2Ban Blacklist JAIL for Repeat Offenders

Usage:

Add an IP to block:

```sh
fail2ban-client set blacklist banip xxx.xxx.xxx.xxx
```

Unban an IP:

```sh
fail2ban-client set blacklist unbanip xxx.xxx.xxx.xxx
```

List the banned IPs:

```sh
fail2ban-client status blacklist
```

Setup steps:

`/etc/fail2ban/filter.d/blacklist.conf`:

```ini
# /etc/fail2ban/filter.d/blacklist.conf
# Fail2Ban Blacklist for Repeat Offenders (filter.d)

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'blacklist', or change this line!
_jailname = blacklist

failregex =

ignoreregex =
```

`/etc/fail2ban/action.d/blacklist.conf` (the `<name>`, `<ip>` and `<chain>` placeholders are Fail2ban action tags, substituted at run time):

```ini
# /etc/fail2ban/action.d/blacklist.conf
# Fail2Ban Blacklist for Repeat Offenders (action.d)

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I <chain> -j f2b-<name>
              # Sort and Check for Duplicate IPs in our text file and Remove Them
              sort -u /etc/fail2ban/ip.blacklist -o /etc/fail2ban/ip.blacklist
              # Persistent banning of IPs reading from our ip.blacklist text file
              # and adding them to IPTables on our jail startup command
              cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I f2b-<name> 1 -s $IP -j DROP; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
            # Add the new IP ban to our ip.blacklist file
            echo '<ip>' >> /etc/fail2ban/ip.blacklist
            # I don't want reporting on any badboys service
            # curl http://www.badips.com/add/badbots/<ip>/

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D f2b-<name> -s <ip> -j DROP
              # Remove IP from our ip.blacklist file
              sed -i -e '/<ip>/d' /etc/fail2ban/ip.blacklist

[Init]

# Chain to insert the f2b-<name> jump rule into
chain = INPUT
```

`/etc/fail2ban/jail.d/blacklist.conf` (`bantime` and `findtime` can be adjusted as needed; the unit is seconds):

```ini
# Usage:
# Add a bad IP   - fail2ban-client set blacklist banip xxx.xxx.xxx.xxx
# Remove an IP   - fail2ban-client set blacklist unbanip xxx.xxx.xxx.xxx

[blacklist]
enabled   = true
banaction = blacklist
bantime   = 2592000 ; 1 month
findtime  = 2592000 ; 1 month
```

## DROP vs REJECT

Parameter syntax:

```sh
# DROP
-j DROP
# REJECT
-j REJECT --reject-with icmp-port-unreachable
```

When to use DROP:

- Blacklists / malicious IPs: do not let the other side learn that this IP is live, and make the attacker waste time on timeouts.
- Sources of brute-force attacks on SSH and other sensitive services: leave the attacker unable to tell whether the host exists at all.
- Internet-facing firewalls: reduce the footprint and do not reveal that the host exists.
- High-volume attacks (DDoS): DROP uses fewer resources than REJECT, because no ICMP packets have to be generated.

When to use REJECT:

- Internal services and legitimate users: let the client know immediately that the path is closed instead of leaving it stuck until a timeout.
- You want good UX on the client side: for example, when blocking a specific port, the peer should know at once that it was blocked rather than wait for a timeout.
- Debugging: telling "the firewall blocked it" apart from "the service is not running".
- Legitimate but unauthorized traffic: for example, a service that only accepts connections from the internal network; external IPs connecting to it get a REJECT rather than a DROP.

REJECT reply types:

- `icmp-port-unreachable` (the default): the most common; tells the peer "nothing is listening on this port".
- `icmp-host-unreachable`: tells the peer "this host does not exist".
- `icmp-net-unreachable`: tells the peer "this network does not exist".
- `tcp-reset`: sends a TCP RST directly; to a TCP connection it looks as if the remote end closed the connection, which is cleaner than ICMP.
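The helpers below are an added example written for this page; they are not part of the original notes, of the referenced blacklist gist, or of Fail2ban itself. They reproduce what the blacklist action's `actionstart` loop (re-adding every line of `ip.blacklist` as an iptables DROP rule) and its `actionunban` `sed` do, but with the checks those one-liners lack: blank lines, comments, duplicates and malformed entries are skipped, an address that falls inside the `ignoreip` whitelist from the jail.conf section is refused (the raw loop would happily re-ban an administrator's own network if that address ever landed in the file), and the unban removes exactly one address instead of an unanchored regex. Assumptions: the file path and ignoreip list are passed as arguments, the chain name `f2b-blacklist` follows from `_jailname = blacklist`, the iptables commands are printed rather than executed (a dry run), and only IPv4 entries are handled; the sample `ip.blacklist` content is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Fail2ban code. Dry-run helpers for the persistent
# blacklist file used by the blacklist action above (IPv4 only).

# Print an IPv4 dotted quad as an integer; exit 1 on anything malformed
# (wrong field count, non-digits, octet > 255, leading zeros).
ip2int() {
    (
        set -f; IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case $o in ''|*[!0-9]*|0[0-9]*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# Does address $1 fall inside $2, a bare address or a CIDR like 192.168.9.0/24?
in_cidr() {
    a_n=$(ip2int "$1") || return 1
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    n_n=$(ip2int "$net") || return 1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    m=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( a_n & m )) -eq $(( n_n & m )) ]
}

# Is $1 covered by any entry of the space-separated ignoreip list $2?
# IPv6 entries (::1) and DNS hosts fail ip2int and are simply skipped.
is_ignored() {
    for entry in $2; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# Emit the iptables commands actionstart would run for blacklist file $1,
# after dropping blanks, comments, duplicates, malformed lines and anything
# whitelisted in ignoreip list $2. $3 is the chain (default f2b-blacklist).
blacklist_commands() {
    file=$1; ignore=$2; chain=${3:-f2b-blacklist}
    while read -r ip _rest || [ -n "$ip" ]; do
        ip=${ip%%#*}                      # '# comment' lines and trailing notes
        [ -n "$ip" ] || continue          # blank line
        if ! ip2int "$ip" >/dev/null; then
            printf 'skipping malformed entry: %s\n' "$ip" >&2; continue
        fi
        if is_ignored "$ip" "$ignore"; then
            printf 'refusing to ban ignoreip address: %s\n' "$ip" >&2; continue
        fi
        printf '%s\n' "$ip"
    done < "$file" | LC_ALL=C sort -u | while read -r ip; do
        printf 'iptables -I %s 1 -s %s -j DROP\n' "$chain" "$ip"
    done
}

# Remove address $1 from blacklist file $2, matching the whole line as a
# fixed string. The action's sed -i -e '/<ip>/d' uses the address as an
# unanchored regex (dots match any byte), so unbanning 203.0.113.7 there
# would also delete a 203.0.113.70 line.
unban_line() {
    ip2int "$1" >/dev/null || return 1
    grep -vFx -- "$1" "$2" > "$2.tmp" || :   # grep exits 1 when nothing is left
    mv "$2.tmp" "$2"
}

# Constructed sample file (not real data) covering the cases above.
write_sample_blacklist() {
    cat > "$1" <<'EOF'
203.0.113.7
203.0.113.7
   203.0.113.8   # added by hand with a note
# a comment line
not-an-ip
192.168.9.44
203.0.113.70
256.1.1.1
EOF
}

IGNOREIP='127.0.0.1/8 ::1 192.168.9.0/24 192.168.31.0/24'   # from jail.conf above

demo=$(mktemp -d)
write_sample_blacklist "$demo/ip.blacklist"
blacklist_commands "$demo/ip.blacklist" "$IGNOREIP"
unban_line 203.0.113.7 "$demo/ip.blacklist"
rm -r "$demo"
```

Running the block prints three DROP commands (203.0.113.7 once, 203.0.113.8 with its note stripped, and 203.0.113.70), reports the malformed and whitelisted entries on stderr, and removes only the 203.0.113.7 line on unban. To turn the dry run into the real `actionstart` body, pipe the output into `sh` inside the action; keeping the validation before iptables is the point, because every line of `ip.blacklist` is otherwise passed to iptables unchecked.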