Fail2ban Setup
Built-in whitelist
Method 1: edit the configuration (persistent)
/etc/fail2ban/jail.conf (put the override in /etc/fail2ban/jail.local instead: jail.conf is replaced on package upgrades, and jail.local takes precedence wherever the two disagree)
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 192.168.9.0/24 192.168.31.0/24
Method 2: fail2ban-client (runtime only: an address added this way is lost when fail2ban restarts, so also record it in jail.local)
fail2ban-client
# set <JAIL> addignoreip <IP>
# set <JAIL> delignoreip <IP>
fail2ban-client set sshd addignoreip 123.123.123.123
fail2ban-client set sshd delignoreip 123.123.123.123
Verify the result
fail2ban-client get <JAIL> ignoreip
fail2ban-client get asterisk ignoreip
fail2ban-client get sshd ignoreip
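Before enabling a jail it is worth confirming that the admin address really falls inside ignoreip, because a typo in a CIDR mask locks you out. The script below is an added example, not part of Fail2ban or of the original page: it parses the ignoreip value out of a constructed jail.local and tests candidate IPv4 addresses against each entry with the same space-or-comma splitting Fail2ban accepts. The helper names (ip_to_int, ip_in_cidr, is_ignored, get_ignoreip, check_ip) are assumptions; IPv6 entries such as ::1 and DNS hostnames are skipped.

```shell
#!/bin/sh
# Added example, not Fail2ban code: check whether an IPv4 address would be
# covered by a jail's ignoreip list. Hypothetical helper names; IPv4 only,
# IPv6 and DNS-host entries are skipped.

ip_to_int() {
  # dotted-quad IPv4 -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
  # return 0 if IPv4 $1 lies inside $2, given as a.b.c.d/bits or a bare address
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2; bits=32 ;;
  esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

is_ignored() {
  # return 0 if IPv4 $1 matches any entry of the ignoreip value $2
  # (entries separated by spaces and/or commas, as Fail2ban allows)
  for entry in $(printf '%s' "$2" | tr ',' ' '); do
    case $entry in
      *[!0-9./]*) continue ;;   # skip IPv6 (::1) and DNS hostnames
    esac
    ip_in_cidr "$1" "$entry" && return 0
  done
  return 1
}

get_ignoreip() {
  # pull the first ignoreip value out of a jail config file
  sed -n 's/^[[:space:]]*ignoreip[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Constructed sample jail.local mirroring the ignoreip line above
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.9.0/24, 192.168.31.0/24
EOF
IGNORE=$(get_ignoreip "$SAMPLE")
rm -f "$SAMPLE"

check_ip() {
  # prints the verdict; exit status 0 = ignored (never banned), 1 = bannable
  if is_ignored "$1" "$IGNORE"; then
    echo "$1: in ignoreip, Fail2ban will never ban it"
  else
    echo "$1: NOT in ignoreip, can be banned"
    return 1
  fi
}

check_ip 192.168.9.42          # admin workstation: ignored
check_ip 203.0.113.7 || true   # outside the list: bannable
```

Point get_ignoreip at the real jail.local and run check_ip with the address you administer from; a non-zero exit means the jail can ban you. The matching is a bitmask comparison, so a bare address behaves as a /32, which is how Fail2ban treats it too.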
Custom blacklist jail (manual bans that survive a restart)
Usage:
- Add an IP to block:
  fail2ban-client set blacklist banip xxx.xxx.xxx.xxx
- Release a blocked IP:
  fail2ban-client set blacklist unbanip xxx.xxx.xxx.xxx
Setup steps:
- Create the persistence file first, because actionstart reads it and fails if it is missing: touch /etc/fail2ban/ip.blacklist
/etc/fail2ban/filter.d/blacklist.conf :
# /etc/fail2ban/filter.d/blacklist.conf
# Fail2Ban Blacklist for Repeat Offenders (filter.d)
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'blacklist', or change this line!
_jailname = blacklist
failregex =
ignoreregex =
/etc/fail2ban/action.d/blacklist.conf :
# /etc/fail2ban/action.d/blacklist.conf
# Fail2Ban Blacklist for Repeat Offenders (action.d)
[INCLUDES]
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I <chain> -j f2b-<name>
              # Sort and Check for Duplicate IPs in our text file and Remove Them
              # (the file must already exist, see the touch step above)
              sort -u /etc/fail2ban/ip.blacklist -o /etc/fail2ban/ip.blacklist
              # Persistent banning of IPs reading from our ip.blacklist text file
              # and adding them to IPTables on our jail startup command
              cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I f2b-<name> 1 -s $IP -j DROP; done
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
            # Add the new IP ban to our ip.blacklist file
            echo '<ip>' >> /etc/fail2ban/ip.blacklist
            # Optional reporting to an external blocklist service, left disabled
            # curl http://www.badips.com/add/badbots/<ip>/
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D f2b-<name> -s <ip> -j DROP
              # Remove exactly this IP from our ip.blacklist file. The pattern is
              # anchored: an unanchored '/<ip>/d' would also delete every line that
              # merely contains the address, e.g. 10.0.0.10 when unbanning 10.0.0.1
              sed -i -e '/^<ip>$/d' /etc/fail2ban/ip.blacklist
[Init]
# Chain to insert the f2b-<name> jump rule into
chain = INPUT
/etc/fail2ban/jail.d/blacklist.conf :
- bantime and findtime can be adjusted as needed; the unit is seconds (Fail2ban 0.10 and later also accept suffixes such as 30d)
- The filter has an empty failregex, so this jail never bans anything on its own; entries come only from banip. If your Fail2ban version refuses to start a jail without a logpath (behaviour varies by version), add logpath = /dev/null to the section
# Usage:
# Add a bad IP - fail2ban-client set blacklist banip xxx.xxx.xxx.xxx
# Remove an IP - fail2ban-client set blacklist unbanip xxx.xxx.xxx.xxx
[blacklist]
enabled = true
banaction = blacklist
# 1 month (2592000 s): how long a manual ban stays in the chain
bantime = 2592000
# 1 month; findtime only matters when failregex produces matches, which this filter never does
findtime = 2592000
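The action above keeps its state in a flat file, and the two places that go wrong in practice are the unban step (the recipe's original `sed -i -e '/<ip>/d'` is an unanchored regex) and the restart path (duplicates, missing file). The script below is an added example, not Fail2ban code and not the page's own action: a hypothetical stand-in for the blacklist action's file handling that runs without root because fw() only echoes the iptables command unless DRY_RUN=0. The helper names (fw, bl_add, bl_remove, bl_remove_naive, bl_restore, bl_count) and the addresses are assumptions; the file path is a temporary stand-in for /etc/fail2ban/ip.blacklist.

```shell
#!/bin/sh
# Added example, not Fail2ban code: a hypothetical stand-in for the blacklist
# action's file handling, runnable without root. fw() echoes the iptables
# command instead of executing it unless DRY_RUN=0.
BLACKLIST=${BLACKLIST:-$(mktemp)}   # stand-in for /etc/fail2ban/ip.blacklist

fw() {
  # iptables wrapper: print the rule in dry-run mode, apply it otherwise
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

bl_add() {
  # actionban: insert a DROP rule and append the IP to the file once
  fw -I f2b-blacklist 1 -s "$1" -j DROP
  grep -qxF -- "$1" "$BLACKLIST" || echo "$1" >> "$BLACKLIST"
}

bl_remove_naive() {
  # the recipe's original unban line, an unanchored regex: removing 10.0.0.1
  # also deletes 10.0.0.10 and 110.0.0.1 (and '.' matches any character)
  sed -e "/$1/d" "$BLACKLIST" > "$BLACKLIST.tmp" && mv "$BLACKLIST.tmp" "$BLACKLIST"
}

bl_remove() {
  # actionunban done right: delete the rule and drop only the exact line
  fw -D f2b-blacklist -s "$1" -j DROP
  grep -vxF -- "$1" "$BLACKLIST" > "$BLACKLIST.tmp" || true   # grep exits 1 when nothing is left
  mv "$BLACKLIST.tmp" "$BLACKLIST"
}

bl_restore() {
  # actionstart: dedupe the file, then reload every entry into the chain
  sort -u "$BLACKLIST" -o "$BLACKLIST"
  while IFS= read -r ip; do
    if [ -n "$ip" ]; then fw -I f2b-blacklist 1 -s "$ip" -j DROP; fi
  done < "$BLACKLIST"
}

bl_count() {
  # number of persisted entries
  wc -l < "$BLACKLIST" | tr -d ' '
}

# Demo (constructed addresses): ban three hosts, then release only 10.0.0.1
bl_add 10.0.0.1
bl_add 10.0.0.10
bl_add 110.0.0.1
bl_remove 10.0.0.1
echo "persisted after exact unban: $(bl_count) entries"
rm -f "$BLACKLIST"
```

Run it as-is to see the iptables commands the action would issue; the exact unban leaves the two unrelated hosts in the file, whereas bl_remove_naive on the same input empties it. The same fixed-string match (grep -xF) is what keeps bl_add from writing duplicates, so the sort -u in bl_restore is only a safety net for a file edited by hand.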
DROP vs REJECT
Parameter syntax:
- DROP:
  -j DROP
- REJECT:
  -j REJECT --reject-with icmp-port-unreachable
Fail2ban's stock iptables actions default to REJECT (blocktype = REJECT --reject-with icmp-port-unreachable in the iptables action's [Init] section, overridable with a .local file or a banaction parameter); the custom blacklist action above hard-codes DROP.
When to use which:
Use DROP for:
- Blacklisted / malicious IPs: give the attacker no sign that the address is in use and make every attempt burn a full connection timeout
- Brute-force sources against SSH and other sensitive services: the attacker cannot tell whether the host is even up (only if every other port is silent too; a DROP on one port next to a port that answers still reveals the host)
- Internet-facing firewalls: smaller footprint, the host's existence is not advertised
- Volumetric attacks (DDoS): DROP is cheaper than REJECT because no ICMP reply is generated per packet (the kernel also rate-limits ICMP errors, so under load REJECT replies may not even be sent)
Use REJECT for:
- Internal services and legitimate users: the client learns immediately that the path is closed instead of hanging until the timeout
- Client-side UX: when you block a port but want the peer to know at once that it was refused rather than waiting out the timeout
- Debugging: a DROP shows up as a timeout, a REJECT with icmp-port-unreachable as an ICMP error, and a genuinely closed TCP port as a RST, so you can tell "blocked by the firewall" from "service not listening" (with tcp-reset the two become indistinguishable)
- Legitimate but unauthorized traffic: e.g. a service meant only for the internal network; external IPs get a REJECT rather than a DROP
Reply types for REJECT
- icmp-port-unreachable (default): most common; tells the peer "nothing is listening on this port"
- icmp-host-unreachable: tells the peer "this host is unreachable"
- icmp-net-unreachable: tells the peer "this network is unreachable"
- tcp-reset: sends a TCP RST directly, which to a TCP client looks like the remote end closing the connection; cleaner than an ICMP error, but only valid for TCP, so the rule needs -p tcp (e.g. -p tcp -j REJECT --reject-with tcp-reset)