Iptables on Liangweidong's bloghttps://liangweidonggood.github.io/tags/iptables/Recent content in Iptables on Liangweidong's blogHugo -- gohugo.iozh-cnSun, 15 Mar 2015 00:00:00 +0800fail2ban 防 SSH/FRP/Nginx 爆破实战:日志正则匹配 + iptables 拉黑https://liangweidonggood.github.io/p/fail2ban-fang-ssh-frp-nginx-bopu/Sun, 15 Mar 2015 00:00:00 +0800https://liangweidonggood.github.io/p/fail2ban-fang-ssh-frp-nginx-bopu/<img src="https://liangweidonggood.github.io/p/fail2ban-fang-ssh-frp-nginx-bopu/image/cover.jpg" alt="Featured image of post fail2ban 防 SSH/FRP/Nginx 爆破实战:日志正则匹配 + iptables 拉黑" /><h2 id="背景">背景 </h2><p>公网上的 SSH 22 端口,每天被全球扫描器爆破几千次。改端口可以挡一部分,但治标不治本。<strong>fail2ban</strong> 通过扫描日志匹配失败登录,自动调用 iptables/nftables 拉黑攻击 IP——简单粗暴有效,是 Linux 服务器&quot;装了不亏&quot;的标配。</p> <p><strong>适用场景</strong>:</p> <ul> <li>SSH/RDP/FTP 暴破防御</li> <li>FRP 反向代理的&quot;真实攻击者 IP&quot;拉黑(frpc 只看到 127.0.0.1,必须在 frps 端 ban)</li> <li>Nginx 反代日志里的恶意访问拦截</li> <li>自定义服务日志的异常行为检测</li> </ul> <p><strong>前置知识</strong>:</p> <ul> <li>Linux 基础(systemd、iptables)</li> <li>正则表达式基础(fail2ban filter 用的就是正则)</li> </ul> <hr> <h2 id="一fail2ban-工作原理">一、fail2ban 工作原理 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">服务日志(sshd/auth.log/secure) </span></span><span class="line"><span class="cl"> ↓ </span></span><span class="line"><span class="cl">[filter.d/*.conf 正则匹配] → 失败次数超阈值 </span></span><span class="line"><span class="cl"> ↓ </span></span><span class="line"><span class="cl">[jail.local 触发动作] → iptables/nftables DROP </span></span><span class="line"><span class="cl"> ↓ </span></span><span class="line"><span class="cl">[封禁时间到] → 自动解封 </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键组件</strong>:</p> <ul> <li><strong>filter</strong>:正则规则(<code>/etc/fail2ban/filter.d/</code>)</li> <li><strong>jail</strong>:封禁策略(<code>/etc/fail2ban/jail.local</code>)</li> <li><strong>action</strong>:触发动作(iptables、route、cloudflare API 等)</li> <li><strong>bantime / findtime / maxretry</strong>:封禁时长 / 检测窗口 / 失败次数阈值</li> </ul> <hr> <h2 id="二安装">二、安装 </h2><h3 id="21-centos">2.1 CentOS </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">yum -y install epel-release </span></span><span class="line"><span class="cl">yum -y install fail2ban </span></span></code></pre></td></tr></table> </div> </div><h3 id="22-ubuntu--debian">2.2 Ubuntu / Debian </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">apt install fail2ban </span></span></code></pre></td></tr></table> </div> </div><h3 id="23-启动--开机自启">2.3 启动 + 开机自启 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">systemctl <span class="nb">enable</span> --now fail2ban </span></span><span class="line"><span class="cl">systemctl status fail2ban </span></span></code></pre></td></tr></table> </div> </div><p>验证 iptables 规则已加载:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">iptables -L -n </span></span><span class="line"><span class="cl"><span class="c1"># 应看到 f2b-sshd 等 chain</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="三配置-ssh-防护默认即开">三、配置 SSH 防护(默认即开) </h2><p><code>/etc/fail2ban/jail.local</code>(<strong>注意是 <code>.local</code> 不是 <code>.conf</code></strong>,<code>.local</code> 优先级高):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[DEFAULT]</span> </span></span><span class="line"><span class="cl"><span class="c1"># 忽略的 IP(公司出口、内网)</span> </span></span><span class="line"><span class="cl"><span class="na">ignoreip</span> <span class="o">=</span> <span class="s">127.0.0.1/8 10.0.0.0/8 192.168.0.0/16</span> </span></span><span class="line"><span class="cl"><span class="c1"># 默认参数(每个 jail 可单独覆盖)</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">24h</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">10m</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">5</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[sshd]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="c1"># filter 内置 sshd.conf(Debian/Ubuntu) / sshd.conf(CentOS 在 filter.d/ 选)</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">sshd</span> </span></span><span class="line"><span class="cl"><span class="na">backend</span> <span class="o">=</span> <span class="s">systemd</span> </span></span><span class="line"><span class="cl"><span class="c1"># 日志路径(按发行版二选一)</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">%(sshd_log)s</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>%(sshd_log)s</code> 是 fail2ban 内置变量,CentOS 是 <code>/var/log/secure</code>,Ubuntu 是 <code>/var/log/auth.log</code>,不用手填。</p> <p><strong>reload 生效</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">fail2ban-client reload </span></span><span class="line"><span class="cl"><span class="c1"># 或</span> </span></span><span class="line"><span class="cl">systemctl restart fail2ban </span></span></code></pre></td></tr></table> </div> </div><p><strong>验证</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">fail2ban-client ping <span class="c1"># 返回 Server replied: pong</span> </span></span><span class="line"><span class="cl">fail2ban-client status sshd <span class="c1"># 看当前被 ban 的 IP</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="四frp-反代场景的关键配置">四、FRP 反代场景的关键配置 </h2> <blockquote> <p><strong>核心痛点</strong>:frpc 看到的访问者 IP 永远是 <code>127.0.0.1</code>(因为 frps 是 localhost 转发的),<strong>必须在 frps 所在的 VPS 上</strong>配 fail2ban,按 frps 日志里的真实 IP 拉黑。</p> </blockquote> <h3 id="41-启用-frp-日志">4.1 启用 FRP 日志 </h3><p><code>/usr/local/games/rp/frps.ini</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[common]</span> </span></span><span class="line"><span class="cl"><span class="na">bind_port</span> <span class="o">=</span> <span class="s">7000</span> </span></span><span class="line"><span class="cl"><span class="na">log_file</span> <span class="o">=</span> <span class="s">/var/log/frps.log</span> </span></span><span class="line"><span class="cl"><span class="na">log_level</span> <span class="o">=</span> <span class="s">info</span> </span></span><span class="line"><span class="cl"><span class="na">log_max_days</span> <span class="o">=</span> <span class="s">7</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="42-编写-filter">4.2 编写 filter </h3><p><code>/etc/fail2ban/filter.d/frps.conf</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="c1"># frps 日志格式: get a user connection [1.2.3.4:5678]</span> </span></span><span class="line"><span class="cl"><span class="na">failregex</span> <span class="o">=</span> <span class="s">^.*get a user connection \[&lt;HOST&gt;:[0-9]*\]</span> </span></span><span class="line"><span class="cl"><span class="na">ignoreregex</span> <span class="o">=</span> <span class="s">^.*\[.*gateway.*</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>&lt;HOST&gt;</code> 是 fail2ban 的内置占位符,匹配 IP 段。</p> <h3 id="43-编写-jail">4.3 编写 jail </h3><p><code>/etc/fail2ban/jail.local</code> 追加:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[frps]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">frps</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/frps.log</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">3m</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">3</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">120m</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">iptables-allports[name=frps, protocol=all]</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>多个协议分离 jail</strong>(更精细):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[frps-ssh-ban]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">frps-ssh-ban</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/frps.log</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">3m</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">3</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">120m</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">iptables-allports[name=frps-ssh-ban, protocol=tcp]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[frps-rdp-ban]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">frps-rdp-ban</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/frps.log</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">3m</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">6</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">30m</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">iptables-allports[name=frps, protocol=tcp]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[frps-ftp-ban]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">frps-ftp-ban</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/frps.log</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">5m</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">30</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">60m</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">iptables-allports[name=frps, protocol=tcp]</span> </span></span></code></pre></td></tr></table> </div> </div><p>filter 内容(按代理名分组):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/filter.d/frps-ssh-ban.conf</span> </span></span><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="na">failregex</span> <span class="o">=</span> <span class="s">^.*\[.*ssh.*\] get a user connection \[&lt;HOST&gt;:[0-9]*\]</span> </span></span><span class="line"><span class="cl"><span class="na">ignoreregex</span> <span class="o">=</span> <span class="s">^.*\[.*gateway.*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/filter.d/frps-rdp-ban.conf</span> </span></span><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="na">failregex</span> <span class="o">=</span> <span class="s">^.*\[.*RDP.*\] get a user connection \[&lt;HOST&gt;:[0-9]*\]</span> </span></span><span class="line"><span class="cl"><span class="na">ignoreregex</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/filter.d/frps-ftp-ban.conf</span> </span></span><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="na">failregex</span> <span class="o">=</span> <span class="s">^.*\[.*FTP_21.*\] get a user connection \[&lt;HOST&gt;:[0-9]*\]</span> </span></span><span class="line"><span class="cl"><span class="na">ignoreregex</span> <span class="o">=</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>测试正则匹配</strong>(上线前必做):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">fail2ban-regex /var/log/frps.log /etc/fail2ban/filter.d/frps.conf </span></span><span class="line"><span class="cl"><span class="c1"># 末尾会输出匹配行数</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="五nginx-日志防护">五、Nginx 日志防护 </h2><p>如果用 Nginx 反代 RDP/SSH(stream 四层 + 自定义 log_format):</p> <h3 id="51-自定义日志格式">5.1 自定义日志格式 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">log_format</span> <span class="s">proxy</span> <span class="s">&#39;[</span><span class="nv">$time_local]</span> <span class="nv">$protocol</span> <span class="s">status:</span><span class="nv">$status,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;bytes</span> <span class="s">client:</span><span class="nv">$bytes_sent/$bytes_received</span> <span class="nv">$session_time,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;client:</span> <span class="nv">$remote_addr,</span> <span class="s">upstream:&#34;</span><span class="nv">$upstream_addr&#34;,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;bytes</span> <span class="s">upstream:</span><span class="nv">$upstream_bytes_sent</span> <span class="nv">$upstream_bytes_received&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">access_log</span> <span class="s">/var/log/nginx/proxy.log</span> <span class="s">proxy</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="52-写-filter">5.2 写 filter </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/filter.d/nginx-3399.conf</span> </span></span><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="na">failregex</span> <span class="o">=</span> <span class="s">^.*client: &lt;HOST&gt;, upstream:&#34;10\..*:3389&#34;</span> </span></span><span class="line"><span class="cl"><span class="na">ignoreregex</span> <span class="o">=</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="53-写-jail">5.3 写 jail </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[nginx-3399]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">nginx-3399</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/nginx/proxy.log</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">5m</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">10</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">60m</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">iptables-multiport[name=nginx-3399, port=&#34;3399&#34;, protocol=tcp]</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="六多日志文件支持">六、多日志文件支持 </h2><p>轮转日志场景(按天/按大小切割):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># 通配符</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/vpn_*.log</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 多个文件</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/vpn_20191007.log </span></span></span><span class="line"><span class="cl"><span class="s"> /var/log/vpn_20191008.log </span></span></span><span class="line"><span class="cl"><span class="s"> /var/log/vpn_20191009.log</span> </span></span></code></pre></td></tr></table> </div> </div><p>⚠️ <strong>等号要对齐</strong>(fail2ban INI parser 严格)。</p> <hr> <h2 id="七日常管理命令">七、日常管理命令 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 服务状态</span> </span></span><span class="line"><span class="cl">fail2ban-client ping </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 列出所有 jail</span> </span></span><span class="line"><span class="cl">fail2ban-client status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看指定 jail</span> </span></span><span class="line"><span class="cl">fail2ban-client status sshd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 手动封 IP</span> </span></span><span class="line"><span class="cl">fail2ban-client <span class="nb">set</span> sshd banip 1.2.3.4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 手动解封</span> </span></span><span class="line"><span class="cl">fail2ban-client <span class="nb">set</span> sshd unbanip 1.2.3.4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 解封所有</span> </span></span><span class="line"><span class="cl">fail2ban-client unban --all </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重载配置(不重启服务)</span> </span></span><span class="line"><span class="cl">fail2ban-client reload </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 看日志</span> </span></span><span class="line"><span class="cl">tail -f /var/log/fail2ban.log </span></span></code></pre></td></tr></table> </div> </div><p><strong>直接操作 iptables</strong>(不进 fail2ban 的快封):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 手动封</span> </span></span><span class="line"><span class="cl">iptables -A INPUT -s 1.2.3.4 -j DROP </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查询</span> </span></span><span class="line"><span class="cl">iptables -L -n --line-number </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 删除 INPUT 第 3 条规则</span> </span></span><span class="line"><span class="cl">iptables -D INPUT <span class="m">3</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="八常见坑">八、常见坑 </h2><h3 id="81-封了之后-ssh-自己进不去">8.1 封了之后 SSH 自己进不去 </h3><p><strong>症状</strong>:把整个机房 IP 段封了。</p> <p><strong>对策</strong>:</p> <ul> <li><code>ignoreip</code> 把内网/常用出口 IP 段加白名单</li> <li>至少留一个&quot;急救&quot;通道(如 IPMI、Console、备用跳板)</li> </ul> <h3 id="82-重启服务后封禁丢失">8.2 重启服务后封禁丢失 </h3><p>iptables 规则在重启后清空。<strong>对策</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># CentOS</span> </span></span><span class="line"><span class="cl">yum install iptables-services </span></span><span class="line"><span class="cl">systemctl <span class="nb">enable</span> iptables </span></span><span class="line"><span class="cl">service iptables save </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Ubuntu</span> </span></span><span class="line"><span class="cl">apt install iptables-persistent </span></span><span class="line"><span class="cl">netfilter-persistent save </span></span></code></pre></td></tr></table> </div> </div><h3 id="83-多网卡机器">8.3 多网卡机器 </h3><p><code>chain = INPUT</code> 即可默认全局生效。如果要区分内/外网卡,用 <code>chain = FORWARD</code> 配合路由。</p> <h3 id="84-日志被-logrotate-改名后-fail2ban-跟丢">8.4 日志被 logrotate 改名后 fail2ban 跟丢 </h3><p><code>backend = polling</code> 改 <code>backend = systemd</code>(systemd 日志自动跟踪),或者在 <code>/etc/logrotate.d/</code> 加 <code>postrotate</code> 通知 fail2ban。</p> <hr> <h2 id="九卸载">九、卸载 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 清掉所有 fail2ban iptables 规则</span> </span></span><span class="line"><span class="cl">iptables -L <span class="p">|</span> grep f2b <span class="p">|</span> awk <span class="s1">&#39;{print $NF}&#39;</span> <span class="p">|</span> xargs -I<span class="o">{}</span> iptables -F <span class="o">{}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/etc/init.d/fail2ban stop <span class="c1"># 或 systemctl stop fail2ban</span> </span></span><span class="line"><span class="cl">apt remove fail2ban -y </span></span><span class="line"><span class="cl">apt purge fail2ban -y <span class="c1"># 删配置</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="小结">小结 </h2><p>fail2ban 0.10+ 的核心是 <strong>filter 正则 + jail 策略</strong>:</p> <ol> <li><strong>SSH 默认就开</strong>(<code>apt install</code> 装完自带)</li> <li><strong>FRP 场景最关键</strong>——必须在 frps 端按 frps.log 真实 IP 拉黑</li> <li><strong>jail.local 永远比 jail.conf 优先</strong>(升级不会覆盖)</li> <li><strong>测试正则</strong>:<code>fail2ban-regex</code> 上线前必跑</li> <li><strong>iptables 持久化</strong> 否则重启失效</li> </ol> <p><strong>下一步</strong>:</p> <ul> <li>配合 <code>cloudflare</code> action 封 CDN 后面的恶意 IP</li> <li>用 <code>recidive</code> jail 二次封禁&quot;被解封又来&quot;的攻击者</li> <li>集中化管理:多台机器用 <a class="link" href="https://github.com/cdrrazan/fail2ban-web" target="_blank" rel="noopener" >fail2ban-web</a> 或自建 dashboard</li> </ul> <hr> <h2 id="2024-视角fail2ban-仍是经典但-nftables-时代来了">2024 视角:fail2ban 仍是经典,但 nftables 时代来了 </h2><p>2015 那篇基于 <strong>iptables</strong>。<strong>2024 视角下 nftables 已成事实标准</strong>——fail2ban 1.0+(2022-10 发布)已支持 nftables。</p> <h3 id="一nftables-替代-iptables-是大势所趋">一、nftables 替代 iptables 是大势所趋 </h3><ul> <li><strong>RHEL 8/9 / Fedora / Ubuntu 22.04+ / Debian 12+</strong> 默认都是 <strong>nftables</strong>(<code>iptables</code> 命令其实是 <code>nftables</code> 的兼容层)。</li> <li><strong>fail2ban 1.0.x</strong>(2022-10 起)支持 <strong><code>banaction = nftables-multiport</code></strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/jail.local</span> </span></span><span class="line"><span class="cl"><span class="k">[DEFAULT]</span> </span></span><span class="line"><span class="cl"><span class="na">banaction</span> <span class="o">=</span> <span class="s">nftables-multiport</span> </span></span><span class="line"><span class="cl"><span class="na">banaction_allports</span> <span class="o">=</span> <span class="s">nftables-allports</span> </span></span><span class="line"><span class="cl"><span class="na">chain</span> <span class="o">=</span> <span class="s">input</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>nftables 优势</strong>: <ul> <li><strong>原子化更新</strong>(nft 是事务性的,iptables 改一条规则要逐条 add/delete)</li> <li><strong>规则集更紧凑</strong>(nft 的语法比 iptables 短 30-50%)</li> <li><strong>内建 set / map</strong>(无需 ipset 单独装)</li> </ul> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># nftables 查 fail2ban 规则</span> </span></span><span class="line"><span class="cl">nft list chain inet filter f2b-sshd </span></span></code></pre></td></tr></table> </div> </div><h3 id="二recidive-监狱二次封禁防反复">二、<code>recidive</code> 监狱——&ldquo;二次封禁&quot;防反复 </h3><p>2015 那篇提到 recidive。<strong>2024 实际配置</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/jail.local</span> </span></span><span class="line"><span class="cl"><span class="k">[recidive]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">recidive</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/fail2ban.log</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">1w</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">1d</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">5</span> </span></span><span class="line"><span class="cl"><span class="na">banaction</span> <span class="o">=</span> <span class="s">%(banaction)s</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>效果</strong>:被解封后又来攻击的 IP,<strong>封一周</strong>。</p> <h3 id="三cloudflare-action封-cdn-后面的-ip">三、Cloudflare Action——封 CDN 后面的 IP </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/action.d/cloudflare.conf</span> </span></span><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="na">actionban</span> <span class="o">=</span> <span class="s">curl -s -X POST &#34;https://api.cloudflare.com/client/v4/zones/&lt;ZONE_ID&gt;/firewall/access_rules/rules&#34; \ </span></span></span><span class="line"><span class="cl"><span class="s"> -H &#34;Authorization: Bearer &lt;API_TOKEN&gt;&#34; \ </span></span></span><span class="line"><span class="cl"><span class="s"> -H &#34;Content-Type: application/json&#34; \ </span></span></span><span class="line"><span class="cl"><span class="s"> --data &#39;{&#34;mode&#34;:&#34;block&#34;,&#34;configuration&#34;:{&#34;target&#34;:&#34;ip&#34;,&#34;value&#34;:&#34;&lt;ip&gt;&#34;},&#34;notes&#34;:&#34;Fail2ban&#34;}&#39;</span> </span></span><span class="line"><span class="cl"><span class="na">actionunban</span> <span class="o">=</span> <span class="s">curl -s -X DELETE &#34;https://api.cloudflare.com/client/v4/zones/&lt;ZONE_ID&gt;/firewall/access_rules/rules/&lt;RULE_ID&gt;&#34; \ </span></span></span><span class="line"><span class="cl"><span class="s"> -H &#34;Authorization: Bearer &lt;API_TOKEN&gt;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Init]</span> </span></span><span class="line"><span class="cl"><span class="na">RULE_ID</span> <span class="o">=</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[sshd-cloudflare]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">sshd</span> </span></span><span class="line"><span class="cl"><span class="na">action</span> <span class="o">=</span> <span class="s">cloudflare</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="四fail2ban--telegram-告警">四、fail2ban + Telegram 告警 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/action.d/telegram.conf</span> </span></span><span class="line"><span class="cl"><span class="k">[Definition]</span> </span></span><span class="line"><span class="cl"><span class="na">actionban</span> <span class="o">=</span> <span class="s">curl -s -X POST &#34;https://api.telegram.org/bot&lt;TOKEN&gt;/sendMessage&#34; \ </span></span></span><span class="line"><span class="cl"><span class="s"> -d chat_id=&lt;CHAT_ID&gt; \ </span></span></span><span class="line"><span class="cl"><span class="s"> -d text=&#34;Fail2ban: &lt;ip&gt; banned (&lt;failures&gt; failures)&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="五fail2ban-11-的新特性2023-10">五、fail2ban 1.1 的新特性(2023-10) </h3><ul> <li><strong>持久化 SQLite 数据库</strong>(<code>dbfile = /var/lib/fail2ban/fail2ban.sqlite3</code>)——重启后封禁不丢。</li> <li><strong><code>database</code> 升级</strong>:以前是 BerkeleyDB(要装 <code>python3-pyasn1</code>),现在用 SQLite。</li> <li><strong>正则引擎优化</strong>:Python 3.11+ 提速 20%。</li> </ul> <h3 id="六crowdsecfail2ban-的现代继任者">六、CrowdSec:fail2ban 的&quot;现代继任者&rdquo; </h3><ul> <li><strong>CrowdSec</strong>(Go 写的现代版 fail2ban)<strong>2024 已成为更激进的选择</strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 装</span> </span></span><span class="line"><span class="cl">curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh <span class="p">|</span> sudo bash </span></span><span class="line"><span class="cl">sudo apt install crowdsec </span></span><span class="line"><span class="cl">sudo apt install crowdsec-firewall-bouncer-iptables </span></span></code></pre></td></tr></table> </div> </div><ul> <li> <p><strong>核心优势</strong>:</p> <ul> <li><strong>社区共享黑名单</strong>(CrowdSec 中心服务器聚合)</li> <li><strong>Go 写</strong>(性能比 Python fail2ban 高 10 倍)</li> <li><strong>bouncer 架构</strong>(解析 + 拉黑分离)</li> <li><strong>PostgreSQL 存储</strong>(可查询历史)</li> </ul> </li> <li> <p><strong>2024 实践</strong>:fail2ban + CrowdSec <strong>可以共存</strong>——fail2ban 处理本地 log,CrowdSec 接收社区信号。</p> </li> </ul> <h3 id="七fail2ban-在-docker-时代的困境">七、fail2ban 在 Docker 时代的&quot;困境&quot; </h3><ul> <li><strong>fail2ban 装在 host</strong> 上时,<strong>它看不到容器里的日志</strong>(除非 mount log 目录到 host)。</li> <li><strong>fail2ban 装在容器里</strong>时,它<strong>改不了 iptables/nftables</strong>(容器网络是隔离的)。</li> <li><strong>2024 推荐方案</strong>: <ul> <li><strong>方案 A</strong>:fail2ban 装 host,把容器日志 mount 出来(适合简单场景)</li> <li><strong>方案 B</strong>:用 <strong>CrowdSec</strong> + <strong>bouncer in container</strong>(更适合 K8s)</li> <li><strong>方案 C</strong>:直接上 <strong>WAF</strong>(Cloudflare / ModSecurity)—— 应用层防护</li> </ul> </li> </ul> <p><strong>源文档</strong>:<code>os/linux/第三方tools/safe/fail2ban/fail2ban.md</code>(filter 模板、jail.local 多协议、FRP 集成)</p>