1 创建 role 并编写 playbook
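# Create the role once so it can be reused across hosts ("write once, run
# anywhere"). The name given here must match the directory inspected below:
# the original used `fail2ban-init` here but `fail2ban` in the tree, so the
# `tree` command would have pointed at a directory that does not exist.
ansible-galaxy init fail2ban
# Then fill in the playbook/role tasks; the resulting layout is shown below.
tree fail2ban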
fail2ban
├── README.md
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── tasks
│ ├── install.yml
│ ├── main.yml
│ ├── reboot.yml
│ └── sync-config.yml
├── templates
│ └── config.j2
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
2 安装部署
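# Deploy to the hosts listed in inventory `hlist`. `-k` asks for the SSH
# password interactively (it is not put on the command line, so it does not
# leak via `ps`/shell history), but the run still logs in as root with a
# password. Prefer a key-authenticated, non-root user with `become: true`;
# the playbook only hardens brute-force attempts, it does not remove the
# root/password login path itself.
# The "log file at /var/log/ansible.log is not writeable" warning printed
# below means Ansible's log_path points at a file this user cannot write;
# fix its ownership/mode or unset log_path in ansible.cfg. Despite the word
# "aborting", the play continues (see the PLAY RECAP).
ansible-playbook -i hlist deploy.yml -uroot -k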
[WARNING]: log file at /var/log/ansible.log is not writeable and we cannot create it, aborting
SSH password:
PLAY [hlists] **********************************************************************************************************************
Tuesday 12 May 2020 16:06:40 +0800 (0:00:00.197) 0:00:00.197 ***********
TASK [fail2ban : install fail2ban] *************************************************************************************************
ok: [192.168.1.25]
Tuesday 12 May 2020 16:06:47 +0800 (0:00:06.949) 0:00:07.146 ***********
TASK [fail2ban : sync config to remote machine] ************************************************************************************
ok: [192.168.1.25]
Tuesday 12 May 2020 16:06:49 +0800 (0:00:01.740) 0:00:08.887 ***********
TASK [fail2ban : restart fail2ban service] *****************************************************************************************
changed: [192.168.1.25]
PLAY RECAP *************************************************************************************************************************
192.168.1.25 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Tuesday 12 May 2020 16:06:51 +0800 (0:00:02.310) 0:00:11.198 ***********
===============================================================================
fail2ban : install fail2ban ------------------------------------------------------------------------------------------------- 6.95s
fail2ban : restart fail2ban service ----------------------------------------------------------------------------------------- 2.31s
fail2ban : sync config to remote machine ------------------------------------------------------------------------------------ 1.74s
3 检测服务状态和测试功能
[root@zhuima ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-05-12 16:06:51 CST; 1s ago
Docs: man:fail2ban(1)
Process: 11967 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 11971 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 11973 (f2b/server)
Memory: 9.3M
CGroup: /system.slice/fail2ban.service
└─11973 /usr/bin/python -s /usr/bin/fail2ban-server -xf ...
May 12 16:06:51 zhuima systemd[1]: Starting Fail2Ban Se...
May 12 16:06:51 zhuima systemd[1]: Started Fail2Ban Ser...
May 12 16:06:51 zhuima fail2ban-server[11973]: Server r...
Hint: Some lines were ellipsized, use -l to show in full.
客户端主机
# fail2ban 中 ssh 监狱(jail)的 maxretry 设置为 5:同一来源 IP 连续认证失败 5 次后即被封禁(对照下文的 Total failed: 5 / Currently banned: 1)
↵ 2 ssh root@192.168.1.25
root@192.168.1.25's password:
Permission denied, please try again.
root@192.168.1.25's password:
Permission denied, please try again.
root@192.168.1.25's password:
root@192.168.1.25: Permission denied (publickey,password).
↵ SIG(127) ssh root@192.168.1.25
root@192.168.1.25's password:
Permission denied, please try again.
root@192.168.1.25's password:
Permission denied, please try again.
root@192.168.1.25's password:
^C
# 被封禁后再次连接直接返回 Connection refused:ssh-iptables 动作已在防火墙层拒绝了该来源 IP 的连接(若动作改为 DROP,则会表现为连接超时而不是 refused)
↵ SIGINT(2) ssh root@192.168.1.25
ssh: connect to host 192.168.1.25 port 22: Connection refused
↵ SIG(127) ssh root@192.168.1.25
ssh: connect to host 192.168.1.25 port 22: Connection refused
fail2ban 机器
[root@zhuima ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
[root@zhuima ~]#
[root@zhuima ~]#
[root@zhuima ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.1.153
4 目的
很多时候,常识性的认知会让我们觉得机器没有公网 IP、只对外映射特定端口,安全等级就会高很多;殊不知内部员工的一些操作(在开发机器上下载来源不明的软件、安装一些比较偏门的工具)很可能引入安全问题,而且局域网内部的防护相对入口来说往往更薄弱。使用 fail2ban 加固 ssh 是一个不错的选择,当然 fail2ban 的功能不单单局限于 ssh 服务。需要注意的是,fail2ban 只是减缓暴力破解,并不能替代 sshd 本身的加固:上面的测试中 root 仍然可以用密码登录,说明 PermitRootLogin / PasswordAuthentication 尚未收紧,应改为密钥认证并禁止 root 直接登录;另外封禁是按来源 IP 进行的,经同一 NAT 出口访问的多台机器会被一起封禁,maxretry 和 bantime 需要结合实际情况调整。