fail2ban installation
Use fail2ban to ban IPs with repeated failed logins
Ban IPs brute-forcing the JumpServer port 2222
System: CentOS Stream
1. Installation
dnf update -y
dnf install epel-release
dnf install fail2ban fail2ban-firewalld
systemctl start fail2ban
systemctl status fail2ban
systemctl enable fail2ban
Ubuntu:
apt install fail2ban firewalld
2. Configuration
Here [DEFAULT] holds the default settings, which apply to every jail (ban target).
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local
[DEFAULT]
# IP whitelist (never banned)
ignoreip = 127.0.0.1/8
# ban duration (seconds by default; a unit suffix such as 30d is accepted)
bantime = 30d
# maximum number of failures before a ban
maxretry = 3
# ban a host that fails {maxretry} times within this window (here 1 day)
findtime = 1d
# method used to block the IP; here firewalld is used to block the port
banaction = firewallcmd-ipset
2.1. Enable the firewall
systemctl start firewalld
2.1.1. Configure fail2ban to use firewalld
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
Restart:
systemctl restart fail2ban
2.2. Modify the configuration
2.2.1. sshd configuration
vim /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = 22
bantime = 100d
maxretry = 2
2.2.2. JumpServer configuration
vim /etc/fail2ban/jail.d/koko.conf
[koko]
enabled = true
filter = jms-koko
logpath = /var/log/jumpserver/koko/koko.log
port = 2222
maxretry = 3
bantime = 30m
findtime = 1d
action = firewallcmd-ipset
2.2.2.1. jms-koko log parsing
The koko log file is stored at /var/log/jumpserver/koko/koko.log:
2024-09-05 17:25:39 [ERRO] User XXXXXXXX Authenticate err: POST http://core:8080/api/v1/authentication/tokens/ failed, get code: 400, {"error":"block_global_ip_login","msg":"The address has been locked (please contact admin to unlock it or try again after 30 minutes)"}
2024-09-05 17:25:39 [INFO] SSH conn[b733ef3fab2680b3b6729f86d6d7d7f9c540295a0a7a949b2b44c2e1f6d64ef1] Failed password for XXXXXXXX from xxx.xxx.xxx.xxx
2024-09-05 17:25:40 [INFO] SSH conn[b733ef3fab2680b3b6729f86d6d7d7f9c540295a0a7a949b2b44c2e1f6d64ef1] authenticating user XXXXXXXX password
2024-09-05 17:25:40 [ERRO] User XXXXXXXX Authenticate err: POST http://core:8080/api/v1/authentication/tokens/ failed, get code: 400, {"error":"block_global_ip_login","msg":"The address has been locked (please contact admin to unlock it or try again after 30 minutes)"}
2024-09-05 17:25:40 [INFO] SSH conn[b733ef3fab2680b3b6729f86d6d7d7f9c540295a0a7a949b2b44c2e1f6d64ef1] Failed password for XXXXXXXX from xxx.xxx.xxx.xxx
2024-09-05 17:25:41 [INFO] SSH conn[b733ef3fab2680b3b6729f86d6d7d7f9c540295a0a7a949b2b44c2e1f6d64ef1] authenticating user XXXXXXXX password
2024-09-05 17:25:41 [ERRO] User XXXXXXXX Authenticate err: POST http://core:8080/api/v1/authentication/tokens/ failed, get code: 400, {"error":"block_global_ip_login","msg":"The address has been locked (please contact admin to unlock it or try again after 30 minutes)"}
2024-09-05 17:25:41 [INFO] SSH conn[b733ef3fab2680b3b6729f86d6d7d7f9c540295a0a7a949b2b44c2e1f6d64ef1] Failed password for XXXXXXXX from xxx.xxx.xxx.xxx
Use the following command to check whether the regex matches correctly:
fail2ban-regex /var/log/jumpserver/koko/koko.log '^.*Failed password for .* from <HOST>'
Running tests
=============
Use failregex line : ^.*Failed password for .* from <HOST>
Use log file : /var/log/jumpserver/koko/koko.log
Use encoding : UTF-8
Results
=======
Failregex: 6 total
|- #) [# of hits] regular expression
| 1) [6] ^.*Failed password for .* from <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [22] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 22 lines, 0 ignored, 6 matched, 16 missed
[processed in 0.00 sec]
"Lines: 22 lines, 0 ignored, 6 matched, 16 missed" means there were 22 log lines in total, of which 6 matched.
Put this regex into the filter file:
vi /etc/fail2ban/filter.d/jms-koko.conf
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Failed password for .* from <HOST>
ignoreregex =
Check the configuration:
fail2ban-client -t
Reload the configuration:
fail2ban-client reload
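To make the filter and jail settings above concrete, here is an added Python example (it is not from the original post and not fail2ban's own code) that applies the same failregex to a constructed koko.log sample, reports matched and missed lines the way fail2ban-regex does, and then replays the jail's maxretry/findtime sliding window to decide which hosts would be banned. The <HOST> placeholder is replaced with a simplified capture group, the sample uses documentation IP addresses, and the ERRO line's JSON body is shortened; all three are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the koko.log format shown on the page (documentation IPs,
# shortened ERRO line). Only the "Failed password for ... from ..." lines should match.
SAMPLE_LOG = """\
2024-09-05 17:25:39 [INFO] SSH conn[abc] authenticating user alice password
2024-09-05 17:25:39 [INFO] SSH conn[abc] Failed password for alice from 203.0.113.7
2024-09-05 17:25:40 [ERRO] User alice Authenticate err: POST http://core:8080/api/v1/authentication/tokens/ failed, get code: 400, {"error":"block_global_ip_login"}
2024-09-05 17:25:40 [INFO] SSH conn[abc] Failed password for alice from 203.0.113.7
2024-09-05 17:25:41 [INFO] SSH conn[abc] Failed password for alice from 203.0.113.7
2024-09-05 17:30:00 [INFO] SSH conn[def] Failed password for bob from 198.51.100.9
2024-09-06 18:00:00 [INFO] SSH conn[ghi] Failed password for bob from 198.51.100.9
2024-09-06 18:00:01 [INFO] SSH conn[ghi] Failed password for bob from 198.51.100.9
"""

# The failregex exactly as written in filter.d/jms-koko.conf on the page.
FAILREGEX = r"^.*Failed password for .* from <HOST>"
# Simplified stand-in for fail2ban's <HOST> expansion (assumption; the real one
# also tolerates IPv6 and IPv4-mapped forms).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"
# koko lines start with "YYYY-MM-DD HH:MM:SS", matching the date template fail2ban picked.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_failures(log_text, failregex=FAILREGEX):
    """Scan log lines like fail2ban-regex: return (matched, missed, failures),
    where failures is a list of (timestamp, host) for every matched line."""
    rx = compile_failregex(failregex)
    failures, matched, missed = [], 0, 0
    for line in log_text.splitlines():
        m = rx.search(line)
        d = DATE_RE.match(line)
        if m and d:
            matched += 1
            ts = datetime.strptime(d.group(1), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group("host")))
        else:
            missed += 1  # ERRO and "authenticating user" lines land here
    return matched, missed, failures


def hosts_to_ban(failures, maxretry=3, findtime=86400):
    """Replay the jail logic: a host is banned once it accumulates maxretry
    failures inside a sliding window of findtime seconds (the [koko] jail uses
    maxretry = 3 and findtime = 1d). Returns {host: time_of_ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(failures):
        if host in banned:
            continue
        # keep only failures still inside the window, then add the current one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    matched, missed, failures = parse_failures(SAMPLE_LOG)
    print(f"Lines: {matched + missed} lines, {matched} matched, {missed} missed")
    for host, ts in hosts_to_ban(failures).items():
        print(f"would ban {host} at {ts}")
```

Running it shows why the page's test reports "missed" lines: the ERRO lines contain "failed" but not the "Failed password for ... from" phrase, so they never count as failures. The second host also illustrates findtime: its first failure is more than a day before the other two, so with findtime = 1d it only ever reaches two failures inside the window and is not banned, whereas widening the window to two days bans it as well.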
2.2.3. View status
fail2ban-client status sshd
fail2ban-client status koko
View the ipset sets holding the IPs banned through firewalld:
ipset list
root@dci-82120:/etc/fail2ban/jail.d# ipset list
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 1640
References: 1
Number of entries: 15
Members:
157.122.183.220 timeout 7065
81.228.27.147 timeout 7065
85.209.11.254 timeout 7065
61.177.172.179 timeout 7065
171.251.30.195 timeout 7065
27.8.112.152 timeout 7065
218.92.0.56 timeout 7065
1.252.63.242 timeout 7065
61.177.172.160 timeout 7065
83.255.12.107 timeout 7065
221.149.233.243 timeout 7065
61.177.172.136 timeout 7065
218.92.0.34 timeout 7065
118.45.255.153 timeout 7065
191.5.98.231 timeout 7065
Name: f2b-koko
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 296
References: 1
Number of entries: 1
Members:
58.246.193.18 timeout 1665
2.2.4. Unbanning
fail2ban-client set sshd unbanip 192.168.1.1    (replace 192.168.1.1 with the IP to unban)
https://www.hechunyu.com/archives/fail2banan-zhuang