Use Fail2ban to protect the SSH service and mitigate the impact of brute-force attacks.
1. Fail2ban with FirewallD
1. Install Fail2ban from the EPEL repository
yum install -y epel-release
yum install -y fail2ban fail2ban-systemd
2. Disable SELinux (if it is enabled)
setenforce 0
sed -i "s/SELINUX=.*/SELINUX=disabled/" /etc/selinux/config
3. Configure Fail2ban; here we use FirewallD, the default firewall on CentOS 7.
Create the file /etc/fail2ban/jail.d/sshd.local with the following content:
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
4. Enable Fail2ban
systemctl enable fail2ban
systemctl start fail2ban
2. Fail2ban with iptables-services
1. Install Fail2ban from the EPEL repository
yum install -y epel-release
yum install -y fail2ban fail2ban-systemd
2. Disable SELinux (if it is enabled)
setenforce 0
sed -i "s/SELINUX=.*/SELINUX=disabled/" /etc/selinux/config
3. Set up Fail2ban; here we use iptables-services.
yum -y install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
4. Create the file /etc/fail2ban/jail.d/sshd.local with the following content:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
5. Enable Fail2ban
systemctl enable fail2ban
systemctl start fail2ban
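The maxretry and bantime settings in both jail files above express one rule: a source that produces maxretry failed logins within Fail2ban's findtime window (10 minutes by default; neither jail file on this page overrides it) is banned for bantime seconds. The following Python script is an added example, not Fail2ban's own code, that applies that rule to constructed sshd log lines so you can see which source the sshd jail would ban and why; the log line format, the assumed year and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" line as matched by the stock sshd filter (assumption: one common format; real logs vary)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: 203.0.113.7 fails 5 times in 16 seconds (should be
# banned), 198.51.100.9 fails 5 times spread over two hours (should not be).
SAMPLE_LOG = """\
Mar  3 09:00:00 host sshd[1001]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar  3 09:30:00 host sshd[1002]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Mar  3 10:00:00 host sshd[1003]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar  3 10:00:01 host sshd[1010]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 host sshd[1011]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:09 host sshd[1012]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:13 host sshd[1013]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  3 10:00:17 host sshd[1014]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:05:00 host sshd[1020]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Mar  3 10:30:00 host sshd[1004]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar  3 11:00:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 40005 ssh2
"""

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one so the values are comparable
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def banned_ips(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for sources reaching maxretry failures within
    findtime seconds (maxretry as in the jail; findtime is Fail2ban's default)."""
    recent = defaultdict(list)  # ip -> failure times still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines never count
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue  # already banned for bantime; further lines are irrelevant
        window = recent[ip]
        window.append(t)
        while window and (t - window[0]).total_seconds() > findtime:
            window.pop(0)  # expire failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = t
    return banned
```

Running banned_ips(SAMPLE_LOG) reports only 203.0.113.7, banned at the fifth failure (10:00:17); raising findtime to two hours would also catch the slow source, which is the trade-off to keep in mind when tuning maxretry and findtime.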