Ubuntu:使用Fail2ban防止暴力破解SSH等服务

前几天无意之中发现auth.log体积非常大，打开来看才发现我的服务器SSH正在被暴力破解，部分内容如下：

May  8 03:03:32 mysite sshd[10143]: Failed password for root from 182.100.67.113 port 41988 ssh2
May  8 03:03:35 mysite sshd[10143]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 41988 ssh2]
May  8 03:03:35 mysite sshd[10143]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:35 mysite sshd[10143]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:36 mysite sshd[10145]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:03:37 mysite sshd[10145]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:39 mysite sshd[10145]: Failed password for root from 182.100.67.113 port 57935 ssh2
May  8 03:03:43 mysite sshd[10145]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 57935 ssh2]
May  8 03:03:44 mysite sshd[10145]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:44 mysite sshd[10145]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:44 mysite sshd[10147]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:03:45 mysite sshd[10147]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:47 mysite sshd[10147]: Failed password for root from 182.100.67.113 port 47047 ssh2
May  8 03:03:51 mysite sshd[10147]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 47047 ssh2]
May  8 03:03:52 mysite sshd[10147]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:52 mysite sshd[10147]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:52 mysite sshd[10149]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:03:53 mysite sshd[10149]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:55 mysite sshd[10149]: Failed password for root from 182.100.67.113 port 35690 ssh2
May  8 03:03:59 mysite sshd[10149]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 35690 ssh2]
May  8 03:03:59 mysite sshd[10149]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:59 mysite sshd[10149]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:59 mysite sshd[10151]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:04:02 mysite sshd[10151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:04 mysite sshd[10151]: Failed password for root from 182.100.67.113 port 50994 ssh2
May  8 03:04:08 mysite sshd[10151]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 50994 ssh2]
May  8 03:04:08 mysite sshd[10151]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:04:08 mysite sshd[10151]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:08 mysite sshd[10153]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:04:11 mysite sshd[10153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:12 mysite sshd[10153]: Failed password for root from 182.100.67.113 port 42771 ssh2
May  8 03:04:17 mysite sshd[10153]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 42771 ssh2]
May  8 03:04:17 mysite sshd[10153]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:04:17 mysite sshd[10153]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:17 mysite sshd[10155]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:04:21 mysite sshd[10155]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root

非常明显是用的程序在恶意登录，所以请出Fail2ban，fail2ban会监视系统日志，发现异常情况后就会执行相应的屏蔽动作，还会发送电子邮件通知系统管理员。

一、安装fail2ban

直接使用apt-get：
apt-get install fail2ban

二、配置fail2ban

复制一份本地配置文件：
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

1.初始配置

编辑jail.local文件，作如下修改：

ignoreip = 127.0.0.1/8
bantime = 3600  # 屏蔽时长，可自行调整，单位为秒,-1则为永久屏蔽
findtime = 600  #监测时长，在findtime时间内出现maxretry次尝试即执行屏蔽动作，单位为秒
maxretry = 3  # 最大尝试次数

2.邮件通知配置

编辑jail.local文件，作如下修改：

destemail = xxxx@163.com  # 邮件通知的目的邮箱
mta = sendmail  # 使用哪个发送邮件命令，可以选mail或sendmail
action = %(action_mw)s  # 默认只发送屏蔽IP信息，_mw后缀发送IP信息+whois信息

注意：需要配置好mail或sendmail邮件通知才能正常工作，参考：Ubuntu:使用sendmail配置邮件服务，发送邮件

3.SSH配置

编辑jail.local文件，配置如下：

[ssh]

enabled  = true  # 激活SSH监测
port     = ssh  # 端口
filter   = sshd
logpath  = /var/log/auth.log  # SSH日志路径
maxretry = 3  # 最大尝试次数

三、令Fail2ban生效

只需要重启fail2ban服务：
service fail2ban restart

---

那个丧心病狂的已经开始换IP暴力破解了