Fail2ban
Fail2ban - "stop DOS attack from remote host" jail - service won't start
Operating system: Ubuntu Server 20.10
**HTTP server:** Apache
When I add the rule (to stop DOS attacks from a remote host) to jail.conf, fail2ban stops working. I took this configuration from some tutorials, but they were for Ubuntu 16 and 18.
```ini
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 127.0.0.1
action = iptables[name=HTTP, port=http, protocol=tcp]
```
/etc/fail2ban/filter.d/http-get-dos.conf
```ini
# Fail2Ban configuration file
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
```
```
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2021-01-07 09:05:29 UTC; 1h 23min ago
       Docs: man:fail2ban(1)
    Process: 82878 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
    Process: 82879 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
   Main PID: 82879 (code=exited, status=255/EXCEPTION)

Jan 07 09:05:29 urial systemd[1]: Starting Fail2Ban Service...
Jan 07 09:05:29 urial systemd[1]: Started Fail2Ban Service.
Jan 07 09:05:29 urial fail2ban-server[82879]: 2021-01-07 09:05:29,370 fail2ban [82879]: ERROR Failed during configuration: While reading from '/etc/fail2ban/jail.local' [l>
Jan 07 09:05:29 urial fail2ban-server[82879]: 2021-01-07 09:05:29,372 fail2ban [82879]: ERROR Async configuration of server failed
Jan 07 09:05:29 urial systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
Jan 07 09:05:29 urial systemd[1]: fail2ban.service: Failed with result 'exit-code'.
```
```
wlodek@urial:/etc/fail2ban$ cat jail.local
##To block failed login attempts use the below jail.
[sshd]
enable = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretray = 3
findtime = 300
bandtime = 86400
ignoreip = 127.0.0.1

##To block failed login attempts use the below jail.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 127.0.0.1

##To block the remote host that is trying to request suspicious URLs, use the below jail.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 127.0.0.1

##To block the remote host that is trying to search for scripts on the website to execute, use the below jail.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 127.0.0.1

##To block the remote host that is trying to request malicious bot, use below jail.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 127.0.0.1

##To stop DOS attack from remote host. [http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 127.0.0.1
action = iptables[name=HTTP, port=http, protocol=tcp]
```
Solution
In the jail.local file, the jail's section header is on the same line as the comment:
```ini
##To stop DOS attack from remote host. [http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 127.0.0.1
action = iptables[name=HTTP, port=http, protocol=tcp]
```
This means the section header is ignored. It should be placed on its own line, like this:
```ini
##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 127.0.0.1
action = iptables[name=HTTP, port=http, protocol=tcp]
```
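Added example (not part of the original question or answer) showing why the misplaced header kills the service: a `#` line is a comment in its entirety, so the `enabled = true` that follows it is appended to the preceding `[apache-badbots]` section, where that option already exists, and a strict INI parser refuses the file. Python's stdlib `configparser` stands in for fail2ban's reader here (an assumption: same full-line comment rule and strict duplicate-option check, which is consistent with the truncated "While reading from '/etc/fail2ban/jail.local'" error above); the two jail fragments are constructed for the demo.

```python
import configparser

# Constructed fragment (not from the post): the header shares the comment
# line, so the parser never sees a new section start.
BROKEN = """\
[apache-badbots]
enabled = true
filter = apache-badbots
##To stop DOS attack from remote host. [http-get-dos]
enabled = true
filter = http-get-dos
"""

# Constructed fragment: header on its own line, as the answer recommends.
FIXED = """\
[apache-badbots]
enabled = true
filter = apache-badbots
##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
filter = http-get-dos
"""

def load_jails(text):
    """Parse jail.local-style text into {section: {option: value}}.
    stdlib configparser stands in for fail2ban's reader (assumption, see
    lead-in); on a parse error return {"error": message} instead of raising."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text, source="jail.local")
    except configparser.Error as exc:
        return {"error": str(exc)}
    return {s: dict(parser[s]) for s in parser.sections()}

def check_headers(text):
    """Lint a jail file before restarting fail2ban: return 1-based line
    numbers of comment lines that also carry a '[section]' header."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith(("#", ";")) and "[" in stripped and "]" in stripped:
            findings.append(lineno)
    return findings

if __name__ == "__main__":
    print(load_jails(BROKEN))     # error: option 'enabled' ... already exists
    print(load_jails(FIXED))      # both jails present, http-get-dos included
    print(check_headers(BROKEN))  # [4]
```

Running `check_headers` over the real file (after `fail2ban-client -t` style validation) flags the offending line number before the service is restarted.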