インストール

  • EPEL リポジトリ
    # yum install -y fail2ban

設定

  • /etc/fail2ban/fail2ban.local

    # Local override for the fail2ban daemon settings (not the jails).
    [Definition]
    # Daemon log verbosity; fail2ban accepts CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
    # NOTE(review): NOTICE is quieter than the shipped default (INFO) — confirm this is intended,
    # since it also drops the per-jail INFO lines that are useful when investigating a ban.
    loglevel = NOTICE
  • /etc/fail2ban/jail.local

    # Values here are inherited by every jail below unless the jail overrides them.
    [DEFAULT]
    # Ban length and observation window, both in seconds (one day); a host is
    # banned once it reaches maxretry failures within findtime.
    bantime = 86400
    findtime = 86400
    maxretry = 3

    # NOTE(review): no ignoreip is set, so an administrator who fails
    # authentication repeatedly can ban their own address. Consider adding
    # ignoreip = 127.0.0.1/8 <ADMIN_NETWORK> (placeholder) before enabling remote jails.

    # Mail notification settings.
    # NOTE(review): these keys are only consumed by a mail-sending action
    # (action_mw / action_mwl); with the default ban-only action they have no
    # effect — confirm which action the jails actually use.
    destemail = root
    sender = fail2ban
    mta = postfix

    # firewalld-backed actions: an ipset per jail for the port-specific jails below.
    # NOTE(review): fail2ban also ships a firewallcmd-allports action; confirm that
    # multiport is really intended for jails that select banaction_allports.
    banaction = firewallcmd-ipset
    banaction_allports = firewallcmd-multiport

    # Apache: failed HTTP authentication recorded in the error log.
    [apache-auth]
    enabled = true
    port = http,https
    logpath = %(apache_error_log)s

    # Apache: clients whose User-Agent matches known address-harvesting bots.
    # A single hit bans, and the ban is held twice as long as the default.
    [apache-badbots]
    enabled = true
    port = http,https
    logpath = %(apache_access_log)s
    bantime = 172800
    maxretry = 1

    # Apache: requests the server rejected as oversized (error log).
    [apache-overflows]
    enabled = true
    port = http,https
    logpath = %(apache_error_log)s
    maxretry = 2

    # Apache: requests blocked by mod_security rules (error log).
    [apache-modsecurity]
    enabled = true
    port = http,https
    logpath = %(apache_error_log)s
    maxretry = 2

    # Apache: Shellshock-style requests seen in the error log; one hit bans.
    [apache-shellshock]
    enabled = true
    port = http,https
    logpath = %(apache_error_log)s
    maxretry = 1

    # Postfix: generic SMTP rejections from the mail log.
    [postfix]
    enabled = true
    port = smtp,465,submission
    logpath = %(postfix_log)s
    backend = %(postfix_backend)s

    # Postfix: clients rejected by an RBL/DNSBL lookup; one rejection bans.
    [postfix-rbl]
    enabled = true
    port = smtp,465,submission
    logpath = %(postfix_log)s
    backend = %(postfix_backend)s

    # Postfix: failed SASL authentication. The port list also covers the IMAP
    # and POP3 ports, presumably because the same credentials are used there.
    [postfix-sasl]
    enabled = true
    port = smtp,465,submission,imap3,imaps,pop3,pop3s
    # If your syslog writes /var/log/mail.warn, it carries the same lines at
    # the "warn" level in a smaller file and could be monitored instead.
    logpath = %(postfix_log)s
    backend = %(postfix_backend)s

サービス設定

# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl status -l fail2ban

alias

  • /root/.bashrc
    # Show the status of every configured jail: the first call lists the jails,
    # sed strips the commas and everything up to "Jail list:", and xargs runs
    # `fail2ban-client status <jail>` once per remaining name.
    alias fail2ban-status-all="fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status"

ブロックしている IP アドレスの確認

# ipset --list

リンク