Linux on Fernweh的个人博客https://blog.codeglimpse.top/tags/linux/Recent content in Linux on Fernweh的个人博客Hugo -- gohugo.iozh-cnWed, 01 Apr 2026 15:00:00 +0800保护 Linux 服务器的一大利器:Fail2banhttps://blog.codeglimpse.top/p/%E4%BF%9D%E6%8A%A4-linux-%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%9A%84%E4%B8%80%E5%A4%A7%E5%88%A9%E5%99%A8fail2ban/Wed, 01 Apr 2026 15:00:00 +0800https://blog.codeglimpse.top/p/%E4%BF%9D%E6%8A%A4-linux-%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%9A%84%E4%B8%80%E5%A4%A7%E5%88%A9%E5%99%A8fail2ban/<h2 id="什么是-fail2ban">什么是 Fail2ban? </h2><p>Fail2ban 是一个入侵防御软件框架,可以保护计算机服务器免受暴力破解攻击。它通过扫描日志文件(例如 <code>/var/log/auth.log</code>)并禁止显示恶意迹象的 IP 地址——如密码失败次数过多,寻找漏洞等。</p> <h2 id="安装-fail2ban">安装 Fail2ban </h2><p>根据你使用的 Linux 发行版,选择相应的安装方式。</p> <h3 id="1-使用包管理器安装">1. 使用包管理器安装 </h3><h4 id="debian--ubuntu">Debian / Ubuntu </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt update </span></span><span class="line"><span class="cl">sudo apt install fail2ban </span></span></code></pre></td></tr></table> </div> </div><h4 id="centos--rhel-使用-yum-或-dnf">CentOS / RHEL (使用 yum 或 dnf) </h4><p>在 CentOS/RHEL 上,你通常需要先安装 EPEL 仓库:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># CentOS 7</span> </span></span><span class="line"><span class="cl">sudo yum install epel-release </span></span><span class="line"><span class="cl">sudo yum install fail2ban </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># CentOS 8 / RHEL 8 / Fedora (使用 dnf)</span> </span></span><span class="line"><span class="cl">sudo dnf install epel-release </span></span><span class="line"><span class="cl">sudo dnf install fail2ban </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-通过源码安装-targz">2. 通过源码安装 (tar.gz) </h3><p>如果你需要安装特定版本或者你的发行版没有提供包,可以从源码安装:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 下载源码(请替换为最新版本链接)</span> </span></span><span class="line"><span class="cl">wget https://github.com/fail2ban/fail2ban/archive/refs/tags/1.0.2.tar.gz </span></span><span class="line"><span class="cl">tar -xvzf 1.0.2.tar.gz </span></span><span class="line"><span class="cl"><span class="nb">cd</span> fail2ban-1.0.2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 安装</span> </span></span><span class="line"><span class="cl">sudo python3 setup.py install </span></span></code></pre></td></tr></table> </div> </div><p><em>注意:源码安装通常需要手动配置 systemd 服务文件和日志路径。</em></p> <p>安装后,建议将 Fail2ban 设置为开机自启:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl <span class="nb">enable</span> fail2ban </span></span><span class="line"><span class="cl">sudo systemctl start fail2ban </span></span></code></pre></td></tr></table> </div> </div><h2 id="配置-fail2ban">配置 Fail2ban </h2><p>Fail2ban 的默认配置文件是 <code>/etc/fail2ban/jail.conf</code>。但是,不建议直接修改此文件,因为软件包更新时可能会覆盖它。相反,你应该创建一个本地配置文件 <code>/etc/fail2ban/jail.local</code> 或在 <code>/etc/fail2ban/jail.d/</code> 目录下创建新的 <code>.conf</code> 文件来覆盖默认设置。</p> <h3 id="创建本地配置文件">创建本地配置文件 </h3><p>首先,将 <code>jail.conf</code> 复制到 <code>jail.local</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local </span></span></code></pre></td></tr></table> </div> </div><p>现在,你可以安全地编辑 <code>jail.local</code> 文件。</p> <h3 id="配置-ssh-防护">配置 SSH 防护 </h3><p>打开 <code>/etc/fail2ban/jail.local</code> 文件,找到 <code>[sshd]</code> 部分。你可以根据需要自定义以下参数:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[sshd]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">ssh</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">%(sshd_log)s</span> </span></span><span class="line"><span class="cl"><span class="na">backend</span> <span class="o">=</span> <span class="s">%(sshd_backend)s</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">5</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">10m</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">1d</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>enabled</code>: <code>true</code> 表示启用此监狱(jail)。</li> <li><code>port</code>: SSH 服务的端口。</li> <li><code>logpath</code>: SSH 认证日志文件的路径。</li> <li><code>maxretry</code>: 在 <code>findtime</code> 时间内允许的最大失败尝试次数。</li> <li><code>findtime</code>: 监控失败尝试的时间窗口。</li> <li><code>bantime</code>: 禁止 IP 地址的时间长度。<code>1d</code> 表示一天。</li> </ul> <h3 id="重启-fail2ban">重启 Fail2ban </h3><p>修改配置后,你需要重启 Fail2ban 服务以使更改生效:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl restart fail2ban </span></span></code></pre></td></tr></table> </div> </div><h3 id="更多实用场景配置">更多实用场景配置 </h3><p>除了 SSH,Fail2ban 还可以保护许多其他服务。在 <code>jail.local</code> 中添加以下内容:</p> <h4 id="nginx-防止恶意扫描-404-错误过多">Nginx 防止恶意扫描 (404 错误过多) </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[nginx-404]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">http,https</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">nginx-404</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/nginx/access.log</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">600</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">5</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">1h</span> </span></span></code></pre></td></tr></table> </div> </div><p><em>注意:这需要你在 <code>/etc/fail2ban/filter.d/</code> 下定义 <code>nginx-404.conf</code> 过滤器。</em></p> <h4 id="mysqlmariadb-防护">MySQL/MariaDB 防护 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[mariadb-jail]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">3306</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">mysqld-auth</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/mysql/error.log</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">3</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="fail2ban-常用管理命令">Fail2ban 常用管理命令 </h2><p><code>fail2ban-client</code> 是管理 Fail2ban 的主要工具。</p> <h3 id="1-查看状态">1. 查看状态 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 查看服务整体运行状态</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client ping </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看已启用的监狱列表</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看特定监狱的详细状态(如 sshd)</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client status sshd </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-管理被禁-ip">2. 管理被禁 IP </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 手动禁止一个 IP (在 sshd 监狱中)</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> sshd banip 1.2.3.4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 手动解禁一个 IP</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> sshd unbanip 1.2.3.4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 解禁所有监狱中的某个 IP</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client unban 1.2.3.4 </span></span></code></pre></td></tr></table> </div> </div><h3 id="3-重新加载配置">3. 重新加载配置 </h3><p>当你修改了 <code>.local</code> 文件或过滤器后,无需重启整个服务即可生效:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo fail2ban-client reload </span></span></code></pre></td></tr></table> </div> </div><h2 id="常见问题与小贴士">常见问题与小贴士 </h2><ul> <li><strong>白名单</strong>:在 <code>[DEFAULT]</code> 部分设置 <code>ignoreip = 127.0.0.1/8 ::1 &lt;你的固定IP&gt;</code>,防止把自己关在外面。</li> <li><strong>持久化</strong>:默认情况下,重启服务后之前的禁令会失效。如果需要持久化,可以配置数据库存储。</li> <li><strong>邮件通知</strong>:Fail2ban 支持在封禁 IP 时向管理员发送邮件提醒。</li> </ul> <h2 id="总结">总结 </h2><p>Fail2ban 是一个简单而有效的工具,可以为你的服务器增加一层重要的安全保护。通过正确配置,你可以大大减少受到暴力破解攻击的风险。</p>