Using Fail2ban to ban actively probing IPs

The active-probing behaviour we want to ban, as it shows up in the log:

0000-00-00 00:00:00 WARNING common.py:238 unsupported addrtype 69, maybe wrong password or encryption method
0000-00-00 00:00:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 160301008b0100008703037b1d113cae353743a96141532263f238e4fef85f16f4280234332b7662a5f40300001ac02fc02bc011c007c013c009c014c00a0005002f0035c012000a0100004400000012001000000d34372e35322e3235322e313030000500050100000000000a00080006001700180019000b00020100000d000a00080401040302010203ff01000100 from ::ffff:119.96.105.1:50522 via port 443 by UID 443
0000-00-00 00:00:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:119.96.105.1:50522

Install Fail2ban:

yum -y install epel-release
yum -y install fail2ban

Add a filter (e.g. /etc/fail2ban/filter.d/ssr.conf):

[INCLUDES]
before = common.conf

[Definition]

failregex = ^.+ERROR.+can not parse header when handling connection from +<HOST>

ignoreregex =

Add a jail (e.g. /etc/fail2ban/jail.d/01-ssr.conf):

[ssr]
enabled = true
port = 0:65535
logpath = (Log to watch)
maxretry = 1
bantime = 86400
findtime = 300
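To check that the filter above actually matches the "can not parse header" line and nothing else, and to see what the jail's maxretry/findtime settings do, here is an added example that is not part of the original post and not Fail2ban's own code. It substitutes a pattern modelled on fail2ban's older <HOST> expansion (optional ::ffff: IPv4-mapped prefix, then the address; newer releases use a broader pattern) into the post's failregex, runs it over a constructed log with placeholder addresses, and then replays the jail's counting rule. The log lines, timestamps and addresses are constructed, not real observations.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines in the post. Timestamps and
# addresses are placeholders (documentation ranges), not real observations.
SAMPLE_LOG = """\
2024-01-01 00:00:00 WARNING common.py:238 unsupported addrtype 69, maybe wrong password or encryption method
2024-01-01 00:00:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 1603010000 from ::ffff:192.0.2.10:50522 via port 443 by UID 443
2024-01-01 00:00:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:192.0.2.10:50522
2024-01-01 00:00:01 ERROR tcprelay.py:1097 can not parse header when handling connection from 198.51.100.7:40001
2024-01-01 00:00:02 INFO tcprelay.py:100 accepted connection from ::ffff:203.0.113.5:1234
2024-01-01 00:00:05 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:192.0.2.10:50530
2024-01-01 00:10:00 ERROR tcprelay.py:1097 can not parse header when handling connection from 198.51.100.7:40100
"""

# The failregex from the post's filter (ssr.conf), unchanged.
FAILREGEX = r"^.+ERROR.+can not parse header when handling connection from +<HOST>"

# Approximation of fail2ban's <HOST> expansion (assumption: taken from the
# older 0.9-style definition): an optional IPv4-mapped IPv6 prefix "::ffff:",
# then the address captured into the named group "host". The trailing ":port"
# is left unmatched because ':' is not in the character class.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(log_text, failregex=FAILREGEX):
    """Return the host extracted from every log line the failregex matches,
    in log order. Lines without 'ERROR' + 'can not parse header' are skipped,
    including the 'Protocol ERROR' warning that only carries the raw bytes."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, failregex=FAILREGEX, maxretry=1, findtime=300):
    """Replay the jail's counting rule: a host is banned once it has at least
    maxretry matching lines inside a window of findtime seconds. Returns the
    banned hosts in the order they crossed the threshold."""
    pattern = compile_failregex(failregex)
    recent = {}   # host -> timestamps of matches still inside the findtime window
    banned = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("matches:", matched_hosts(SAMPLE_LOG))
    print("banned with maxretry=1:", hosts_to_ban(SAMPLE_LOG, maxretry=1))
    print("banned with maxretry=2, findtime=300:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

With the post's settings (maxretry = 1, findtime = 300) every host that produces a single "can not parse header" line is banned, which is what the post intends for probes but also means a legitimate client with a mistyped password is locked out for bantime (86400 seconds, one day). Raising maxretry to 2 in the replay shows the difference: the host with two failures five seconds apart is still banned, while the one whose two failures are ten minutes apart is not. On a real host the same check is done against the live filter with `fail2ban-regex <logfile> /etc/fail2ban/filter.d/ssr.conf`, which reports how many lines matched and which addresses were extracted.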

(Optional) Disable the FirewallD action and let Fail2ban ban through iptables instead (personally I find f2b gets along better with iptables):

mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.disabled

Enable and start Fail2ban:

systemctl enable fail2ban
systemctl start fail2ban

Check the status of the jail:

fail2ban-client status ssr
