The active-probing behaviour we want to block, as it shows up in the SSR log:
0000-00-00 00:00:00 WARNING common.py:238 unsupported addrtype 69, maybe wrong password or encryption method
0000-00-00 00:00:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data ... from ::ffff:119.96.105.1:50522 via port 443 by UID 443
0000-00-00 00:00:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:119.96.105.1:50522
Install Fail2ban:
yum -y install epel-release
yum -y install fail2ban
Add a filter (e.g. /etc/fail2ban/filter.d/ssr.conf):
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.+ERROR.+can not parse header when handling connection from +<HOST>
ignoreregex =
Add a jail (e.g. /etc/fail2ban/jail.d/01-ssr.conf):
[ssr]
enabled = true
port = 0:65535
logpath = (Log to watch)
maxretry = 1
bantime = 86400
findtime = 300
(Optional) Disable FirewallD and let iptables do the banning (personally I find f2b and iptables get along better):
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.disabled
Start Fail2ban:
systemctl enable fail2ban
systemctl start fail2ban
Check the jail's status:
fail2ban-client status ssr
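To check that the filter and jail above do what is intended before pointing Fail2ban at the live log, here is an added Python example (not part of the original post and not Fail2ban's own code) that replays the failregex and the jail's maxretry/findtime rule over a constructed log sample. Its <HOST> expansion is an assumption modelled on Fail2ban's own host pattern, and the addresses are constructed documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as in the filter above; fail2ban expands <HOST> itself.
FAILREGEX = r"^.+ERROR.+can not parse header when handling connection from +<HOST>"

# Assumption: an approximation of fail2ban's <HOST> expansion (modelled on the
# 0.9.x pattern). It tolerates the IPv4-mapped prefix ::ffff: seen in SSR logs.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Constructed sample log; addresses are documentation ranges, not real probes.
SAMPLE_LOG = """\
2019-01-01 10:00:00 WARNING common.py:238 unsupported addrtype 69, maybe wrong password or encryption method
2019-01-01 10:00:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data ... from ::ffff:192.0.2.10:50522 via port 443 by UID 443
2019-01-01 10:00:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:192.0.2.10:50522
2019-01-01 10:02:30 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:192.0.2.10:50610
2019-01-01 10:20:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:198.51.100.7:41000
2019-01-01 10:21:00 INFO tcprelay.py:500 connecting example.com:443 from ::ffff:203.0.113.5:44444
"""

def match_host(line):
    """Return the offending host when the line matches failregex, else None."""
    m = FAIL_PATTERN.search(line)
    return m.group("host") if m else None

def hosts_to_ban(log_text, maxretry=1, findtime=300):
    """Replay the jail's maxretry/findtime rule over the log and return the set
    of hosts that would be banned (the jail above uses maxretry=1, findtime=300)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        host = match_host(line)
        if host:
            hits[host].append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i, t in enumerate(times):
            # failures from this host inside the findtime window ending at t
            recent = sum(1 for u in times[: i + 1] if t - u <= window)
            if recent >= maxretry:
                banned.add(host)
                break
    return banned

if __name__ == "__main__":
    for mr in (1, 2, 3):
        print(f"maxretry={mr}: ban {sorted(hosts_to_ban(SAMPLE_LOG, mr))}")
```

On the server itself, fail2ban-regex <logfile> /etc/fail2ban/filter.d/ssr.conf runs the same filter check against the real log and reports which lines matched.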