The active probing we want to ban, as it shows up in the ShadowsocksR log (timestamps redacted; note that only the third, ERROR-level line is what the filter below keys on):
0000-00-00 00:00:00 WARNING common.py:238 unsupported addrtype 69, maybe wrong password or encryption method
0000-00-00 00:00:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data ... from ::ffff:119.96.105.1:50522 via port 443 by UID 443
0000-00-00 00:00:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:119.96.105.1:50522
Install Fail2ban (CentOS, from EPEL):
yum -y install epel-release
yum -y install fail2ban
Add a filter (e.g. /etc/fail2ban/filter.d/ssr.conf). The failregex matches only the "can not parse header" ERROR line; fail2ban expands <HOST> itself, so the ::ffff: IPv4-mapped prefix and the trailing source port are handled without extra regex:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.+ERROR.+can not parse header when handling connection from +<HOST>
ignoreregex =
Add a jail (e.g. /etc/fail2ban/jail.d/01-ssr.conf). The jail name ssr selects filter.d/ssr.conf automatically; maxretry = 1 means a single failed handshake within findtime is enough to ban the source for bantime seconds on every port:
[ssr]
enabled = true
port = 0:65535
logpath = (Log to watch)
maxretry = 1
bantime = 86400
findtime = 300
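Before pointing the jail at the live log, it is worth confirming which of the quoted lines the failregex actually catches and how maxretry and findtime interact. The script below is an added example written for this post; it is not the author's code and not part of fail2ban. It re-implements just enough of fail2ban's matching (the 0.9.x expansion of <HOST> is assumed; 0.10+ uses a broader <ADDR>|<DNS> form that accepts the same lines) to replay constructed log lines through the jail's counting rule. The sample log reuses the post's three lines with real timestamps substituted for the redacted ones; the 198.51.100.9 and 203.0.113.7 entries, the INFO line and all function names are made up for the example.

```python
"""Dry run of the ssr.conf failregex and the jail's counting rule.

Added example for this post; it is neither the post's own code nor part
of fail2ban. It re-implements just enough of fail2ban's matching to show
which of the quoted SSR log lines would trigger a ban.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex copied verbatim from the filter.d/ssr.conf shown in the post.
FAILREGEX = r"^.+ERROR.+can not parse header when handling connection from +<HOST>"

# Assumption: fail2ban 0.9.x expands <HOST> to this. The "::ffff:" IPv4-mapped
# prefix is consumed but not captured, and ":" is outside the character class,
# so the trailing ":50522" source port is left out of the "host" group.
# (0.10+ expands <HOST> to <ADDR>|<DNS>, which accepts the same lines.)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample log: the three lines quoted in the post with real
# timestamps in place of the redacted 0000-00-00 ones, plus made-up entries
# for 198.51.100.9 (benign) and 203.0.113.7 (two probes ten minutes apart).
SAMPLE_LOG = """\
2024-03-01 10:00:00 WARNING common.py:238 unsupported addrtype 69, maybe wrong password or encryption method
2024-03-01 10:00:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data ... from ::ffff:119.96.105.1:50522 via port 443 by UID 443
2024-03-01 10:00:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:119.96.105.1:50522
2024-03-01 10:02:30 INFO tcprelay.py:1 connection from ::ffff:198.51.100.9:41000 handled normally
2024-03-01 10:05:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:203.0.113.7:60001
2024-03-01 10:15:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:203.0.113.7:60002
"""


def compile_failregex(failregex=FAILREGEX):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(line, pattern=None):
    """Return (timestamp, host) if the failregex matches the line, else None.

    SSR prefixes each line with "YYYY-MM-DD HH:MM:SS", a format fail2ban's
    default datepattern recognises; the same prefix is parsed here.
    """
    if pattern is None:
        pattern = compile_failregex()
    m = pattern.search(line)
    if m is None:
        return None
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), m.group("host")


def simulate_jail(log, maxretry, findtime):
    """Replay a log through the jail rule: ban a host once it has at least
    maxretry matches within a findtime-second window. Returns {host: ban time}.
    """
    pattern = compile_failregex()
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of matches still in window
    banned = {}
    for line in log.splitlines():
        hit = match_line(line, pattern)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop matches that have aged out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("MATCH " if match_line(line) else "ignore", line[:90])
    # The post's jail: maxretry = 1, findtime = 300 -> both probing hosts banned.
    print(simulate_jail(SAMPLE_LOG, maxretry=1, findtime=300))
    # A stricter count with the same window: 203.0.113.7's probes are 600 s
    # apart, so they never share one window and nobody is banned.
    print(simulate_jail(SAMPLE_LOG, maxretry=2, findtime=300))
```

Two things the replay makes visible: the WARNING line that also contains the word "ERROR" ("Protocol ERROR, TCP ogn data ...") does not match, because the regex additionally requires "can not parse header", so one probe connection produces exactly one hit; and raising maxretry only helps if findtime is long enough for repeated probes from the same source to fall in one window. Against the real log the same check is `fail2ban-regex <logfile> /etc/fail2ban/filter.d/ssr.conf`, which also reports whether fail2ban could parse the timestamps.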
(Optional) Disable the FirewallD action so bans are applied with iptables instead; renaming the file below makes fail2ban fall back to its default iptables-multiport banaction (personally I find f2b gets along better with iptables):
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.disabled
Enable and start Fail2ban:
systemctl enable fail2ban
systemctl start fail2ban
Check the jail's status (currently failed and banned counts, plus the banned IP list):
fail2ban-client status ssr