项目:https://github.com/FunctionClub/Fail2ban
安装
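# -O pins the output name. Without it, wget leaves an existing fail2ban.sh in
# place and saves the new download as fail2ban.sh.1, so bash would run the
# older file. The URL tracks the mutable master branch and the script runs as
# root: read the downloaded file before executing it.
wget -O fail2ban.sh https://raw.githubusercontent.com/FunctionClub/Fail2ban/master/fail2ban.sh && bash fail2ban.sh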
卸载
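# -O pins the output name so a leftover uninstall.sh from an earlier download
# is overwritten instead of being run in place of the new copy. The script
# runs as root and removes /etc/fail2ban: read it before executing it.
wget -O uninstall.sh https://raw.githubusercontent.com/FunctionClub/Fail2ban/master/uninstall.sh && bash uninstall.sh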
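# FunctionClub fail2ban installer. Run with bash, as root.
#
# Installs fail2ban, optionally moves sshd to another port, writes an
# [ssh-iptables] jail to /etc/fail2ban/jail.local and restarts fail2ban and
# sshd. Because sshd_config is edited and sshd restarted, keep the current
# session open until a fresh login on the chosen port has been confirmed; a
# host firewall or SELinux policy that does not allow the new port is not
# handled by this script.
#
# Changes against the original:
#   * the jail bans the port sshd is actually configured for (the original
#     always used port=ssh, so a host moved off port 22 was not covered);
#   * empty or non-numeric answers for retries / ban hours fall back to the
#     defaults instead of producing an empty value in jail.local;
#   * sshd_config is validated with `sshd -t` before sshd is restarted;
#   * CentOS without systemd restarts the `sshd` service (was `ssh`);
#   * sshd_config and an existing jail.local are copied aside before being
#     changed.
clear

# CFAILURE, CWARNING and CEND are colour variables this script never sets;
# they expand to nothing unless the caller exports them.

# Print an error and stop with a non-zero status (the original used
# `kill -9 $$`, which leaves no status a caller can test).
die() {
  echo "${CFAILURE}$*${CEND}" >&2
  exit 1
}

# Succeed when /etc/issue contains the pattern $1.
issue_has() {
  grep -q -- "$1" /etc/issue 2>/dev/null
}

# Succeed when /etc/redhat-release contains the pattern $1.
release_has() {
  grep -q -- "$1" /etc/redhat-release 2>/dev/null
}

# Install lsb_release on apt-based systems when it is missing.
ensure_lsb_release() {
  if ! command -v lsb_release >/dev/null 2>&1; then
    apt-get -y update
    apt-get -y install lsb-release
    clear
  fi
}

# Print the first uncommented Port value from sshd_config, or 22 if none.
read_ssh_port() {
  local port=""
  if [ -r /etc/ssh/sshd_config ]; then
    port=$(awk '/^Port/ {print $2; exit}' /etc/ssh/sshd_config)
  fi
  echo "${port:-22}"
}

# Succeed when $1 is 22 or lies in 1025-65534 (the range the prompt states).
is_valid_port() {
  [[ $1 =~ ^[0-9]{1,5}$ ]] || return 1
  local p=$((10#$1))
  ((p == 22 || (p > 1024 && p < 65535)))
}

# Succeed when $1 is a positive decimal integer without leading zeros.
is_positive_int() {
  [[ $1 =~ ^[1-9][0-9]{0,8}$ ]]
}

#CheckIfRoot
[ "$(id -u)" != "0" ] && die "Error: You must be root to run this script"

#ReadSSHPort
ssh_port=$(read_ssh_port)

#CheckOS
# The *_version variables are recorded as in the original; nothing below
# reads them.
lsb_id=$(lsb_release -is 2>/dev/null)
if issue_has 'Aliyun Linux release' || [ -e /etc/redhat-release ]; then
  OS=CentOS
  release_has ' 7\.' && CentOS_RHEL_version=7
  if release_has ' 6\.' || issue_has 'Aliyun Linux release6 15'; then
    CentOS_RHEL_version=6
  fi
  if release_has ' 5\.' || issue_has 'Aliyun Linux release5'; then
    CentOS_RHEL_version=5
  fi
elif issue_has 'Amazon Linux AMI release' || [ -e /etc/system-release ]; then
  OS=CentOS
  CentOS_RHEL_version=6
elif issue_has 'bian' || [ "$lsb_id" = "Debian" ]; then
  OS=Debian
  ensure_lsb_release
  Debian_version=$(lsb_release -sr | awk -F. '{print $1}')
elif issue_has 'Deepin' || [ "$lsb_id" = "Deepin" ]; then
  OS=Debian
  ensure_lsb_release
  Debian_version=$(lsb_release -sr | awk -F. '{print $1}')
# kali rolling
elif issue_has 'Kali GNU/Linux Rolling' || [ "$lsb_id" = "Kali" ]; then
  OS=Debian
  ensure_lsb_release
  if grep -q 'VERSION="2016.*"' /etc/os-release 2>/dev/null; then
    Debian_version=8
  else
    die "Does not support this OS, Please contact the author! "
  fi
elif issue_has 'Ubuntu' || [ "$lsb_id" = "Ubuntu" ] || issue_has 'Linux Mint'; then
  OS=Ubuntu
  ensure_lsb_release
  Ubuntu_version=$(lsb_release -sr | awk -F. '{print $1}')
  issue_has 'Linux Mint 18' && Ubuntu_version=16
elif issue_has 'elementary' || [ "$lsb_id" = 'elementary' ]; then
  OS=Ubuntu
  ensure_lsb_release
  Ubuntu_version=16
else
  die "Does not support this OS, Please contact the author! "
fi

#Read Imformation From The User
echo "Welcome to Fail2ban!"
echo "--------------------"
echo "This Shell Script can protect your server from SSH attacks with the help of Fail2ban and iptables"
echo ""

while :; do
  echo
  read -r -p "Do you want to change your SSH Port? [y/n]: " IfChangeSSHPort
  case "$IfChangeSSHPort" in
    y)
      if [ -e /etc/ssh/sshd_config ]; then
        ssh_port=$(read_ssh_port)
        while :; do
          echo
          read -r -p "Please input SSH port(Default: $ssh_port): " SSH_PORT
          [ -z "$SSH_PORT" ] && SSH_PORT=$ssh_port
          if is_valid_port "$SSH_PORT"; then
            # Normalise e.g. "0022" so sshd_config gets a plain number.
            SSH_PORT=$((10#$SSH_PORT))
            break
          fi
          echo "${CWARNING}input error! Input range: 22,1025~65534${CEND}"
        done
        # Keep a copy so the previous configuration can be restored.
        cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.fail2ban.bak
        if grep -q '^Port' /etc/ssh/sshd_config; then
          sed -i "s@^Port.*@Port $SSH_PORT@" /etc/ssh/sshd_config
        elif [ "$SSH_PORT" != '22' ]; then
          sed -i "s@^#Port.*@&\nPort $SSH_PORT@" /etc/ssh/sshd_config
        fi
      fi
      break
      ;;
    n)
      break
      ;;
    *)
      echo "${CWARNING}Input error! Please only input y or n!${CEND}"
      ;;
  esac
done

# Re-read the port from the file rather than trusting the answer: this keeps
# the detected port when the user answered "n" and reflects what sed really
# wrote when the user answered "y".
ssh_port=$(read_ssh_port)

echo ""
read -r -p "Input the maximun times for trying [2-10]: " maxretry
echo ""
read -r -p "Input the lasting time for blocking a IP [hours]: " bantime

# Both values are written into jail.local, so accept plain positive integers
# only and fall back to the defaults (3 tries, 24 hours) otherwise.
if ! is_positive_int "$maxretry"; then
  [ -n "$maxretry" ] && echo "${CWARNING}Invalid retry count, using 3${CEND}" >&2
  maxretry=3
fi
if ! is_positive_int "$bantime"; then
  [ -n "$bantime" ] && echo "${CWARNING}Invalid ban time, using 24 hours${CEND}" >&2
  bantime=24
fi
bantime=$((bantime * 60 * 60))

#Install
if [ "$OS" = CentOS ]; then
  yum -y install epel-release
  yum -y install fail2ban
else
  apt-get -y update
  apt-get -y install fail2ban
fi
[ -d /etc/fail2ban ] || die "fail2ban installation failed: /etc/fail2ban is missing"

#Configure
jail_file=/etc/fail2ban/jail.local
if [ -e "$jail_file" ]; then
  # The file is overwritten below; keep the previous version next to it.
  cp -p -- "$jail_file" "${jail_file}.bak"
fi

if [ "$OS" = CentOS ]; then
  default_maxretry=3
  logpath=/var/log/secure
else
  default_maxretry=$maxretry
  # NOTE(review): hosts that log sshd only to the journal may not have this
  # file; such a jail would need `backend = systemd` instead - confirm on the
  # target release.
  logpath=/var/log/auth.log
fi

# port= carries the configured sshd port: the iptables action only blocks the
# port named here, so a jail left at port=ssh does not protect an sshd that
# listens elsewhere.
cat > "$jail_file" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = $default_maxretry
findtime = 1800

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=$ssh_port, protocol=tcp]
logpath = $logpath
maxretry = $maxretry
findtime = 3600
bantime = $bantime
EOF

#Start
if [ "$OS" = CentOS ]; then
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart fail2ban
    systemctl enable fail2ban
  else
    service fail2ban restart
    chkconfig fail2ban on
  fi
else
  service fail2ban restart
fi

#Finish
echo "Finish Installing ! Reboot the sshd now !"

# Refuse to restart sshd on a configuration it cannot parse; a failed restart
# would end remote access to the host.
if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
  die "sshd_config failed validation (sshd -t); sshd was not restarted"
fi

if [ "$OS" = CentOS ]; then
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart sshd
  else
    service sshd restart
  fi
else
  service ssh restart
fi

echo ""
echo 'Telegram Group: https://t.me/functionclub'
echo 'Google Puls: https://plus.google.com/communities/113154644036958487268'
echo 'Github: https://github.com/FunctionClub'
echo 'QQ Group:277717865'
echo "Fail2ban is now runing on this server now!"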
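# FunctionClub fail2ban uninstaller. Run with bash, as root.
#
# Stops and removes the fail2ban package and deletes /etc/fail2ban. It does
# not undo an SSH port change made at install time; sshd_config is left as is.
#
# Changes against the original: only the package family is detected (the
# release number, the sshd port and the lsb-release install were never used
# here), the service is stopped before the package is removed, and an
# unsupported system ends with exit status 1 instead of `kill -9 $$`.
clear

# CFAILURE and CEND are colour variables this script never sets; they expand
# to nothing unless the caller exports them.

# Print an error and stop with a non-zero status.
die() {
  echo "${CFAILURE}$*${CEND}" >&2
  exit 1
}

# Succeed when /etc/issue contains the pattern $1.
issue_has() {
  grep -q -- "$1" /etc/issue 2>/dev/null
}

#CheckIfRoot
[ "$(id -u)" != "0" ] && die "Error: You must be root to run this script"

#CheckOS
# Same tests, in the same order, as the installer uses to pick yum or apt.
lsb_id=$(lsb_release -is 2>/dev/null)
if issue_has 'Aliyun Linux release' || [ -e /etc/redhat-release ] \
  || issue_has 'Amazon Linux AMI release' || [ -e /etc/system-release ]; then
  OS=CentOS
elif issue_has 'bian' || [ "$lsb_id" = "Debian" ] \
  || issue_has 'Deepin' || [ "$lsb_id" = "Deepin" ] \
  || issue_has 'Kali GNU/Linux Rolling' || [ "$lsb_id" = "Kali" ]; then
  OS=Debian
elif issue_has 'Ubuntu' || [ "$lsb_id" = "Ubuntu" ] || issue_has 'Linux Mint' \
  || issue_has 'elementary' || [ "$lsb_id" = 'elementary' ]; then
  OS=Ubuntu
else
  die "Does not support this OS, Please contact the author! "
fi

# Stop the service before removing it.
# NOTE(review): a clean stop is expected to let fail2ban withdraw the firewall
# rules it added - check with `iptables -S` afterwards.
service fail2ban stop

if [ "$OS" = CentOS ]; then
  yum -y remove fail2ban
else
  apt-get -y remove fail2ban
fi

# Removes every local jail and filter under this directory, including any
# jail.local backups kept there.
rm -rf /etc/fail2ban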
方案2
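# -O pins the output name. This script is also called fail2ban.sh, like the
# installer from the first method: without -O, wget keeps an existing
# fail2ban.sh and saves this one as fail2ban.sh.1, and bash would then run the
# other project's script. The URL tracks the mutable master branch and the
# script runs as root: read the downloaded file before executing it.
wget -O fail2ban.sh "https://raw.githubusercontent.com/qinghuas/fail2ban/master/fail2ban.sh" && bash fail2ban.sh install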
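#!/bin/bash
# from https://github.com/qinghuas/fail2ban
#
# Management wrapper for fail2ban with a single [ssh-iptables] jail.
# Usage: bash fail2ban.sh {install|uninstall|status|blocklist|unlock|more|
#                          runlog|start|stop|restart}
# install, uninstall and the service commands need root.
#
# Changes against the original:
#   * the retry count and ban hours must be positive integers, otherwise the
#     defaults are used (a non-numeric answer used to leave bantime empty);
#   * the jail bans the port found in sshd_config, falling back to "ssh";
#   * the IP handed to `unbanip` is quoted so it reaches fail2ban-client as
#     one argument;
#   * an unsupported system stops the install instead of falling through;
#   * CentOS without systemd restarts the `sshd` service (was `ssh`);
#   * apt-get update runs before the Debian/Ubuntu install.

# Set $release to centos, debian or ubuntu; it stays unset when none of the
# probes match.
CHECK_OS(){
  if [[ -f /etc/redhat-release ]]; then
    release="centos"
  elif grep -q -E -i "debian" /etc/issue 2>/dev/null; then
    release="debian"
  elif grep -q -E -i "ubuntu" /etc/issue 2>/dev/null; then
    release="ubuntu"
  elif grep -q -E -i "centos|red hat|redhat" /etc/issue 2>/dev/null; then
    release="centos"
  elif grep -q -E -i "debian" /proc/version 2>/dev/null; then
    release="debian"
  elif grep -q -E -i "ubuntu" /proc/version 2>/dev/null; then
    release="ubuntu"
  elif grep -q -E -i "centos|red hat|redhat" /proc/version 2>/dev/null; then
    release="centos"
  fi
}

# Ask for the failure threshold and the ban length in hours.
# Sets BLOCKING_THRESHOLD, BLOCKING_TIME_H and BLOCKING_TIME_S (seconds).
# Only positive integers without leading zeros are accepted, because both
# values are written into jail.local; anything else selects the default.
GET_SETTING_FAIL2BAN_INFO(){
  read -r -p "允许SSH登陆失败次数,默认10:" BLOCKING_THRESHOLD
  if [[ ! ${BLOCKING_THRESHOLD} =~ ^[1-9][0-9]{0,8}$ ]]; then
    if [[ -n ${BLOCKING_THRESHOLD} ]]; then
      echo "输入无效,使用默认值10." >&2
    fi
    BLOCKING_THRESHOLD='10'
  fi

  read -r -p "SSH登陆失败次数超过${BLOCKING_THRESHOLD}次时,封禁时长(h),默认8760:" BLOCKING_TIME_H
  if [[ ! ${BLOCKING_TIME_H} =~ ^[1-9][0-9]{0,8}$ ]]; then
    if [[ -n ${BLOCKING_TIME_H} ]]; then
      echo "输入无效,使用默认值8760." >&2
    fi
    BLOCKING_TIME_H='8760'
  fi

  BLOCKING_TIME_S=$(( BLOCKING_TIME_H * 3600 ))
}

# Install the package unless jail.local already exists (the script's marker
# for "already installed").
INSTALL_FAIL2BAN(){
  if [ ! -e /etc/fail2ban/jail.local ]; then
    CHECK_OS
    case "${release}" in
      centos)
        GET_SETTING_FAIL2BAN_INFO
        yum -y install epel-release
        yum -y install fail2ban
        ;;
      debian|ubuntu)
        GET_SETTING_FAIL2BAN_INFO
        apt-get -y update
        apt-get -y install fail2ban
        ;;
      *)
        # Stop here: nothing was installed, so there is nothing to configure.
        echo "请使用CentOS,Debian,Ubuntu系统."
        exit 1
        ;;
    esac
  else
    echo "fail2ban已经安装了."
    exit
  fi
}

# Stop the service, remove the package and delete jail.local.
REMOVE_FAIL2BAN(){
  if [ -e /etc/fail2ban/jail.local ]; then
    CHECK_OS
    case "${release}" in
      centos)
        service fail2ban stop
        yum -y remove fail2ban
        rm -rf /etc/fail2ban/jail.local
        ;;
      debian|ubuntu)
        service fail2ban stop
        apt-get -y remove fail2ban
        rm -rf /etc/fail2ban/jail.local
        ;;
    esac
  else
    echo "fail2ban尚未安装."
    exit
  fi
}

# Write /etc/fail2ban/jail.local from BLOCKING_THRESHOLD / BLOCKING_TIME_S and
# restart fail2ban and sshd.
SETTING_FAIL2BAN(){
  local default_maxretry logpath ssh_port=""
  CHECK_OS
  case "${release}" in
    centos)
      default_maxretry=3
      logpath=/var/log/secure
      ;;
    debian|ubuntu)
      default_maxretry=${BLOCKING_THRESHOLD}
      # NOTE(review): hosts that log sshd only to the journal may not have
      # this file; such a jail would need `backend = systemd` - confirm on the
      # target release.
      logpath=/var/log/auth.log
      ;;
    *)
      return
      ;;
  esac

  if [ ! -d /etc/fail2ban ]; then
    echo "fail2ban安装失败." >&2
    exit 1
  fi

  # The iptables action blocks only the port named in the jail, so use the
  # port sshd is configured for. Only the first Port line is read; with no
  # Port line the service name "ssh" is kept, as in the original.
  if [ -r /etc/ssh/sshd_config ]; then
    ssh_port=$(awk '/^Port/ {print $2; exit}' /etc/ssh/sshd_config)
  fi
  [[ ${ssh_port} =~ ^[0-9]{1,5}$ ]] || ssh_port=ssh

  cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = ${default_maxretry}
findtime = 1800

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=${ssh_port}, protocol=tcp]
logpath = ${logpath}
maxretry = ${BLOCKING_THRESHOLD}
findtime = 3600
bantime = ${BLOCKING_TIME_S}
EOF

  case "${release}" in
    centos)
      if command -v systemctl >/dev/null 2>&1; then
        systemctl restart fail2ban
        systemctl enable fail2ban
        systemctl restart sshd
      else
        service fail2ban restart
        chkconfig fail2ban on
        service sshd restart
      fi
      ;;
    debian|ubuntu)
      service fail2ban restart
      service ssh restart
      ;;
  esac
}

# Follow the authentication log that the jail reads.
VIEW_RUN_LOG(){
  CHECK_OS
  case "${release}" in
    centos)
      tail -f /var/log/secure
      ;;
    debian|ubuntu)
      tail -f /var/log/auth.log
      ;;
  esac
}

case "${1}" in
  install)
    INSTALL_FAIL2BAN
    SETTING_FAIL2BAN
    ;;
  uninstall)
    REMOVE_FAIL2BAN
    ;;
  status)
    echo -e "\033[41;37m【进程】\033[0m"
    ps aux | grep fail2ban
    echo
    echo -e "\033[41;37m【状态】\033[0m"
    fail2ban-client ping
    echo
    echo -e "\033[41;37m【Service】\033[0m"
    service fail2ban status
    ;;
  blocklist|bl)
    if [ -e /etc/fail2ban/jail.local ]; then
      fail2ban-client status ssh-iptables
    else
      echo "fail2ban尚未安装."
      exit
    fi
    ;;
  unlock|ul)
    if [ -e /etc/fail2ban/jail.local ]; then
      UNLOCK_IP=${2}
      if [[ -z ${UNLOCK_IP} ]]; then
        read -r -p "请输入需要解封的IP:" UNLOCK_IP
        if [[ -z ${UNLOCK_IP} ]]; then
          echo "不允许空值,请重试."
          exit
        fi
      fi
      # Quoted so the value is passed as exactly one argument.
      fail2ban-client set ssh-iptables unbanip "${UNLOCK_IP}"
    else
      echo "fail2ban尚未安装."
      exit
    fi
    ;;
  more)
    echo "【参考文章】
https://www.fail2ban.org
https://linux.cn/article-5067-1.html

【更多命令】
fail2ban-client -h"
    ;;
  runlog)
    VIEW_RUN_LOG
    ;;
  start)
    service fail2ban start
    ;;
  stop)
    service fail2ban stop
    ;;
  restart)
    service fail2ban restart
    ;;
  *)
    echo "bash fail2ban.sh {install|uninstall|runlog|more}"
    echo "bash fail2ban.sh {start|stop|restart|status}"
    echo "bash fail2ban.sh {blocklist|unlock}"
    ;;
esac
#END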