
Aggressive Fail2ban SSH configuration notes

This setup is for SSH with both key and password authentication enabled. If only key authentication is enabled, the [sshd] section in jail.local can be removed; the remaining jail still blocks probing from other malicious servers, which makes up for [sshd] only acting on password logins.

  1. Install the required packages

sudo apt update && sudo apt install fail2ban nftables -y

  2. Check the action definition file

ls -l /etc/fail2ban/action.d/nftables-allports.conf

Check that the required action file nftables-allports.conf exists.

  3. Create jail.local

sudo nano /etc/fail2ban/jail.local

[sshd]
enabled  = true
backend   = systemd
chain     = input
ignoreip  = 127.0.0.1/8 ::1

filter   = sshd
port     = ssh
maxretry = 3
findtime = 1h
bantime  = 1w

banaction = nftables-allports
action    = %(banaction)s[name=%(__name__)s, protocol="tcp,udp", chain="input"]

mode = aggressive
bantime.increment = true
bantime.factor    = 2
bantime.maxtime   = 64w

[sshd-malicious]
enabled  = true
backend   = systemd
chain     = input
ignoreip  = 127.0.0.1/8 ::1

filter   = sshd-malicious
port     = ssh
maxretry = 5
findtime = 1d
bantime  = 1w

banaction = nftables-allports
action    = %(banaction)s[name=%(__name__)s, protocol="tcp,udp", chain="input"]

bantime.increment = true
bantime.factor    = 2
bantime.maxtime   = 64w

  4. Create the filter definition file

sudo nano /etc/fail2ban/filter.d/sshd-malicious.conf

[INCLUDES]
before = common.conf

[Definition]

# Match both the main sshd process and the per-session sshd-session process
_daemon = (?:sshd|sshd-session)

# Guards against attackers scanning the SSH service (reproduce with ssh-keyscan).
# This rule is very aggressive; use with caution. It is kept disabled here:
#            ^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]\s*$

# Client disconnects at the SSH protocol layer ("Bye Bye")
failregex = ^%(__prefix_line)sReceived disconnect from <HOST> port \d+:11: Bye Bye \[preauth\]\s*$
            # Brute-force attempts using an existing user name
            ^%(__prefix_line)sDisconnected from authenticating user \S+ <HOST> port \d+ \[preauth\]\s*$
            ^%(__prefix_line)sConnection closed by authenticating user \S+ <HOST> port \d+ \[preauth\]\s*$
            # Brute-force attempts using a non-existent user name
            ^%(__prefix_line)sDisconnected from invalid user \S+ <HOST> port \d+ \[preauth\]\s*$
            ^%(__prefix_line)sInvalid user \S+ from <HOST> port \d+\s*$
            ^%(__prefix_line)sConnection closed by invalid user \S+ <HOST> port \d+ \[preauth\]\s*$
            # Clients that connect and then do nothing, tying up a connection slot (reproduce with: nc HOST-IP SSH-PORT)
            ^%(__prefix_line)sTimeout before authentication for connection from <HOST> to \S+, pid = \d+\s*$
            # Clients offering only unsupported algorithms (reproduce with ssh-keyscan); the algorithm class in the message can be several words (e.g. "key exchange method"), so it is matched with .+? rather than \S+
            ^%(__prefix_line)sUnable to negotiate with <HOST> port \d+: no matching .+? found\. Their offer: .*\s*$
            # Clients sending malformed data to the SSH port (reproduce with: echo "GET / HTTP/1.1" | nc <target IP> <target port>)
            ^%(__prefix_line)sbanner exchange: Connection from <HOST> port \d+: invalid format\s*$
            # Clients using a wrong protocol version (reproduce with: nmap -Pn -sV --script ssh* <target IP> -p <target port>)
            ^%(__prefix_line)sbanner exchange: Connection from <HOST> port \d+: could not read protocol version\s*$

  5. Enable and check Fail2ban

sudo systemctl enable fail2ban

sudo systemctl restart fail2ban

sudo systemctl status fail2ban

  6. View the ban lists:

sudo fail2ban-client status sshd

sudo fail2ban-client status sshd-malicious
