Using fail2ban to block IPs probing a shadowsocks-libev server

Install fail2ban
apt-get install fail2ban -y

Create the filter rule /etc/fail2ban/filter.d/shadowsocks.conf

[INCLUDES]

before = common.conf

[Definition]

_daemon = ss-server

failregex = ^%(__prefix_line)s.*ERROR: failed to handshake with <HOST>: (?:authentication error$|malicious fragmentation$)

ignoreregex =

datepattern = %%Y-%%m-%%d %%H:%%M:%%S

failregex is the pattern to match. shadowsocks-libev has no log file of its own; its messages end up in /var/log/syslog. A typical authentication-failure line looks like "2021-05-02 14:17:35 ERROR: failed to handshake with 1.2.3.4: authentication error", so the pattern only has to match the IP 1.2.3.4 in that line (the group is a non-capturing "(?:...)"; the alternation covers both failure messages).

https://github.com/fail2ban/fail2ban/issues/2375 notes that testing the rule with fail2ban-regex directly has some problems; it is best to use the form fail2ban-regex 'line or file to check' '/path/to/your-filter.conf', i.e.:

fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/shadowsocks.conf --print-all-matched

to see which lines were matched.
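To show what the filter above actually picks out of syslog, here is an added example (not part of the original post) that applies the same failregex in Python to a few constructed syslog lines, counts failed handshakes per source IP, and applies the post's maxretry setting. The syslog prefix pattern and the <HOST> pattern are simplified stand-ins for fail2ban's __prefix_line from common.conf and its <HOST> expansion.

```python
import re
from collections import Counter

# Simplified stand-in for common.conf's %(__prefix_line)s: syslog date, hostname,
# "ss-server[pid]:". fail2ban's real prefix is more general than this.
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+ss-server\[\d+\]:\s+)?"
# Simplified stand-in for fail2ban's <HOST> (IPv4/IPv6 literal).
HOST = r"(?P<host>[0-9a-fA-F:.]+)"
# The failregex from the filter, with the placeholders expanded.
FAILREGEX = re.compile(
    "^" + PREFIX_LINE
    + r".*ERROR: failed to handshake with " + HOST
    + r": (?:authentication error$|malicious fragmentation$)"
)

# Constructed sample log lines (assumption: ss-server output captured by syslog).
SAMPLE_SYSLOG = """\
May  2 14:17:35 vps ss-server[812]: 2021-05-02 14:17:35 ERROR: failed to handshake with 1.2.3.4: authentication error
May  2 14:17:36 vps ss-server[812]: 2021-05-02 14:17:36 ERROR: failed to handshake with 5.6.7.8: malicious fragmentation
May  2 14:17:37 vps ss-server[812]: 2021-05-02 14:17:37 INFO: accept a connection
May  2 14:17:38 vps sshd[900]: Failed password for root from 9.9.9.9 port 2222 ssh2
May  2 14:17:39 vps ss-server[812]: 2021-05-02 14:17:39 ERROR: failed to handshake with 1.2.3.4: authentication error
"""


def match_host(line):
    """Return the source IP if the line matches the filter, otherwise None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def count_failures(log_text):
    """Count failed handshakes per source IP, as fail2ban does inside findtime."""
    counts = Counter()
    for line in log_text.splitlines():
        host = match_host(line)
        if host:
            counts[host] += 1
    return counts


def hosts_to_ban(counts, maxretry=1):
    """IPs that reached maxretry failures (the post uses maxretry = 1)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    failures = count_failures(SAMPLE_SYSLOG)
    print(dict(failures))          # {'1.2.3.4': 2, '5.6.7.8': 1}
    print(hosts_to_ban(failures))  # ['1.2.3.4', '5.6.7.8']
```

Only the two ss-server handshake failures match; the INFO line and the sshd line are ignored, which is what fail2ban-regex --print-all-matched should show for the real filter.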

Create the jail /etc/fail2ban/jail.d/01-jails.conf

[shadowsocks]
enabled = true
port    = Your Port
logpath  = /var/log/syslog

Create the default settings in /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = # IPs to ignore
maxretry = 1 # number of connection attempts allowed; here I only let an IP try once.
bantime = 31536000 # ban duration; I give them one year!!!
findtime = 31536000 # window in which the attempts are counted; also one year!!!

Start the service

systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban

References:
Protecting shadowsocks-libev with fail2ban (用fail2ban保护shadowsocks-libev)
failregex bug? (https://github.com/fail2ban/fail2ban/issues/2375)
