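1. Introduction

fail2ban is a utility that monitors your system logs, matches error messages in them (by regular expression), and performs the corresponding blocking action.

In companies, quite a few people leave root login open, which gives attackers an opportunity for brute-force attempts; root is the well-known superuser account. Even if a brute-force attempt does not succeed, it keeps your Linux host busy answering, so the load on the host becomes very high. What can we do to control this? The experiment below briefly shows how to use the fail2ban tool; readers who want to go deeper should consult the official fail2ban documentation for the detailed operations.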

2. Lab environment

OS: CentOS6.4_x64

Version: fail2ban-0.8.14.tar.gz

IP: 192.168.182.128

3. Installation

First install the dependency packages

yum install vim gcc gcc-c++ wget -y
yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes -y

Download the fail2ban package; the official site is http://www.fail2ban.org/wiki/index.php/Main_Page

tar zxvf fail2ban-0.8.14.tar.gz
cd fail2ban-0.8.14
python setup.py install

The default installation path is /etc/fail2ban; jail.conf is the main configuration file.

vim /etc/fail2ban/jail.conf

#### Changes ######
# Global settings, in the [DEFAULT] section
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
# Ban for 300 seconds (5 minutes)
bantime = 300

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# Detection window of 10 minutes
findtime = 600

# "maxretry" is the number of failures before a host get banned.
# Three failures
maxretry = 3

[ssh-iptables]

# Enable the ssh-iptables jail
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
# Log file where SSH logins are recorded by default
logpath = /var/log/secure
maxretry = 3

If three failed SSH logins are detected within 10 minutes, the source is banned for 5 minutes.
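The interaction of findtime, maxretry and bantime can be replayed offline. The following is an added example, not code from the original post or from fail2ban itself: the single regular expression is a simplified stand-in for the sshd filter, and the log lines, the function name `simulate` and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.conf excerpt above.
FINDTIME, MAXRETRY, BANTIME = 600, 3, 300
# Simplified stand-in for the sshd filter (assumption): one failure pattern only.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) "
)

# Constructed /var/log/secure lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 12 06:40:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 12 06:40:05 host sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 12 06:40:09 host sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 12 06:41:00 host sshd[2010]: Accepted password for admin from 198.51.100.4 port 51000 ssh2
Mar 12 06:50:00 host sshd[2020]: Failed password for invalid user test from 198.51.100.9 port 52000 ssh2
Mar 12 06:55:00 host sshd[2021]: Failed password for invalid user test from 198.51.100.9 port 52001 ssh2
Mar 12 07:01:00 host sshd[2022]: Failed password for invalid user test from 198.51.100.9 port 52002 ssh2
"""

def simulate(log_text, year=2015):
    """Return (ip, ban_start, ban_end) per ban; syslog has no year, so one is assumed."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}              # ip -> time at which the ban is lifted
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned, the firewall rule is already in place
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # this failure is older than findtime, forget it
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, f"{ts:%H:%M:%S}", f"{banned_until[ip]:%H:%M:%S}"))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

Only 203.0.113.7 is banned: the three failures from 198.51.100.9 are spread over 11 minutes, so no more than two of them ever fall inside one 600-second window, which is the case to keep in mind when choosing findtime.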

With the configuration done, how do we start a program that was installed from source? First, add it to the system's startup services.

[root@129-Slave fail2ban-0.8.14]# grep chkconfig ./* -R --color
./files/redhat-initd:# chkconfig: - 92 08
[root@129-Slave fail2ban-0.8.14]# cp ./files/redhat-initd /etc/init.d/fail2ban
[root@129-Slave fail2ban-0.8.14]# /etc/init.d/fail2ban start
Starting fail2ban: WARNING Wrong value for 'enabled' in 'ssh-iptables'. Using default one: ''false''

                                                       [  OK  ]

[root@129-Slave fail2ban-0.8.14]# ps -aux | grep fail2ban
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root 1533 0.4 1.6 342148 8404 ? Sl 06:37 0:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
root 1558 0.0 0.1 103248 868 pts/0 S+ 06:37 0:00 grep fail2ban

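As the output shows, a fail2ban process is now running. Note the WARNING printed at startup: when fail2ban cannot parse the value of enabled for a jail, it falls back to false and that jail stays disabled, so the value must be a correctly spelled boolean such as true. Now let's test.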

[root@129-Slave fail2ban-0.8.14]# ssh 192.168.182.129
The authenticity of host '192.168.182.129 (192.168.182.129)' can't be established.
RSA key fingerprint is 29:90:34:7b:a0:05:99:af:79:91:0e:ed:86:ad:cf:75.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.182.129' (RSA) to the list of known hosts.
root@192.168.182.129's password:
Permission denied, please try again.
root@192.168.182.129's password:
Permission denied, please try again.
root@192.168.182.129's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@129-Slave fail2ban-0.8.14]# ssh 192.168.182.129
ssh: connect to host 192.168.182.129 port 22: Connection refused

######## Here I deliberately entered the wrong password 3 times; you can see that my second connection attempt was locked out immediately. #########

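On deepin, the sshd service does not have port 22 open by default; we need to open it manually, as follows:

Run this command to check whether port 22 is open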

sudo lsof -i:22

If the check returns nothing, port 22 is not open;

Edit the configuration file with vim

sudo vim /etc/ssh/sshd_config

Uncomment the following two lines in the file

#Port 22

#ListenAddress 0.0.0.0

Save and exit

Restart ssh

sudo /etc/init.d/ssh restart

Run the command again to check whether the port is open

sudo lsof -i:22

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    34720 root    3u  IPv4 182647      0t0  TCP *:ssh (LISTEN)

The output above shows that the port is open; now try whether remote login works.

Matplotlib is a MATLAB-like plotting tool for Python, but when importing Matplotlib in python3 I ran into several errors, which I record here.
The source code is as follows:

import pandas as pd
import matplotlib.pyplot as plt

air_quality = pd.read_csv("air_quality_no2.csv", index_col=0, parse_dates=True)
print(f'打印空气质量表:\n {air_quality}')

plt.plot(air_quality)
plt.show()

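Error 1: Matplotlib is currently using agg, which is a non-GUI backend, so cannot show the figure.

Solution: after importing Matplotlib, add the statement matplotlib.use('TkAgg'); note that it must be added at the end of the imports, as in the code below.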

import pandas as pd
import matplotlib
import matplotlib.pyplot as plt
matplotlib.use('TkAgg')  # added at the end

air_quality = pd.read_csv("air_quality_no2.csv", index_col=0, parse_dates=True)
print(f'打印空气质量表:\n {air_quality}')

plt.plot(air_quality)
plt.show()

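Error 2: After adding matplotlib.use('TkAgg') as above, the previous error no longer appears,
but a different one is reported: ModuleNotFoundError: No module named 'tkinter'

Solution: Errors like this are usually solved by installing and importing the corresponding package, but searching in PyCharm's add-package dialog did not find a tkinter package, and installing from the terminal with pip3 install tkinter also reported that no such package exists.

A web search showed that it can be installed as follows: sudo apt install python3-tk. Before installing, you can run sudo apt search python3-tk to check whether it is already installed.

After the installation finishes, run the code again and the figure is generated normally.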

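Appending .nip.io directly to an IP address gives a hostname that resolves to that IP; for example, 15.165.175.249.nip.io points to this IP, and once that domain name is bound to the website it can be accessed.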

nip.io
Dead simple wildcard DNS for any IP Address
Stop editing your etc/hosts file with custom hostname and IP address mappings.

nip.io allows you to do that by mapping any IP Address to a hostname using the following formats:

Without a name:

10.0.0.1.nip.io maps to 10.0.0.1
192-168-1-250.nip.io maps to 192.168.1.250
0a000803.nip.io maps to 10.0.8.3

With a name:

app.10.8.0.1.nip.io maps to 10.8.0.1
app-116-203-255-68.nip.io maps to 116.203.255.68
app-c0a801fc.nip.io maps to 192.168.1.252
customer1.app.10.0.0.1.nip.io maps to 10.0.0.1
customer2-app-127-0-0-1.nip.io maps to 127.0.0.1
customer3-app-7f000101.nip.io maps to 127.0.1.1

nip.io maps <anything>[.-]<IP Address>.nip.io in "dot", "dash" or "hexadecimal" notation to the corresponding <IP Address>:

dot notation: magic.127.0.0.1.nip.io
dash notation: magic-127-0-0-1.nip.io
hexadecimal notation: magic-7f000001.nip.io

The "dash" and "hexadecimal" notation is especially useful when using services like LetsEncrypt as it's just a regular sub-domain of nip.io

About this service
nip.io is powered by PowerDNS with a simple, custom PipeBackend written in Python: backend.py

It's open source, licensed under Apache 2.0: https://github.com/exentriquesolutions/nip.io — pull requests are welcome.

This is a free service provided by Exentrique Solutions (the same people who run XP-Dev.com which offer Git, Mercurial and Subversion hosting).

Feedback is appreciated, just raise an issue in GitHub.

Troubleshooting
DNS Rebinding Protection
Some DNS resolvers, forwarders and routers have DNS rebinding protection which may result in failure to resolve local and private IP addresses. This service won't work in those situations.
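
The three notations listed above, and the rebinding-protection caveat, can be checked locally before relying on a name. This is an added example, not nip.io's backend.py: the regular expressions are derived only from the formats shown on this page, and the function names `nip_to_ip` and `rebinding_protection_may_block` are hypothetical.

```python
import ipaddress
import re

# <anything>[.-]<IP Address> in the notations listed above; the IP is the last part.
NOTATIONS = (
    # dot notation, e.g. magic.127.0.0.1
    (re.compile(r"(?:^|[.-])(\d{1,3}(?:\.\d{1,3}){3})$"), lambda s: s),
    # dash notation, e.g. magic-127-0-0-1
    (re.compile(r"(?:^|[.-])(\d{1,3}(?:-\d{1,3}){3})$"), lambda s: s.replace("-", ".")),
    # hexadecimal notation, e.g. magic-7f000001
    (re.compile(r"(?:^|[.-])([0-9a-f]{8})$"), lambda s: int(s, 16)),
)


def nip_to_ip(hostname, zone="nip.io"):
    """Return the IPv4Address a nip.io-style name maps to, or None."""
    name = hostname.lower().rstrip(".")
    if not name.endswith("." + zone):
        return None
    prefix = name[: -(len(zone) + 1)]
    for pattern, convert in NOTATIONS:
        match = pattern.search(prefix)
        if match:
            try:
                return ipaddress.IPv4Address(convert(match.group(1)))
            except ipaddress.AddressValueError:
                return None  # e.g. an octet above 255
    return None


def rebinding_protection_may_block(hostname):
    """True if the name maps to a loopback, private or link-local address."""
    ip = nip_to_ip(hostname)
    return ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local)


if __name__ == "__main__":
    # Hostnames taken from the examples on this page.
    for host in ("app.10.8.0.1.nip.io", "app-116-203-255-68.nip.io",
                 "customer3-app-7f000101.nip.io", "15.165.175.249.nip.io"):
        print(host, nip_to_ip(host), rebinding_protection_may_block(host))
```

Names for which the second function returns True are the ones a resolver with DNS rebinding protection is likely to refuse, which is the failure described under Troubleshooting.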

Related Services
localtls: A DNS server in Python3 to provide TLS to webservices on local addresses. It resolves addresses such as '192-168-0-1.yourdomain.net' to 192.168.0.1 and has a valid TLS certificate for them.
sslip.io: Alternative to this service, supports IPv6 and custom domains.
local.gd: Alternative to this service, where everything is mapped to localhost/127.0.0.1.