การติดตั้ง fail2ban
Posted: 27 Feb 2026, 09:23
วิธีดู attempt attack หรือ login เข้า sshd
ใน /etc/fail2ban
แก้ไข file jail.conf
เพิ่ม file jail.local
ใน /etc/fail2ban/filter.d
เพิ่ม file sshd-invaliduser.conf
เพิ่ม file sshd-root.conf
restart fail2ban
วิธีดู status ของ fail2ban
วิธีดู banned ip
# Follow the auth log live and keep only sshd lines (failed/accepted logins, "Invalid user" attempts).
# NOTE(review): on journald-only hosts /var/log/auth.log may not exist -- confirm; `journalctl -f -u ssh` (unit may be named sshd) is the equivalent there.
tail -f /var/log/auth.log | grep 'sshd'
# Install fail2ban from the distribution repositories (apt => Debian/Ubuntu family).
sudo apt install fail2ban
แก้ไข file jail.conf
bantime = 10m
เป็น
bantime = 1h
maxretry = 5
เป็น
maxretry = 3
port = ssh
เป็น
port = <your-ssh-port>
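# jail.local -- local fail2ban jail overrides (presumably the jail.local the post
# says to add; read by fail2ban-server on top of jail.conf).
# Three jails, all watching sshd. Keys not set in a jail (bantime, findtime, action,
# ignoreip, ...) are inherited from [DEFAULT] in jail.conf / jail.local.
# NOTE(review): with maxretry = 1 a single mistyped username or one failed root
# login bans the source for the whole bantime; put the administrative addresses in
# `ignoreip = <admin-ip>` under [DEFAULT] so an operator cannot lock themselves out.

[sshd]
enabled = true
# Replace the placeholder with the port sshd listens on; the stock value `ssh`
# is correct when the daemon uses 22.
port = <your-ssh-port>
filter = sshd
# Plain file path; on journald-only hosts this file may be absent -- TODO confirm,
# in that case use %(sshd_log)s / %(sshd_backend)s as the two jails below do.
logpath = /var/log/auth.log
# three failures within findtime trigger a ban
maxretry = 3
bantime = 1h
# ban the source address on every port, not only the SSH port
action = iptables-allports

[sshd-invaliduser]
enabled = true
# one login attempt for a non-existent account is enough to ban
maxretry = 1
port = <your-ssh-port>
# no `filter =` here: fail2ban defaults the filter name to the jail name,
# so this uses filter.d/sshd-invaliduser.conf
# log path and backend are interpolated from [DEFAULT] (paths-*.conf)
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[sshd-root]
enabled = true
# one failed root login is enough to ban
maxretry = 1
port = <your-ssh-port>
# filter defaults to the jail name -> filter.d/sshd-root.conf
logpath = %(sshd_log)s
backend = %(sshd_backend)s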
เพิ่ม file sshd-invaliduser.conf
# filter.d/sshd-invaliduser.conf -- matches sshd "Invalid user" lines (login attempts
# for an account that does not exist) and captures the source address as <HOST>.
# NOTE(review): the stock sshd filter presumably matches these lines too; this
# separate filter exists so the jail can apply maxretry = 1 to them -- confirm.
[INCLUDES]
# shared __prefix_line definition (plus any overrides from common.local)
before = common.conf
[Definition]
_daemon = sshd
# "Invalid user <name> from <ip> port <n>"; leading I/i and the legacy "Illegal"
# spelling are both accepted, the trailing " port N" is optional
failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
# no lines are exempted
ignoreregex =
[Init]
# with backend = systemd, read only journal entries from the sshd unit/process
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
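# filter.d/sshd-root.conf -- matches failed password / public-key logins for the
# root account and captures the source address as <HOST>.
# NOTE(review): this is a detection layer only; `PermitRootLogin no` in sshd_config
# remains the primary control for direct root logins.
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = sshd
# "Failed password for root from <ip> port <n> ssh2" (or "Failed publickey ...");
# the " port N" and " sshN" suffixes are optional
failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$
# no lines are exempted
ignoreregex =

[Init]
# same journal restriction as sshd-invaliduser.conf, so the systemd backend only
# reads sshd entries instead of the whole journal
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd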
# Restart the service so the new jail.local and filter.d files are loaded.
sudo systemctl restart fail2ban
# Status of the sshd jail: currently/total failed counts, currently banned count and the banned IP list.
sudo fail2ban-client status sshd
หรือ แต่ละ filter เช่น
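# The jail is named sshd-invaliduser (as in jail.local); "ssh-invaliduser" fails because no such jail exists.
sudo fail2ban-client status sshd-invaliduser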
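# List every ban event. The trailing * also covers rotated logs (.1, .2.gz, ...), which is
# why zgrep is used instead of grep; 'Ban' is case-sensitive so "Unban" lines are not included,
# but "Restore Ban" lines written after a restart are.
sudo zgrep 'Ban' /var/log/fail2ban.log*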