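#!/usr/bin/env bash
# fail2ban.sh - interactive installer that sets up Fail2ban for sshd and can
# optionally change the sshd listening port. Must be run as root.
# The script uses bash-only constructs later on ((( )), [[ =~ ]], read -p),
# hence the explicit bash interpreter line.
clear
#CheckIfRoot
# Everything below edits files under /etc and installs packages, so stop early
# for non-root callers. The id output is quoted so an empty or unexpected value
# cannot break the test expression.
# NOTE(review): CFAILURE / CEND (and CWARNING further down) are never assigned
# in this script; they expand to nothing unless the caller exports them.
if [ "$(id -u)" != "0" ]; then
  echo "${CFAILURE}Error: You must be root to run this script${CEND}" >&2
  exit 1
fi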
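#ReadSSHPort
# Record the port sshd is currently configured with. Only the first line that
# starts with "Port" is used: sshd_config may carry several Port directives, and
# a multi-line value here would corrupt everything later built from ssh_port.
# A missing file, a missing directive or a non-numeric value falls back to 22.
ssh_port=$(awk '/^Port/ { print $2; exit }' /etc/ssh/sshd_config 2>/dev/null)
case "${ssh_port}" in
  '' | *[!0-9]*) ssh_port=22 ;;
esac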
#CheckOS
# Distribution detection. The branches are evaluated in order and the first
# match wins. Each branch sets OS to CentOS, Debian or Ubuntu plus one version
# variable. Only OS and CentOS_RHEL_version are read again later in this script;
# Debian_version and Ubuntu_version are assigned but not used afterwards.
# NOTE(review): the tests rely on `==` and `-o` inside `[ ]`, which bash accepts
# but POSIX sh does not guarantee.
# RHEL family: /etc/issue mentions Aliyun Linux, or /etc/redhat-release exists.
if [ -n "$(grep 'Aliyun Linux release' /etc/issue)" -o -e /etc/redhat-release ]; then
OS=CentOS
# Only major versions 5, 6 and 7 are recognised; on any other release
# CentOS_RHEL_version stays unset.
[ -n "$(grep ' 7\.' /etc/redhat-release)" ] && CentOS_RHEL_version=7
[ -n "$(grep ' 6\.' /etc/redhat-release)" -o -n "$(grep 'Aliyun Linux release6 15' /etc/issue)" ] && CentOS_RHEL_version=6
[ -n "$(grep ' 5\.' /etc/redhat-release)" -o -n "$(grep 'Aliyun Linux release5' /etc/issue)" ] && CentOS_RHEL_version=5
# Amazon Linux AMI, or any remaining system that has /etc/system-release, is
# handled as CentOS 6.
elif [ -n "$(grep 'Amazon Linux AMI release' /etc/issue)" -o -e /etc/system-release ]; then
OS=CentOS
CentOS_RHEL_version=6
# Debian: any /etc/issue containing the substring 'bian', or lsb_release
# reporting Debian.
elif [ -n "$(grep 'bian' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Debian" ]; then
OS=Debian
# When `which` prints nothing the test becomes `[ ! -e "" ]`, which is true, so
# lsb-release is installed with apt-get without asking the operator.
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
# Major version = text before the first dot of the release number.
Debian_version=$(lsb_release -sr | awk -F. '{print $1}')
# Deepin is handled exactly like Debian.
elif [ -n "$(grep 'Deepin' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Deepin" ]; then
OS=Debian
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
Debian_version=$(lsb_release -sr | awk -F. '{print $1}')
# Kali rolling: only a VERSION="2016..." entry in /etc/os-release is accepted
# and mapped to Debian 8.
elif [ -n "$(grep 'Kali GNU/Linux Rolling' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Kali" ]; then
OS=Debian
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
if [ -n "$(grep 'VERSION="2016.*"' /etc/os-release)" ]; then
Debian_version=8
else
echo "${CFAILURE}Does not support this OS, Please contact the author! ${CEND}"
# The script ends by sending SIGKILL to its own shell instead of calling exit,
# so no EXIT trap or chosen exit status applies.
kill -9 $$
fi
# Ubuntu, or Linux Mint according to /etc/issue.
elif [ -n "$(grep 'Ubuntu' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == "Ubuntu" -o -n "$(grep 'Linux Mint' /etc/issue)" ]; then
OS=Ubuntu
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
Ubuntu_version=$(lsb_release -sr | awk -F. '{print $1}')
# Linux Mint 18 is mapped to Ubuntu 16.
[ -n "$(grep 'Linux Mint 18' /etc/issue)" ] && Ubuntu_version=16
# elementary OS is handled as Ubuntu 16.
elif [ -n "$(grep 'elementary' /etc/issue)" -o "$(lsb_release -is 2>/dev/null)" == 'elementary' ]; then
OS=Ubuntu
[ ! -e "$(which lsb_release)" ] && { apt-get -y update; apt-get -y install lsb-release; clear; }
Ubuntu_version=16
else
# Nothing matched: report and end the script with SIGKILL (see the Kali branch).
echo "${CFAILURE}Does not support this OS, Please contact the author! ${CEND}"
kill -9 $$
fi
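#Read Information From The User
# Interactive step: greet the operator and optionally rewrite the Port
# directive in /etc/ssh/sshd_config.
# NOTE(review): this step only edits sshd_config. Nothing here opens the new
# port in a host firewall or adjusts SELinux port labelling, so keep the
# current session open and confirm a fresh login on the new port before
# closing it.
echo "Welcome to Fail2ban!"
echo "--------------------"
echo "This Shell Script can protect your server from SSH attacks with the help of Fail2ban and iptables"
echo ""
while :; do
  echo
  # -r keeps backslashes literal; a failed read (EOF, closed stdin) ends the
  # script instead of looping forever on the "input error" branch.
  read -r -p "Do you want to change your SSH Port? [y/n]: " IfChangeSSHPort || exit 1
  # The answer is quoted so an empty reply is compared as a string instead of
  # turning the test into a syntax error.
  if [ "${IfChangeSSHPort}" = 'y' ]; then
    if [ -e "/etc/ssh/sshd_config" ]; then
      # Offer the first configured Port as the default, or 22 when none is set.
      ssh_port=$(awk '/^Port/ { print $2; exit }' /etc/ssh/sshd_config)
      [ -z "${ssh_port}" ] && ssh_port=22
      while :; do
        echo
        read -r -p "Please input SSH port(Default: $ssh_port): " SSH_PORT || exit 1
        [ -z "$SSH_PORT" ] && SSH_PORT=$ssh_port
        # Accept one to five decimal digits and nothing else. The value is
        # later interpolated into a sed expression that rewrites sshd_config,
        # so spaces, test operators or sed delimiters must never reach it.
        if [[ "$SSH_PORT" =~ ^[0-9]{1,5}$ ]]; then
          SSH_PORT=$((10#$SSH_PORT)) # drop leading zeros, force base 10
          if ((SSH_PORT == 22 || (SSH_PORT > 1024 && SSH_PORT < 65535))); then
            break
          fi
        fi
        echo "${CWARNING}input error! Input range: 22,1025~65534${CEND}"
      done
      if ! grep -q '^Port' /etc/ssh/sshd_config; then
        # No active directive: add one below the commented "#Port" line, but
        # only when moving away from the default port.
        if [ "$SSH_PORT" != '22' ]; then
          sed -i "s@^#Port.*@&\nPort $SSH_PORT@" /etc/ssh/sshd_config
        fi
      else
        sed -i "s@^Port.*@Port $SSH_PORT@" /etc/ssh/sshd_config
      fi
    fi
    break
  elif [ "${IfChangeSSHPort}" = 'n' ]; then
    break
  else
    echo "${CWARNING}Input error! Please only input y or n!${CEND}"
  fi
done
# Keep the previously detected port when no new one was chosen; assigning
# $SSH_PORT unconditionally would blank ssh_port after an "n" answer.
ssh_port=${SSH_PORT:-$ssh_port}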
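# Ask for the retry limit and the ban duration, then normalise both.
# Empty answers select the defaults (3 attempts, 24 hours). Anything that is
# not a plain decimal number in range is rejected and replaced by the default:
# both values are written into jail.local, and bantime is also evaluated by
# shell arithmetic, so free-form text must not reach either place.
echo ""
read -r -p "Input the maximun times for trying [2-10]: " maxretry
echo ""
read -r -p "Input the lasting time for blocking a IP [hours]: " bantime
if [[ "${maxretry}" =~ ^[0-9]{1,2}$ ]] && ((10#${maxretry} >= 2 && 10#${maxretry} <= 10)); then
  maxretry=$((10#${maxretry})) # drop leading zeros, force base 10
else
  if [ -n "${maxretry}" ]; then
    echo "${CWARNING}Invalid retry count, using the default of 3${CEND}" >&2
  fi
  maxretry=3
fi
# Up to six digits keeps the hours-to-seconds product far from overflow. A ban
# of zero hours would make the jail pointless, so it is treated as invalid.
if [[ "${bantime}" =~ ^[0-9]{1,6}$ ]] && ((10#${bantime} > 0)); then
  bantime=$((10#${bantime}))
else
  if [ -n "${bantime}" ]; then
    echo "${CWARNING}Invalid ban time, using the default of 24 hours${CEND}" >&2
  fi
  bantime=24
fi
# fail2ban expects bantime in seconds.
bantime=$((bantime * 60 * 60))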
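#Install
# Install the fail2ban package with the distribution's package manager.
# A failed install of fail2ban itself stops the script: continuing would write
# a jail configuration and restart services for a package that is not there.
# Failures of the preparatory steps (epel-release, apt-get update) are tolerated
# because the fail2ban install that follows is what decides the outcome.
case "${OS}" in
  CentOS)
    yum -y install epel-release
    if ! yum -y install fail2ban; then
      echo "${CFAILURE}Error: installing fail2ban with yum failed${CEND}" >&2
      exit 1
    fi
    ;;
  Ubuntu | Debian)
    apt-get -y update
    if ! apt-get -y install fail2ban; then
      echo "${CFAILURE}Error: installing fail2ban with apt-get failed${CEND}" >&2
      exit 1
    fi
    ;;
esac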
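#Configure
# Write /etc/fail2ban/jail.local with one sshd jail using the iptables action.
# Differences between the two families, kept as in the original templates:
#   CentOS:        logpath /var/log/secure,   [DEFAULT] maxretry fixed at 3
#   Debian/Ubuntu: logpath /var/log/auth.log, [DEFAULT] maxretry = $maxretry
if [ "${OS}" = CentOS ]; then
  jail_logpath=/var/log/secure
  default_maxretry=3
else
  jail_logpath=/var/log/auth.log
  default_maxretry=$maxretry
fi
# Ban the port sshd really listens on. The previous fixed value "port=ssh"
# names the standard ssh service port, so after moving sshd to another port the
# ban rule would not cover the port that is being attacked. Fall back to the
# service name when no clean numeric port is available.
case "${ssh_port:-}" in
  '' | *[!0-9]*) jail_port=ssh ;;
  *) jail_port=$ssh_port ;;
esac
# The file is replaced wholesale; keep a copy of an existing configuration so
# local jails and ignoreip entries are not lost without trace.
if [ -f /etc/fail2ban/jail.local ]; then
  cp -p /etc/fail2ban/jail.local /etc/fail2ban/jail.local.bak
fi
rm -rf /etc/fail2ban/jail.local
# NOTE(review): ignoreip lists only the loopback address, so the operator's own
# address can be banned after repeated failed logins.
cat <<EOF > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = $default_maxretry
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=$jail_port, protocol=tcp]
logpath = $jail_logpath
maxretry = $maxretry
findtime = 3600
bantime = $bantime
EOF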
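#Start
# (Re)start fail2ban so it loads the new jail.local, and enable it at boot on
# the CentOS family. The restart status is checked: a syntax problem in
# jail.local or a missing log file can keep the service from starting, and the
# script must not go on to announce protection that is not active.
f2b_rc=0
if [ "${OS}" = CentOS ]; then
  # Quoted with a default so an undetected release falls through to the
  # SysV branch instead of producing a test syntax error.
  if [ "${CentOS_RHEL_version:-}" = 7 ]; then
    systemctl restart fail2ban || f2b_rc=$?
    systemctl enable fail2ban
  else
    service fail2ban restart || f2b_rc=$?
    chkconfig fail2ban on
  fi
fi
if [[ ${OS} =~ ^Ubuntu$|^Debian$ ]]; then
  service fail2ban restart || f2b_rc=$?
fi
if [ "${f2b_rc}" -ne 0 ]; then
  echo "${CFAILURE}Error: fail2ban failed to start (exit status ${f2b_rc}); check the service log and /etc/fail2ban/jail.local${CEND}" >&2
  exit 1
fi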
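#Finish
# Restart sshd so a changed Port takes effect, then print the closing banner.
echo "Finish Installing ! Reboot the sshd now !"
# Validate the configuration before restarting: sshd_config may have been
# edited above, and restarting with a broken file can leave the host without
# remote access. `sshd -t` only parses the configuration and checks the keys.
if command -v sshd > /dev/null 2>&1 && ! sshd -t; then
  echo "${CFAILURE}Error: sshd configuration test failed; sshd was not restarted${CEND}" >&2
  exit 1
fi
case "${OS}" in
  CentOS)
    if [ "${CentOS_RHEL_version:-}" = 7 ]; then
      systemctl restart sshd
    else
      # The SysV service on the RHEL family is named sshd; "ssh" is the
      # Debian/Ubuntu name and would leave the old port active here.
      service sshd restart
    fi
    ;;
  Ubuntu | Debian)
    service ssh restart
    ;;
esac
echo ""
echo 'Telegram Group: https://t.me/functionclub'
echo 'Google Puls: https://plus.google.com/communities/113154644036958487268'
echo 'Github: https://github.com/FunctionClub'
echo 'QQ Group:277717865'
echo "Fail2ban is now runing on this server now!"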