返回博客
五月 23, 2026指南

在 Linux 上安装并配置 Fail2ban

安装 Fail2ban 并通过 SSH 与 Nginx 监狱保护 VPS 免受暴力破解。

在 Linux 上安装并配置 Fail2ban

Fail2ban 监控日志并临时封禁表现出恶意行为的 IP,例如反复 SSH 登录失败。这是新 Hiddence VPS 上应优先安装的安全工具之一。

安装 Fail2ban

bash
# Ubuntu / Debian
sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# CentOS / RHEL / Alma / Rocky
sudo yum install epel-release -y
sudo yum install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

保护 SSH

创建本地配置文件(切勿直接编辑 jail.conf):

bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600

sudo systemctl restart fail2ban

保护 Nginx(可选)

封禁触发过多 404 或认证错误的 IP:

bash
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5

[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/access.log
maxretry = 6

查看已封禁 IP

bash
sudo fail2ban-client status
sudo fail2ban-client status sshd

# Unban an IP if needed:
sudo fail2ban-client set sshd unbanip 1.2.3.4

最佳实践

  • 使用 SSH 密钥而非密码以缩小攻击面
  • 更改默认 SSH 端口时需配合防火墙规则
  • 必要时将办公室 IP 加入 fail2ban ignoreip
  • 定期检查 /var/log/fail2ban.log
  • 与 UFW 或 Firewalld 配合使用