Although the server's database has been dockerized, for a number of reasons port 3306 still has to be exposed for access.
Once the IP and port are known, the service is an easy target for brute-force attacks, so fail2ban is used to deal with this.
[CentOS 7]
1. docker-compose.yaml for deploying fail2ban
version: "3"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    restart: unless-stopped
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      # MySQL log mapping; the container-side path must match the jail's logpath (/var/log/mysql/error.log)
      - /var/log/mysql:/var/log/mysql:ro
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "10"
2. Edit the configuration
vi /etc/fail2ban/jail.conf
[DEFAULT]
# Whitelist that is never banned; accepts IPs, CIDR ranges and DNS names
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = false

[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
# MariaDB's default error log, where failed logins are written
logpath = /var/log/mysql/error.log
# Count failures within a 10-minute window
findtime = 10m
# Ban after 5 failures
maxretry = 5
# Ban for 1 day
bantime = 1d
# Ban action: because Docker is in use, the chain must be "DOCKER-USER"
#action = iptables-allports[chain="DOCKER-USER"]
action = iptables[name=mysql, port=3306, protocol=tcp, chain="DOCKER-USER"]
3. Make it take effect on the Docker host
# Flush all rules in the filter table (this also removes the rules Docker itself installed)
iptables -F
# Delete all user-defined chains
iptables -X
# Create the DOCKER-USER chain and hook it into FORWARD
iptables -N DOCKER-USER
iptables -I FORWARD -j DOCKER-USER
Restart the container for the settings to take effect.
Caught one!
chttl-xxxxxxx:/# fail2ban-client status mysqld-auth
Status for the jail: mysqld-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/mysql/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   xxx.xxx.xxx.xxx
Check the iptables state: one IP has been blocked.
chttl-xxxxxxx:/# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target       prot opt source           destination

Chain FORWARD (policy ACCEPT)
num  target       prot opt source           destination
1    f2b-mysql    tcp  --  anywhere         anywhere         tcp dpt:mysql
2    DOCKER-USER  all  --  anywhere         anywhere
3    REJECT       all  --  xxx.xxx.xxx.xxx  anywhere         reject-with icmp-port-unreachable
4    RETURN       all  --  anywhere         anywhere

Chain OUTPUT (policy ACCEPT)
num  target       prot opt source           destination

Chain DOCKER-USER (ERROR obtaining refs)
num  target       prot opt source           destination
1    f2b-mysql    tcp  --  anywhere         anywhere         tcp dpt:mysql
2    DOCKER-USER  all  --  anywhere         anywhere
3    REJECT       all  --  xxx.xxx.xxx.xxx  anywhere         reject-with icmp-port-unreachable
4    RETURN       all  --  anywhere         anywhere

Chain f2b-mysql (ERROR obtaining refs)
num  target       prot opt source           destination
1    f2b-mysql    tcp  --  anywhere         anywhere         tcp dpt:mysql
2    DOCKER-USER  all  --  anywhere         anywhere
3    REJECT       all  --  xxx.xxx.xxx.xxx                   reject-with icmp-port-unreachable
4    RETURN       all  --  anywhere         anywhere
Appendix: useful iptables commands
# List the rules
iptables -L --line-numbers
# Insert a rule into chain DOCKER-USER that blocks an IP on port 3306
iptables -I DOCKER-USER -s xxx.xxx.xxx.xxx -p tcp --dport 3306 -j DROP
# Delete rule number 1 from chain DOCKER-USER
iptables -D DOCKER-USER 1
Appendix: useful fail2ban-client commands
# Ban an IP
fail2ban-client set mysqld-auth banip xxx.xxx.xxx.xxx
# Unban an IP
fail2ban-client set mysqld-auth unbanip xxx.xxx.xxx.xxx
# Show the jail's ban status
fail2ban-client status mysqld-auth
# Reload
fail2ban-client reload
# Unban all IPs (the status output separates the label and the IP list with a tab)
for ip in $(fail2ban-client status mysqld-auth | grep 'Banned IP list:' | awk 'BEGIN {FS="\t"} {print $2}' | sed 's/ /\n/g'); do fail2ban-client set mysqld-auth unbanip "$ip"; done
[Rocky 8]
1. docker-compose.yaml for deploying fail2ban
version: "3"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    restart: unless-stopped
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      # MySQL log mapping; the container-side path must match the jail's logpath (/var/log/mysql/error.log)
      - /var/log/mysql:/var/log/mysql:ro
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "10"
2. Edit the configuration
vi /etc/fail2ban/jail.conf
[DEFAULT]
# Whitelist that is never banned; accepts IPs, CIDR ranges and DNS names
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = false

[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
# MariaDB's default error log, where failed logins are written
logpath = /var/log/mysql/error.log
# Count failures within a 10-minute window
findtime = 10m
# Ban after 5 failures
maxretry = 5
# Ban for 1 day
bantime = 1d
# Ban action: because Docker is in use, the chain must be "DOCKER-USER"
#action = iptables-allports[chain="DOCKER-USER"]
action = iptables[name=mysql, port=3306, protocol=tcp, chain="DOCKER-USER"]
Restart the container for the settings to take effect.
Because iptables inside Docker is not isolated from the OS layer, the rules take effect directly; this is different from CentOS 7.
To check the captured IPs, refer to the CentOS 7 section above.
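As an added example (not part of the original post), the following Python simulates offline what the mysqld-auth jail configured in both the CentOS 7 and Rocky 8 sections does: match MariaDB "Access denied" lines, skip sources listed in ignoreip, and count failures per source inside a sliding findtime window of 10 minutes with maxretry 5. The regex is a simplified stand-in for fail2ban's own mysqld-auth filter, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Simplified stand-in for fail2ban's mysqld-auth failregex: MariaDB error-log lines such as
# "2024-05-01 10:00:00 42 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)"
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ \[Warning\] "
    r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'"
)
# The jail's ignoreip (strict=False because 127.0.0.1/8 has host bits set)
IGNOREIP = [ip_network(n, strict=False) for n in ("127.0.0.1/8", "::1")]

def would_ban(lines, findtime_min=10, maxretry=5, ignoreip=IGNOREIP):
    """Return the source hosts that reach maxretry failures inside a sliding findtime window."""
    findtime = timedelta(minutes=findtime_min)
    windows = defaultdict(deque)  # host -> timestamps of failures still inside the window
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # [Note] lines and other warnings are not login failures
        host = m.group("host")
        try:
            addr = ip_address(host)
        except ValueError:
            continue  # a hostname rather than an IP: cannot be checked against ignoreip offline
        if any(addr in net for net in ignoreip):
            continue  # whitelisted source, never counted
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = windows[host]
        q.append(ts)
        while ts - q[0] > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log (not a real capture): a fast brute-force source, a slow source that
# stays under the rate, whitelisted localhost noise, and two unrelated lines.
DENIED = "[Warning] Access denied for user '{u}'@'{h}' (using password: YES)"
SAMPLE_LOG = (
    [f"2024-05-01 10:0{i}:00 4{i} " + DENIED.format(u="root", h="203.0.113.5") for i in range(5)]
    + [f"2024-05-01 10:{i * 12:02d}:00 5{i} " + DENIED.format(u="app", h="198.51.100.7") for i in range(5)]
    + [f"2024-05-01 10:0{i}:30 6{i} " + DENIED.format(u="root", h="127.0.0.1") for i in range(6)]
    + ["2024-05-01 10:05:00 0 [Note] InnoDB: Buffer pool(s) load completed",
       "2024-05-01 10:05:01 70 [Warning] Aborted connection 70 to db: 'app' user: 'app' host: '203.0.113.9'"]
)
```

Calling would_ban(SAMPLE_LOG) returns only the fast source; lowering findtime_min to 3 lets the same five attempts through, which is why findtime and maxretry have to be tuned together.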