Fail2Ban blocks my IP address because of blocked traffic; how do I stop it from banning me?

I need to know what program or what specific rule is banning my IP, because this happens often while I am programming. Since I connect over the LAN, it bans my router's internal IP. Then, after about 10 minutes, it unbans the IP. I need to know what is doing this.

Here is the kernel log:

Jul 24 12:40:35 buntubox-001 kernel: [68405.371388] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:42:40 buntubox-001 kernel: [68530.812091] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:44:46 buntubox-001 kernel: [68656.252761] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:46:51 buntubox-001 kernel: [68781.693450] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:48:56 buntubox-001 kernel: [68907.134130] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:51:02 buntubox-001 kernel: [69032.574810] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:53:07 buntubox-001 kernel: [69158.015484] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:55:13 buntubox-001 kernel: [69283.456341] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:57:18 buntubox-001 kernel: [69408.896851] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 12:59:24 buntubox-001 kernel: [69534.337509] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:01:29 buntubox-001 kernel: [69659.778153] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:03:35 buntubox-001 kernel: [69785.218879] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:05:40 buntubox-001 kernel: [69910.659585] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:07:45 buntubox-001 kernel: [70036.100269] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:09:51 buntubox-001 kernel: [70161.540931] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:11:56 buntubox-001 kernel: [70286.981572] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:14:02 buntubox-001 kernel: [70412.422228] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:16:07 buntubox-001 kernel: [70537.862891] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:18:13 buntubox-001 kernel: [70663.303475] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Jul 24 13:20:18 buntubox-001 kernel: [70788.744104] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Here is the fail2ban log:

2017-07-24 06:25:17,215 fail2ban.server [1219]: INFO rollover performed on /var/log/fail2ban.log

2017-07-24 06:25:50,566 fail2ban.filter [1219]: INFO Log rotation detected for /var/log/auth.log

2017-07-24 06:27:31,632 fail2ban.filter [1219]: INFO [sshd] Found 177.129.242.80

2017-07-24 07:42:37,836 fail2ban.filter [1219]: INFO [sshd] Found 171.25.193.131

2017-07-24 07:44:27,693 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202

2017-07-24 07:44:27,760 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202

2017-07-24 08:17:01,802 fail2ban.filter [1219]: INFO [sshd] Found 119.193.140.164

2017-07-24 09:44:05,257 fail2ban.filter [1219]: INFO [sshd] Found 91.197.232.103

2017-07-24 13:09:25,355 fail2ban.filter [1219]: INFO [sshd] Found 218.68.140.168

And finally, here is my iptables -L:

root@buntubox-001:/var/www/html# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

DROP all -- 192.168.1.1 anywhere

f2b-sshd tcp -- anywhere anywhere multiport dports ssh

ufw-before-logging-input all -- anywhere anywhere

ufw-before-input all -- anywhere anywhere

ufw-after-input all -- anywhere anywhere

ufw-after-logging-input all -- anywhere anywhere

ufw-reject-input all -- anywhere anywhere

ufw-track-input all -- anywhere anywhere

 

Chain FORWARD (policy DROP)

target prot opt source destination

DROP all -- 192.168.1.1 anywhere

ufw-before-logging-forward all -- anywhere anywhere

ufw-before-forward all -- anywhere anywhere

ufw-after-forward all -- anywhere anywhere

ufw-after-logging-forward all -- anywhere anywhere

ufw-reject-forward all -- anywhere anywhere

ufw-track-forward all -- anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

ufw-before-logging-output all -- anywhere anywhere

ufw-before-output all -- anywhere anywhere

ufw-after-output all -- anywhere anywhere

ufw-after-logging-output all -- anywhere anywhere

ufw-reject-output all -- anywhere anywhere

ufw-track-output all -- anywhere anywhere

 

Chain f2b-sshd (1 references)

target prot opt source destination

RETURN all -- anywhere anywhere

 

Chain ufw-after-forward (1 references)

target prot opt source destination

 

Chain ufw-after-input (1 references)

target prot opt source destination

ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns

ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm

ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn

ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds

ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps

ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc

ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

 

Chain ufw-after-logging-forward (1 references)

target prot opt source destination

LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

 

Chain ufw-after-logging-input (1 references)

target prot opt source destination

LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

 

Chain ufw-after-logging-output (1 references)

target prot opt source destination

 

Chain ufw-after-output (1 references)

target prot opt source destination

 

Chain ufw-before-forward (1 references)

target prot opt source destination

ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

ACCEPT icmp -- anywhere anywhere icmp destination-unreachable

ACCEPT icmp -- anywhere anywhere icmp source-quench

ACCEPT icmp -- anywhere anywhere icmp time-exceeded

ACCEPT icmp -- anywhere anywhere icmp parameter-problem

ACCEPT icmp -- anywhere anywhere icmp echo-request

ufw-user-forward all -- anywhere anywhere

 

Chain ufw-before-input (1 references)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

ufw-logging-deny all -- anywhere anywhere ctstate INVALID

DROP all -- anywhere anywhere ctstate INVALID

ACCEPT icmp -- anywhere anywhere icmp destination-unreachable

ACCEPT icmp -- anywhere anywhere icmp source-quench

ACCEPT icmp -- anywhere anywhere icmp time-exceeded

ACCEPT icmp -- anywhere anywhere icmp parameter-problem

ACCEPT icmp -- anywhere anywhere icmp echo-request

ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc

ufw-not-local all -- anywhere anywhere

ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns

ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900

ufw-user-input all -- anywhere anywhere

 

Chain ufw-before-logging-forward (1 references)

target prot opt source destination

 

Chain ufw-before-logging-input (1 references)

target prot opt source destination

 

Chain ufw-before-logging-output (1 references)

target prot opt source destination

 

Chain ufw-before-output (1 references)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

ufw-user-output all -- anywhere anywhere

 

Chain ufw-logging-allow (0 references)

target prot opt source destination

LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

 

Chain ufw-logging-deny (2 references)

target prot opt source destination

RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10

LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

 

Chain ufw-not-local (1 references)

target prot opt source destination

RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST

RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10

DROP all -- anywhere anywhere

 

Chain ufw-reject-forward (1 references)

target prot opt source destination

 

Chain ufw-reject-input (1 references)

target prot opt source destination

 

Chain ufw-reject-output (1 references)

target prot opt source destination

 

Chain ufw-skip-to-policy-forward (0 references)

target prot opt source destination

DROP all -- anywhere anywhere

 

Chain ufw-skip-to-policy-input (7 references)

target prot opt source destination

DROP all -- anywhere anywhere

 

Chain ufw-skip-to-policy-output (0 references)

target prot opt source destination

ACCEPT all -- anywhere anywhere

 

Chain ufw-track-forward (1 references)

target prot opt source destination

 

Chain ufw-track-input (1 references)

target prot opt source destination

 

Chain ufw-track-output (1 references)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere ctstate NEW

ACCEPT udp -- anywhere anywhere ctstate NEW

 

Chain ufw-user-forward (1 references)

target prot opt source destination

 

Chain ufw-user-input (1 references)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT udp -- anywhere anywhere udp dpt:http

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

ACCEPT udp -- anywhere anywhere udp dpt:ssh

ACCEPT tcp -- anywhere anywhere tcp dpt:http /* 'dapp_Apache' */

ACCEPT all -- 192.168.1.1 anywhere

ACCEPT all -- 192.168.1.0/24 anywhere

 

Chain ufw-user-limit (0 references)

target prot opt source destination

LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "

REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

 

Chain ufw-user-limit-accept (0 references)

target prot opt source destination

ACCEPT all -- anywhere anywhere

 

Chain ufw-user-logging-forward (0 references)

target prot opt source destination

 

Chain ufw-user-logging-input (0 references)

target prot opt source destination

 

Chain ufw-user-logging-output (0 references)

target prot opt source destination

 

Chain ufw-user-output (1 references)

target prot opt source destination

Thanks in advance

Answer 1

The core problem here is multicast (according to your logs). IGMP stands for "Internet Group Management Protocol" and is the communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. In most networks it is not needed and can safely be ignored.

The IP address you see as the "destination" is the standard multicast address - 224.0.0.1. Your system is most likely trying to use IGMP, and to avoid this, set a rule earlier than the LOG rule that simply DROPs multicast packets. For example:

sudo iptables -I INPUT 1 -m pkttype --pkt-type multicast -j DROP

This will reduce the traffic and will not trigger a log entry - meaning Fail2Ban will not see a log message about it, so you can "drop" the traffic and F2B will ignore it, because it never learns about it from the log.

(Note that if you are using UFW, adding such a rule may be harder - UFW is not as versatile as straight iptables.)

Note that on Ubuntu, we have a PSAD box on one client's network and we just silently drop multicast traffic, because we don't really care about IGMP/multicast traffic on the network we are monitoring - we only trigger on other traffic we don't expect (for example, the regular network scanner we use to identify rogue systems that aren't ours is whitelisted in the ruleset and "DROP"ped, so PSAD and F2B don't see it).

Related external resource: https://ubuntuforums.org/archive/index.php/t-2231716.html
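Added example, not part of the question or the answer above: a small Python triage script that does the check a practitioner would want before touching the firewall, namely telling ufw's "[UFW BLOCK]" entries for dropped multicast apart from actual fail2ban bans. It parses the kernel lines written by ufw's LOG rules (the KEY=VALUE fields are what netfilter's LOG target emits; the MAC= field is destination MAC, source MAC, then ethertype) and fail2ban's Found/Ban/Unban log lines. The two kernel lines and the "Found" line are copied from the question (minus the trailing `$` of the paste); the Ban/Unban lines are constructed to show what a real ban looks like in fail2ban's default log format, and 203.0.113.7 is a documentation address. All function and variable names are my own.

```python
# Added triage helper: is the LAN IP really banned by fail2ban, or is ufw only logging dropped multicast?
import ipaddress
import re
from collections import Counter, defaultdict

# After ufw's "[UFW BLOCK] " prefix, netfilter LOG emits space-separated KEY=VALUE pairs.
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\]\s+(?P<fields>.*)")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")
# fail2ban.log: "<date> <time> fail2ban.<component> [<pid>]: <LEVEL> [<jail>] <Ban|Unban|Found> <ip>"
F2B_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) fail2ban\.(?P<component>\w+)\s+\[\d+\]:\s+"
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Ban|Unban|Found)\s+(?P<ip>\S+)"
)

def parse_ufw_block(line):
    """Fields of a '[UFW ...]' kernel line as a dict, or None. netfilter's MAC= field is
    dst-mac:src-mac:ethertype; 01:00:5e:00:00:01 is the IPv4 multicast MAC for 224.0.0.1."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    fields["action"] = m.group("action")
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"], fields["SRC_MAC"] = ":".join(octets[:6]), ":".join(octets[6:12])
        fields["ETHERTYPE"] = ":".join(octets[12:])  # 08:00 = IPv4
    return fields

def traffic_kind(dst):
    """'multicast' for 224.0.0.0/4 (where IGMP lives), 'broadcast', 'unicast' or 'unknown'."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return "unknown"
    if ip.is_multicast:
        return "multicast"
    return "broadcast" if dst == "255.255.255.255" else "unicast"

def summarize_ufw(kernel_lines):
    """Count blocked packets per (SRC, DST, kind); a repeating multicast row is the noise."""
    counts = Counter()
    for line in kernel_lines:
        f = parse_ufw_block(line)
        if f:
            counts[(f.get("SRC"), f.get("DST"), traffic_kind(f.get("DST", "")))] += 1
    return counts

def fail2ban_events(f2b_lines):
    """{ip: [(jail, event), ...]} in log order. 'Found' is only a filter match, not a ban."""
    events = defaultdict(list)
    for line in f2b_lines:
        m = F2B_RE.match(line)
        if m:
            events[m.group("ip")].append((m.group("jail"), m.group("event")))
    return events

def active_bans(f2b_lines):
    """(jail, ip) pairs with a Ban not yet followed by an Unban, i.e. what f2b-<jail> should hold."""
    active = set()
    for ip, evs in fail2ban_events(f2b_lines).items():
        for jail, event in evs:
            if event == "Ban":
                active.add((jail, ip))
            elif event == "Unban":
                active.discard((jail, ip))
    return active

def diagnose(kernel_lines, f2b_lines, my_ip):
    """For one address: what ufw blocked from it, how much multicast noise there is, what fail2ban did."""
    ufw = summarize_ufw(kernel_lines)
    return {
        "ufw_blocks_from_ip": sum(n for (src, _, _), n in ufw.items() if src == my_ip),
        "ufw_multicast_blocks": sum(n for (_, _, kind), n in ufw.items() if kind == "multicast"),
        "fail2ban_ever_banned": any(e == "Ban" for _, e in fail2ban_events(f2b_lines).get(my_ip, [])),
        "fail2ban_active_jails": sorted(j for j, ip in active_bans(f2b_lines) if ip == my_ip),
    }

# Sample input: kernel lines and the 'Found' line are from the question above; the Ban/Unban lines are
# CONSTRUCTED to show what a real ban looks like (203.0.113.7 is a documentation address).
KERNEL_LINES = [
    "Jul 24 12:40:35 buntubox-001 kernel: [68405.371388] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0",
    "Jul 24 12:42:40 buntubox-001 kernel: [68530.812091] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0",
]
F2B_LINES = [
    "2017-07-24 06:27:31,632 fail2ban.filter [1219]: INFO [sshd] Found 177.129.242.80",
    "2017-07-24 07:50:02,001 fail2ban.actions [1219]: NOTICE [sshd] Ban 203.0.113.7",   # constructed
    "2017-07-24 08:00:10,100 fail2ban.actions [1219]: NOTICE [sshd] Ban 192.168.1.1",   # constructed
    "2017-07-24 08:10:10,200 fail2ban.actions [1219]: NOTICE [sshd] Unban 192.168.1.1", # constructed
]

if __name__ == "__main__":
    for key, n in summarize_ufw(KERNEL_LINES).items():
        print("ufw dropped", n, "packets:", key)
    print(diagnose(KERNEL_LINES, F2B_LINES, "192.168.1.1"))
```

Against the real files this would be called as `diagnose(open("/var/log/kern.log").readlines(), open("/var/log/fail2ban.log").readlines(), "192.168.1.1")`. For the logs pasted in the question the result is the telling combination: `ufw_multicast_blocks` climbs every two minutes (the router's IGMP membership queries, sent from 0.0.0.0 to 224.0.0.1 and dropped by the INPUT policy), while there is no "Ban" line at all, which matches the f2b-sshd chain above holding nothing but RETURN. `fail2ban-client status sshd` and `iptables -S f2b-sshd` give the same answer live; only a "Ban" in fail2ban.log, or an entry in an f2b-* chain, means fail2ban actually banned the address.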
