我需要知道是什么程序或什么特定规则禁止了我的 IP,因为在我编程时经常发生这种情况。由于我通过 LAN 连接,它将禁止我的路由器内部 IP。然后在大约 10 分钟后,它会解除对 IP 的禁止。我需要知道是什么在做这件事。
这是内核日志,
Jul 24 12:40:35 buntubox-001 kernel: [68405.371388] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:42:40 buntubox-001 kernel: [68530.812091] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:44:46 buntubox-001 kernel: [68656.252761] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:46:51 buntubox-001 kernel: [68781.693450] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:48:56 buntubox-001 kernel: [68907.134130] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:51:02 buntubox-001 kernel: [69032.574810] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:53:07 buntubox-001 kernel: [69158.015484] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:55:13 buntubox-001 kernel: [69283.456341] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:57:18 buntubox-001 kernel: [69408.896851] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:59:24 buntubox-001 kernel: [69534.337509] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:01:29 buntubox-001 kernel: [69659.778153] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:03:35 buntubox-001 kernel: [69785.218879] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:05:40 buntubox-001 kernel: [69910.659585] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:07:45 buntubox-001 kernel: [70036.100269] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:09:51 buntubox-001 kernel: [70161.540931] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:11:56 buntubox-001 kernel: [70286.981572] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:14:02 buntubox-001 kernel: [70412.422228] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:16:07 buntubox-001 kernel: [70537.862891] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:18:13 buntubox-001 kernel: [70663.303475] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:20:18 buntubox-001 kernel: [70788.744104] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
以下是 fail2ban 日志:
2017-07-24 06:25:17,215 fail2ban.server [1219]: INFO rollover performed on /var/log/fail2ban.log
2017-07-24 06:25:50,566 fail2ban.filter [1219]: INFO Log rotation detected for /var/log/auth.log
2017-07-24 06:27:31,632 fail2ban.filter [1219]: INFO [sshd] Found 177.129.242.80
2017-07-24 07:42:37,836 fail2ban.filter [1219]: INFO [sshd] Found 171.25.193.131
2017-07-24 07:44:27,693 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 07:44:27,760 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 08:17:01,802 fail2ban.filter [1219]: INFO [sshd] Found 119.193.140.164
2017-07-24 09:44:05,257 fail2ban.filter [1219]: INFO [sshd] Found 91.197.232.103
2017-07-24 13:09:25,355 fail2ban.filter [1219]: INFO [sshd] Found 218.68.140.168
最后这是我的 iptables -L
root@buntubox-001:/var/www/html# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 192.168.1.1 anywhere
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 192.168.1.1 anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* 'dapp_Apache' */
ACCEPT all -- 192.168.1.1 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
提前致谢
答案1
这里的核心问题是多播(根据您的日志)。IGMP 代表“Internet 组管理协议”,是 IPv4 网络上的主机和相邻路由器用来建立多播组成员资格的通信协议。在大多数网络中,这不是必需的,可以安全地忽略。
您在“目的地”上看到的 IP 地址是标准多播地址 - 224.0.0.1
。您的系统很可能正在尝试使用 IGMP,为了避免这种情况,请设置规则较早而不是只对多播数据包执行 DROP 的 LOG 规则。例如:
sudo iptables -I INPUT 1 -m pkttype --pkt-type multicast -j DROP
这将减少流量,并且不是触发日志条目 - 这意味着 Fail2Ban 看不到有关它的日志消息,因此您可以“丢弃”流量,而 F2B 将忽略它,因为它从日志中不知道它。
(请注意,如果您使用 UFW,添加此类规则可能会更加困难 - UFW 不像直线那样通用iptables
- )
请注意,在 Ubuntu 上,我们在一个客户端的网络上有一个 PSAD 盒,我们只是默默地丢弃多播流量,因为我们并不真正关心我们正在监控的网络上 IGMP/多播流量 - 我们只触发我们不期望的其他流量(例如,我们用于确定不是我们的恶意系统的常规网络扫描仪在规则集中被列入白名单并被“DROP”,因此 PSAD 和 F2B 看不到它)。
相关外部资源:https://ubuntuforums.org/archive/index.php/t-2231716.html