Why does Fail2ban not send mail for one particular jail?

Fail2ban is doing its job; fail2ban-client status shows me that all jails are working and that offending addresses get blocked.

I like to get an email when an address is blocked. This works for every jail except one. Why?

Here is the relevant part of /etc/fail2ban/jail.local:

# My own domain is here, not example.com, obviously.
sender = [email protected]

banaction = iptables-multiport
mta = sendmail

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

action = %(action_mwl)s

# This one is working. Others are as well.
[postfix]
enabled  = true
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log

# This one is not working.
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

This is the (somewhat anonymised) output of fail2ban-client status recidive:

Status for the jail: recidive
|- filter
|  |- File list:        /var/log/fail2ban.log
|  |- Currently failed: 34
|  `- Total failed:     270
`- action
   |- Currently banned: 9
   |  `- IP list:       195.154.237.*** 91.200.12.*** 195.154.255.***
   `- Total banned:     12

postfix:

Status for the jail: postfix
|- filter
|  |- File list:        /var/log/mail.log
|  |- Currently failed: 0
|  `- Total failed:     1058
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     162

postfix.conf:

[INCLUDES]
before = common.conf
[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 454 4\.7\.1\.*
ignoreregex =

recidive.conf:

[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions
_jailname = recidive

failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions%(__pid_re)s?:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$

From /var/log/fail2ban.log:

2016-12-15 08:01:52,620 fail2ban.actions[18430]: WARNING [wordpress-soft] Unban 160.202.163.***
2016-12-15 08:01:59,649 fail2ban.actions[18430]: WARNING [wordpress-soft] Ban 160.202.163.***
2016-12-15 08:02:00,610 fail2ban.actions[18430]: WARNING [recidive] Ban 160.202.163.***
2016-12-15 08:12:00,587 fail2ban.actions[18430]: WARNING [wordpress-soft] Unban 160.202.163.***

So I am sure that Fail2ban's mail feature works. All jails are operating. There seems to be no difference between the recidive jail and the other jails. What am I missing?
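The recidive filter quoted above, as an added example that is not part of the original post: a Python re-implementation of how fail2ban applies recidive.conf's failregex to /var/log/fail2ban.log. It assumes simplified substitutions for `__prefix_line`, `__pid_re` and `<HOST>` from common.conf (the stock ones are longer), and it uses constructed log lines with RFC 5737 documentation addresses instead of the anonymised ones in the question. It shows two things the question's log excerpt relies on: fail2ban strips the matched timestamp before applying failregex, which is why the regex's second alternative starts with `,\d{3}`, and the negative lookahead `(?!recidive\])` keeps the jail from counting its own `[recidive] Ban` lines, so only bans issued by other jails feed recidive.

```python
import re

# Constructed sample of /var/log/fail2ban.log lines (documentation addresses,
# not the anonymised ones from the question). The third line is recidive's own
# ban, which must NOT count as a failure again.
SAMPLE_LOG = """\
2016-12-15 08:01:52,620 fail2ban.actions[18430]: WARNING [wordpress-soft] Unban 203.0.113.5
2016-12-15 08:01:59,649 fail2ban.actions[18430]: WARNING [wordpress-soft] Ban 203.0.113.5
2016-12-15 08:02:00,610 fail2ban.actions[18430]: WARNING [recidive] Ban 203.0.113.5
2016-12-15 08:03:10,001 fail2ban.actions[18430]: WARNING [postfix] Ban 198.51.100.23
2016-12-15 08:12:00,587 fail2ban.actions[18430]: WARNING [wordpress-soft] Unban 203.0.113.5
"""

# fail2ban removes the part of the line its date pattern matched before the
# failregex runs. With "%Y-%m-%d %H:%M:%S" the ",620" millisecond fragment is
# left at the start of the line; recidive.conf's second alternative handles it.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Simplified stand-ins for the common.conf substitutions (assumption: the real
# __prefix_line also allows kernel/vserver prefixes, which are irrelevant here).
PID_RE = r"(?:\[\d+\])"
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PREFIX_LINE = r"\s*(?:\S+ )?fail2ban\.actions" + PID_RE + r"?:\s+"
JAILNAME = "recidive"

# recidive.conf's failregex with %(...)s and <HOST> expanded.
FAILREGEX = re.compile(
    r"^(" + PREFIX_LINE + r"|,\d{3} fail2ban.actions" + PID_RE + r"?:\s+)"
    + r"WARNING\s+\[(?!" + JAILNAME + r"\])(?:.*)\]\s+Ban\s+"
    + HOST_RE + r"\s*$"
)


def recidive_hits(log_text):
    """Return the hosts the recidive filter would count, in log order."""
    hits = []
    for line in log_text.splitlines():
        rest = DATE_RE.sub("", line, count=1)   # what fail2ban actually matches
        m = FAILREGEX.match(rest)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    print(recidive_hits(SAMPLE_LOG))   # ['203.0.113.5', '198.51.100.23']
```

Unban lines and recidive's own Ban line are ignored; a host reaching maxretry hits inside findtime is what triggers the recidive ban, and the action attached to that jail, not the filter, is what decides whether mail is sent.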

Answer 1

I had the same problem. I have two jails, ssh and recidive. The ssh jail emails me perfectly, but recidive never does. I am running:

Fail2Ban v0.8.13

My relevant global configuration is the same as what you posted:

 banaction = iptables-multiport
 mta = sendmail

 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                   %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

 action = %(action_mwl)s

My original recidive jail configuration (no emails sent):

[recidive]

enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
#action   = iptables-allports[name=recidive]
#           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]

bantime  = 604800  ; 1 week
findtime = 604800
#findtime = 86400   ; 1 day
maxretry = 3

Note that I commented out the default recidive action. At least for me, that was the default. I did this because I wanted recidive emails to work like ssh, which also uses the default action. With this configuration... I got nothing. Crickets. But the recidive jail did work. I didn't know what exactly the problem was, but I knew I had to solve it. So first I tried uncommenting the action. Then it still worked, but no email. Or so I thought. It turned out the emails were being sent to the local root account. I found them in the /var/mail/[user] mailbox that I forward root's mail to. So then I realised that this is because destemail is not used in that default action. So what I ended up doing was simply copying the global default action_mwl and tweaking it to take out the port.

So my final recidive jail configuration, which works:

enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
#action   = iptables-allports[name=recidive]
#           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
action = %(banaction)s[name=%(__name__)s, protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

Maybe this is all by design, or an old bug; I don't know. But that is how I got it working. This is probably too late to help you, but maybe it will help the next person with the same problem...
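The root cause the answer ran into, as an added example that is not from the original post or from fail2ban itself: the stock jail.conf gives [recidive] its own `action = iptables-allports[...] sendmail-whois-lines[name=recidive, logpath=...]`, and a jail-level option always beats a `[DEFAULT]` option, so setting `action = %(action_mwl)s` in jail.local's `[DEFAULT]` changes every jail that has no explicit action (postfix, ssh) but leaves recidive on the stock action, whose sendmail-whois-lines call has no `dest=` and therefore falls back to the action file's own default recipient, root. The Python below simulates that layering with `configparser` and a small `%(name)s` resolver that binds `__name__` to the jail name the way fail2ban's jail reader does; the jail.conf text is a constructed approximation of the stock file, and `admin@example.com` is an assumed destemail. On a real host, `fail2ban-client -d` dumps the effective configuration and is the quickest way to confirm which action a jail ended up with. Two caveats for anyone copying the answer's final config: an explicit `action =` inside the jail section is what actually overrides the stock recidive action (a `[DEFAULT]` value alone will not), and `iptables-multiport` without `port=` falls back to that action file's own default port, so for a jail meant to block everything the stock `iptables-allports` is the better fit, combined with a mail action that carries `dest="%(destemail)s"`.

```python
import configparser
import re

# Constructed stand-in for the stock jail.conf (simplified; only what matters here).
JAIL_CONF = """\
[DEFAULT]
destemail = root@localhost
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

[postfix]
enabled = false
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log

[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
"""

# Constructed stand-in for the question's jail.local (destemail is an assumed value).
JAIL_LOCAL = """\
[DEFAULT]
destemail = admin@example.com
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = %(action_mwl)s

[postfix]
enabled = true

[recidive]
enabled = true
"""

VAR = re.compile(r"%\((\w+)\)s")


def load_layered(*texts):
    """Read jail.conf then jail.local into one parser; later files win per option."""
    cfg = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cfg.read_string(text)
    return cfg


def resolve(cfg, jail, key, depth=0):
    """Expand %(name)s like fail2ban: jail section first, then [DEFAULT],
    with __name__ bound to the jail name."""
    if depth > 20:
        raise ValueError("interpolation loop")
    raw = cfg.get(jail, key)

    def sub(m):
        name = m.group(1)
        if name == "__name__":
            return jail
        return resolve(cfg, jail, name, depth + 1)

    return VAR.sub(sub, raw)


def mail_destination(cfg, jail):
    """Return the dest= the *-whois-lines action will use, or None when the
    resolved action carries no dest= (the action file's own default, root, applies)."""
    action = resolve(cfg, jail, "action")
    m = re.search(r'whois-lines\[[^\]]*\bdest="?([^",\]]+)"?', action)
    return m.group(1) if m else None


if __name__ == "__main__":
    cfg = load_layered(JAIL_CONF, JAIL_LOCAL)
    for jail in ("postfix", "recidive"):
        print(jail, "->", mail_destination(cfg, jail))
    # postfix -> admin@example.com
    # recidive -> None  (stock per-jail action still in force, mail goes to root)
```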
