fail2ban does not ban again after the first ban expires

I cannot get fail2ban to block IP addresses that appear in the postfix log on Debian 9. I rewrote the failregex to look like this:

NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:(.*) 550 5.7.1 Service unavailable; client \[(.*)\] blocked using .* from=<.*>, to=<.*>, proto=ESMTP, helo=<.*>

instead of

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

So now it bans fine at first. However, once the ban expires it does not block again; instead it prints lots of "Found" entries in fail2ban.log without banning them...

2019-02-13 20:03:50,558 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:50,574 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,625 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:50,666 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,752 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,770 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:50,836 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,861 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,132 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,173 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.151.62
2019-02-13 20:03:51,216 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,315 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,410 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,497 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,560 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:51,581 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,604 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.151.62
2019-02-13 20:03:51,751 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.148.30
2019-02-13 20:03:51,860 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,961 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,514 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,561 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:52,602 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,689 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,776 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,868 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,952 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,141 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,238 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,317 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,325 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,411 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,490 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,563 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 188.255.152.32 already banned
2019-02-13 20:03:53,577 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,585 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,671 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,707 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,765 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,773 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,854 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,865 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,908 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5

How can I fix this? :/ I'm really frustrated.

Edit: the ban action for postfix and postfix-rbl is set in jail.conf as follows:

action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

As mentioned, once fail2ban starts (or is restarted with systemctl restart fail2ban), it bans fine at first. But after the ban expires it no longer does.

Answer 1

I think what is happening here is that your default ban action only blocks the target port. The offending host then hits other ports and triggers further bans. But because the host is already banned (albeit on a different port), it cannot be banned again.

The solution is to change the ban action to block all ports, not just the port in question. From memory, your action line would be something like this:

action   = %(banaction_allports)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
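An added check, not from the question or the answer, that tallies fail2ban.log events per jail and IP and flags hosts that keep being "Found" without a corresponding "Ban" line, which is the symptom described above. It assumes the log line format quoted in the question; the sample lines below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the fail2ban.log lines quoted in the question.
SAMPLE_LOG = """\
2019-02-13 20:03:50,558 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:50,574 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,625 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:50,666 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,752 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,770 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,132 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,173 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.151.62
2019-02-13 20:03:51,500 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] Ban 188.255.151.62
2019-02-13 20:03:53,563 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 188.255.152.32 already banned
"""

# One fail2ban.log line: timestamp, component, pid, level, [jail], message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.(?P<component>\w+)\s+\[\d+\]: "
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<msg>.*)$"
)
# Message shapes we care about; the host is always the single captured group.
EVENT_RES = (
    ("found", re.compile(r"^Found (\S+)$")),
    ("ban", re.compile(r"^Ban (\S+)$")),
    ("unban", re.compile(r"^Unban (\S+)$")),
    ("already_banned", re.compile(r"^(\S+) already banned$")),
)

def parse_line(line):
    """Return (jail, event, ip) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for event, pat in EVENT_RES:
        em = pat.match(m.group("msg"))
        if em:
            return m.group("jail"), event, em.group(1)
    return None

def tally(lines):
    """Count events per (jail, ip): {(jail, ip): {event: count}}."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            jail, event, ip = parsed
            stats[(jail, ip)][event] += 1
    return stats

def found_but_not_banned(lines, maxretry=3):
    """Hosts matched at least maxretry times with no Ban line in the window."""
    return sorted(
        (jail, ip, ev["found"], ev["already_banned"])
        for (jail, ip), ev in tally(lines).items()
        if ev["found"] >= maxretry and ev["ban"] == 0
    )
```

Run it over a real fail2ban.log and, if hosts show up in the report, compare the jail's banaction with banaction_allports as the answer suggests.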
