I am running Ubuntu 16.04 with ssh allowed through ufw, and I have configured fail2ban with the [sshd] and [sshd-ddos] jails enabled and a maximum retry count of 3 (that is, I want to ban any IP that fails authentication 3 times). When I look at the auth log, I see several different IPs that failed authentication 5 times and were therefore disconnected for too many authentication failures. Why were these IPs not banned? I fully expect that I have either misconfigured fail2ban or misunderstood its intended behaviour, but from the tutorials I have read (digitalocean, other search results), this configuration should do what I expect. Note also that fail2ban does successfully ban some IPs, since I can see bans (and unbans) in the fail2ban log.
Here are the relevant log lines for one of the IP addresses where this happens (IP and host removed):
/var/log/fail2ban.log:
2017-02-17 13:23:36,148 fail2ban.filter [24793]: INFO [sshd] Found [ip address]
2017-02-17 13:23:38,153 fail2ban.filter [24793]: INFO [sshd] Found [ip address]
/var/log/auth.log:
Feb 17 13:23:36 [host] sshd[15498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[ip address] user=root
Feb 17 13:23:38 [host] sshd[15498]: Failed password for root from [ip address] port 9498 ssh2
Feb 17 13:23:49 [host] sshd[15498]: message repeated 5 times: [ Failed password for root from [ip address] port 9498 ssh2]
Feb 17 13:23:49 [host] sshd[15498]: error: maximum authentication attempts exceeded for root from [ip address] port 9498 ssh2 [preauth]
Feb 17 13:23:49 [host] sshd[15498]: Disconnecting: Too many authentication failures [preauth]
Feb 17 13:23:49 [host] sshd[15498]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=[ip address] user=root
Feb 17 13:23:49 [host] sshd[15498]: PAM service(sshd) ignoring max retries; 6 > 3
Below are the relevant (non-comment) lines of my fail2ban configuration, which is mostly copied straight from jail.conf with the bantime, findtime and maxretry defaults changed and the [sshd], [sshd-ddos] and [recidive] jails enabled:
/etc/fail2ban/jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 21600
findtime = 3600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled = true
port = ssh
logpath = %(sshd_log)s
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = iptables-allports
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
Further investigation:
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d
The log file is correctly read as /var/log/auth.log. Lines: 1127 lines, 0 ignored, 125 matched, 1002 missed [processed in 1.77 sec]
sudo iptables -L -n | less
Under "Chain f2b-sshd (1 references)" I can see some banned IPs (with REJECT).
Answer 1
Fail2ban only looks at log lines in the standard format and counts how many of them occur within a given time window. In addition, your syslog merges identical messages into an aggregated form, which prevents this parsing:
Feb 17 13:23:49 [host] sshd[15498]: message repeated 5 times: [ Failed password for root from [ip address] port 9498 ssh2]
In general, an authentication failure is counted as one connection that failed to authenticate. But this single connection may consist of several "password authentication attempts" (the exact number depends on the client's NumberOfPasswordPrompts and the server's MaxAuthTries configuration).
When setting up fail2ban, it is best to understand how it works and what a policy you set there actually means. In this case, this is the expected behaviour; if you want to restrict authentication attempts further, you need to adjust the configuration of sshd.
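To make the answer's point concrete, here is an added example (not code from the question, the answer or the fail2ban project) that counts "Failed password" events per source IP from a few constructed auth.log lines modelled on the ones above. The first counter mimics a prefix-anchored failregex, so the "message repeated N times: [ ... ]" aggregation line contributes nothing; the second expands that aggregation so the N folded attempts are counted. The host name, PID and the IPs 203.0.113.7 and 198.51.100.9 are placeholders, and the regexes are simplified stand-ins, not fail2ban's actual filter rules.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines, modelled on the question.
# Host, PID and IPs are placeholders (documentation ranges), not real data.
SAMPLE_AUTH_LOG = """\
Feb 17 13:23:36 myhost sshd[15498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Feb 17 13:23:38 myhost sshd[15498]: Failed password for root from 203.0.113.7 port 9498 ssh2
Feb 17 13:23:49 myhost sshd[15498]: message repeated 5 times: [ Failed password for root from 203.0.113.7 port 9498 ssh2]
Feb 17 13:23:49 myhost sshd[15498]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 9498 ssh2 [preauth]
Feb 17 13:23:49 myhost sshd[15498]: Disconnecting: Too many authentication failures [preauth]
Feb 17 13:23:49 myhost sshd[15498]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Feb 17 13:23:49 myhost sshd[15498]: PAM service(sshd) ignoring max retries; 6 > 3
Feb 17 13:24:01 myhost sshd[15502]: Failed password for admin from 198.51.100.9 port 41000 ssh2
Feb 17 13:24:05 myhost sshd[15502]: Failed password for admin from 198.51.100.9 port 41000 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: <message>".
PREFIX_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Simplified stand-in for a fail2ban failregex; anchored at the start of the
# message, as fail2ban's sshd rules are anchored at the syslog prefix.
FAILED_PW_RE = re.compile(
    r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)
# rsyslog's aggregation of identical consecutive messages.
REPEATED_RE = re.compile(r"^message repeated (?P<n>\d+) times: \[ (?P<msg>.*)\]$")


def _messages(log_text):
    """Yield the message part of each sshd syslog line, skipping non-sshd lines."""
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            yield m.group("msg")


def count_naive(log_text):
    """One failure per line whose message starts with 'Failed password'.

    The aggregation line starts with 'message repeated', so it never matches:
    this is why the five folded attempts are invisible to a line-based filter.
    """
    counts = Counter()
    for msg in _messages(log_text):
        m = FAILED_PW_RE.match(msg)
        if m:
            counts[m.group("ip")] += 1
    return counts


def count_expanded(log_text):
    """Unfold 'message repeated N times: [ ... ]' into N copies of the inner message."""
    counts = Counter()
    for msg in _messages(log_text):
        rep = REPEATED_RE.match(msg)
        weight, payload = (int(rep.group("n")), rep.group("msg")) if rep else (1, msg)
        m = FAILED_PW_RE.match(payload)
        if m:
            counts[m.group("ip")] += weight
    return counts


def ips_over_threshold(counts, maxretry):
    """Sorted list of IPs whose failure count is at or above maxretry."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    naive = count_naive(SAMPLE_AUTH_LOG)
    expanded = count_expanded(SAMPLE_AUTH_LOG)
    print("naive   :", dict(naive), "-> over 3:", ips_over_threshold(naive, 3))
    print("expanded:", dict(expanded), "-> over 3:", ips_over_threshold(expanded, 3))
```

With maxretry = 3, the naive count sees only 1 "Failed password" line for 203.0.113.7 (the question's fail2ban.log likewise shows just two "Found" entries for that connection), while the expanded count sees 6 and would flag the IP. The aggregation lines come from rsyslog's $RepeatedMsgReduction directive; the answer's recommendation stands regardless, since lowering MaxAuthTries in sshd_config makes sshd drop the connection after fewer attempts and so produces fewer folded messages for any filter to miss.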