sshd我在 CentOS 上启用了fail2ban 设置。它正在很好地读取日志。使用 SSH 进行一些测试,从远程服务器登录失败:
Nov 23 20:51:52 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:51:55 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:51:58 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:52:07 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.22
Nov 23 20:52:07 new fail2ban.actions[29090]: NOTICE [sshd] 199.180.250.xx already banned
Nov 23 20:52:10 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:52:13 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
即使超过禁令,连接似乎也是被允许的。我查看了 iptables,它看起来是正确的:
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 199.180.250.xx 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
连接不是持久的。远程服务器仍然可以打开与运行fail2ban 的该服务器的 SSH 会话。
我还缺少什么?
完整的 iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd-ddos tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:200xyz flags:0x17/0x02
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 199.180.250.xx 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd-ddos (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
答案1
在配置中,port = ssh必须更改为自定义 SSH 端口。
我原以为 Linux 会知道 SSH 端口的定义,并且 failure2ban 会遵循该系统配置,但我错了。