I run fail2ban on a Docker host. I want fail2ban to recognize certain Apache calls and ban them by adding the offending IPs to the DOCKER-USER iptables chain, to mitigate an ongoing DDoS.
I created all the standard configuration files and reloaded fail2ban. In fail2ban.log I can see that it finds the lines (so my regex and log file are fine) and it says it is banning the bad IP, but the DOCKER-USER iptables chain never gets the DROP rule. There are no errors in fail2ban.log.
My fail2ban/filter.d/apache-useredit-save.conf:
[Definition]
failregex = ^<HOST> - - .* "POST /api/useredit-save
ignoreregex =
My /etc/fail2ban/jail.d/apache-useredit-save.conf:
[apache-useredit-save]
enabled = true
port = http,https
filter = apache-useredit-save
logpath = /mnt/distreplic/logs/theapp/apache2/default-access.log
maxretry = 50
findtime = 60
bantime = 600
action = iptables-docker-user[name=NoAuthFailures, port="http,https", protocol=tcp]
My /etc/fail2ban/action.d/iptables-docker-user.conf:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP
[Init]
Log file:
2023-06-21 14:03:56,643 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,718 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,724 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,758 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,779 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,820 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,827 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,839 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,881 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,884 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,898 fail2ban.actions [563]: NOTICE [apache-useredit-save] Ban 217.195.153.92
...
2023-06-21 14:11:33,293 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,301 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,336 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,365 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,396 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,434 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,458 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,488 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,504 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,554 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,725 fail2ban.actions [563]: WARNING [apache-useredit-save] 217.195.153.92 already banned
and iptables -nL:
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 XXX.YYY.ZZZ.WWW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 XXX.YYY.ZZZ.WWW tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Any ideas on how to debug this would be appreciated!
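As an added illustration of what the jail in this question does (not the asker's code and not fail2ban's own implementation), this Python script replays constructed Apache access-log lines through the posted failregex, applies the jail's maxretry/findtime window, and produces the exact iptables command the actionban line would run; the `<HOST>` expansion and the sliding-window counting are simplified assumptions, not fail2ban's internals.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail and action settings copied from the question's jail.d / action.d files.
MAXRETRY = 50
FINDTIME = 60
FAILREGEX = r'^<HOST> - - .* "POST /api/useredit-save'
ACTIONBAN = "iptables -I DOCKER-USER -s <ip> -j DROP"
# fail2ban expands <HOST> into a named capture group; this IPv4-only
# expansion is a simplification (assumption), not fail2ban's own.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIME_RX = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def make_line(ip, ts, method="POST", path="/api/useredit-save"):
    """Constructed Apache combined-log line (not taken from the question)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{stamp} +0000] "{method} {path} HTTP/1.1" 200 17 "-" "curl/8.0"'

def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (banned_ips, shell_commands) the jail would produce for `lines`."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
    hits = defaultdict(deque)          # ip -> timestamps of matching lines
    banned, commands = [], []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue                   # failregex did not match: not a failure
        ip = m.group("host")
        ts = datetime.strptime(TIME_RX.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        window = hits[ip]
        window.append(ts)
        # Keep only the failures that fall inside findtime (sliding window).
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
            commands.append(ACTIONBAN.replace("<ip>", ip))  # what actionban runs
    return banned, commands

T0 = datetime(2023, 6, 21, 14, 3, 0)
# 50 POSTs within 49 s from one IP: reaches maxretry inside findtime -> ban.
SAMPLE = [make_line("203.0.113.5", T0 + timedelta(seconds=i)) for i in range(50)]
# 50 POSTs spread over 98 s from another IP: never 50 within 60 s -> no ban.
SAMPLE += [make_line("198.51.100.9", T0 + timedelta(seconds=2 * i)) for i in range(50)]
# A GET to the same path is not matched by the failregex at all.
SAMPLE.append(make_line("203.0.113.77", T0, method="GET"))

if __name__ == "__main__":
    print("\n".join(simulate_jail(SAMPLE)[1]))
```

Comparing the printed command with the rules listed by `iptables -S DOCKER-USER` shows whether the rule fail2ban reports as inserted is actually present in the chain being inspected.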