Fail2Ban bans IPs, but they can still attack me; what am I doing wrong?

I am currently building my first Linux server with Fedora 36. I enabled ssh and noticed that bots were trying to connect to my server. After some research I found fail2ban and installed it. It works fine, so I thought the problem was solved, but even after several attempts, and after fail2ban blocks them, they are still attacking. I read that they are using persistent connections? Is there a way to solve this, or do I have some other problem?

Here is my setup:

/etc/fail2ban/jail.local

[DEFAULT]
banaction = iptables-allports

[sshd]
enabled = true
port = all
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = -1

/var/log/auth.log does not actually exist, so I don't know where it gets its data from, but it does read something and bans people.

/var/log/fail2ban.log, where someone is still able to attack after 3 attempts without being banned:

2022-08-19 23:40:18,366 fail2ban.server         [2588]: INFO    Reload jail 'sshd'
2022-08-19 23:40:18,367 fail2ban.filter         [2588]: INFO      maxLines: 1
2022-08-19 23:40:18,369 fail2ban.filtersystemd  [2588]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2022-08-19 23:40:18,369 fail2ban.filter         [2588]: INFO      maxRetry: 3
2022-08-19 23:40:18,369 fail2ban.filter         [2588]: INFO      findtime: 600
2022-08-19 23:40:18,369 fail2ban.actions        [2588]: INFO      banTime: -1
2022-08-19 23:40:18,369 fail2ban.filter         [2588]: INFO      encoding: UTF-8
2022-08-19 23:40:18,370 fail2ban.server         [2588]: INFO    Jail 'sshd' reloaded
2022-08-19 23:40:18,371 fail2ban.server         [2588]: INFO    Reload finished.
2022-08-19 23:43:07,478 fail2ban.filter         [2588]: INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:07,480 fail2ban.filter         [2588]: INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:09,228 fail2ban.filter         [2588]: INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,229 fail2ban.filter         [2588]: INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,350 fail2ban.actions        [2588]: NOTICE  [sshd] Ban 79.232.107.204
2022-08-19 23:49:04,030 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,030 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,033 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,353 fail2ban.actions        [2588]: NOTICE  [sshd] Ban 1.117.78.189
2022-08-19 23:49:06,478 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
2022-08-19 23:49:06,479 fail2ban.filter         [2588]: INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
...

iptables -L -nv

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13336  897K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
12829  859K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13026  874K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13170  888K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
16162 1358K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (5 references)
 pkts bytes target     prot opt in     out     source               destination
  507 38384 REJECT     all  --  *      *       1.117.78.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       79.232.107.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       94.131.132.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       82.65.33.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       82.157.143.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       76.186.2.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       61.177.173.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
...

I also set a few other things:

/etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

I also set it to ban the whole /24 network, but I don't remember where I put that.

If anyone knows what my problem is, or if you need more information, please let me know.

Thanks
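The fail2ban.log excerpt above is where the symptom in the question shows up: Found lines for an address that already has a Ban line. As an added example, not part of the question or of either answer, the following Python script parses lines in that format and counts, per jail and address, the Found events logged more than a few seconds after the Ban. Hits within the first seconds are usually attempts that were already queued when the rule was added; hits minutes later mean the firewall rule is not blocking the address, which is what Answer 1's firewalld-versus-iptables mismatch would produce. The sample lines are constructed and use 192.0.2.0/24 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the fail2ban.log excerpt in the question;
# addresses come from the 192.0.2.0/24 documentation range, not the real ones.
SAMPLE_LOG = """\
2022-08-19 23:43:07,478 fail2ban.filter         [2588]: INFO    [sshd] Found 192.0.2.10 - 2022-08-19 23:43:07
2022-08-19 23:43:09,228 fail2ban.filter         [2588]: INFO    [sshd] Found 192.0.2.10 - 2022-08-19 23:43:09
2022-08-19 23:43:09,350 fail2ban.actions        [2588]: NOTICE  [sshd] Ban 192.0.2.10
2022-08-19 23:49:04,030 fail2ban.filter         [2588]: INFO    [sshd] Found 192.0.2.20 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         [2588]: INFO    [sshd] Found 192.0.2.20 - 2022-08-19 23:49:03
2022-08-19 23:49:04,353 fail2ban.actions        [2588]: NOTICE  [sshd] Ban 192.0.2.20
2022-08-19 23:49:06,478 fail2ban.filter         [2588]: INFO    [sshd] Found 192.0.2.20 - 2022-08-19 23:49:06
2022-08-19 23:55:00,000 fail2ban.filter         [2588]: INFO    [sshd] Found 192.0.2.20 - 2022-08-19 23:55:00
"""

# Matches the Found / Ban / Unban lines; reload and settings lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \S+\s+\[\d+\]: "
    r"\S+\s+\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)

def parse(log_text):
    """Yield (timestamp, jail, event, ip) for every line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["event"], m["ip"]

def found_after_ban(log_text, grace_seconds=5):
    """Count Found events per (jail, ip) logged more than grace_seconds after its Ban.
    Hits inside the grace window are usually attempts already queued when the
    rule was added; later hits mean the rule is not blocking the address."""
    ban_time = {}
    late = defaultdict(int)
    for ts, jail, event, ip in parse(log_text):
        key = (jail, ip)
        if event == "Ban":
            ban_time[key] = ts
        elif event == "Unban":
            ban_time.pop(key, None)
        elif event == "Found" and key in ban_time:
            if (ts - ban_time[key]).total_seconds() > grace_seconds:
                late[key] += 1
    return dict(late)

if __name__ == "__main__":
    for (jail, ip), n in found_after_ban(SAMPLE_LOG).items():
        print(f"[{jail}] {ip}: {n} hit(s) well after the ban; is the firewall rule active?")
```

Run it against the real file with `found_after_ban(open("/var/log/fail2ban.log").read())`; an empty result means every banned address went quiet, a non-empty one points at the ban action rather than at fail2ban's detection.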

Answer 1

Take a look at this: https://www.linuxcapable.com/how-to-install-fail2ban-with-firewalld-on-fedora-35/

Doesn't Fedora use firewalld rather than iptables? You should use one or the other, not mix the two.

To make sure, check: systemctl status firewalld and systemctl is-enabled firewalld. If it is, reconfigure fail2ban to use firewalld.

Answer 2

Enable the recidive section in jail.local. This handles a longer scan window (five days in my case) and seems to catch the slow but steady attempts I used to see.

Here is my setup; note that it scans the fail2ban.log file, so it only considers hosts that have already been banned.

[recidive]

enabled   = true
logpath   = /var/log/fail2ban.log
maxretry  = 3
findtime  = 432000      ; 5 day
bantime   = 2419200     ; 4 week
