我现在正在使用 Fedora 36 构建我的第一个 Linux 服务器。我激活了 ssh 并意识到机器人正在尝试连接到我的服务器。经过一番研究,我找到了fail2ban并安装了它。它工作得很好,所以我认为问题已经解决了,但即使经过几次尝试并且在fail2ban阻止它们之后,它们仍然在攻击。我读到他们正在使用持久连接?有没有办法解决这个问题,或者我有其他问题吗?
这是我的设置:
/etc/fail2ban/jail.local
[DEFAULT]
banaction = iptables-allports
[sshd]
enabled = true
port = all
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = -1
/var/log/auth.log 实际上不存在,所以我不知道它从哪里获取数据,但它读取了一些内容并禁止了人们
/var/log/fail2ban.log 某人在 3 次尝试后仍然能够攻击并且没有被禁止
2022-08-19 23:40:18,366 fail2ban.server [2588]: INFO Reload jail 'sshd'
2022-08-19 23:40:18,367 fail2ban.filter [2588]: INFO maxLines: 1
2022-08-19 23:40:18,369 fail2ban.filtersystemd [2588]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2022-08-19 23:40:18,369 fail2ban.filter [2588]: INFO maxRetry: 3
2022-08-19 23:40:18,369 fail2ban.filter [2588]: INFO findtime: 600
2022-08-19 23:40:18,369 fail2ban.actions [2588]: INFO banTime: -1
2022-08-19 23:40:18,369 fail2ban.filter [2588]: INFO encoding: UTF-8
2022-08-19 23:40:18,370 fail2ban.server [2588]: INFO Jail 'sshd' reloaded
2022-08-19 23:40:18,371 fail2ban.server [2588]: INFO Reload finished.
2022-08-19 23:43:07,478 fail2ban.filter [2588]: INFO [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:07,480 fail2ban.filter [2588]: INFO [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:09,228 fail2ban.filter [2588]: INFO [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,229 fail2ban.filter [2588]: INFO [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,350 fail2ban.actions [2588]: NOTICE [sshd] Ban 79.232.107.204
2022-08-19 23:49:04,030 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,030 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,033 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,353 fail2ban.actions [2588]: NOTICE [sshd] Ban 1.117.78.189
2022-08-19 23:49:06,478 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
2022-08-19 23:49:06,479 fail2ban.filter [2588]: INFO [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
...
iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13336 897K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
12829 859K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
13026 874K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
13170 888K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
16162 1358K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-sshd (5 references)
pkts bytes target prot opt in out source destination
507 38384 REJECT all -- * * 1.117.78.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 79.232.107.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 94.131.132.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 82.65.33.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 82.157.143.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 76.186.2.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 61.177.173.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
...
我还设置了一些东西
/etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
我还设置它们使用 /24 禁止整个网络,但我不记得我把它放在哪里了。
如果有人知道我的问题是什么或者您需要更多信息,请告诉我
谢谢
答案1
看看这个:https://www.linuxcapable.com/how-to-install-fail2ban-with-firewalld-on-fedora-35/
Fedora 不使用firewalld 而不是iptables 吗?您应该使用其中之一,不要混合使用这两者。
为了确保这一点,请检查:
systemctl status firewalld和systemctl is-enabled firewalld。如果是,请重新配置fail2ban以使用firewalld。
答案2
启用recidive中的部分jail.local。这可以处理更长的扫描时间(在我的例子中为五天),并且似乎捕获了我以前看到的缓慢但稳定的尝试。
这是我的设置;请注意,它会扫描fail2ban.log文件,因此只考虑已被禁止的主机。
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 432000 ; 5 day
bantime = 2419200 ; 4 week