fail2ban 一直说该IP被禁止,然后又说已经被禁止了

fail2ban 一直说该IP被禁止,然后又说已经被禁止了

这是我在 AWS EC2 planform 上的 Ubuntu Linux 20.04 上设置的 fail2ban 版本 v0.11.1。监狱.local文件具有监狱.conf中的标准默认值,但我只在监狱.local中激活这2个监狱:

    # Stop the 404 attacks
    [apache-404]
    enabled = true
    port = http,https
    filter = apache-404
    logpath = /var/log/apache*/access.log
    maxretry = 5
    findtime = 60
    bantime = 300
    action = iptables-multiport[name=HTTPS, port=https, protocol=tcp]


    [recidive]
    enabled =true
    logpath  = /var/log/fail2ban.log
    banaction = %(banaction_allports)s
    bantime  = 5m
    findtime = 1d

recidive 的定义文件是fail2ban 软件包附带的文件。 apache-404.conf 定义文件如下:

    # Fail2Ban configuration file 
    [Definition]
    failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$ 
    ignoreregex =

当同一用户重复点击我们网站上的无效文件进行测试时,我们会在fail2ban.log文件中看到以下内容,这对我们来说没有意义为什么它不禁止该用户,除非我们在我们的配置或者我们的期望太高了。

    2023-03-07 12:09:56,316 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:09:56
    2023-03-07 12:10:05,513 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:05
    2023-03-07 12:10:08,218 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:07
    2023-03-07 12:10:13,025 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:12
    2023-03-07 12:10:14,629 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:14
    2023-03-07 12:10:15,213 fail2ban.actions        [173661]: NOTICE  [apache-404] Ban 71.29.12.245
    2023-03-07 12:10:15,331 fail2ban.filter         [173661]: INFO    [recidive] Found 71.29.12.245 - 2023-03-07 12:10:15
    2023-03-07 12:10:16,233 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:16
    2023-03-07 12:10:22,142 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:21
    2023-03-07 12:10:24,907 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:24
    2023-03-07 12:10:34,019 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:33
    2023-03-07 12:10:35,622 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:35
    2023-03-07 12:10:35,854 fail2ban.actions        [173661]: NOTICE  [apache-404] 71.29.12.245 already banned
    2023-03-07 12:10:37,521 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:37
    2023-03-07 12:11:25,901 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:25
    2023-03-07 12:11:33,912 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:33
    2023-03-07 12:11:35,630 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:35
    2023-03-07 12:11:37,245 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:37
    2023-03-07 12:11:37,343 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:11:38,914 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:38
    2023-03-07 12:11:40,546 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:40
    2023-03-07 12:11:42,149 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:42
    2023-03-07 12:11:43,928 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:43
    2023-03-07 12:11:45,531 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:45
    2023-03-07 12:11:45,563 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:11:47,140 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:46
    2023-03-07 12:11:48,126 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:48
    2023-03-07 12:11:51,324 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:51
    2023-03-07 12:11:53,258 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:53
    2023-03-07 12:11:54,337 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:54
    2023-03-07 12:11:54,585 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:11:55,940 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:55
    2023-03-07 12:11:57,734 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:57
    2023-03-07 12:11:59,337 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:59
    2023-03-07 12:12:00,940 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:00
    2023-03-07 12:12:06,848 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:06
    2023-03-07 12:12:07,414 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:14:08,567 fail2ban.filter         [173661]: INFO    [apache-404] Found 198.199.97.240 - 2023-03-07 12:14:08
    2023-03-07 12:17:07,790 fail2ban.actions        [173661]: NOTICE  [apache-404] Unban 71.29.12.245

当我向 iptables 发出以下命令时,我得到:

     sudo iptables-save
    # Generated by iptables-save v1.8.4 on Tue Mar  7 12:19:33 2023
    *filter
    :INPUT ACCEPT [92:8233]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [95:90339]
    :f2b-HTTPS - [0:0]
    -A INPUT -p tcp -m multiport --dports 443 -j f2b-HTTPS
    -A f2b-HTTPS -j RETURN
    -A f2b-HTTPS -j RETURN
    -A f2b-HTTPS -j RETURN
    COMMIT

答案1

经过研究和测试,我能够确定是什么问题导致在fail2banIP 地址被禁止时错误地将其识别为已被禁止。

事实证明,该 IP 地址根本没有被禁止,因为该apache-404.conf文件设置不正确。操作中定义的端口仅设置为 HTTPS,但触发所有这些混乱的用户并未使用 HTTPS。

这是正确的设置(请注意,它不再显示操作 - 仅采用默认值并且端口均为 HTTP 和 HTTPS):

    # Stop the 404 attacks
    [apache-404]
    enabled = true
    port = http,https
    filter = apache-404
    logpath = /var/log/apache*/access.log
    maxretry = 5
    findtime = 60
    bantime = 300

相关内容