这是我在 AWS EC2 planform 上的 Ubuntu Linux 20.04 上设置的 fail2ban 版本 v0.11.1。监狱.local文件具有监狱.conf中的标准默认值,但我只在监狱.local中激活这2个监狱:
# Stop the 404 attacks
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/access.log
maxretry = 5
findtime = 60
bantime = 300
action = iptables-multiport[name=HTTPS, port=https, protocol=tcp]
[recidive]
enabled =true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 5m
findtime = 1d
recidive 的定义文件是fail2ban 软件包附带的文件。 apache-404.conf 定义文件如下:
# Fail2Ban configuration file
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
当同一用户重复点击我们网站上的无效文件进行测试时,我们会在fail2ban.log文件中看到以下内容,这对我们来说没有意义为什么它不禁止该用户,除非我们在我们的配置或者我们的期望太高了。
2023-03-07 12:09:56,316 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:09:56
2023-03-07 12:10:05,513 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:05
2023-03-07 12:10:08,218 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:07
2023-03-07 12:10:13,025 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:12
2023-03-07 12:10:14,629 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:14
2023-03-07 12:10:15,213 fail2ban.actions [173661]: NOTICE [apache-404] Ban 71.29.12.245
2023-03-07 12:10:15,331 fail2ban.filter [173661]: INFO [recidive] Found 71.29.12.245 - 2023-03-07 12:10:15
2023-03-07 12:10:16,233 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:16
2023-03-07 12:10:22,142 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:21
2023-03-07 12:10:24,907 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:24
2023-03-07 12:10:34,019 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:33
2023-03-07 12:10:35,622 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:35
2023-03-07 12:10:35,854 fail2ban.actions [173661]: NOTICE [apache-404] 71.29.12.245 already banned
2023-03-07 12:10:37,521 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:37
2023-03-07 12:11:25,901 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:25
2023-03-07 12:11:33,912 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:33
2023-03-07 12:11:35,630 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:35
2023-03-07 12:11:37,245 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:37
2023-03-07 12:11:37,343 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:11:38,914 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:38
2023-03-07 12:11:40,546 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:40
2023-03-07 12:11:42,149 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:42
2023-03-07 12:11:43,928 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:43
2023-03-07 12:11:45,531 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:45
2023-03-07 12:11:45,563 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:11:47,140 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:46
2023-03-07 12:11:48,126 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:48
2023-03-07 12:11:51,324 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:51
2023-03-07 12:11:53,258 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:53
2023-03-07 12:11:54,337 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:54
2023-03-07 12:11:54,585 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:11:55,940 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:55
2023-03-07 12:11:57,734 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:57
2023-03-07 12:11:59,337 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:59
2023-03-07 12:12:00,940 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:00
2023-03-07 12:12:06,848 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:06
2023-03-07 12:12:07,414 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:14:08,567 fail2ban.filter [173661]: INFO [apache-404] Found 198.199.97.240 - 2023-03-07 12:14:08
2023-03-07 12:17:07,790 fail2ban.actions [173661]: NOTICE [apache-404] Unban 71.29.12.245
当我向 iptables 发出以下命令时,我得到:
sudo iptables-save
# Generated by iptables-save v1.8.4 on Tue Mar 7 12:19:33 2023
*filter
:INPUT ACCEPT [92:8233]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:90339]
:f2b-HTTPS - [0:0]
-A INPUT -p tcp -m multiport --dports 443 -j f2b-HTTPS
-A f2b-HTTPS -j RETURN
-A f2b-HTTPS -j RETURN
-A f2b-HTTPS -j RETURN
COMMIT
答案1
经过研究和测试,我能够确定是什么问题导致在fail2ban
IP 地址被禁止时错误地将其识别为已被禁止。
事实证明,该 IP 地址根本没有被禁止,因为该apache-404.conf
文件设置不正确。操作中定义的端口仅设置为 HTTPS,但触发所有这些混乱的用户并未使用 HTTPS。
这是正确的设置(请注意,它不再显示操作 - 仅采用默认值并且端口均为 HTTP 和 HTTPS):
# Stop the 404 attacks
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/access.log
maxretry = 5
findtime = 60
bantime = 300