Fail2ban firewall-cmd ipset not blocking


Fail2ban has accumulated quite a list of IPs to block:

# fail2ban-client banned
[{'sshd': ['101.126.34.231', '106.58.179.182', '117.50.187.153', '119.91.54.127', '121.250.190.129', '124.220.15.172', '124.230.124.250', '141.98.11.169', '143.42.206.215', '178.128.176.210', '178.242.168.227', '178.79.139.171', '180.101.88.197', '180.101.88.236', '182.155.240.180', '185.196.10.93', '185.196.9.45', '188.126.89.85', '218.92.0.112', '218.92.0.113', '218.92.0.118', '218.92.0.22', '218.92.0.27', '218.92.0.29', '218.92.0.33', '218.92.0.34', '218.92.0.40', '218.92.0.43', '218.92.0.52', '218.92.0.53', '218.92.0.55', '218.92.0.56', '218.92.0.76', '220.119.65.20', '27.150.190.3', '35.175.150.123', '36.88.46.154', '37.201.181.129', '43.136.107.134', '47.107.35.168', '47.242.46.55', '61.177.172.179', '68.183.207.53', '70.44.38.158', '78.159.117.241', '79.124.62.59', '79.27.58.101', '82.64.25.86', '85.209.11.254', '85.209.11.27', '87.92.88.193', '88.153.31.218', '170.64.189.121', '170.64.202.148', '170.64.150.4', '101.43.214.76', '79.95.123.68', '116.110.12.221', '61.177.203.30', '61.177.172.160', '159.89.108.180', '218.92.0.107', '218.92.0.28', '180.101.88.196', '218.92.0.45', '211.252.161.44', '201.17.133.138', '218.92.0.51', '51.12.86.255', '218.92.0.24']}]

But in firewalld I see that it has created rich rules that only block port 22 specifically - I would rather block the IPs entirely.

I found something that sounds promising - namely firewallcmd-ipset - but when I set it as the banaction, blocking stops completely.

# cat /etc/fail2ban/jail.d/local.conf 
[DEFAULT]
bantime = 48h
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/24
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset

[sshd]
enabled = true
mode = aggressive

# systemctl reload-or-restart fail2ban
# firewall-cmd --get-ipsets

A. Since fail2ban-client banned still has the list of IPs - shouldn't it be re-applied when fail2ban is reloaded?

Reverting the configuration does not seem to re-create the rich rules either.

B. How should I configure fail2ban to block the IPs completely - not only when they connect to port 22?

Setting the banaction the way I did does not seem to work.

Version information:

# dnf info fail2ban
Last metadata expiration check: 1:32:01 ago on Wed 14 Feb 2024 02:16:34 PM CET.
Installed Packages
Name         : fail2ban
Version      : 1.0.2
Release      : 7.el9
Architecture : noarch
Size         : 0.0  
Source       : fail2ban-1.0.2-7.el9.src.rpm
Repository   : @System
From repo    : epel
Summary      : Daemon to ban hosts that cause multiple authentication errors
URL          : http://fail2ban.sourceforge.net/
License      : GPLv2+
Description  : Fail2Ban scans log files and bans IP addresses that makes too many password
             : failures. It updates firewall rules to reject the IP address. These rules can
             : be defined by the user. Fail2Ban can read multiple log files such as sshd or
             : Apache web server ones.
             : 
             : Fail2Ban is able to reduce the rate of incorrect authentications attempts
             : however it cannot eliminate the risk that weak authentication presents.
             : Configure services to use only two factor or public/private authentication
             : mechanisms if you really want to protect services.
             : 
             : This is a meta-package that will install the default configuration.  Other
             : sub-packages are available to install support for other actions and
             : configurations.

Manual banning with rich_rules seems to work:

# fail2ban-client -vvv set sshd banip 1.2.3.4
 +  128 7FA2A3E7F740 fail2ban.configreader     INFO  Loading configs for fail2ban under /etc/fail2ban 
 +  129 7FA2A3E7F740 fail2ban.configreader     DEBUG Reading configs for fail2ban under /etc/fail2ban 
 +  130 7FA2A3E7F740 fail2ban.configreader     DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
 +  130 7FA2A3E7F740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  131 7FA2A3E7F740 fail2ban.configparserinc  TRACE     Reading file: /etc/fail2ban/fail2ban.conf
 +  132 7FA2A3E7F740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  132 7FA2A3E7F740 fail2ban.configparserinc  TRACE     Shared file: /etc/fail2ban/fail2ban.conf
 +  132 7FA2A3E7F740 fail2ban                  INFO  Using socket file /var/run/fail2ban/fail2ban.sock
 +  132 7FA2A3E7F740 fail2ban                  INFO  Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +  133 7FA2A3E7F740 fail2ban                  HEAVY CMD: ['set', 'sshd', 'banip', '1.2.3.4']
 + 5092 7FA2A3E7F740 fail2ban                  HEAVY OK : 1
 + 5092 7FA2A3E7F740 fail2ban.beautifier       HEAVY Beautify 1 with ['set', 'sshd', 'banip', '1.2.3.4']
1
 + 5093 7FA2A3E7F740 fail2ban                  DEBUG Exit with code 0
# grep 1.2.3.4 /var/log/fail2ban.log
2024-02-22 10:13:10,387 fail2ban.actions        [1023]: NOTICE  [sshd] Ban 1.2.3.4
# firewall-cmd --list-all | tail -2
  rich rules: 
    rule family="ipv4" source address="1.2.3.4" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

But when I set banaction and banaction_allports to firewallcmd-ipset, I see no trace of the ban in the firewall:

# grep banaction /etc/fail2ban/jail.d/local.conf 
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset
# systemctl reload-or-restart fail2ban
# fail2ban-client -vvv set sshd unbanip 1.2.3.4
 +   99 7F648518C740 fail2ban.configreader     INFO  Loading configs for fail2ban under /etc/fail2ban 
 +   99 7F648518C740 fail2ban.configreader     DEBUG Reading configs for fail2ban under /etc/fail2ban 
 +  100 7F648518C740 fail2ban.configreader     DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
 +  100 7F648518C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  100 7F648518C740 fail2ban.configparserinc  TRACE     Reading file: /etc/fail2ban/fail2ban.conf
 +  101 7F648518C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  101 7F648518C740 fail2ban.configparserinc  TRACE     Shared file: /etc/fail2ban/fail2ban.conf
 +  101 7F648518C740 fail2ban                  INFO  Using socket file /var/run/fail2ban/fail2ban.sock
 +  101 7F648518C740 fail2ban                  INFO  Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +  101 7F648518C740 fail2ban                  HEAVY CMD: ['set', 'sshd', 'unbanip', '1.2.3.4']
 +  114 7F648518C740 fail2ban                  HEAVY OK : 1
 +  114 7F648518C740 fail2ban.beautifier       HEAVY Beautify 1 with ['set', 'sshd', 'unbanip', '1.2.3.4']
1
 +  115 7F648518C740 fail2ban                  DEBUG Exit with code 0
# fail2ban-client -vvv set sshd banip 1.2.3.4
 +  119 7F848CB9C740 fail2ban.configreader     INFO  Loading configs for fail2ban under /etc/fail2ban 
 +  119 7F848CB9C740 fail2ban.configreader     DEBUG Reading configs for fail2ban under /etc/fail2ban 
 +  120 7F848CB9C740 fail2ban.configreader     DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
 +  121 7F848CB9C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  121 7F848CB9C740 fail2ban.configparserinc  TRACE     Reading file: /etc/fail2ban/fail2ban.conf
 +  122 7F848CB9C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  122 7F848CB9C740 fail2ban.configparserinc  TRACE     Shared file: /etc/fail2ban/fail2ban.conf
 +  123 7F848CB9C740 fail2ban                  INFO  Using socket file /var/run/fail2ban/fail2ban.sock
 +  123 7F848CB9C740 fail2ban                  INFO  Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +  124 7F848CB9C740 fail2ban                  HEAVY CMD: ['set', 'sshd', 'banip', '1.2.3.4']
 +  125 7F848CB9C740 fail2ban                  HEAVY OK : 1
 +  126 7F848CB9C740 fail2ban.beautifier       HEAVY Beautify 1 with ['set', 'sshd', 'banip', '1.2.3.4']
1
 +  126 7F848CB9C740 fail2ban                  DEBUG Exit with code 0
# firewall-cmd --get-ipsets

# firewall-cmd --list-all | tail -2
  icmp-blocks: 
  rich rules: 
# grep 1.2.3.4 /var/log/fail2ban.log
2024-02-22 10:13:10,387 fail2ban.actions        [1023]: NOTICE  [sshd] Ban 1.2.3.4
2024-02-22 10:22:54,923 fail2ban.actions        [1023]: NOTICE  [sshd] Unban 1.2.3.4
2024-02-22 10:23:13,954 fail2ban.actions        [1023]: NOTICE  [sshd] Ban 1.2.3.4

I don't feel this is working as expected - what am I doing wrong?
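As an added example (not code from the post or from fail2ban itself): a small offline audit that parses the three outputs the post inspects and reports banned IPs that nothing in the firewall actually enforces. It assumes the stock firewallcmd-ipset action keeps its members in a kernel set named f2b-<jail> that is created with the ipset tool rather than by firewalld (so `firewall-cmd --get-ipsets` would not list it), which is why the check reads `ipset list f2b-sshd`; the sample outputs are constructed.

```python
import ast
import re

# Constructed sample output (not from the original post) in the same shapes
# the real commands produce: `fail2ban-client banned`, `ipset list f2b-sshd`
# (assumed set name, f2b-<jail>) and `firewall-cmd --list-rich-rules`.
SAMPLE_BANNED = "[{'sshd': ['1.2.3.4', '5.6.7.8', '198.51.100.9']}]"
SAMPLE_IPSET = ("Name: f2b-sshd\nType: hash:ip\nHeader: family inet timeout 0\n"
                "Members:\n1.2.3.4 timeout 172800\n")
SAMPLE_RICH = ('rule family="ipv4" source address="5.6.7.8" port port="ssh" '
               'protocol="tcp" reject type="icmp-port-unreachable"\n')
RICH_SRC = re.compile(r'source address="([^"]+)"')


def parse_banned(text):
    """Parse `fail2ban-client banned` (a Python literal) into {jail: set(ip)}."""
    jails = {}
    for entry in ast.literal_eval(text.strip() or "[]"):
        for jail, ips in entry.items():
            jails.setdefault(jail, set()).update(ips)
    return jails


def parse_ipset_members(text):
    """Addresses in the 'Members:' block of `ipset list NAME`; each member
    line is '<ip>' or '<ip> timeout <secs>'. No output (set missing) -> empty."""
    members, in_members = set(), False
    for line in text.splitlines():
        if line.startswith("Members:"):
            in_members = True
        elif in_members and line.strip():
            members.add(line.split()[0])
    return members


def parse_rich_rule_sources(text):
    """Source addresses named by `firewall-cmd --list-rich-rules` lines."""
    return set(RICH_SRC.findall(text))


def unenforced(banned, ipset_members, rich_sources):
    """Per jail, banned IPs that neither an ipset entry nor a rich rule covers."""
    enforced = ipset_members | rich_sources
    return {jail: sorted(ips - enforced) for jail, ips in banned.items()
            if ips - enforced}
```

On the host, feed the functions the real output of `fail2ban-client banned`, `ipset list f2b-sshd` and `firewall-cmd --list-rich-rules` (as root); any IP reported by unenforced() is one fail2ban considers banned while the firewall lets it through, which is the state the post observes.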
