I have fail2ban set up on my Ubuntu 12.04 server, which runs several services, but it does not ban the attacking IPs. SSH runs on port 22.
Jail configuration
[DEFAULT]
bantime = 600
maxretry = 3
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Regex check
fail2ban-regex /var/log/auth.log.1 /etc/fail2ban/filter.d/sshd.conf
Failregex
|- Regular expressions:
| [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
| [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| [3] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
| [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
| [5] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
| [6] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
| [7] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
| [8] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
| [9] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
| [10] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 2810 match(es)
[4] 0 match(es)
[5] 2378 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 0 match(es)
[...]
Date template hits:
380718 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 5188
Checking the log
Jul 26 14:17:49 servername sshd[12930]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:51 servername sshd[12930]: Failed password for root from 91.117.124.14 port 37340 ssh2
Jul 26 14:17:51 servername sshd[12930]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:51 servername sshd[12932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:53 servername sshd[12932]: Failed password for root from 91.117.124.14 port 38980 ssh2
Jul 26 14:17:54 servername sshd[12932]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:54 servername sshd[12934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:56 servername sshd[12934]: Failed password for root from 91.117.124.14 port 40576 ssh2
Jul 26 14:17:56 servername sshd[12934]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:57 servername sshd[12936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:58 servername sshd[12936]: Failed password for root from 91.117.124.14 port 42148 ssh2
Jul 26 14:17:58 servername sshd[12936]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:59 servername sshd[12938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:01 servername CRON[12940]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 14:18:01 servername sshd[12938]: Failed password for root from 91.117.124.14 port 43589 ssh2
Jul 26 14:18:01 servername sshd[12938]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:01 servername CRON[12940]: pam_unix(cron:session): session closed for user root
Jul 26 14:18:01 servername sshd[12982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:03 servername sshd[12982]: Failed password for root from 91.117.124.14 port 44989 ssh2
Jul 26 14:18:03 servername sshd[12982]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:04 servername sshd[12985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:06 servername sshd[12985]: Failed password for root from 91.117.124.14 port 46546 ssh2
Jul 26 14:18:06 servername sshd[12985]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:06 servername sshd[12987]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:09 servername sshd[12987]: Failed password for root from 91.117.124.14 port 48192 ssh2
Jul 26 14:18:09 servername sshd[12987]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:09 servername sshd[12989]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:11 servername sshd[12989]: Failed password for root from 91.117.124.14 port 49739 ssh2
Jul 26 14:18:11 servername sshd[12989]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:11 servername sshd[12991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:13 servername sshd[12991]: Failed password for root from 91.117.124.14 port 51193 ssh2
The login attempts went on for 20 minutes or longer, and fail2ban did nothing at all.
Answer 1
Turn up the debug level to help find out why fail2ban is not banning anything when your regex is run against the configured log file.
fail2ban-client set loglevel DEBUG
In my case I had a problem similar to yours. The configuration check was fine, the jail was running, the log file was correct, and fail2ban-regex matched. After turning on debugging, the important clue appeared:
2016-02-17 11:27:57,450 fail2ban.datedetector [30443]: DEBUG Got time 1455722877.000000 for "u'Feb 17 10:27:57'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-02-17 11:27:57,450 fail2ban.filter [30443]: DEBUG Processing line with time:1455722877.0 and ip:8.8.8.8
2016-02-17 11:27:57,450 fail2ban.filter [30443]: DEBUG Ignore line since time 1455722877.0 < 1455726477.45 - 600
Note that the time difference exceeds findtime (600): it is actually 3600 seconds, i.e. one hour. The system time zone had been changed earlier and the system had not been rebooted. All timestamps in the system log were one hour off from the system time. Restarting rsyslogd caused new log entries to be written with the correct time, and fail2ban stopped ignoring them.