Linux ssh 服务器 - fail2ban 不会禁止 IP 地址

Linux ssh 服务器 - fail2ban 不会禁止 IP 地址

我的 v-Server 上的 fail2ban 出现了问题。我按照教程中的说明安装了所有内容,但 fail2ban 不会阻止 ip 地址。

/etc/init.d/fail2ban 状态显示:

* Status of authentication failure monitor     
*  fail2ban is running

如果我测试我的过滤器:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

有一些匹配项,但我的 iptables 中没有条目

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:ssh
fail2ban-default  tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-default (1 references)
target     prot opt source               destination

这是我的jail.conf:

[ssh]

enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 60
action   = iptables[name=SSH, port=22, protocol=tcp]

这是我的 /filter.d/sshd.conf

[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
        ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
        ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
        ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
        ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
        ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
        ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
        ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

我的操作:/action.d/iptables.conf

[Definition]
actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
         iptables -F fail2ban-<name>
         iptables -X fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]
name = default
port = ssh
protocol = tcp
chain = INPUT

我已经尝试了所有方法,并搜索了许多论坛,但我找不到错误。如果我尝试使用错误的密码登录,fail2ban 不会禁止我,我可以继续登录。是不是因为 fail2ban 没有权限在 iptables 中写入某些内容?

也许有人知道该怎么办?谢谢

这是 auth.log 中的内容

Jul 24 18:04:13 sshd[12438]: Invalid user sfdsdf from 79.224.101.224
Jul 24 18:04:13 sshd[12438]: input_userauth_request: invalid user sfdsdf [preauth]
Jul 24 18:04:16 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:04:16 sshd[12438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
Jul 24 18:04:19 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
Jul 24 18:04:20 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:04:22 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
Jul 24 18:04:24 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:04:26 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
Jul 24 18:04:28 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:04:30 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
Jul 24 18:04:34 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:04:36 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
Jul 24 18:04:37 sshd[12438]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jul 24 18:04:37 sshd[12438]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
Jul 24 18:04:37 sshd[12438]: PAM service(sshd) ignoring max retries; 5 > 3
Jul 24 18:04:53 sshd[12440]: Invalid user blabla from 79.224.101.224
Jul 24 18:04:53 sshd[12440]: input_userauth_request: invalid user blabla [preauth]
Jul 24 18:04:55 sshd[12440]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:04:55 sshd[12440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
Jul 24 18:04:58 sshd[12440]: Failed password for invalid user blabla from 79.224.101.224 port 51194 ssh2
Jul 24 18:05:00 sshd[12440]: Connection closed by 79.224.101.224 [preauth]
Jul 24 18:05:10 sshd[12442]: Invalid user hihi from 79.224.101.224
Jul 24 18:05:10 sshd[12442]: input_userauth_request: invalid user hihi [preauth]
Jul 24 18:05:13 sshd[12442]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:05:13 sshd[12442]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
Jul 24 18:05:15 sshd[12442]: Failed password for invalid user hihi from 79.224.101.224 port 51195 ssh2
Jul 24 18:05:16 sshd[12442]: Connection closed by 79.224.101.224 [preauth]
Jul 24 18:05:22 sshd[12444]: Connection closed by 79.224.101.224 [preauth]
Jul 24 18:05:30 sshd[12446]: Invalid user hoho from 79.224.101.224
Jul 24 18:05:30 sshd[12446]: input_userauth_request: invalid user hoho [preauth]
Jul 24 18:05:31 sshd[12446]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:05:31 sshd[12446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
Jul 24 18:05:34 sshd[12446]: Failed password for invalid user hoho from 79.224.101.224 port 51198 ssh2

答案1

您可以使用命令 fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf 来验证这些正则表达式是否匹配。对我来说,它们不匹配,原因是 syslog 格式与 filters.d/common.conf 中定义为 __prefix_line 的格式不匹配。

我的正则表达式技能很差,但你可以修复这个问题。

答案2

要使用 -L 以外的任何命令运行 iptables,都需要 root 权限;因此,守护进程必须以 root 身份运行。

确认情况确实如此。

相关内容