Ubuntu 10.04 上的 Fail2Ban
配置文件
/etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 10 # made for test purposes
maxretry = 3
backend = polling
destemail = [email protected]
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action = %(action_mw)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[pam-generic]
enabled = true
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
fail2ban 的其余配置只是默认配置。
默认 /etc/pam.d/common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so
更改了 /etc/pam.d/common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so
请注意,唯一的区别是添加会话 [成功 = 1 默认 = 忽略] pam_succeed_if.so 服务在 cron 中安静 use_uid。
日志
使用默认的 /etc/pam.d/common-session-noninteractive 从 /var/log/auth.log 中提取
May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session closed for user root
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session closed for user root
概括
- 如果我
fail2ban-client set ssh banip 1.2.3.4在 15:26 执行,IP 将在 15:30 被禁止。这就是我将其与上面列出的 cron 作业关联的原因。 - 如果我修改
/etc/pam.d/common-session-noninteractive并重复 fail2ban-client 命令,则没有任何进入/var/log/auth.log,也没有被禁止。
更多信息:
默认
/etc/pam.d/common-session-noninteractive:fail2ban-client set ssh banip 1.2.3.4-> 该 IP 被禁止无形的cron 任务,每 5 分钟运行一次。我检查了每一个文件并且没有这样的工作。底线:手动禁令最多有 5 分钟的延迟/etc/cron*。/var/spool/cron/*session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid按/etc/pam.d/common-session-noninteractive建议添加这里:fail2ban-client set ssh banip 1.2.3.4->无形的计划任务不运行并且没有发生任何禁令。
我的问题:
更改如何/etc/pam.d/common-session-noninteractive防止 fail2ban-client 禁止 IP?为什么?
编辑
- 调试中运行:
root@node1:~# fail2ban-client set loglevel 4 Current logging level is DEBUG root@node1:~# fail2ban-client -vvv set ssh banip 1.2.3.4 DEBUG Reading /etc/fail2ban/fail2ban DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local'] INFO Using socket file /var/run/fail2ban/fail2ban.sock DEBUG OK : '1.2.3.4' DEBUG Beautify '1.2.3.4' with ['set', 'ssh', 'banip', '1.2.3.4'] 1.2.3.4 root@zap:~# tail -f /var/log/fail2ban.log 2013-05-24 21:32:07,695 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '1.2.3.4'] 2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4'] 2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4'] 2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
结果:未遭禁止。
quiet从session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid中删除/etc/pam.d/common-session-noninteractive:
结果:禁令成功。
/var/log/auth.log:
May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"
May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"
/var/log/fail2ban.log:
2013-05-24 21:56:07,955 fail2ban.comm : DEBUG Command: ['set', 'loglevel', '4']
2013-05-24 21:56:20,155 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 22:00:01,079 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2013-05-24 22:00:01,079 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-05-24 22:00:01,853 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2013-05-24 22:00:01,853 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-05-24 22:00:01,870 fail2ban.actions: WARNING [ssh] Ban 1.2.3.4
2013-05-24 22:00:01,870 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh
2013-05-24 22:00:01,876 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh returned successfully
2013-05-24 22:00:01,877 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,919 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,920 fail2ban.actions.action: DEBUG
2013-05-24 22:00:01,923 fail2ban.actions.action: DEBUG returned successfully
...
Fail2Ban 版本
fail2ban 0.8.7.1-2~ppa7~lucid 来自这里。库存版本(版本 0.8.4)一直出现以下错误:
"global name 'time' is not defined"
这促使我寻找更新的版本。
答案1
我认为(但未经证实)fail2ban 只是在应用 fail2ban-client 命令之前等待 auth.log 中的新行,因此禁止不是通过“每 5 分钟运行一次的隐形 cron 作业”完成的,而是通过“读取‘logpath’的无限循环”完成的,特定情况下是 auth.log。如果这是真的,您在 /etc/pam.d/common-session-noninteractive 中所做的更改不会阻止 fail2ban-client 禁止 IP,但会将其推迟到 auth.log 中出现任何新行。新日志行出现的频率较低,因为您禁用了 cron 消息,并且需要等待更长时间才能禁止 IP。