Fail2Ban on Ubuntu 10.04

Configuration files

/etc/fail2ban/jail.local

[DEFAULT]

ignoreip = 127.0.0.1
bantime  = 10 # made for test purposes
maxretry = 3

backend = polling

destemail = [email protected]


banaction = iptables-multiport

mta = sendmail

protocol = tcp

action = %(action_mw)s

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

[pam-generic]

enabled = true
filter  = pam-generic
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

The rest of the fail2ban configuration is just the defaults.

Default /etc/pam.d/common-session-noninteractive

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so 
session optional                        pam_winbind.so 
session required        pam_loginuid.so 

Modified /etc/pam.d/common-session-noninteractive

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
session required        pam_unix.so 
session optional                        pam_winbind.so 
session required        pam_loginuid.so 

Note that the only difference is the added line: session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid

Logs

Extract from /var/log/auth.log with the default /etc/pam.d/common-session-noninteractive

May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session closed for user root
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session closed for user root

Summary

  1. If I run fail2ban-client set ssh banip 1.2.3.4 at 15:26, the IP gets banned at 15:30. That is why I associated it with the cron job listed above.
  2. If I modify /etc/pam.d/common-session-noninteractive and repeat the fail2ban-client command, nothing goes into /var/log/auth.log and nothing gets banned.

More information:

  1. Default /etc/pam.d/common-session-noninteractive

    fail2ban-client set ssh banip 1.2.3.4 -> the IP gets banned by an invisible cron job that runs every 5 minutes. I checked every file in /etc/cron* and /var/spool/cron/* and there is no such job. Bottom line: a manual ban has a delay of up to 5 minutes.

  2. session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid added to /etc/pam.d/common-session-noninteractive, as suggested here

    fail2ban-client set ssh banip 1.2.3.4 -> the invisible scheduled job does not run and no ban happens at all.

My question:

How does the change to /etc/pam.d/common-session-noninteractive prevent fail2ban-client from banning the IP? And why?


EDIT

  • Ran in debug mode:
root@node1:~# fail2ban-client set loglevel 4
Current logging level is DEBUG
root@node1:~# fail2ban-client -vvv set ssh banip 1.2.3.4
DEBUG  Reading /etc/fail2ban/fail2ban
DEBUG  Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG  OK : '1.2.3.4'
DEBUG  Beautify '1.2.3.4' with ['set', 'ssh', 'banip', '1.2.3.4']
1.2.3.4
root@zap:~# tail -f /var/log/fail2ban.log
2013-05-24 21:32:07,695 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: ['1.2.3.4']

Result: not banned.

  • Removed quiet from session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid in /etc/pam.d/common-session-noninteractive

Result: ban succeeded.

/var/log/auth.log

May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"
May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"

/var/log/fail2ban.log

2013-05-24 21:56:07,955 fail2ban.comm   : DEBUG  Command: ['set', 'loglevel', '4']
2013-05-24 21:56:20,155 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 22:00:01,079 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2013-05-24 22:00:01,079 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-05-24 22:00:01,853 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2013-05-24 22:00:01,853 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-05-24 22:00:01,870 fail2ban.actions: WARNING [ssh] Ban 1.2.3.4
2013-05-24 22:00:01,870 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-ssh
2013-05-24 22:00:01,876 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-ssh returned successfully
2013-05-24 22:00:01,877 fail2ban.actions.action: DEBUG  iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,919 fail2ban.actions.action: DEBUG  iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,920 fail2ban.actions.action: DEBUG  
2013-05-24 22:00:01,923 fail2ban.actions.action: DEBUG   returned successfully
...

Fail2Ban version

fail2ban 0.8.7.1-2~ppa7~lucid from here. The stock version (0.8.4) kept failing with the following error:

"global name 'time' is not defined"

which prompted me to look for a newer version.

Answer 1

I think (but have not confirmed) that fail2ban simply waits for a new line in auth.log before applying the fail2ban-client command, so the ban is not done by "an invisible cron job that runs every 5 minutes" but by "the infinite loop that reads 'logpath'", which in this particular case is auth.log. If that is true, the change you made in /etc/pam.d/common-session-noninteractive does not prevent fail2ban-client from banning the IP, but postpones it until any new line shows up in auth.log. New log lines appear less often because you silenced the cron messages, so you have to wait longer for the IP to be banned.
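The mechanism the answer proposes, as an added example that is not part of the original question, the answer, or fail2ban's own code. It is a deliberately simplified model of a polling-backend jail: a manual banip only queues a ticket, and queued tickets are handed to the banning action on a polling iteration in which the watched log file changed. The class and function names, the cut-down sshd regex, and the auth.log lines written into a temporary file are all constructed for this illustration; the timestamps mirror the ones in the question.

```python
"""Model of the "ban fires only when the log changes" behaviour.

Added example, not code from the original page or from fail2ban. The class
below is a stand-in for a polling jail: manual bans are queued, and the
queue is flushed to the action only on a tick where the log was modified.
"""
import os
import re
import tempfile

# Assumed, cut-down version of an sshd failure pattern (not the real filter).
SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")


class PollingJail:
    def __init__(self, logpath, maxretry=3):
        self.logpath = logpath
        self.maxretry = maxretry
        self.offset = 0           # how far into the log we have read
        self.last_stat = None     # (mtime_ns, size) of the log at the last tick
        self.failures = {}        # ip -> failures counted from the log
        self.pending = []         # tickets waiting for a "log modified" tick
        self.banned = []          # what the iptables action would have applied

    def banip(self, ip):
        """Equivalent of `fail2ban-client set <jail> banip <ip>`: queue only."""
        self.pending.append(ip)

    def _modified(self):
        # Simplification: compare mtime and size rather than mtime alone, so
        # two appends within one timestamp tick still count as a change.
        st = os.stat(self.logpath)
        sig = (st.st_mtime_ns, st.st_size)
        changed = sig != self.last_stat
        self.last_stat = sig
        return changed

    def tick(self):
        """One pass of the polling loop. Returns the IPs banned on this pass."""
        if not self._modified():
            return []                          # idle tick: queue is not flushed
        with open(self.logpath) as fh:
            fh.seek(self.offset)
            for line in fh:
                m = SSHD_FAIL.search(line)
                if m:
                    ip = m.group(1)
                    self.failures[ip] = self.failures.get(ip, 0) + 1
                    if self.failures[ip] >= self.maxretry:
                        self.pending.append(ip)
                        self.failures[ip] = 0
            self.offset = fh.tell()
        # Only now are queued tickets handed to the action.
        newly = [ip for ip in self.pending if ip not in self.banned]
        self.banned.extend(newly)
        self.pending.clear()
        return newly


def demo():
    """Replay the question's observation against a constructed auth.log."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as fh:   # constructed sample line
            fh.write("May 22 15:25:01 node1 sshd[100]: Accepted publickey "
                     "for ops from 10.0.0.5 port 50000 ssh2\n")
        jail = PollingJail(log)
        jail.tick()                               # initial read of the log

        jail.banip("1.2.3.4")                     # manual ban at "15:26"
        idle = [jail.tick() for _ in range(3)]    # nothing writes to auth.log

        with open(log, "a") as fh:                # the cron line at "15:30"
            fh.write("May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): "
                     "session opened for user root by (uid=0)\n")
        after_cron = jail.tick()

        with open(log, "a") as fh:                # three failures from one IP
            for _ in range(3):
                fh.write("May 22 15:31:00 node1 sshd[200]: Failed password "
                         "for root from 5.6.7.8 port 4444 ssh2\n")
        after_bruteforce = jail.tick()

        return {"idle": idle, "after_cron": after_cron,
                "after_bruteforce": after_bruteforce}


if __name__ == "__main__":
    print(demo())
```

The idle ticks return nothing even though a ticket is queued; the first tick after the cron line lands in the log flushes 1.2.3.4, and a log-driven ban (three failures) goes through the same flush. On a default Ubuntu rsyslog setup, one practical way to confirm the hypothesis without waiting for cron is to write a line into auth.log yourself (for example with logger -p auth.notice test) right after the banip and watch whether the ban appears immediately in iptables -n -L fail2ban-ssh.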
