fail2ban receives events but does not trigger events


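I have set up fail2ban to monitor a service that I expose publicly outside my router. The file is being logged correctly, and fail2ban is picking up the events.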

2013-11-21 01:05:24,573 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:24,576 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:34,636 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:34,639 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:36,667 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:36,671 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:39,700 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:39,703 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:41,732 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:41,736 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:48,770 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:48,773 fail2ban.filter : DEBUG  File changed: /path/to/log.log

jail.conf:

[service-name]

enabled  = true
port     = 1234
filter   = service-name
action   = iptables[name=service-name, port=1234, protocol=tcp]
           sendmail-whois[name=service-name, [email protected]]
logpath  = /path/to/log.log
maxretry = 5

fail2ban/filter.d/service-name:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]
_daemon = service-name

failregex = .* Login failed from <HOST>

Sample log file:

[11-21-2013 00:12:00] Login failed from 192.168.1.2
[11-21-2013 01:01:23] Login failed from 192.168.1.2
[11-21-2013 01:01:33] Login failed from 192.168.1.2
[11-21-2013 01:01:35] Login failed from 192.168.1.2
[11-21-2013 01:01:38] Login failed from 192.168.1.2
[11-21-2013 01:01:39] Login failed from 192.168.1.2
[11-21-2013 01:01:47] Login failed from 192.168.1.2

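Any ideas on where to start?

Edit: I enabled SSH in jail.conf and it works fine, so fail2ban and iptables seem to be working, but the service is not.

Answer 1

I ran into the same situation and found that the time on the fail2ban server was incorrect.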
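
The following is an added example, not code from the original post or from the fail2ban project: a simplified model of a findtime window that shows why the log lines from the question stop counting toward maxretry when the server clock runs ahead of the log timestamps. The function names, the 600-second findtime and the one-hour skew are assumptions; the log format and maxretry = 5 come from the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format shown in the question.
SAMPLE_LOG = """\
[11-21-2013 00:12:00] Login failed from 192.168.1.2
[11-21-2013 01:01:23] Login failed from 192.168.1.2
[11-21-2013 01:01:33] Login failed from 192.168.1.2
[11-21-2013 01:01:35] Login failed from 192.168.1.2
[11-21-2013 01:01:38] Login failed from 192.168.1.2
[11-21-2013 01:01:39] Login failed from 192.168.1.2
[11-21-2013 01:01:47] Login failed from 192.168.1.2
"""

# Stand-in for the question's failregex; <HOST> is narrowed to IPv4 here.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\] "
    r"Login failed from (?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

CORRECT_NOW = datetime(2013, 11, 21, 1, 5, 50)  # clock agrees with the log
SKEWED_NOW = CORRECT_NOW + timedelta(hours=1)   # assumed one-hour clock error


def failures_in_window(log_text, now, findtime=600):
    """Count matching lines per host that are not older than now - findtime."""
    cutoff = now - timedelta(seconds=findtime)
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # line does not match the failure pattern
        ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S")
        if ts >= cutoff:  # entries older than the window are ignored
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def would_ban(log_text, now, maxretry=5, findtime=600):
    """Hosts whose in-window failure count reaches maxretry."""
    counts = failures_in_window(log_text, now, findtime)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, now in (("correct clock", CORRECT_NOW), ("skewed clock", SKEWED_NOW)):
        print(label, failures_in_window(SAMPLE_LOG, now), would_ban(SAMPLE_LOG, now))
```

With the correct clock the six recent failures fall inside the window and the host qualifies for a ban; with the skewed clock every entry looks too old and nothing is counted, even though each line still matches the pattern.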
