安装并配置 fail2ban 后,我尝试使用错误的密码通过 ssh 登录我的服务器。几次尝试后,我成功尝试使用正确的密码。因此,fail2ban 并未禁止用户 IP,允许他登录。无论我设置了什么规则,maxretry = 1 等。
我的 iptables -L 输出:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
这是调试日志,非完整版本如下:
root@host:~# fail2ban-client -v -v -v start
DEBUG Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/filter.d/sshd under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/filter.d/sshd.conf
DEBUG Reading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/common.local', '/etc/fail2ban/filter.d/sshd.conf']
DEBUG Reading configs for /etc/fail2ban/action.d/iptables under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/action.d/iptables.conf
DEBUG Reading files: ['/etc/fail2ban/action.d/iptables-blocktype.conf', '/etc/fail2ban/action.d/iptables-blocktype.local', '/etc/fail2ban/action.d/iptables.conf']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
[...] SKIPPED SOME READING CONFIG FILES here
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
INFO [# ] Waiting on the server...DEBUG Starting '/usr/bin/fail2ban-server' with args ['fail2ban-server', '-b', '-s', '/var/run/fail2ban/fail2ban.sock', '-p', '/var/run/fail2ban/fail2ban.pid']
2014-05-22 15:29:14,376 fail2ban.server : INFO Starting Fail2ban v0.8.11
2014-05-22 15:29:14,376 fail2ban.server : INFO Starting in daemon mode
DEBUG OK : 'pong'
DEBUG OK : 3
DEBUG OK : '/var/log/fail2ban.log'
DEBUG OK : 'ssh'
DEBUG OK : 'warn'
DEBUG OK : ['/var/log/auth.log']
DEBUG OK : 1
DEBUG OK : ['127.0.0.1/8']
DEBUG OK : 600
DEBUG OK : 600
DEBUG OK : ['^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)( via \\S+)?\\s*$']
DEBUG OK : ['^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)( via \\S+)?\\s*$', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)\\s*$']
[...] SKIPPED SOME REGEX HERE
DEBUG OK : 'iptables'
DEBUG OK : 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>'
DEBUG OK : 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>'
DEBUG OK : 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>'
DEBUG OK : 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>'
DEBUG OK : "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"
DEBUG OK : 'REJECT --reject-with icmp-port-unreachable'
DEBUG OK : 'tcp'
DEBUG OK : 'SSH'
DEBUG OK : 'INPUT'
DEBUG OK : 'ssh'
DEBUG OK : None
我的fail2ban.log,jail.local:
tail /var/log/fail2ban.log
2014-05-22 15:30:27,729 fail2ban.server : INFO Exiting Fail2ban
2014-05-22 15:30:32,668 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-05-22 15:30:32,668 fail2ban.jail : INFO Creating new jail 'ssh'
2014-05-22 15:30:32,668 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-05-22 15:30:32,679 fail2ban.jail : INFO Initiated 'polling' backend
2014-05-22 15:30:32,680 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-05-22 15:30:32,681 fail2ban.filter : INFO Set maxRetry = 1
2014-05-22 15:30:32,681 fail2ban.filter : INFO Set findtime = 600
2014-05-22 15:30:32,682 fail2ban.actions: INFO Set banTime = 600
2014-05-22 15:30:32,716 fail2ban.jail : INFO Jail 'ssh' started
尾部/etc/fail2ban/jail.local
[ssh]
enabled = true
logpath = /var/log/auth.log
filter = sshd
maxretry = 1
action = iptables[name=SSH, port=ssh, protocol=tcp]
port = ssh
tail /var/log/auth.log
tail /var/log/auth.log 是空的!
root@host:~# fail2ban-client -d
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh', 'polling']
['set', 'ssh', 'usedns', 'warn']
['set', 'ssh', 'addlogpath', '/var/log/auth.log']
['set', 'ssh', 'maxretry', 1]
['set', 'ssh', 'addignoreip', '127.0.0.1/8']
['set', 'ssh', 'findtime', 600]
['set', 'ssh', 'bantime', 600]
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \\S+)?\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*Failed \\S+ for .*? from <HOST>(?: port \\d*)?(?: ssh\\d*)?(: (ruser .*|(\\S+ ID \\S+ \\(serial \\d+\\) CA )?\\S+ (?:[\\da-f]{2}:){15}[\\da-f]{2}(, client user ".*", client host ".*")?))?\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because listed in DenyUsers\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not in any group\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*$']
['set', 'ssh', 'addfailregex', "^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
['set', 'ssh', 'addaction', 'iptables']
['set', 'ssh', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>']
['set', 'ssh', 'actionstop', 'iptables', 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'ssh', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>']
['set', 'ssh', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>']
['set', 'ssh', 'actioncheck', 'iptables', "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"]
['set', 'ssh', 'setcinfo', 'iptables', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'ssh', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh', 'setcinfo', 'iptables', 'chain', 'INPUT']
['set', 'ssh', 'setcinfo', 'iptables', 'port', 'ssh']
['start', 'ssh']
其他信息:
dpkg -l |grep fail
ii fail2ban 0.8.11-1 all ban hosts that cause multiple authentication errors
/etc/init.d/fail2ban status
* Status of authentication failure monitor * fail2ban is running
fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
有什么提示吗?谢谢观看!
答案1
不确定是否相关,但我删除并重新创建了 /var/log/auth.log,因为我需要清空它来调试情况
这很可能就是问题所在。很可能是 syslog 守护进程仍在向原始 fd 写入数据。您应该尝试重新启动 syslog 守护进程,看看它是否开始记录到正确的文件。
service rsyslog restart
一旦有消息发送到 auth.log,它就应该开始工作。
答案2
有时这是因为是__bsd_syslog_verbose
错误的。fail2ban 期望 /var/log/auth.log 以(即:2014.10.15)开始YYYY.MM.DD
,但日志读取MMM DD
(即:10 月 15 日)
要解决此问题,您需要执行以下操作:
cp /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local
编辑common.local
并设置:
__bsd_syslog_verbose = (<[^.]+ [^.]+>)
重新启动 fail2ban:
Ubuntu(不使用重启):
sudo service fail2ban stop
sudo service fail2ban start
答案3
pyinotify 中的问题:
https://github.com/fail2ban/fail2ban/issues/878
in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local
我改成"backend = auto"
了"backend = polling"
,一切都按预期工作;)
service fail2ban stop
service fail2ban start
答案4
/var/log/auth.log 很长时间都是空的,所以运行命令后:service rsyslog restart
现在,ssh 错误登录尝试后,IP 被禁止了!