Fail2Ban 未添加 iptables 规则

tag-icon tag-icon ssh fail2ban
Fail2Ban 未添加 iptables 规则

Fail2Ban 没有添加 iptables 规则来阻止攻击者。我正在运行 CentOS 6.5(32 位)

这是我所做的:

  • fail2ban 是通过 yum 使用 EPEL repo 安装的。
  • 我复制jail.conf到了jail.local

  • 我将 jail.local 的禁令时间改为 3600

    bantime  = 3600

对于 iptables,我定义了有关 SSH 的规则

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
3    fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

我的jail.localSSH 配置:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5

最新日志条目:

2014-08-13 10:11:04,481 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-08-13 10:11:04,482 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2014-08-13 10:11:04,514 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses pyinotify
2014-08-13 10:11:04,533 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2014-08-13 10:11:04,536 fail2ban.filter : INFO   Added logfile = /var/log/secure
2014-08-13 10:11:04,537 fail2ban.filter : INFO   Set maxRetry = 5
2014-08-13 10:11:04,540 fail2ban.filter : INFO   Set findtime = 600
2014-08-13 10:11:04,540 fail2ban.actions: INFO   Set banTime = 3600
2014-08-13 10:11:04,727 fail2ban.jail   : INFO   Jail 'ssh-iptables' started

然后我启动 fail2ban,但过了一会儿(大约一个小时)我检查/var/log/secure,发现仍然受到暴力攻击:

Aug 13 10:31:35 webhost sshd[15619]: Invalid user china from 128.199.147.79
Aug 13 10:31:35 webhost sshd[15620]: input_userauth_request: invalid user china
Aug 13 10:31:36 webhost sshd[15620]: Connection closed by 128.199.147.79
Aug 13 10:35:04 webhost sshd[15661]: Invalid user klaudia from 106.187.90.33
Aug 13 10:35:04 webhost sshd[15662]: input_userauth_request: invalid user klaudia
Aug 13 10:35:05 webhost sshd[15662]: Connection closed by 106.187.90.33
Aug 13 10:41:56 webhost sshd[15772]: Invalid user cassandra from 106.187.90.33
Aug 13 10:41:56 webhost sshd[15773]: input_userauth_request: invalid user cassandra
Aug 13 10:41:57 webhost sshd[15773]: Connection closed by 106.187.90.33
Aug 13 10:44:10 webhost sshd[15807]: Invalid user knight from 106.187.90.33
Aug 13 10:44:10 webhost sshd[15808]: input_userauth_request: invalid user knight
Aug 13 10:44:12 webhost sshd[15808]: Connection closed by 106.187.90.33

没有向 iptables 添加任何新规则...

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

如果我尝试使用以下命令调试该问题fail2ban-regex

fail2ban-regex  /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Running tests

Use   failregex file : /etc/fail2ban/filter.d/sshd.conf
Use         log file : /var/log/secure

Results

Failregex: 1374 total
|-  #) [# of hits] regular expression
|   5) [1374] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4615] MONTH Day Hour:Minute:Second
`-

Lines: 4615 lines, 0 ignored, 1374 matched, 3241 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 3241 lines
</code>

The missed lines are:

Lines: 4621 lines, 0 ignored, 1376 matched, 3245 missed
|- Missed line(s):
|  Aug 10 03:46:30 webhost sshd[12340]: input_userauth_request: invalid user simulator
|  Aug 10 03:46:30 webhost sshd[12340]: Connection closed by 106.187.90.33
|  Aug 10 03:55:01 webhost sshd[12430]: input_userauth_request: invalid user simulation
|  Aug 10 03:55:02 webhost sshd[12430]: Connection closed by 106.187.90.33
|  Aug 10 04:01:33 webhost sshd[12505]: Connection closed by 128.199.147.79
|  Aug 10 04:02:46 webhost sshd[12539]: reverse mapping checking getaddrinfo for new.jerl.im [128.199.254.179] failed - POSSIBLE BREAK-IN ATTEMPT!

我对 fail2ban 了解不够,不知道我的 sshd 过滤器出了什么问题。我以为默认配置就足够了?我该如何解决这个问题?

答案1

我遇到这个问题是因为“iptables”命令不起作用。我相信我可以通过更改以下行来解决这个问题

iptables = iptables <lockingopt>


iptables = /sbin/iptables <lockingopt>

但是,为了安全起见,而且因为我只使用 iptables-allports.conf,所以我只是用 /sbin/iptables 替换了该文件中的所有出现的内容。

答案2

检查您是否启用了 IPTABLES jail 和 SSH 过滤器。还要检查 f2b 日志 - f2b 是否试图禁止某人?

答案3

我不知道您使用的是 /var/log/secure 还是 /var/log/auth.log,但无论使用哪个日志,您都需要告诉 fail2ban 应该从哪个日志中读取,另外,如前所述,如果您更改了 ssh(22) 的默认端口,则需要再次告诉 fail2ban 并在防火墙(iptables 等)中打开它。正则表达式按预期工作,它匹配日志中的重要行,即

Aug 13 10:31:35 webhost sshd[15619]: Invalid user china from 128.199.147.79

它列出的其他缺失内容对 fail2ban 来说并不重要,因为它们没有提供<HOST><IP>fail2ban 需要启用客户端的禁止功能。因此,fail2ban 已正确设置 ssh,因此如果您的所有定义都符合您的系统设置,那么它应该被禁止,请记住,您必须触发“findtime”和“maxretry”值才能被禁止。不要忘记“$ fail2ban-client 重新加载' 在任何更改之后。

答案4

我注意到,如果您的监狱名称太长,它将不会被添加到 iptables。

您可以检查 /var/log/fail2ban.log 是否包含有关名称太长的警告,从而在创建 iptables 规则期间产生错误。

这将允许 fail2ban 检测并禁止,但实际上不会禁止,因为该规则在 iptables 配置中不存在(iptables -v -x -n -L )

相关内容