fail2ban
I am trying to set up fail2ban on an Ubuntu 12.04 x64 server. So far I have done the following:
apt-get install fail2ban
Made a copy of jail.conf as /etc/fail2ban/jail.conf.local. Here is an excerpt:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
Then I ran service fail2ban restart and can indeed see it running. Now I try logging in as various users (root, random users, etc.) several times in a row, but it does not block my IP address. I have installed it, it is running with the rules I set, and of course iptables has the INPUT chain set up.
When I cat /var/log/auth.log this is what I see:
Oct 26 08:55:21 prod sshd[10935]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 08:55:23 prod sshd[10935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:55:25 prod sshd[10935]: Failed password for root from 75.89.97.25 port 61449 ssh2
Oct 26 08:55:32 sshd[10935]: last message repeated 2 times
Oct 26 08:55:32 prod sshd[10935]: Connection closed by 75.89.97.25 [preauth]
Oct 26 08:55:32 prod sshd[10935]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:55:34 prod sshd[10944]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 08:55:35 prod sshd[10944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:55:37 prod sshd[10944]: Failed password for root from 75.89.97.25 port 61452 ssh2
Oct 26 08:55:44 sshd[10944]: last message repeated 2 times
Oct 26 08:55:44 prod sshd[10944]: Connection closed by 75.89.97.25 [preauth]
Oct 26 08:55:44 prod sshd[10944]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:55:47 prod sshd[10951]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 08:55:51 prod sshd[10951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:55:52 prod sshd[10951]: Failed password for root from 75.89.97.25 port 61455 ssh2
Oct 26 08:56:00 sshd[10951]: last message repeated 2 times
Oct 26 08:56:00 prod sshd[10951]: Connection closed by 75.89.97.25 [preauth]
Oct 26 08:56:00 prod sshd[10951]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:56:13 prod sshd[10971]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 08:56:15 prod sshd[10971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:56:16 prod sshd[10971]: Failed password for root from 75.89.97.25 port 61459 ssh2
Oct 26 08:56:22 sshd[10971]: last message repeated 2 times
Oct 26 08:56:22 prod sshd[10971]: Connection closed by 75.89.97.25 [preauth]
Oct 26 08:56:22 prod sshd[10971]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
Oct 26 08:57:18 prod sshd[11002]: Connection closed by 50.116.16.93 [preauth]
Oct 26 09:00:01 prod CRON[11099]: pam_unix(cron:session): session opened for user deploy by (uid=0)
Oct 26 09:00:02 prod CRON[11099]: pam_unix(cron:session): session closed for user deploy
Oct 26 09:02:18 prod sshd[11186]: Connection closed by 50.116.16.93 [preauth]
root@prod:/etc/fail2ban#
So it looks like I am being authenticated by sshd through PAM, but fail2ban is not blocking my IP address, and I can still attempt to log in and get in when I provide the correct credentials.
I would really like to get this working, since I recently discovered that my server is getting a lot of brute-force attacks. Any help would be greatly appreciated.
Answer 1
It looks like I needed to specify the backend to get this working. The default is gamin, but it does not work. I changed the config to backend = polling and fail2ban now works properly. I am not receiving any email notifications of bans, but I am close to figuring that out as well.
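A quick way to separate "the filter does not match my log" from "fail2ban is not reading the log" (the latter being what the answer above fixed by switching the backend) is to replay the jail's counting rule over the auth.log lines yourself, the way fail2ban-regex does. The script below is an added example, not code from the question, the answer or the fail2ban project: the two regexes are simplified stand-ins for the sshd filter's "Failed password" and "PAM N more authentication failures" patterns, and the log lines are constructed in the format of the excerpt above, using documentation addresses.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the auth.log excerpt above (documentation IPs, not real hosts).
SAMPLE_LOG = """\
Oct 26 08:55:25 prod sshd[10935]: Failed password for root from 192.0.2.10 port 61449 ssh2
Oct 26 08:55:32 prod sshd[10935]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Oct 26 08:55:37 prod sshd[10944]: Failed password for root from 192.0.2.10 port 61452 ssh2
Oct 26 08:56:00 prod sshd[10951]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2
Oct 26 08:57:18 prod sshd[11002]: Connection closed by 198.51.100.7 [preauth]
Oct 26 09:00:01 prod CRON[11099]: pam_unix(cron:session): session opened for user deploy by (uid=0)
Oct 26 09:30:00 prod sshd[11200]: Failed password for root from 198.51.100.7 port 50000 ssh2
Oct 26 09:45:00 prod sshd[11210]: Failed password for root from 198.51.100.7 port 50001 ssh2
Oct 26 09:50:00 prod sshd[11220]: Failed password for root from 198.51.100.7 port 50002 ssh2
"""

# Simplified stand-ins for two patterns of fail2ban's sshd filter (assumption: not copied
# from any fail2ban release). <ts> is the syslog timestamp, <host> the offending address.
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILREGEX = [
    re.compile(PREFIX + r"Failed \S+ for .*? from (?P<host>\S+)(?: port \d+)?(?: ssh\d*)?$"),
    re.compile(PREFIX + r"PAM \d+ more authentication failures?; .*\brhost=(?P<host>\S+)"),
]

def scan(log_text, maxretry=3, findtime=600, ignoreip=("127.0.0.1/8",)):
    """Replay the jail's counting rule: a host is banned once it has accumulated
    `maxretry` matching failures within any `findtime` seconds.
    Returns (failures-per-host within the current window, hosts that would be banned)."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    failures, banned = {}, []
    for line in log_text.splitlines():
        m = next(filter(None, (rx.match(line) for rx in FAILREGEX)), None)
        if m is None:
            continue                      # not a failure line; fail2ban ignores it
        host = m.group("host")
        try:
            if any(ip_address(host) in net for net in ignored):
                continue                  # ignoreip: never counted, never banned
        except ValueError:
            pass                          # not an IP literal (e.g. a hostname); count it
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        window = [t for t in failures.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return failures, banned
```

Calling scan(SAMPLE_LOG) bans 192.0.2.10 on its third failure, leaves 198.51.100.7 alone because its first failure fell outside findtime, and skips 127.0.0.1 through ignoreip; if your own log lines match like this but no ban ever appears, the problem is in log monitoring (the backend), not the filter.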