运行全新安装的 OpenSuse 13.2(运行 rsyslog)
我的jail.conf文件包含:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/messages
maxretry = 5
/var/log/消息:
2014-11-21T16:16:17.167566-05:00 suse sshd[31000]: error: PAM: Authentication failure for root from 62-210-172-145.rev.poneytelecom.eu
2014-11-21T16:16:17.232040-05:00 suse sshd[31000]: Received disconnect from 62.210.172.145: 11: [preauth]
2014-11-21T16:16:17.863395-05:00 suse sshd[31007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-172-145.rev.poneytelecom.eu user=root
fail2ban日志文件:
2014-11-21 21:10:06,426 fail2ban.server [30553]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2014-11-21 21:10:06,428 fail2ban.jail [30553]: INFO Creating new jail 'ssh-iptables'
2014-11-21 21:10:06,479 fail2ban.jail [30553]: INFO Jail 'ssh-iptables' uses pyinotify
2014-11-21 21:10:06,526 fail2ban.jail [30553]: INFO Initiated 'pyinotify' backend
2014-11-21 21:10:06,529 fail2ban.filter [30553]: INFO Added logfile = /var/log/messages
2014-11-21 21:10:06,532 fail2ban.filter [30553]: INFO Set maxRetry = 5
2014-11-21 21:10:06,537 fail2ban.filter [30553]: INFO Set findtime = 600
2014-11-21 21:10:06,539 fail2ban.actions[30553]: INFO Set banTime = -1
2014-11-21 21:10:06,639 fail2ban.jail [30553]: INFO Jail 'ssh-iptables' started
2014-11-21 21:10:21,142 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210- 172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,144 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,147 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,149 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,151 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
有什么想法为什么不禁止 IP?
server:/etc/fail2ban # fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/messages
| |- Currently failed: 0
| `- Total failed: 0
来自 fail2ban-regex 的结果
Results
=======
Failregex: 1256 total
|- #) [# of hits] regular expression
| 1) [858] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?: (?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)? \s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
| 2) [30] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| 3) [141] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
| 5) [227] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [33235] ISO 8601
`-
Lines: 33235 lines, 0 ignored, 1256 matched, 31979 missed
Missed line(s): too many to print. Use --print-all-missed to print all 31979 lines
答案1
您使用的是哪个版本的 fail2ban?我遇到了一些问题,fail2ban 附带默认的 OpenSuse 发行版。即使正则表达式匹配,它也不会禁止。现在我在 OpenSue 13.1 中使用 fail2ban-0.8.14-2.24.1.noarch.rpm,它运行良好。