I'm running Fail2Ban via Parallels Plesk 12.x on several CentOS 6 containers, with several active jails (apache-noscripts, plesk-apache, etc.). fail2ban.log gives me the banned IP address; however, I'd like to see which subscription the offender was hitting so that I can quickly open that particular subscription's error_log and determine the activity associated with the banned IP address before the ban. Is this possible? Opening 75+ error logs to search for the banned IP address every time I want to investigate further is not feasible. Each subscription's error log is being checked, so it seems there should be a way to get that information into fail2ban.log or somewhere else.
fail2ban.filter [1170]: INFO Added logfile = /var/www/vhosts/system/example.com/logs/error_log
I've been searching for an answer to this. Any help would be greatly appreciated.
Answer 1
Fail2ban can send an e-mail on every ban that includes whois information on the IP and the relevant lines from the log. This is done through actions.
Quoting jail.conf:
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
So an e-mail containing the whois report and the log lines can be sent automatically. Any other program can be triggered as well; for example, you could dump this information to a file.
Setting the default action:
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s
Setting the action per jail:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
action = %(action_mwl)s
Such a mail then looks like this (this one is specific to postfix, and shortened):
From: [email protected]
To: root@localhost
Subject: [Fail2Ban] postfix: banned 192.0.2.0
Hi,
The IP 192.0.2.0 has just been banned by Fail2Ban after
3 attempts against postfix.
Here are more information about 192.0.2.0:
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '192.0.2.0 - 192.0.2.255'
[... complete whois ...]
% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
Lines containing IP:192.0.2.0 in /var/log/mail.log
Mar 9 04:37:05 sendai postfix/smtpd/smtpd[25172]: connect from unknown[192.0.2.0]
Mar 9 04:37:07 sendai postfix/smtpd/smtpd[25172]: NOQUEUE: reject: RCPT from unknown[192.0.2.0]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.0]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<invalid.example.com>
Mar 9 04:37:14 sendai postfix/smtpd/smtpd[25172]: disconnect from unknown[192.0.2.0]
[... and many other lines ...]
Regards,
Fail2Ban
You can configure your mail client or mail server (using filters) to delete these mails automatically after three days and only look at them when you need to.
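The answer's "dump this information to a file" suggestion, applied to the asker's situation, as an added example that is not part of the original answer or of fail2ban itself: given a banned IP, find which Plesk subscription error_logs mention it and append those lines to one report file, so only that subscription's log needs to be opened. The vhost layout /var/www/vhosts/system/<domain>/logs/error_log is the one from the question; the sample log lines below are constructed for the demo, and the function names are my own. A script like this could be called from the actionban of a custom action.d file with the banned address substituted (that wiring is not shown here).

```shell
#!/bin/sh
# Added example (not from the original answer): locate the Plesk subscriptions
# whose error_log mentions a banned IP and write those lines to a report file.

# make_sample_logs ROOT: build a constructed vhost tree with three subscriptions
# (demo data only; on a real host ROOT would be /var/www/vhosts/system).
make_sample_logs() {
    root="$1"
    for d in example.com example.net example.org; do
        mkdir -p "$root/$d/logs"
    done
    cat > "$root/example.com/logs/error_log" <<'EOF'
[Mon Mar 09 04:37:05 2015] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/example.com/httpdocs/wp-login.php
[Mon Mar 09 04:37:06 2015] [error] [client 192.0.2.1] File does not exist: /var/www/vhosts/example.com/httpdocs/phpmyadmin
[Mon Mar 09 04:37:07 2015] [error] [client 192.0.2.1] File does not exist: /var/www/vhosts/example.com/httpdocs/pma
EOF
    cat > "$root/example.net/logs/error_log" <<'EOF'
[Mon Mar 09 04:40:00 2015] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/example.net/httpdocs/favicon.ico
EOF
    cat > "$root/example.org/logs/error_log" <<'EOF'
[Mon Mar 09 04:41:00 2015] [error] [client 192.0.2.1] File does not exist: /var/www/vhosts/example.org/httpdocs/admin
EOF
}

# subscriptions_for_ip IP ROOT: print, one per line, the subscription names
# whose error_log contains IP. -F treats the dots literally and -w requires a
# whole-word match, so 192.0.2.1 does not also match 192.0.2.10.
subscriptions_for_ip() {
    ip="$1"; root="$2"
    grep -Flw -- "$ip" "$root"/*/logs/error_log 2>/dev/null \
        | sed -e 's#/logs/error_log$##' -e 's#.*/##'
}

# count_hits IP ROOT: total number of error_log lines (all subscriptions) mentioning IP.
count_hits() {
    grep -Fhw -- "$1" "$2"/*/logs/error_log 2>/dev/null | wc -l | tr -d ' '
}

# write_ban_report IP ROOT OUT: append one block to OUT listing, per subscription,
# every error_log line that mentions IP. This is the step an actionban command
# would run with the banned address filled in.
write_ban_report() {
    ip="$1"; root="$2"; out="$3"
    {
        printf '== %s banned at %s ==\n' "$ip" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        for sub in $(subscriptions_for_ip "$ip" "$root"); do
            printf -- '-- %s --\n' "$sub"
            grep -Fw -- "$ip" "$root/$sub/logs/error_log"
        done
    } >> "$out"
}

# Demo on the constructed logs in a temporary directory.
demo_root=$(mktemp -d)
make_sample_logs "$demo_root/system"
write_ban_report 192.0.2.1 "$demo_root/system" "$demo_root/fail2ban-bans.log"
cat "$demo_root/fail2ban-bans.log"
rm -rf "$demo_root"
```

The report names only the subscriptions that actually saw the address (example.com and example.org in the demo), which is exactly the lookup the asker wants instead of opening 75+ error logs by hand; on a busy host, rotate or truncate the report file the same way the answer suggests expiring the mails.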