fail2ban: identifying the subscription-specific error log that caused an IP to be banned

I'm running Fail2Ban via Parallels Plesk 12.x on multiple CentOS 6 containers, with several active jails (apache-noscripts, plesk-apache, etc.). Fail2Ban.log provides the banned IP address; however, I would like to see which subscription the offender accessed so that I can quickly open that specific subscription's error_log and determine the activity associated with the banned IP address before the ban action. Is this possible, since opening 75+ error logs to search for the banned IP address every time I want to investigate further is not viable?

Each subscription's error log is being checked, so it seems there should be a way to surface this information in fail2ban.log or elsewhere:

fail2ban.filter [1170]: INFO Added logfile = /var/www/vhosts/system/example.com/logs/error_log

I have been searching for an answer to this. Any help is much appreciated.

Answer 1

Fail2ban can send an e-mail on every ban that includes whois information on the IP and the relevant lines from the log. This is done through actions.

Quoting jail.conf:

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

So it can automatically send an e-mail containing the whois data and the log lines. It can also trigger any other program; for example, you could dump this information to a file.

Setting the default action:

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s

Setting the action per jail:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
action   = %(action_mwl)s

Such a mail then looks like this (this one is postfix-specific and shortened):

From: [email protected]
To: root@localhost
Subject: [Fail2Ban] postfix: banned 192.0.2.0

Hi,

The IP 192.0.2.0 has just been banned by Fail2Ban after
3 attempts against postfix.


Here are more information about 192.0.2.0:

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '192.0.2.0 - 192.0.2.255'

[... complete whois ...]

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)


Lines containing IP:192.0.2.0 in /var/log/mail.log

Mar  9 04:37:05 sendai postfix/smtpd/smtpd[25172]: connect from unknown[192.0.2.0]
Mar  9 04:37:07 sendai postfix/smtpd/smtpd[25172]: NOQUEUE: reject: RCPT from unknown[192.0.2.0]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.0]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<invalid.example.com>
Mar  9 04:37:14 sendai postfix/smtpd/smtpd[25172]: disconnect from unknown[192.0.2.0]
[... and many other lines ...]


Regards,

Fail2Ban

You can configure your mail client or mail server (using filtering) to delete these mails automatically after three days and only look at them when needed.
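The answer's "dump this information to a file" route, applied to the asker's Plesk layout, as an added example that is not part of the original answer or of fail2ban itself: a small POSIX shell helper that a custom fail2ban action can call with the banned IP to record which subscription error_logs mention that address. It assumes the vhost layout `/var/www/vhosts/system/<domain>/logs/error_log` shown in the question's "Added logfile" line; the report path `/var/log/fail2ban-subscriptions.log`, the script name `find_subscription.sh` and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer or from fail2ban.
# Records which Plesk subscription error_logs contain a banned IP so you know
# which error_log to open. Assumptions: vhost logs live at
# /var/www/vhosts/system/<domain>/logs/error_log (layout from the question);
# the report file /var/log/fail2ban-subscriptions.log is a hypothetical name.

# find_subscriptions IP [VHOST_ROOT]
# Prints, one per line, each <domain> whose error_log contains IP as a whole
# address (192.0.2.1 must not match 192.0.2.10).
find_subscriptions() {
    ip="$1"
    root="${2:-/var/www/vhosts/system}"
    # Escape the dots so they match literally in the regex.
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
    for log in "$root"/*/logs/error_log; do
        [ -f "$log" ] || continue
        if grep -qE "(^|[^0-9])${pat}([^0-9]|$)" "$log"; then
            d=${log%/logs/error_log}
            printf '%s\n' "${d##*/}"
        fi
    done
}

# record_ban IP JAIL [VHOST_ROOT] [REPORT]
# Appends one "date time jail ip domain" line per matching subscription to
# REPORT; meant to be the actionban command of a custom fail2ban action.
record_ban() {
    ip="$1"; jail="$2"
    root="${3:-/var/www/vhosts/system}"
    report="${4:-/var/log/fail2ban-subscriptions.log}"
    find_subscriptions "$ip" "$root" | while read -r domain; do
        printf '%s %s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
            "$jail" "$ip" "$domain" >> "$report"
    done
}

# make_sample_logs: builds a throwaway vhost tree with constructed Apache 2.2
# style error_log lines (sample data, not real traffic) and prints its path.
make_sample_logs() {
    root=$(mktemp -d)
    for d in example.com example.net example.org; do
        mkdir -p "$root/$d/logs"
    done
    cat > "$root/example.com/logs/error_log" <<'EOF'
[Mon Mar 09 04:37:05 2015] [error] [client 192.0.2.0] File does not exist: /var/www/vhosts/example.com/httpdocs/phpmyadmin
[Mon Mar 09 04:37:06 2015] [error] [client 192.0.2.0] File does not exist: /var/www/vhosts/example.com/httpdocs/wp-login.php
EOF
    cat > "$root/example.net/logs/error_log" <<'EOF'
[Mon Mar 09 04:40:11 2015] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/example.net/httpdocs/favicon.ico
EOF
    cat > "$root/example.org/logs/error_log" <<'EOF'
[Mon Mar 09 04:41:02 2015] [error] [client 192.0.2.0] script not found or unable to stat: /var/www/vhosts/example.org/cgi-bin/test.cgi
EOF
    printf '%s\n' "$root"
}

# Stand-alone use, e.g. from a custom /etc/fail2ban/action.d/ file:
#   actionban = /usr/local/sbin/find_subscription.sh <ip> <name>
# (fail2ban substitutes the banned address for <ip> and the jail name for
# <name>). With no arguments nothing runs, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    record_ban "$1" "${2:-manual}"
fi
```

The IP is matched with a digit-boundary regex rather than a plain `grep IP`, because a fixed-string search for 192.0.2.1 would also hit 192.0.2.10 and send you to the wrong subscription. Because fail2ban runs the action as root, the report file is writable; the `ip`, `jail`, `root` and `report` variables are global (POSIX sh has no `local`), which is fine for a script that handles one ban per invocation.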
