我已经按照本教程设置了 fail2banhttp://wireflare.com/permanently-ban-repeat-offenders-with-fail2ban/看起来似乎有效。但攻击者正在更改他们的 IP,这就是我决定手动阻止 Range 的原因。
这是“iptables -S”的输出
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N fail2ban-apache
-N fail2ban-apache-overflows
-N fail2ban-ip-blocklist
-N fail2ban-postfix
-N fail2ban-proftpd
-N fail2ban-repeatoffender
-N fail2ban-sasl
-N fail2ban-sasl-blocklist
-N fail2ban-ssh
-N fail2ban-ssh-blocklist
-N fail2ban-ssh-ddos
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-blocklist
-A INPUT -p tcp -j fail2ban-ip-blocklist
-A INPUT -p tcp -j fail2ban-repeatoffender
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995 -j fail2ban-sasl-blocklist
-A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995 -j fail2ban-sasl
-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j fail2ban-proftpd
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -j LOG
-A INPUT -j LOG
-A INPUT -s 43.255.190.0/24 -j DROP
-A INPUT -s 77.35.0.0/16 -j DROP
-A INPUT -s 221.229.0.0/16 -j DROP
-A INPUT -s 58.218.0.0/16 -j DROP
-A INPUT -s 31.184.0.0/16 -j DROP
-A INPUT -s 66.135.38.0/24 -j DROP
-A INPUT -s 95.70.0.0/16 -j DROP
-A INPUT -s 90.151.0.0/16 -j DROP
-A INPUT -s 93.177.0.0/16 -j DROP
-A INPUT -s 59.45.0.0/16 -j DROP
-A INPUT -s 182.100.0.0/16 -j DROP
-A INPUT -s 95.70.0.0/16 -j DROP
-A INPUT -s 80.82.0.0/16 -j DROP
-A INPUT -s 43.255.0.0/16 -j DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j LOG
-A FORWARD -j LOG
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A fail2ban-apache -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-ip-blocklist -s 80.82.70.167/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 95.70.11.191/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 90.151.18.181/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 95.70.118.101/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 93.177.38.30/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 77.35.237.38/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 77.35.123.98/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.188/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 66.135.38.206/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 194.63.142.101/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 182.100.67.115/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.152/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 95.70.120.147/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.139/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.126/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.93/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.144/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 59.45.79.116/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.171/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 58.218.204.248/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.168/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.89/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.118/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 31.184.194.115/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 58.218.204.226/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 221.229.166.29/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 117.21.174.111/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 78.37.215.18/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 43.255.190.191/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -s 221.229.166.30/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ip-blocklist -j RETURN
-A fail2ban-postfix -s 95.159.158.40/32 -j DROP
-A fail2ban-postfix -s 77.35.24.1/32 -j DROP
-A fail2ban-postfix -s 95.53.63.247/32 -j DROP
-A fail2ban-postfix -s 95.159.171.246/32 -j DROP
-A fail2ban-postfix -s 77.35.252.25/32 -j DROP
-A fail2ban-postfix -s 77.35.31.133/32 -j DROP
-A fail2ban-postfix -s 95.73.6.87/32 -j DROP
-A fail2ban-postfix -s 198.0.140.14/32 -j DROP
-A fail2ban-postfix -s 90.151.18.181/32 -j DROP
-A fail2ban-postfix -s 95.70.11.191/32 -j DROP
-A fail2ban-postfix -s 77.35.123.98/32 -j DROP
-A fail2ban-postfix -s 95.70.118.101/32 -j DROP
-A fail2ban-postfix -s 93.177.38.30/32 -j DROP
-A fail2ban-postfix -s 77.35.237.38/32 -j DROP
-A fail2ban-postfix -s 176.51.127.83/32 -j DROP
-A fail2ban-postfix -s 42.112.20.51/32 -j DROP
-A fail2ban-postfix -s 95.70.120.147/32 -j DROP
-A fail2ban-postfix -s 78.37.215.18/32 -j DROP
-A fail2ban-postfix -j RETURN
-A fail2ban-proftpd -j RETURN
-A fail2ban-repeatoffender -j RETURN
-A fail2ban-sasl -s 95.159.158.40/32 -j DROP
-A fail2ban-sasl -s 77.35.24.1/32 -j DROP
-A fail2ban-sasl -s 95.53.63.247/32 -j DROP
-A fail2ban-sasl -s 95.159.171.246/32 -j DROP
-A fail2ban-sasl -s 77.35.252.25/32 -j DROP
-A fail2ban-sasl -s 77.35.31.133/32 -j DROP
-A fail2ban-sasl -s 95.73.6.87/32 -j DROP
-A fail2ban-sasl -s 198.0.140.14/32 -j DROP
-A fail2ban-sasl -s 90.151.18.181/32 -j DROP
-A fail2ban-sasl -s 95.70.11.191/32 -j DROP
-A fail2ban-sasl -s 80.82.70.167/32 -j DROP
-A fail2ban-sasl -s 77.35.123.98/32 -j DROP
-A fail2ban-sasl -s 95.70.118.101/32 -j DROP
-A fail2ban-sasl -s 93.177.38.30/32 -j DROP
-A fail2ban-sasl -s 77.35.237.38/32 -j DROP
-A fail2ban-sasl -s 176.51.127.83/32 -j DROP
-A fail2ban-sasl -s 42.112.20.51/32 -j DROP
-A fail2ban-sasl -s 95.70.120.147/32 -j DROP
-A fail2ban-sasl -s 78.37.215.18/32 -j DROP
-A fail2ban-sasl -s 194.63.142.101/32 -j DROP
-A fail2ban-sasl -j RETURN
-A fail2ban-sasl-blocklist -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-blocklist -j RETURN
-A fail2ban-ssh-ddos -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 587 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 587 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 115 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 571 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 571 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -s 77.35.0.0/16 -j DROP
-A ufw-user-input -s 95.159.0.0/16 -j DROP
-A ufw-user-input -s 95.53.0.0/16 -j DROP
-A ufw-user-input -s 95.73.0.0/16 -j DROP
-A ufw-user-input -s 198.0.0.0/16 -j DROP
-A ufw-user-input -s 90.151.0.0/16 -j DROP
-A ufw-user-input -s 80.82.0.0/16 -j DROP
-A ufw-user-input -s 93.177.0.0/16 -j DROP
-A ufw-user-input -s 176.51.0.0/16 -j DROP
-A ufw-user-input -s 195.70.0.0/16 -j DROP
-A ufw-user-input -s 194.63.0.0/16 -j DROP
-A ufw-user-input -s 78.37.0.0/16 -j DROP
-A ufw-user-input -s 42.112.0.0/16 -j DROP
-A ufw-user-input -s 95.70.0.0/16 -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
/var/log/fail2ban.log
2015-04-15 13:56:13,584 fail2ban.actions: WARNING [sasl] Ban 198.0.140.14
2015-04-15 13:56:13,801 fail2ban.actions: WARNING [postfix] Ban 198.0.140.14
2015-04-15 15:20:58,784 fail2ban.actions: WARNING [sasl] Unban 90.151.18.181
2015-04-15 15:21:14,591 fail2ban.actions: WARNING [postfix] Unban 90.151.18.181
2015-04-15 15:21:18,634 fail2ban.actions: WARNING [postfix] Unban 95.70.11.191
2015-04-15 15:21:22,693 fail2ban.actions: WARNING [postfix] Unban 77.35.123.98
2015-04-15 15:21:27,751 fail2ban.actions: WARNING [postfix] Unban 77.35.237.38
2015-04-15 15:21:31,811 fail2ban.actions: WARNING [postfix] Unban 93.177.38.30
2015-04-15 15:21:34,865 fail2ban.actions: WARNING [postfix] Unban 95.70.118.101
2015-04-15 15:22:04,983 fail2ban.actions: WARNING [sasl] Unban 95.70.11.191
2015-04-15 15:22:09,044 fail2ban.actions: WARNING [sasl] Unban 77.35.123.98
2015-04-15 15:22:12,107 fail2ban.actions: WARNING [sasl] Unban 77.35.237.38
2015-04-15 15:22:15,158 fail2ban.actions: WARNING [sasl] Unban 93.177.38.30
2015-04-15 15:22:21,207 fail2ban.actions: WARNING [sasl] Unban 95.70.118.101
2015-04-15 15:22:25,278 fail2ban.actions: WARNING [sasl] Unban 80.82.70.167
2015-04-15 16:59:03,918 fail2ban.actions: WARNING [postfix] Ban 95.73.6.87
2015-04-15 16:59:04,269 fail2ban.actions: WARNING [sasl] Ban 95.73.6.87
2015-04-15 16:59:09,901 fail2ban.actions: WARNING [postfix] 95.73.6.87 already banned
2015-04-15 16:59:18,115 fail2ban.actions: WARNING [sasl] 95.73.6.87 already banned
2015-04-15 16:59:28,924 fail2ban.actions: WARNING [postfix] Ban 77.35.31.133
2015-04-15 16:59:29,127 fail2ban.actions: WARNING [sasl] Ban 77.35.31.133
2015-04-15 16:59:43,671 fail2ban.actions: WARNING [postfix] Ban 77.35.252.25
2015-04-15 16:59:44,875 fail2ban.actions: WARNING [sasl] Ban 77.35.252.25
2015-04-15 17:00:03,713 fail2ban.actions: WARNING [sasl] Ban 95.159.171.246
2015-04-15 17:00:04,045 fail2ban.actions: WARNING [postfix] Ban 95.159.171.246
2015-04-15 17:00:16,605 fail2ban.actions: WARNING [postfix] Ban 95.53.63.247
2015-04-15 17:00:17,177 fail2ban.actions: WARNING [sasl] Ban 95.53.63.247
2015-04-15 19:56:13,801 fail2ban.actions: WARNING [postfix] Unban 198.0.140.14
2015-04-15 19:56:14,229 fail2ban.actions: WARNING [sasl] Unban 198.0.140.14
2015-04-15 20:06:30,405 fail2ban.filter : WARNING Unable to find a corresponding IP address for time
2015-04-15 20:06:30,470 fail2ban.filter : WARNING Unable to find a corresponding IP address for time
2015-04-15 20:06:32,709 fail2ban.actions: WARNING [repeatoffender] Ban 221.229.166.30
2015-04-15 20:06:33,207 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.191
2015-04-15 20:06:34,083 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.190
2015-04-15 20:06:34,937 fail2ban.actions: WARNING [repeatoffender] Ban 90.151.18.181
2015-04-15 20:06:35,340 fail2ban.actions: WARNING [repeatoffender] Ban 78.37.215.18
2015-04-15 20:06:35,741 fail2ban.actions: WARNING [repeatoffender] Ban 117.21.174.111
2015-04-15 20:06:36,142 fail2ban.actions: WARNING [repeatoffender] Ban 221.229.166.29
2015-04-15 20:06:36,551 fail2ban.actions: WARNING [repeatoffender] Ban 58.218.204.226
2015-04-15 20:06:36,953 fail2ban.actions: WARNING [repeatoffender] Ban 31.184.194.115
2015-04-15 20:06:37,386 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.118
2015-04-15 20:06:38,220 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.117
2015-04-15 20:06:39,069 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.116
2015-04-15 20:06:39,899 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.152
2015-04-15 20:06:40,759 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.168
2015-04-15 20:06:41,637 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.163
2015-04-15 20:06:42,492 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.160
2015-04-15 20:06:43,189 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.167
2015-04-15 20:06:43,845 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.164
2015-04-15 20:06:44,503 fail2ban.actions: WARNING [repeatoffender] Ban 43.255.190.165
2015-04-15 20:06:45,171 fail2ban.actions: WARNING [repeatoffender] Ban 58.218.204.248
/etc/fail2ban/jail.conf
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
findtime = 10800
bantime = 21600
maxretry = 3
action = %(action_mwl)s
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
#destemail = admin@domain, [email protected]
sendermail = admin@domain
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
action = %(action_mwl)s
[dropbear]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3
action = %(action_mwl)s
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
action = %(action_mwl)s
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
action = %(action_mwl)s
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/auth.log
maxretry = 6
action = %(action_mwl)s
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
action = %(action_mwl)s
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
maxretry = 3
action = %(action_mwl)s
[sasl-blocklist]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/blocklist-error.log
maxretry = 3
bantime = 86400
action = %(action_mwl)s
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
[ssh-blocklist]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/blocklist-error.log
maxretry = 4
action = %(action_mwl)s
[repeatoffender]
enabled = true
filter = repeatoffender
action = repeatoffender[name=repeatoffender]
sendmail-whois[name=Repeat-Offender, dest=admin@domain, sender=fail2ban@domain]
logpath = /var/log/fail2ban*
maxretry = 3
findtime = 31536000
bantime = -1
正如你在输出中看到的iptables我屏蔽了 IP 范围,但他们仍然试图访问服务器。我的 fail2ban jail 有问题吗?我不知道。
答案1
使用:
iptables -I INPUT -s 77.35.0.0/16 -j DROP
iptables -I INPUT -s 95.159.0.0/16 -j DROP