I am on Fedora 21, and port 22 is open for ssh connections.
I am using key-based authentication, with password login and root login disabled.
My logs are flooded with messages like the ones appended at the end of this post.
I am using shorewall; is there a native way to blacklist an IP for 2 days after 3 failed connection attempts?
If not, what would the fail2ban regex look like?
$ journalctl -u sshd
Jun 06 10:16:01 fedora sshd[27659]: input_userauth_request: invalid user admin [preauth]
Jun 06 10:16:01 fedora sshd[27659]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:02 fedora sshd[27661]: Invalid user support from 195.154.56.58
Jun 06 10:16:02 fedora sshd[27661]: input_userauth_request: invalid user support [preauth]
Jun 06 10:16:02 fedora sshd[27661]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:14 fedora sshd[27663]: Invalid user ubnt from 195.154.56.58
Jun 06 10:16:14 fedora sshd[27663]: input_userauth_request: invalid user ubnt [preauth]
Jun 06 10:16:14 fedora sshd[27663]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:18 fedora sshd[27665]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:21 fedora sshd[27668]: Invalid user user from 195.154.56.58
Jun 06 10:16:21 fedora sshd[27668]: input_userauth_request: invalid user user [preauth]
Jun 06 10:16:21 fedora sshd[27668]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:32 fedora sshd[27670]: Did not receive identification string from 195.154.56.58
Jun 06 11:25:38 fedora sshd[27832]: Did not receive identification string from 92.27.215.72
Jun 06 11:26:52 fedora sshd[27836]: Invalid user usuario from 92.27.215.72
Jun 06 11:26:52 fedora sshd[27836]: input_userauth_request: invalid user usuario [preauth]
Jun 06 11:26:52 fedora sshd[27836]: Connection closed by 92.27.215.72 [preauth]
Jun 06 11:40:39 fedora sshd[27865]: reverse mapping checking getaddrinfo for 62-210-7-55.rev.poneytelecom.eu [62.210.7.55] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 06 11:40:39 fedora sshd[27865]: Invalid user admin from 62.210.7.55
Jun 06 11:40:39 fedora sshd[27865]: input_userauth_request: invalid user admin [preauth]
Jun 06 11:40:39 fedora sshd[27865]: error: Received disconnect from 62.210.7.55: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 11:40:44 fedora sshd[27867]: reverse mapping checking getaddrinfo for 62-210-7-55.rev.poneytelecom.eu [62.210.7.55] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 06 11:40:44 fedora sshd[27867]: Invalid user support from 62.210.7.55
Jun 06 11:40:44 fedora sshd[27867]: input_userauth_request: invalid user support [preauth]
Answer 1
The following configuration seems to work with fail2ban and does what is needed.
My original configuration was wrong because I had written [DEFAULT] as [default].
$ cat /etc/fail2ban/jail.local
[DEFAULT]
bantime = 172800
findtime = 3600
maxretry = 3
backend = systemd
action = shorewall
[sshd]
enabled = true
[sshd-ddos]
enabled = true
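To make the question's "what would the regex look like" concrete, here is an added example (my code, not from the question, the answer, or the fail2ban project) that applies fail2ban-style failregex patterns and the maxretry/findtime/bantime logic from the jail above to a constructed excerpt of the journal lines shown in the question. The three patterns cover the lines that carry a source address ("Invalid user ... from", the jsch "Auth fail" disconnect, and "Did not receive identification string"); the "input_userauth_request" lines contain no IP, so nothing can be counted against them. The year 2015 is assumed because journald's short timestamp has none. The ban itself is simulated: with `action = shorewall`, fail2ban's shorewall action runs `shorewall drop <ip>` and later `shorewall allow <ip>`, which (my understanding, not stated on the page) requires dynamic blacklisting to be enabled in shorewall.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, copied from the shape of the journal excerpt in the question.
SAMPLE_LOG = """\
Jun 06 10:16:01 fedora sshd[27659]: input_userauth_request: invalid user admin [preauth]
Jun 06 10:16:01 fedora sshd[27659]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:02 fedora sshd[27661]: Invalid user support from 195.154.56.58
Jun 06 10:16:02 fedora sshd[27661]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:14 fedora sshd[27663]: Invalid user ubnt from 195.154.56.58
Jun 06 10:16:32 fedora sshd[27670]: Did not receive identification string from 195.154.56.58
Jun 06 11:25:38 fedora sshd[27832]: Did not receive identification string from 92.27.215.72
Jun 06 11:26:52 fedora sshd[27836]: Invalid user usuario from 92.27.215.72
Jun 06 11:40:39 fedora sshd[27865]: Invalid user admin from 62.210.7.55
Jun 06 11:40:44 fedora sshd[27867]: Invalid user support from 62.210.7.55
"""

# fail2ban writes <HOST> in its filters; here it is spelled out as an IPv4 capture.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILREGEX = [
    re.compile(PREFIX + r"Invalid user \S+ from " + HOST + r"\s*$"),
    re.compile(PREFIX + r"error: Received disconnect from " + HOST
               + r": 3: .*Auth fail \[preauth\]\s*$"),
    re.compile(PREFIX + r"Did not receive identification string from " + HOST + r"\s*$"),
]

ASSUMED_YEAR = 2015  # journald short timestamps carry no year


def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every line matching one of FAILREGEX."""
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                yield ts.replace(year=ASSUMED_YEAR), m.group("host")
                break


def find_bans(log_text, maxretry=3, findtime=3600, bantime=172800):
    """Simulate the jail: ban an IP once it has maxretry failures within findtime
    seconds, for bantime seconds. Returns {ip: ban_expiry}."""
    window = defaultdict(deque)  # per-IP timestamps inside the findtime window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip]:
            continue  # traffic from a dropped host never reaches sshd, so no new hits
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


def shorewall_commands(bans):
    """Commands the fail2ban shorewall action would run for each ban (and its unban)."""
    return [(["shorewall", "drop", ip], ["shorewall", "allow", ip]) for ip in sorted(bans)]


if __name__ == "__main__":
    for ip, expiry in find_bans(SAMPLE_LOG).items():
        print(f"{ip} banned until {expiry.isoformat()}")
    for ban_cmd, unban_cmd in shorewall_commands(find_bans(SAMPLE_LOG)):
        print(" ".join(ban_cmd), "->", " ".join(unban_cmd))
```

On the sample, only 195.154.56.58 reaches three hits inside an hour (two jsch "Auth fail" disconnects plus one "Invalid user" line, all at 10:16), so it is the only address banned, until Jun 08 10:16:02; the other two hosts stop at two hits each and would only be caught with maxretry = 2. Note that one failed login produces two matching lines here (the "Invalid user" line and the disconnect), so maxretry = 3 fires after the second attempt; a real filter would usually match only one of them per attempt.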