Shorewall: blocking IPs that repeatedly fail on port 22

I am on Fedora 21, and port 22 is open for ssh connections.

I am using key-based authentication, with password and root logins disabled.

My logs are flooded with messages like the ones appended at the end of this post.

I am using shorewall; is there a native way to blacklist an IP for 2 days after 3 failed connection attempts?

If not, what would the fail2ban regex look like?

$ journalctl -u sshd

Jun 06 10:16:01 fedora sshd[27659]: input_userauth_request: invalid user admin [preauth]
Jun 06 10:16:01 fedora sshd[27659]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:02 fedora sshd[27661]: Invalid user support from 195.154.56.58
Jun 06 10:16:02 fedora sshd[27661]: input_userauth_request: invalid user support [preauth]
Jun 06 10:16:02 fedora sshd[27661]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:14 fedora sshd[27663]: Invalid user ubnt from 195.154.56.58
Jun 06 10:16:14 fedora sshd[27663]: input_userauth_request: invalid user ubnt [preauth]
Jun 06 10:16:14 fedora sshd[27663]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:18 fedora sshd[27665]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:21 fedora sshd[27668]: Invalid user user from 195.154.56.58
Jun 06 10:16:21 fedora sshd[27668]: input_userauth_request: invalid user user [preauth]
Jun 06 10:16:21 fedora sshd[27668]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:32 fedora sshd[27670]: Did not receive identification string from 195.154.56.58
Jun 06 11:25:38 fedora sshd[27832]: Did not receive identification string from 92.27.215.72
Jun 06 11:26:52 fedora sshd[27836]: Invalid user usuario from 92.27.215.72
Jun 06 11:26:52 fedora sshd[27836]: input_userauth_request: invalid user usuario [preauth]
Jun 06 11:26:52 fedora sshd[27836]: Connection closed by 92.27.215.72 [preauth]
Jun 06 11:40:39 fedora sshd[27865]: reverse mapping checking getaddrinfo for 62-210-7-55.rev.poneytelecom.eu [62.210.7.55] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 06 11:40:39 fedora sshd[27865]: Invalid user admin from 62.210.7.55
Jun 06 11:40:39 fedora sshd[27865]: input_userauth_request: invalid user admin [preauth]
Jun 06 11:40:39 fedora sshd[27865]: error: Received disconnect from 62.210.7.55: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 11:40:44 fedora sshd[27867]: reverse mapping checking getaddrinfo for 62-210-7-55.rev.poneytelecom.eu [62.210.7.55] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 06 11:40:44 fedora sshd[27867]: Invalid user support from 62.210.7.55
Jun 06 11:40:44 fedora sshd[27867]: input_userauth_request: invalid user support [preauth]

Answer 1

The following configuration seems to work with fail2ban and does what is needed.

My original configuration was wrong because I had written [default] instead of [DEFAULT].

$ cat /etc/fail2ban/jail.local
[DEFAULT]
bantime = 172800
findtime = 3600
maxretry = 3
backend = systemd
action = shorewall

[sshd]
enabled = true

[sshd-ddos]
enabled = true
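To see what the thresholds above (maxretry = 3 within findtime = 3600 s, bantime = 172800 s) do to the kind of sshd lines shown in the question, here is an added simulation that is not part of the answer or of fail2ban itself. It uses simplified failure patterns modelled on the question's log lines (fail2ban's real filter.d/sshd.conf is more thorough), a constructed sample log, and an assumed year of 2015 because the journald short format carries none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the journalctl output in the question.
SAMPLE_LOG = """\
Jun 06 10:16:01 fedora sshd[27659]: error: Received disconnect from 195.154.56.58: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 06 10:16:02 fedora sshd[27661]: Invalid user support from 195.154.56.58
Jun 06 10:16:14 fedora sshd[27663]: Invalid user ubnt from 195.154.56.58
Jun 06 10:16:21 fedora sshd[27668]: Invalid user user from 195.154.56.58
Jun 06 11:25:38 fedora sshd[27832]: Did not receive identification string from 92.27.215.72
Jun 06 11:26:52 fedora sshd[27836]: Invalid user usuario from 92.27.215.72
Jun 06 11:40:39 fedora sshd[27865]: Invalid user admin from 62.210.7.55
Jun 06 11:40:44 fedora sshd[27867]: Invalid user support from 62.210.7.55
"""

# Simplified failure patterns derived from the question's lines (not fail2ban's own regexes).
FAILURE_PATTERNS = [
    re.compile(r"Invalid user \S+ from (?P<host>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"Received disconnect from (?P<host>\d+\.\d+\.\d+\.\d+): 3: .*Auth fail"),
    re.compile(r"Did not receive identification string from (?P<host>\d+\.\d+\.\d+\.\d+)"),
]
LOG_YEAR = 2015  # assumed: the journald short timestamp has no year

def parse_failures(log_text):
    """Yield (timestamp, host) for every line that matches a failure pattern."""
    for line in log_text.splitlines():
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                ts = datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
                yield ts, m.group("host")
                break

def simulate_jail(log_text, maxretry=3, findtime=3600, bantime=172800):
    """Apply the jail.local thresholds: ban a host on its maxretry-th failure
    within a findtime-second window. Returns {host: (ban_start, ban_end)}."""
    recent, bans = {}, {}
    for ts, host in parse_failures(log_text):
        if host in bans:
            continue  # already banned; shorewall is dropping this host
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans

if __name__ == "__main__":
    for host, (start, end) in simulate_jail(SAMPLE_LOG).items():
        print(f"shorewall drop {host}  # banned {start} until {end}")
```

With the sample above only 195.154.56.58 reaches three failures inside an hour, so it is the only host the shorewall action would drop; the other two stop at two failures each.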
