我正在尝试配置 fail2ban 以阻止来自本地主机的 ssh。Fail2ban 安装在带有防火墙的 CentOS 7 上(Linux 3.10.0-229.4.2.el7.x86_64 x86_64)。我已将 jail.conf 复制到 jail.local,我已在 jail.local 中更改了以下参数:
banaction = firewallcmd-new
[sshd]
enabled = true
maxretry = 5
port = ssh
logpath = /var/log/secure
action = firewallcmd-ipset
但我没有得到任何结果。有什么想法吗?
一些日志信息:
Jun 23 07:21:33 localhost.localdomain fail2ban-client[2486]: 2015-06-23 07:21:33,351 fail2ban.server [2487]: INFO Starting Fail2ban v0.9.1
Jun 23 07:21:33 localhost.localdomain fail2ban-client[2486]: 2015-06-23 07:21:33,351 fail2ban.server [2487]: INFO Starting in daemon mode
Jun 23 07:21:33 localhost.localdomain systemd[1]: Started Fail2Ban Service.
2015-06-23 07:14:27,571 fail2ban.server [1926]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-06-23 07:14:27,710 fail2ban.database [1926]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-06-23 07:14:27,788 fail2ban.jail [1926]: INFO Creating new jail 'sshd'
2015-06-23 07:14:27,923 fail2ban.jail [1926]: INFO Jail 'sshd' uses poller
2015-06-23 07:14:27,985 fail2ban.filter [1926]: INFO Set jail log file encoding to UTF-8
2015-06-23 07:14:27,985 fail2ban.jail [1926]: INFO Initiated 'polling' backend
2015-06-23 07:14:28,063 fail2ban.filter [1926]: INFO Added logfile = /var/log/secure
2015-06-23 07:14:28,064 fail2ban.filter [1926]: INFO Set maxRetry = 2
2015-06-23 07:14:28,066 fail2ban.filter [1926]: INFO Set jail log file encoding to UTF-8
2015-06-23 07:14:28,066 fail2ban.actions [1926]: INFO Set banTime = 86400
2015-06-23 07:14:28,067 fail2ban.filter [1926]: INFO Set findtime = 600
2015-06-23 07:14:28,068 fail2ban.filter [1926]: INFO Set maxlines = 10
2015-06-23 07:14:28,158 fail2ban.server [1926]: INFO Jail sshd is not a JournalFilter instance
2015-06-23 07:14:28,459 fail2ban.jail [1926]: INFO Jail 'sshd' started
2015-06-23 07:21:32,667 fail2ban.server [1926]: INFO Stopping all jails
2015-06-23 07:21:33,181 fail2ban.jail [1926]: INFO Jail 'sshd' stopped
2015-06-23 07:21:33,188 fail2ban.server [1926]: INFO Exiting Fail2ban
2015-06-23 07:21:33,404 fail2ban.server [2489]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-06-23 07:21:33,406 fail2ban.database [2489]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-06-23 07:21:33,409 fail2ban.jail [2489]: INFO Creating new jail 'sshd'
2015-06-23 07:21:33,413 fail2ban.jail [2489]: INFO Jail 'sshd' uses poller
2015-06-23 07:21:33,433 fail2ban.filter [2489]: INFO Set jail log file encoding to UTF-8
2015-06-23 07:21:33,433 fail2ban.jail [2489]: INFO Initiated 'polling' backend
2015-06-23 07:21:33,438 fail2ban.filter [2489]: INFO Added logfile = /var/log/secure
2015-06-23 07:21:33,439 fail2ban.filter [2489]: INFO Set maxRetry = 3
2015-06-23 07:21:33,440 fail2ban.filter [2489]: INFO Set jail log file encoding to UTF-8
2015-06-23 07:21:33,441 fail2ban.actions [2489]: INFO Set banTime = 86400
2015-06-23 07:21:33,442 fail2ban.filter [2489]: INFO Set findtime = 600
2015-06-23 07:21:33,442 fail2ban.filter [2489]: INFO Set maxlines = 10
2015-06-23 07:21:33,501 fail2ban.server [2489]: INFO Jail sshd is not a JournalFilter instance
2015-06-23 07:21:33,599 fail2ban.jail [2489]: INFO Jail 'sshd' started
并且 SELinux 已被禁用。
答案1
在下面的文件中,
/etc/fail2ban/jail.conf(请注意,如果您使用jail.local相同的方法也可以在那里应用)尝试更改auto为gamin或polling
笔记:
如果systemd将后端选择为默认值,但您启用了一个 jail,而该 jail 的日志仅存在于其自己的日志文件中,请为该 jail 指定其他后端(例如轮询)并为 提供空值
journalmatch。请参阅https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
因此,改变
backend = auto
到
backend = gamin
或者
backend = polling
对我有用。
答案2
跑步
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
应该有 n 个匹配项。如果没有,请检查您的 failregex。
然后运行
sudo fail2ban-client set loglevel DEBUG
检查fail2ban.log它是否访问 sshd 日志文件(auth.log 或 secure)。
如果以上都没问题,请检查时区,fail2ban 使用系统时区,如果日志文件不使用,则导致 findtime 不起作用。