fail2ban does not ban ssh from localhost

I am trying to configure fail2ban to block ssh from localhost. Fail2ban is installed on CentOS 7 with a firewall (Linux 3.10.0-229.4.2.el7.x86_64 x86_64). I copied jail.conf to jail.local and changed the following parameters in jail.local:

banaction = firewallcmd-new
[sshd]
enabled = true
maxretry = 5
port = ssh
logpath = /var/log/secure
action = firewallcmd-ipset

But I am not getting any result. Any ideas?

Some log information:

Jun 23 07:21:33 localhost.localdomain fail2ban-client[2486]: 2015-06-23 07:21:33,351 fail2ban.server         [2487]: INFO    Starting Fail2ban v0.9.1
Jun 23 07:21:33 localhost.localdomain fail2ban-client[2486]: 2015-06-23 07:21:33,351 fail2ban.server         [2487]: INFO    Starting in daemon mode
Jun 23 07:21:33 localhost.localdomain systemd[1]: Started Fail2Ban Service.

2015-06-23 07:14:27,571 fail2ban.server         [1926]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-06-23 07:14:27,710 fail2ban.database       [1926]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-06-23 07:14:27,788 fail2ban.jail           [1926]: INFO    Creating new jail 'sshd'
2015-06-23 07:14:27,923 fail2ban.jail           [1926]: INFO    Jail 'sshd' uses poller
2015-06-23 07:14:27,985 fail2ban.filter         [1926]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:14:27,985 fail2ban.jail           [1926]: INFO    Initiated 'polling' backend
2015-06-23 07:14:28,063 fail2ban.filter         [1926]: INFO    Added logfile = /var/log/secure
2015-06-23 07:14:28,064 fail2ban.filter         [1926]: INFO    Set maxRetry = 2
2015-06-23 07:14:28,066 fail2ban.filter         [1926]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:14:28,066 fail2ban.actions        [1926]: INFO    Set banTime = 86400
2015-06-23 07:14:28,067 fail2ban.filter         [1926]: INFO    Set findtime = 600
2015-06-23 07:14:28,068 fail2ban.filter         [1926]: INFO    Set maxlines = 10
2015-06-23 07:14:28,158 fail2ban.server         [1926]: INFO    Jail sshd is not a JournalFilter instance
2015-06-23 07:14:28,459 fail2ban.jail           [1926]: INFO    Jail 'sshd' started
2015-06-23 07:21:32,667 fail2ban.server         [1926]: INFO    Stopping all jails
2015-06-23 07:21:33,181 fail2ban.jail           [1926]: INFO    Jail 'sshd' stopped
2015-06-23 07:21:33,188 fail2ban.server         [1926]: INFO    Exiting Fail2ban
2015-06-23 07:21:33,404 fail2ban.server         [2489]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-06-23 07:21:33,406 fail2ban.database       [2489]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-06-23 07:21:33,409 fail2ban.jail           [2489]: INFO    Creating new jail 'sshd'
2015-06-23 07:21:33,413 fail2ban.jail           [2489]: INFO    Jail 'sshd' uses poller
2015-06-23 07:21:33,433 fail2ban.filter         [2489]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:21:33,433 fail2ban.jail           [2489]: INFO    Initiated 'polling' backend
2015-06-23 07:21:33,438 fail2ban.filter         [2489]: INFO    Added logfile = /var/log/secure
2015-06-23 07:21:33,439 fail2ban.filter         [2489]: INFO    Set maxRetry = 3
2015-06-23 07:21:33,440 fail2ban.filter         [2489]: INFO    Set jail log file encoding to UTF-8
2015-06-23 07:21:33,441 fail2ban.actions        [2489]: INFO    Set banTime = 86400
2015-06-23 07:21:33,442 fail2ban.filter         [2489]: INFO    Set findtime = 600
2015-06-23 07:21:33,442 fail2ban.filter         [2489]: INFO    Set maxlines = 10
2015-06-23 07:21:33,501 fail2ban.server         [2489]: INFO    Jail sshd is not a JournalFilter instance
2015-06-23 07:21:33,599 fail2ban.jail           [2489]: INFO    Jail 'sshd' started

And SELinux is disabled.

Answer 1

In the file below,

/etc/fail2ban/jail.conf (note that if you use jail.local, the same approach can be applied there), try changing auto to gamin or polling.

Note: if systemd is selected as the default backend but you enable a jail whose logs exist only in its own log file, specify another backend (e.g. polling) for that jail and provide an empty value for journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200

So, changing

backend = auto

to

backend = gamin

or

backend = polling

worked for me.

Answer 2

Run

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

which should give n matches. If it does not, check your failregex.

Then run

sudo fail2ban-client set loglevel DEBUG

and check in fail2ban.log whether it is accessing the sshd log file (auth.log or secure).

If all of the above is fine, check the timezone: fail2ban uses the system timezone, and if the log file does not, findtime will not work.
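A small simulation of the jail decision the two answers are probing, added here as an example rather than fail2ban's own code: it applies a constructed stand-in for the sshd failregex to constructed /var/log/secure lines, drops lines that are older than findtime (which is what a timezone mismatch between log and system produces), skips ignoreip addresses, and bans an IP once maxretry failures fall inside the window. The stand-in regex, the sample lines, the 203.0.113.7 address and the parse_line/ban_decisions names are assumptions; the ignoreip default of 127.0.0.1/8 is the value shipped in jail.conf.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for fail2ban's sshd failregex (the real filter.d/sshd.conf
# has many more patterns); captures the syslog timestamp and the source address.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year, log_tz):
    """Return (timestamp, ip) for a line matching the failregex, else None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=log_tz), m["ip"]

def ban_decisions(lines, now, maxretry=5, findtime=600,
                  ignoreip=("127.0.0.1/8",), year=2015, log_tz=timezone.utc):
    """Return the set of IPs a jail with these settings would ban (outline of
    the 0.9 filter: lines older than findtime relative to `now` are dropped,
    ignoreip addresses are never counted, and an IP is banned once maxretry
    failures fall inside a sliding findtime window)."""
    window = timedelta(seconds=findtime)
    ignored = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    hits, banned = defaultdict(list), set()
    for line in lines:
        parsed = parse_line(line, year, log_tz)
        if parsed is None:
            continue
        ts, ip = parsed
        if ts < now - window:  # stale, e.g. log written in a different timezone
            continue
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= maxretry:
            banned.add(ip)
    return banned

# Constructed /var/log/secure lines: five failures each from an external address
# and from localhost, a few seconds apart around 07:20 on the day in the question.
SAMPLE = [
    f"Jun 23 07:20:{s:02d} localhost.localdomain sshd[3001]: "
    f"Failed password for root from {ip} port 5{s:04d} ssh2"
    for ip in ("203.0.113.7", "127.0.0.1") for s in range(1, 6)
]
NOW = datetime(2015, 6, 23, 7, 21, tzinfo=timezone.utc)
```

With the shipped ignoreip the localhost failures are never counted; with ignoreip emptied both addresses are banned, and reading the same lines with an eight-hour timezone offset makes every line look stale, so nothing is banned at all.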
