我注意到,每当我想在工作 3 或 4 天后查看fail2ban 日志时,它会将日志压缩为 .gz,我对此很满意:
-rw-r--r--. 1 root root 90034 May 1 12:49 dmesg.old
-rw-------. 1 root root 0 Jun 14 03:13 fail2ban.log
-rw-------. 1 root root 8974 May 24 02:22 fail2ban.log-20150524.gz
-rw-------. 1 root root 20 May 24 03:44 fail2ban.log-20150601.gz
-rw-------. 1 root root 20 Jun 1 03:30 fail2ban.log-20150607.gz
-rw-------. 1 root root 4785 Jun 14 03:10 fail2ban.log-20150614.gz
问题是它停止工作,就像你在我的 main failure2ban.log 中看到的那样,它有 0 字节,里面什么也没有。
我在想,fail2ban 可能没有任何可记录的内容,但我看到了安全日志,并且看到了以下内容:
Jun 18 09:24:52 localserver sshd[9641]: input_userauth_request: invalid user Exit [preauth]
Jun 18 09:24:53 localserver sshd[9641]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:03:19 localserver sshd[10218]: Invalid user alina from 123.56.112.165
Jun 18 10:03:19 localserver sshd[10218]: input_userauth_request: invalid user alina [preauth]
Jun 18 10:03:20 localserver sshd[10218]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Invalid user kadmin from 173.201.39.212
Jun 18 10:11:24 localserver sshd[10329]: input_userauth_request: invalid user kadmin [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:24 localserver sshd[10331]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Invalid user guest from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10333]: input_userauth_request: invalid user guest [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Invalid user pi from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10335]: input_userauth_request: invalid user pi [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Invalid user ubnt from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10337]: input_userauth_request: invalid user ubnt [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Invalid user xbian from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10339]: input_userauth_request: invalid user xbian [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10341]: Invalid user admin from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10341]: input_userauth_request: invalid user admin [preauth]
Jun 18 10:11:27 localserver sshd[10341]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Invalid user andrei from 123.56.112.165
Jun 18 10:42:29 localserver sshd[10741]: input_userauth_request: invalid user andrei [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Connection closed by 123.56.112.165 [preauth]
这让我很生气,因为攻击仍然存在,而fail2ban却对此无所作为。我检查了fail2ban是否仍然有效,在我看来是这样的:
sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
我还确保日志路径是正确的:
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
logpath = /var/log/fail2ban.log
port = all
protocol = all
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
sudo fail2ban-client status ssh-iptables给出以下结果:
Status for the jail: ssh-iptables
|- Filter
| |- Currently failed: 0
| |- Total failed: 1089
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 0
|- Total banned: 137
`- Banned IP list:
还有其他想法可以帮助我解决这个问题吗?