fail2ban stops logging after a while (3-4 days)

I noticed that whenever I want to look at the fail2ban log after it has been running for 3 or 4 days, it has compressed the log into a .gz, which I am fine with:

-rw-r--r--. 1 root   root      90034 May  1 12:49 dmesg.old
-rw-------. 1 root   root          0 Jun 14 03:13 fail2ban.log
-rw-------. 1 root   root       8974 May 24 02:22 fail2ban.log-20150524.gz
-rw-------. 1 root   root         20 May 24 03:44 fail2ban.log-20150601.gz
-rw-------. 1 root   root         20 Jun  1 03:30 fail2ban.log-20150607.gz
-rw-------. 1 root   root       4785 Jun 14 03:10 fail2ban.log-20150614.gz

The problem is that it stops working, as you can see from my main fail2ban.log: it is 0 bytes, with nothing in it.

I was thinking that fail2ban might simply have nothing to log, but I looked at the secure log and saw the following:

Jun 18 09:24:52 localserver sshd[9641]: input_userauth_request: invalid user Exit [preauth]
Jun 18 09:24:53 localserver sshd[9641]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:03:19 localserver sshd[10218]: Invalid user alina from 123.56.112.165
Jun 18 10:03:19 localserver sshd[10218]: input_userauth_request: invalid user alina [preauth]
Jun 18 10:03:20 localserver sshd[10218]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Invalid user kadmin from 173.201.39.212
Jun 18 10:11:24 localserver sshd[10329]: input_userauth_request: invalid user kadmin [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:24 localserver sshd[10331]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Invalid user guest from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10333]: input_userauth_request: invalid user guest [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Invalid user pi from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10335]: input_userauth_request: invalid user pi [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Invalid user ubnt from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10337]: input_userauth_request: invalid user ubnt [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Invalid user xbian from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10339]: input_userauth_request: invalid user xbian [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10341]: Invalid user admin from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10341]: input_userauth_request: invalid user admin [preauth]
Jun 18 10:11:27 localserver sshd[10341]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Invalid user andrei from 123.56.112.165
Jun 18 10:42:29 localserver sshd[10741]: input_userauth_request: invalid user andrei [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Connection closed by 123.56.112.165 [preauth]

This makes me angry, because the attacks are still there and fail2ban is doing nothing about them. I checked whether fail2ban is still running, and it seems to me that it is:

sudo fail2ban-client status
Status
|- Number of jail:  1
`- Jail list:   ssh-iptables

I also made sure the log path is correct:

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

logpath  = /var/log/fail2ban.log
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

sudo fail2ban-client status ssh-iptables gives the following:

Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 1089
|  `- File list:    /var/log/secure
`- Actions
   |- Currently banned: 0
   |- Total banned: 137
   `- Banned IP list:   

Does anyone have any other ideas that could help me solve this?
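As an added example (not part of the question and not fail2ban's own code), the following Python script applies a simplified form of the sshd "Invalid user ... from IP" failure pattern to the secure-log lines quoted above and counts failures per source address inside a findtime window, the same maxretry/findtime logic a jail applies. It shows that the quoted lines already contain enough failures from 173.201.39.212 to trigger a ban, so the jail would have had something to act on if it were actually reading the file. The regex, the year assumption for the syslog timestamps and the sliding-window logic are simplifications chosen for this illustration, not fail2ban's real failregex or implementation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified pattern for sshd "Invalid user <name> from <ip>" lines.
# This is an illustration, not the failregex shipped with fail2ban.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Sample input: the "Invalid user" lines from the secure log quoted in the question.
SAMPLE_SECURE_LOG = [
    "Jun 18 10:03:19 localserver sshd[10218]: Invalid user alina from 123.56.112.165",
    "Jun 18 10:03:19 localserver sshd[10218]: input_userauth_request: invalid user alina [preauth]",
    "Jun 18 10:11:24 localserver sshd[10329]: Invalid user kadmin from 173.201.39.212",
    "Jun 18 10:11:25 localserver sshd[10333]: Invalid user guest from 173.201.39.212",
    "Jun 18 10:11:25 localserver sshd[10335]: Invalid user pi from 173.201.39.212",
    "Jun 18 10:11:26 localserver sshd[10337]: Invalid user ubnt from 173.201.39.212",
    "Jun 18 10:11:26 localserver sshd[10339]: Invalid user xbian from 173.201.39.212",
    "Jun 18 10:11:26 localserver sshd[10341]: Invalid user admin from 173.201.39.212",
    "Jun 18 10:42:29 localserver sshd[10741]: Invalid user andrei from 123.56.112.165",
]


def parse_failures(lines, year=2015):
    """Yield (timestamp, ip) for every line matching the failure pattern.

    syslog lines carry no year, so one is assumed (2015 matches the listing
    in the question); lines that do not match, such as the
    input_userauth_request ones, are ignored just as a filter would.
    """
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def offenders(lines, maxretry=5, findtime=600):
    """Return {ip: total_failures} for each IP that reaches `maxretry`
    failures within any `findtime`-second window (the jail's ban condition)."""
    events = defaultdict(list)
    for ts, ip in parse_failures(lines):
        events[ip].append(ts)

    banned = {}
    for ip, stamps in events.items():
        stamps.sort()
        window = []
        for ts in stamps:
            window.append(ts)
            # Forget failures older than findtime relative to the newest one.
            while (ts - window[0]).total_seconds() > findtime:
                window.pop(0)
            if len(window) >= maxretry:
                banned[ip] = len(stamps)
                break
    return banned


if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_SECURE_LOG).items():
        print(f"{ip}: {count} failures, would be banned")
```

With the defaults (maxretry 5, findtime 600 s) only 173.201.39.212 qualifies: its six failures arrive within two seconds. 123.56.112.165 has two failures 39 minutes apart, so it is only flagged if maxretry is lowered to 2 and findtime widened to a day, which is how the findtime window keeps slow, sparse probes from being counted as one burst.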
