fail2ban seems to block the IP, but requests still get through

I have a rule that blocks excessive calls to the WordPress xml-rpc:

Filter:

failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Jail:

enabled  = true
port     = http,https
filter   = php-xmlrpc
logpath  = /var/log/httpd/access_log
maxretry = 6
bantime  = 3600
action   = iptables[name=PHP_XMLRPC, port=http, protocol=tcp]

This seems to work, because during a recent xml-rpc spam attack I got the following iptables rules:

Chain INPUT (policy ACCEPT)
target               prot opt source               destination         
MANUAL_BANS          all  --  0.0.0.0/0            0.0.0.0/0           
fail2ban-PHP_XMLRPC  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain MANUAL_BANS (1 references)
target     prot opt source               destination         
DROP       tcp  --  221.194.47.0/24      0.0.0.0/0           
DROP       tcp  --  121.18.238.0/24      0.0.0.0/0           
DROP       tcp  --  221.194.44.0/24      0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-PHP_XMLRPC (1 references)
target     prot opt source               destination         
REJECT     all  --  191.96.249.54        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  191.96.249.53        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0     

But... somehow my Apache server continues to see requests:

191.96.249.53 - - [14/Mar/2017:11:51:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:16 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:15 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:32 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:35 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:42 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:33 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:45 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

The fail2ban online manual says bantime is in seconds, but the above actually looks like it is in milliseconds (i.e. 3.6 seconds, not 60 minutes)? Am I missing something? Otherwise, how else could httpd be seeing the requests?

I'm using

Name        : fail2ban
Arch        : noarch
Version     : 0.8.10
Release     : 3.6.amzn1
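
A way to replay the jail's failregex over the quoted access_log lines and see when fail2ban would have counted enough failures for each host, added here as an example; it is not part of the question and not fail2ban's own code. It assumes the jail's maxretry of 6, fail2ban's default findtime of 600 s, and the <HOST> expansion fail2ban 0.8 substitutes before compiling a failregex.

```python
# Replay the jail's failregex over access-log lines to find the moment a host would
# cross maxretry, and how many of its lines carry a later timestamp (added example).
import re
from datetime import datetime, timedelta

FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"
# The expansion fail2ban 0.8 substitutes for <HOST> before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample: a subset of the quoted access_log lines, user agent shortened.
LOG = """\
191.96.249.53 - - [14/Mar/2017:11:51:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.53 - - [14/Mar/2017:11:51:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:32 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
191.96.249.54 - - [14/Mar/2017:11:51:35 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0"
"""

def failures(lines, failregex=FAILREGEX):
    """Return [(host, timestamp)] for every line the filter would count."""
    pat = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits = []
    for line in lines:
        m = pat.search(line)
        if m:
            stamp = datetime.strptime(re.search(r"\[([^\]]+)\]", line).group(1), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((m.group("host"), stamp))
    return hits

def replay(lines, maxretry=6, findtime=600):
    """Per host: (ban moment or None, number of lines stamped after that moment).
    Times are sorted first: Apache stamps a request's arrival time but writes the
    line when the request finishes, so the file itself is not in time order."""
    per_host = {}
    for host, t in failures(lines):
        per_host.setdefault(host, []).append(t)
    result, window = {}, timedelta(seconds=findtime)
    for host, times in per_host.items():
        times.sort()
        ban = None
        for i, t in enumerate(times):
            if sum(1 for x in times[: i + 1] if x >= t - window) >= maxretry:
                ban = t
                break
        result[host] = (ban, sum(1 for x in times if ban is not None and x > ban))
    return result
```

Running `replay(LOG.splitlines())` shows 191.96.249.54 reaching six matches at 11:51:26 with two later-stamped lines, while 191.96.249.53 never reaches maxretry within the sample.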
