当我运行此命令时,fail2ban-client status sshd我得到了以下信息:
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 81
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 8
`- Banned IP list: 218.65.30.61 116.31.116.7
它在禁止 IP 列表中仅显示两个 IP,而不是像 Total Banned 所说的那样显示 8 个。
当我这样做时,tail -f /var/log/auth.log我得到了这个:
Mar 29 11:08:40 DBSERVER sshd[29163]: error: maximum authentication attempts exceeded for root from 218.65.30.61 port 50935 ssh2 [preauth]
Mar 29 11:08:40 DBSERVER sshd[29163]: Disconnecting: Too many authentication failures [preauth]
Mar 29 11:08:40 DBSERVER sshd[29163]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.61 user=root
Mar 29 11:08:40 DBSERVER sshd[29163]: PAM service(sshd) ignoring max retries; 6 > 3
Mar 29 11:08:44 DBSERVER sshd[29165]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.61 user=root
Mar 29 11:08:46 DBSERVER sshd[29165]: Failed password for root from 218.65.30.61 port 11857 ssh2
Mar 29 11:09:01 DBSERVER CRON[29172]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 29 11:09:01 DBSERVER CRON[29172]: pam_unix(cron:session): session closed for user root
Mar 29 11:10:01 DBSERVER CRON[29226]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 29 11:10:02 DBSERVER CRON[29226]: pam_unix(cron:session): session closed for user root
Mar 29 11:10:18 DBSERVER sshd[29238]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.122.43.185 user=root
Mar 29 11:10:20 DBSERVER sshd[29238]: Failed password for root from 113.122.43.185 port 46017 ssh2
Mar 29 11:10:33 DBSERVER sshd[29238]: message repeated 5 times: [ Failed password for root from 113.122.43.185 port 46017 ssh2]
Mar 29 11:10:33 DBSERVER sshd[29238]: error: maximum authentication attempts exceeded for root from 113.122.43.185 port 46017 ssh2 [preauth]
Mar 29 11:10:33 DBSERVER sshd[29238]: Disconnecting: Too many authentication failures [preauth]
Mar 29 11:10:33 DBSERVER sshd[29238]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.122.43.185 user=root
Mar 29 11:10:33 DBSERVER sshd[29238]: PAM service(sshd) ignoring max retries; 6 > 3
Mar 29 11:11:36 DBSERVER sshd[29245]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.7 user=root
Mar 29 11:11:38 DBSERVER sshd[29245]: Failed password for root from 116.31.116.7 port 24892 ssh2
Mar 29 11:11:43 DBSERVER sshd[29245]: message repeated 2 times: [ Failed password for root from 116.31.116.7 port 24892 ssh2]
Mar 29 11:11:43 DBSERVER sshd[29245]: Received disconnect from 116.31.116.7 port 24892:11: [preauth]
Mar 29 11:11:43 DBSERVER sshd[29245]: Disconnected from 116.31.116.7 port 24892 [preauth]
Mar 29 11:11:43 DBSERVER sshd[29245]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.7 user=root
Mar 29 11:12:39 DBSERVER sshd[29247]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.7 user=root
Mar 29 11:12:41 DBSERVER sshd[29247]: Failed password for root from 116.31.116.7 port 26739 ssh2
Mar 29 11:12:45 DBSERVER sshd[29247]: message repeated 2 times: [ Failed password for root from 116.31.116.7 port 26739 ssh2]
Mar 29 11:12:45 DBSERVER sshd[29247]: Received disconnect from 116.31.116.7 port 26739:11: [preauth]
Mar 29 11:12:45 DBSERVER sshd[29247]: Disconnected from 116.31.116.7 port 26739 [preauth]
Mar 29 11:12:45 DBSERVER sshd[29247]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.7 user=root
Mar 29 11:13:41 DBSERVER sshd[29249]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.7 user=root
Mar 29 11:13:43 DBSERVER sshd[29249]: Failed password for root from 116.31.116.7 port 27040 ssh2
被禁 IP 仍在尝试。
然而当我检查时sudo iptables -L INPUT -v -n我得到了这个:
Chain INPUT (policy ACCEPT 228 packets, 18000 bytes)
pkts bytes target prot opt in out source destination
6050 435K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
我在这里做错了什么?
我如何显示所有被禁止的 IP 列表?
答案1
请记住,fail2ban 禁止 IP 是暂时的。
查看已被阻止的 IP 的完整列表的最佳方法是检查日志文件:
sudo zgrep 'Ban' /var/log/fail2ban.log*
编辑:这个答案以前搜索过'Ban:',但即使在 2013 年,来源也没有冒号(參考)。
以下命令也可以为您提供干净的输入规则列表:
sudo iptables -L INPUT -v -n | less
答案2
sudo zgrep 'Ban' /var/log/fail2ban.log*
但该输出有太多行。以下统计了所有已记录的被禁止(和可能未禁止)IP 的行数:
sudo zgrep 'Ban' /var/log/fail2ban.log* | wc -l
上述命令的输出(带行数)应该与 fail2ban 状态输出中的“Total Banned”计数相匹配:
fail2ban-client status sshd
在 Ubuntu 18.04.1 LTS 中测试。
我从‘wc -l’行输出:
7244
并且从fail2ban的状态来看,相同的7244数字也得到了验证:
Status for the jail: sshd
|- Filter
| |- Currently failed: 7
| |- Total failed: 49457
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 9
|- Total banned: 7244
`- Banned IP list: [...]
答案3
您可以使用sqlite3命令通过查询数据库bips表来进行一些统计/var/lib/fail2ban/fail2ban.sqlite3(如果您的fail2ban版本< v0.11.1,则更改为bips)bans。
显示所有 IP 地址及其监狱:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select ip,jail from bips"
显示所有唯一 IP 地址:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips"
sshd显示监狱中所有唯一的 IP 地址:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips where jail='sshd'"
显示所有监狱中被禁止次数最多的前 20 个 IP 地址:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select jail,ip,count(*) as count from bips group by ip order by count desc limit 20"
如果您想在 GUI 应用程序中查看此文件的结构和所有数据,我推荐DB Browser For Sqlite。
从版本开始v0.11.1,fail2ban 改变了其数据库结构。我在 Linux 机器上运行此命令来查看有什么区别(Fail2Ban v0.11.1、Ubuntu 20.04)
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 '.schema'
部分输出为:
CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL, bantime INTEGER NOT NULL, bancount INTEGER NOT NULL default 1, data JSON, FOREIGN KEY(jail) REFERENCES jails(name) );
CREATE TABLE bips(ip TEXT NOT NULL, jail TEXT NOT NULL, timeofban INTEGER NOT NULL, bantime INTEGER NOT NULL, bancount INTEGER NOT NULL default 1, data JSON, PRIMARY KEY(ip, jail), FOREIGN KEY(jail) REFERENCES jails(name) );
答案4
有banned命令(v0.11.2):
fail2ban-client banned
示例输出:
[{'sshd':[]},{'apache-badbots':[]},{'apache-auth':['XXX.24.23.164','XXX.155.205.108','XXX.62.130.158']}]