Jail errors out and fails to start

I created a jail and action to try to catch "DDoS attacks", but every time I restart Fail2Ban the log file shows an error for this jail. The jail and filter look fairly simple and are reproduced in several blogs, but the one I used for comparison is here.

This is the jail:

[http-get-dos]
enabled = true
filter = http-get-dos
action =  iptables[name=Http-Get-Dos, port="http,https"]
logpath = %(apache_access_log)s
maxretry = 300
findtime = 300
bantime = 300

This is the filter:

# Fail2Ban configuration file
#
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs
# You should set up in the jail.conf file, the maxretry and findtime carefully

failregex = ^<HOST> -.*"(GET|POST).*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#

This all looks simple, but for some reason, if I restart the service with this jail enabled, I see the following errors in the Fail2ban log:

2017-11-04 12:48:13,296 fail2ban.jail           [1460]: INFO    Creating new jail 'http-get-dos'
2017-11-04 12:48:13,298 fail2ban.jail           [1460]: INFO    Jail 'http-get-dos' uses poller
2017-11-04 12:48:13,300 fail2ban.filter         [1460]: INFO    Set jail log file encoding to UTF-8
2017-11-04 12:48:13,300 fail2ban.jail           [1460]: INFO    Initiated 'polling' backend
2017-11-04 12:48:13,303 fail2ban.actions        [1460]: INFO    Set banTime = 300
2017-11-04 12:48:13,304 fail2ban.filter         [1460]: INFO    Set findtime = 300
2017-11-04 12:48:13,306 fail2ban.filter         [1460]: INFO    Added logfile = /var/log/apache2/access.log
2017-11-04 12:48:13,308 fail2ban.filter         [1460]: INFO    Added logfile = /var/log/apache2/other_vhosts_access.log
2017-11-04 12:48:13,309 fail2ban.filter         [1460]: INFO    Set jail log file encoding to UTF-8
2017-11-04 12:48:13,310 fail2ban.filter         [1460]: INFO    Set maxRetry = 300

2017-11-04 12:48:14,411 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- stdout: b''
2017-11-04 12:48:14,441 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- stderr: b"iptables v1.6.0: invalid port/service `http,https' specified\nTry `iptables -h' or 'iptables --help' for more information.\n"
2017-11-04 12:48:14,458 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- returned 2
2017-11-04 12:48:14,463 fail2ban.actions        [1460]: ERROR   Failed to start jail 'http-get-dos' action 'iptables': Error starting action
2017-11-04 12:48:20,150 fail2ban.jail           [1460]: INFO    Jail 'http-get-dos' started

It looks like something is wrong with the action part of the jail, but I don't understand why. The action is similar to the one used by other jails.

Any ideas how to fix this so the jail runs properly?

Answer 1

I don't have enough reputation to comment, so I'll post this as an answer.

It looks as if this line:

action = iptables[name=Http-Get-Dos, port="http,https"]

is passing variables to iptables, and because of port="http,https" you are specifying two destination ports in a single iptables rule. I couldn't find any specific documentation on this, but it doesn't look right to me - I think that is the cause of the problem.

I think there should be separate actions for HTTP and HTTPS.

Edit: I found some entries on Google that use port="http,https", and they specify iptables-multiport rather than iptables. The iptables-multiport action seems to use --match multiport (described here), which lets you specify several ports at once (see this Server Fault question). So I think another solution is to use the iptables-multiport action.
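As an added illustration (not code from the question or the answer), the following Python replays constructed Apache access-log lines through the question's failregex with the jail's maxretry/findtime thresholds, and checks whether an action's port= value is a comma-separated list that the plain iptables action cannot hand to --dport (the "invalid port/service" error in the log above). The IPv4-only <HOST> pattern and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The question's filter, with <HOST> replaced by a plain IPv4 pattern (an
# assumption for this example; Fail2Ban's own <HOST> also matches IPv6/hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = re.compile(r'^<HOST> -.*"(GET|POST).*'.replace("<HOST>", HOST_RE))
TIME_RE = re.compile(r"\[([^\]]+)\]")
MAXRETRY, FINDTIME = 300, 300  # the jail's thresholds

def port_spec_needs_multiport(action):
    """True when the action's port= value lists several ports. The plain
    iptables action passes that string to --dport, which rejects it
    ('invalid port/service'); iptables-multiport uses -m multiport instead."""
    m = re.search(r'port\s*=\s*"?([^"\],]+(?:,[^"\],]+)*)"?', action)
    return bool(m) and "," in m.group(1)

def find_offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay chronologically ordered access-log lines through the failregex and
    report hosts that reach maxretry matches inside a sliding findtime window."""
    window, banned = defaultdict(deque), set()
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        q = window[m.group("host")]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop hits outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m.group("host"))
    return banned

def make_log(host, n, step_s, start=datetime(2017, 11, 4, 12, 48, 13, tzinfo=timezone.utc)):
    """Constructed Apache combined-format lines: n GETs from host, step_s seconds apart."""
    return [f'{host} - - [{(start + timedelta(seconds=i * step_s)).strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"' for i in range(n)]

if __name__ == "__main__":
    print(port_spec_needs_multiport('iptables[name=Http-Get-Dos, port="http,https"]'))  # True
    flood = make_log("203.0.113.7", 300, 1)   # 300 requests in 299 s -> banned
    slow = make_log("198.51.100.9", 300, 2)   # 300 requests over 598 s -> not banned
    print(find_offenders(flood + slow))       # {'203.0.113.7'}
```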
