fail2ban no longer finds the attacker


The IP 218.92.1.158 is currently attacking my Raspberry.

Until this morning, fail2ban was banning it correctly. My /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 3600
findtime = 3600
maxretry = 5

The only thing I have done since then is add a cron job that copies the /var/log/auth.log file and empties it:

0   0  *   *   *     bash -c "cp /var/log/auth.log ~/auths/auth$((`ls ~/auths/auth* | sed -n 's/\/root\/auths\/auth\([0-9]*\)/\1/p' | sort -rh | head -n 1`+1))" && echo "" > /var/log/auth.log

This works. In case it changed the permissions, these are the current permissions:

-rw-r----- 1 root adm 52569 Dec 22 15:20 /var/log/auth.log

Since then the attacker is no longer banned. Here is an excerpt from /var/log/auth.log:

# cat /var/log/auth.log | grep "Failed" | grep 218.92.1.158
Dec 22 15:22:55 JMPi sshd[29568]: Failed password for root from 218.92.1.158 port 18727 ssh2
Dec 22 15:23:54 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:23:57 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:23:59 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:24:58 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2
Dec 22 15:25:01 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2
Dec 22 15:25:04 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2

That means 6 attempts within a 1 hour time frame.

Looking at /var/log/fail2ban.log:

# cat /var/log/fail2ban.log | grep "218.92.1.158"
2018-12-22 13:38:09,068 fail2ban.filter         [29522]: INFO    [sshd] Found 218.92.1.158
2018-12-22 13:38:09,726 fail2ban.actions        [29522]: NOTICE  [sshd] Ban 218.92.1.158
2018-12-22 13:38:10,730 fail2ban.filter         [29522]: INFO    [sshd] Found 218.92.1.158
2018-12-22 14:38:09,853 fail2ban.actions        [29522]: NOTICE  [sshd] Unban 218.92.1.158

Although the attacker keeps trying and more than an hour has passed, fail2ban still has not found him.

I have restarted fail2ban several times:

# service fail2ban status
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-12-22 15:32:07 CET; 4s ago
     Docs: man:fail2ban(1)
  Process: 30011 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 30094 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 30098 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─30098 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Dec 22 15:32:03 JMPi systemd[1]: Starting Fail2Ban Service...
Dec 22 15:32:04 JMPi fail2ban-client[30094]: ERROR  No file(s) found for glob /var/log/nginx/*access.log
Dec 22 15:32:04 JMPi fail2ban-client[30094]: ERROR  No file(s) found for glob /var/log/lighttpd/error.log
Dec 22 15:32:04 JMPi fail2ban-client[30094]: 2018-12-22 15:32:04,610 fail2ban.server         [30096]: INFO    Starting Fail2ban v0.9.6
Dec 22 15:32:04 JMPi fail2ban-client[30094]: 2018-12-22 15:32:04,611 fail2ban.server         [30096]: INFO    Starting in daemon mode
Dec 22 15:32:07 JMPi systemd[1]: Started Fail2Ban Service.

Despite the two file errors (my installation does not use those files anyway), fail2ban seems to be running.

Unlike the question "why does fail2ban find but not ban", the attempts are definitely within the time window.

Do you know what could be causing this?
