IP 218.92.1.158 目前正在攻击我的 Raspberry。
直到今天早上,fail2ban才正确地阻止了它。
/etc/fail2ban/jail.local:
[DEFAULT]
bantime = 3600
findtime = 3600
maxretry = 5
从那时起我做的唯一一件事就是添加一个 cron 作业来复制/var/log/auth.log文件并清空它:
0 0 * * * bash -c "cp /var/log/auth.log ~/auths/auth$((`ls ~/auths/auth* | sed -n 's/\/root\/auths\/auth\([0-9]*\)/\1/p' | sort -rh | head -n 1`+1))" && echo "" > /var/log/auth.log
这有效。以防万一它改变了权限,目前权限如下:
-rw-r----- 1 root adm 52569 Dec 22 15:20 /var/log/auth.log
从此以后,攻击者不再被禁止。以下是摘录/var/log/auth.log:
# cat /var/log/auth.log | grep "Failed" | grep 218.92.1.158
Dec 22 15:22:55 JMPi sshd[29568]: Failed password for root from 218.92.1.158 port 18727 ssh2
Dec 22 15:23:54 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:23:57 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:23:59 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:24:58 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2
Dec 22 15:25:01 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2
Dec 22 15:25:04 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2
这意味着在 1 小时的时间范围内尝试了 6 次。
看着/var/log/fail2ban.log:
# cat /var/log/fail2ban.log | grep "218.92.1.158"
2018-12-22 13:38:09,068 fail2ban.filter [29522]: INFO [sshd] Found 218.92.1.158
2018-12-22 13:38:09,726 fail2ban.actions [29522]: NOTICE [sshd] Ban 218.92.1.158
2018-12-22 13:38:10,730 fail2ban.filter [29522]: INFO [sshd] Found 218.92.1.158
2018-12-22 14:38:09,853 fail2ban.actions [29522]: NOTICE [sshd] Unban 218.92.1.158
fail2ban尽管袭击者不断尝试,但已经过去一个小时了,仍未找到他。
我已重启fail2ban多次:
# service fail2ban status
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2018-12-22 15:32:07 CET; 4s ago
Docs: man:fail2ban(1)
Process: 30011 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 30094 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 30098 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─30098 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
Dec 22 15:32:03 JMPi systemd[1]: Starting Fail2Ban Service...
Dec 22 15:32:04 JMPi fail2ban-client[30094]: ERROR No file(s) found for glob /var/log/nginx/*access.log
Dec 22 15:32:04 JMPi fail2ban-client[30094]: ERROR No file(s) found for glob /var/log/lighttpd/error.log
Dec 22 15:32:04 JMPi fail2ban-client[30094]: 2018-12-22 15:32:04,610 fail2ban.server [30096]: INFO Starting Fail2ban v0.9.6
Dec 22 15:32:04 JMPi fail2ban-client[30094]: 2018-12-22 15:32:04,611 fail2ban.server [30096]: INFO Starting in daemon mode
Dec 22 15:32:07 JMPi systemd[1]: Started Fail2Ban Service.
尽管有两个文件错误(无论如何我的安装不会使用它们),但它们fail2ban似乎正在运行。
不同于为什么 fail2ban 能找到但不能禁止,尝试肯定在时间窗口内。
你知道这是什么原因造成的吗?