我有超过 250 万次 ssh 尝试和 fail2ban,但只有几千个 IP 被阻止。查找时间设置为 600,最大重试次数为 4,bantime 为 -1。服务器实际存在。我更改了 jail.local 并尝试重新启动,systemctl restart fail2ban但一开始出现一大堆错误。我将 jail.local 恢复到原来的状态并重试,但仍然出现相同的错误。我删除了一些日志并重试secure,它似乎启动了,但当我查看状态时,错误仍然存在,几乎没有任何内容被阻止。
我得到了一个错误Fail2ban ipset create fail2ban-sshd hash: ip timeout -l,随后又出现了一系列的后续失败,我认为这些都是由第一个错误引起的。
我尝试停止、卸载并重新安装 fail2ban,但仍然出现相同的初始错误,随后出现一大堆错误。
我的问题是:
1. ipset 为何/如何造成 fail2ban-sshd 哈希超时?
2. 我怎样才能正确地重新安装 fail2ban 以便它也许可以阻止某些东西?
3. 如果前两个问题没有可行的答案,那么 IP 阻止规则不能在 fail2ban 之外进行编程吗?
fail2ban.log:
2019-05-12 21:08:35,823 fail2ban.action [1730]: ERROR ipset create fail2ban-sshd hash:ip timeout -1
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2019-05-12 21:08:35,823 fail2ban.action [1730]: ERROR ipset create fail2ban-sshd hash:ip timeout -1
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: "ipset v6.29: Syntax error: '-1' is out of range 0-4294967\n\x1b[91mError: COMMAND_FAILED\x1b[00m\n"
2019-05-12 21:08:35,824 fail2ban.action [1730]: ERROR ipset create fail2ban-sshd hash:ip timeout -1
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2019-05-12 21:08:35,824 fail2ban.actions [1730]: ERROR Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action
2019-05-12 21:08:35,825 fail2ban.actions [1730]: NOTICE [sshd] Ban 218.92.0.147
2019-05-12 21:08:46,771 fail2ban.transmitter [1730]: WARNING Command ['start', 'sshd'] has failed. Received OperationalError('database is locked',)
2019-05-12 21:08:51,787 fail2ban [1730]: CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/fail2ban/server/jailthread.py", line 66, in run_with_except_hook
run(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 290, in run
self.jail.putFailTicket(ticket)
File "/usr/lib/python2.7/site-packages/fail2ban/server/jail.py", line 195, in putFailTicket
self.database.addBan(self, ticket)
File "/usr/lib/python2.7/site-packages/fail2ban/server/database.py", line 96, in wrapper
return f(self, self._db.cursor(), *args, **kwargs)
OperationalError: database is locked
2019-05-12 21:08:56,800 fail2ban.actions [1730]: ERROR Failed to get all bans merged, jail 'sshd': database is locked
2019-05-12 21:09:01,812 fail2ban.actions [1730]: ERROR Failed to get jail bans merged, jail 'sshd': database is locked
2019-05-12 21:09:01,941 fail2ban.action [1730]: ERROR ipset add fail2ban-sshd 218.92.0.147 timeout -1 -exist -- stdout: ''
2019-05-12 21:09:01,941 fail2ban.action [1730]: ERROR ipset add fail2ban-sshd 218.92.0.147 timeout -1 -exist -- stderr: 'ipset v6.29: The set with the given name does not exist\n'
2019-05-12 21:09:01,942 fail2ban.action [1730]: ERROR ipset add fail2ban-sshd 218.92.0.147 timeout -1 -exist -- returned 1
systemctl 状态 fail2ban
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2019-05-12 21:08:46 EDT; 38min ago
Docs: man:fail2ban(1)
Process: 1462 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=255)
Process: 1726 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 1730 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
├─1599 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
└─1730 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
May 12 21:08:24 myHost systemd[1]: Starting Fail2Ban Service...
May 12 21:08:24 myHost fail2ban-client[1726]: 2019-05-12 21:08:24,579 fail2ban.server [1728]: INFO Starting Fail2ban v0.9.7
May 12 21:08:24 myHost fail2ban-client[1726]: 2019-05-12 21:08:24,580 fail2ban.server [1728]: INFO Starting in daemon mode
May 12 21:08:29 myHost fail2ban-client[1726]: ERROR NOK: ('database is locked',)
May 12 21:08:34 myHost fail2ban-client[1726]: ERROR NOK: ('database is locked',)
May 12 21:08:46 myHost fail2ban-client[1726]: ERROR NOK: ('database is locked',)
May 12 21:08:46 myHost systemd[1]: Started Fail2Ban Service.
[root@myHost /]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 7
| |- Total failed: 46
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 218.92.0.147
答案1
经过反复检查日志后,我决定关注以下一行:
ERROR Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action
这让我检查了firewalld日志,其中显示
NOT_ENABLED: rule '('-p', 'tcp', '-m', 'multiport', '--dports', 'ssh', '-m', 'set', '--match-set', 'fail2ban-sshd', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' is not in 'ipv4:filter:INPUT'
每次我尝试启动并重新启动 fail2ban 时。我搜索了该错误并发现https://www.centos.org/forums/viewtopic.php?t=60586建议改变添加
banaction = iptables-allports
到 sshd 部分下的 jails.local 文件。
我重新启动了 fail2ban,并且 ip 开始以一种更符合我预期的方式被阻止。