Fail2ban ipset create fail2ban-sshd hash:ip timeout -1

I have over 2.5 million ssh attempts and fail2ban, but only a few thousand IPs have been blocked. findtime is set to 600, maxretry to 4, and bantime to -1. The server is real. I changed jail.local and tried to restart with systemctl restart fail2ban, but at first a whole bunch of errors appeared. I restored jail.local to its original state and tried again, but still got the same errors. I deleted some of the secure logs and tried again; it seemed to start, but when I looked at the status the errors were still there and almost nothing was being blocked.

I get an error Fail2ban ipset create fail2ban-sshd hash:ip timeout -1, followed by a series of subsequent failures, which I believe are all caused by that first error.

I tried stopping, uninstalling and reinstalling fail2ban, but I still get the same initial error followed by a whole bunch of errors.

My questions are:

1. Why/how is ipset causing the fail2ban-sshd hash timeout?

2. How can I reinstall fail2ban properly so that it can perhaps block something?

3. If there is no workable answer to the first two questions, can IP blocking rules not be programmed outside of fail2ban?

fail2ban.log:

2019-05-12 21:08:35,823 fail2ban.action         [1730]: ERROR   ipset create fail2ban-sshd hash:ip timeout -1
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2019-05-12 21:08:35,823 fail2ban.action         [1730]: ERROR   ipset create fail2ban-sshd hash:ip timeout -1
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: "ipset v6.29: Syntax error: '-1' is out of range 0-4294967\n\x1b[91mError: COMMAND_FAILED\x1b[00m\n"
2019-05-12 21:08:35,824 fail2ban.action         [1730]: ERROR   ipset create fail2ban-sshd hash:ip timeout -1
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2019-05-12 21:08:35,824 fail2ban.actions        [1730]: ERROR   Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action
2019-05-12 21:08:35,825 fail2ban.actions        [1730]: NOTICE  [sshd] Ban 218.92.0.147
2019-05-12 21:08:46,771 fail2ban.transmitter    [1730]: WARNING Command ['start', 'sshd'] has failed. Received OperationalError('database is locked',)
2019-05-12 21:08:51,787 fail2ban                [1730]: CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/fail2ban/server/jailthread.py", line 66, in run_with_except_hook
    run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 290, in run
    self.jail.putFailTicket(ticket)
  File "/usr/lib/python2.7/site-packages/fail2ban/server/jail.py", line 195, in putFailTicket
    self.database.addBan(self, ticket)
  File "/usr/lib/python2.7/site-packages/fail2ban/server/database.py", line 96, in wrapper
    return f(self, self._db.cursor(), *args, **kwargs)
OperationalError: database is locked
2019-05-12 21:08:56,800 fail2ban.actions        [1730]: ERROR   Failed to get all bans merged, jail 'sshd': database is locked
2019-05-12 21:09:01,812 fail2ban.actions        [1730]: ERROR   Failed to get jail bans merged, jail 'sshd': database is locked
2019-05-12 21:09:01,941 fail2ban.action         [1730]: ERROR   ipset add fail2ban-sshd 218.92.0.147 timeout -1 -exist -- stdout: ''
2019-05-12 21:09:01,941 fail2ban.action         [1730]: ERROR   ipset add fail2ban-sshd 218.92.0.147 timeout -1 -exist -- stderr: 'ipset v6.29: The set with the given name does not exist\n'
2019-05-12 21:09:01,942 fail2ban.action         [1730]: ERROR   ipset add fail2ban-sshd 218.92.0.147 timeout -1 -exist -- returned 1

systemctl status fail2ban

fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-05-12 21:08:46 EDT; 38min ago
     Docs: man:fail2ban(1)
  Process: 1462 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=255)
  Process: 1726 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 1730 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           ├─1599 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
           └─1730 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

May 12 21:08:24 myHost systemd[1]: Starting Fail2Ban Service...
May 12 21:08:24 myHost fail2ban-client[1726]: 2019-05-12 21:08:24,579 fail2ban.server         [1728]: INFO    Starting Fail2ban v0.9.7
May 12 21:08:24 myHost fail2ban-client[1726]: 2019-05-12 21:08:24,580 fail2ban.server         [1728]: INFO    Starting in daemon mode
May 12 21:08:29 myHost fail2ban-client[1726]: ERROR  NOK: ('database is locked',)
May 12 21:08:34 myHost fail2ban-client[1726]: ERROR  NOK: ('database is locked',)
May 12 21:08:46 myHost fail2ban-client[1726]: ERROR  NOK: ('database is locked',)
May 12 21:08:46 myHost systemd[1]: Started Fail2Ban Service.
[root@myHost /]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     46
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   218.92.0.147

Answer 1

After going over the logs repeatedly, I decided to focus on the following line:

ERROR   Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action

That led me to check the firewalld log, which showed

NOT_ENABLED: rule '('-p', 'tcp', '-m', 'multiport', '--dports', 'ssh', '-m', 'set', '--match-set', 'fail2ban-sshd', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' is not in 'ipv4:filter:INPUT'

every time I tried to start and restart fail2ban. I searched for that error and found https://www.centos.org/forums/viewtopic.php?t=60586, which suggested adding

banaction = iptables-allports

to the jail.local file under the sshd section.

I restarted fail2ban, and IPs started being blocked in a manner more in line with what I expected.
