Fail2ban does not ban IPs


I installed Fail2ban on an Ubuntu 18 server, with this /etc/fail2ban/jail.local file:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/fail2ssh.log
maxretry = 2

After restarting the fail2ban service, I can always see login attempts in auth.log:

Jul 26 14:43:24 vps249697 sshd[4383]: Received disconnect from 118.25.48.254 port 55848:11: Bye Bye [preauth]
Jul 26 14:43:24 vps249697 sshd[4383]: Disconnected from invalid user radik 118.25.48.254 port 55848 [preauth]
Jul 26 14:43:49 vps249697 sshd[4379]: Connection reset by invalid user adm 91.236.116.89 port 28767 [preauth]
Jul 26 14:43:50 vps249697 sshd[4385]: Invalid user adm from 91.236.116.89 port 38386
Jul 26 14:43:50 vps249697 sshd[4385]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:43:50 vps249697 sshd[4385]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.236.$
Jul 26 14:43:53 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:43:53 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:43:53 vps249697 sshd[4385]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:43:55 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:44:17 vps249697 sshd[4387]: Invalid user tomcat from 153.126.159.208 port 50732
Jul 26 14:44:17 vps249697 sshd[4387]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:17 vps249697 sshd[4387]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.126$
Jul 26 14:44:18 vps249697 sshd[4389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.12.$
Jul 26 14:44:19 vps249697 sshd[4387]: Failed password for invalid user tomcat from 153.126.159.208 port 50732 ssh2
Jul 26 14:44:19 vps249697 sshd[4387]: Received disconnect from 153.126.159.208 port 50732:11: Bye Bye [preauth]
Jul 26 14:44:19 vps249697 sshd[4387]: Disconnected from invalid user tomcat 153.126.159.208 port 50732 [preauth]
Jul 26 14:44:20 vps249697 sshd[4391]: Invalid user user from 173.212.232.230 port 34124
Jul 26 14:44:20 vps249697 sshd[4391]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:20 vps249697 sshd[4391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=173.212$
Jul 26 14:44:20 vps249697 sshd[4389]: Failed password for root from 187.12.167.85 port 33518 ssh2
Jul 26 14:44:21 vps249697 sshd[4389]: Received disconnect from 187.12.167.85 port 33518:11: Bye Bye [preauth]
Jul 26 14:44:21 vps249697 sshd[4389]: Disconnected from authenticating user root 187.12.167.85 port 33518 [preauth]
Jul 26 14:44:22 vps249697 sshd[4391]: Failed password for invalid user user from 173.212.232.230 port 34124 ssh2
Jul 26 14:44:22 vps249697 sshd[4391]: Received disconnect from 173.212.232.230 port 34124:11: Bye Bye [preauth]
Jul 26 14:44:22 vps249697 sshd[4391]: Disconnected from invalid user user 173.212.232.230 port 34124 [preauth]
Jul 26 14:44:27 vps249697 sshd[4385]: Connection reset by invalid user adm 91.236.116.89 port 38386 [preauth]
Jul 26 14:44:27 vps249697 sshd[4385]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.236.116.89
Jul 26 14:44:28 vps249697 sshd[4394]: Invalid user scan from 103.99.113.35 port 57228
Jul 26 14:44:28 vps249697 sshd[4394]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:28 vps249697 sshd[4394]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.99.$
Jul 26 14:44:28 vps249697 sshd[4397]: Invalid user adm from 91.236.116.89 port 48694
Jul 26 14:44:28 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:28 vps249697 sshd[4397]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.236.$
Jul 26 14:44:29 vps249697 sshd[4394]: Failed password for invalid user scan from 103.99.113.35 port 57228 ssh2
Jul 26 14:44:29 vps249697 sshd[4394]: Received disconnect from 103.99.113.35 port 57228:11: Bye Bye [preauth]
Jul 26 14:44:29 vps249697 sshd[4394]: Disconnected from invalid user scan 103.99.113.35 port 57228 [preauth]
Jul 26 14:44:30 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2
Jul 26 14:44:30 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:32 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2
Jul 26 14:44:47 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:49 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2
Jul 26 14:44:49 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:51 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2

How can I ban these IPs?

Thanks for your help.

Answer 1

Your problem is here:

logpath = /var/log/fail2ssh.log

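The jail option logpath defines

the path to the log file that is provided to the filter

If the attempts appear in auth.log, then that is what should be defined in your logpath, not fail2ssh.log.

Additional tip: maxretry = 2 is very low and may ban legitimate users, including yourself. Whitelisting your own IP address might be a good idea.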
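The effect of the logpath fix and of the whitelist tip, as an added example that is not part of the original question or answer: it replays an excerpt of the question's log against the jail settings. The regex is a simplified stand-in for fail2ban's sshd filter, and the 203.0.113.10 admin address, the `deploy` user and the empty fail2ssh.log are constructed assumptions.

```python
import configparser
import re
from collections import Counter

# Simplified stand-in for fail2ban's sshd failregex (an assumption, not the real filter).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# The jail from the question, verbatim.
JAIL_LOCAL = """[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/fail2ssh.log
maxretry = 2
"""

# Excerpt of the question's auth.log, plus two constructed lines from a
# hypothetical admin address (203.0.113.10) who mistyped a password twice.
AUTH_LOG = """\
Jul 26 14:43:50 vps249697 sshd[4385]: Invalid user adm from 91.236.116.89 port 38386
Jul 26 14:43:53 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:43:55 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:44:19 vps249697 sshd[4387]: Failed password for invalid user tomcat from 153.126.159.208 port 50732 ssh2
Jul 26 14:44:20 vps249697 sshd[4389]: Failed password for root from 187.12.167.85 port 33518 ssh2
Jul 26 14:45:01 vps249697 sshd[4401]: Failed password for deploy from 203.0.113.10 port 40022 ssh2
Jul 26 14:45:09 vps249697 sshd[4401]: Failed password for deploy from 203.0.113.10 port 40022 ssh2
"""

# fail2ssh.log is modelled as an existing but empty file (assumption).
LOGS = {"/var/log/auth.log": AUTH_LOG, "/var/log/fail2ssh.log": ""}


def would_ban(jail_text, logs, jail="sshd"):
    """Return (logpath, sorted IPs whose failures in that file reach maxretry).

    Simplifications: findtime is ignored and ignoreip is matched as exact
    addresses only (fail2ban itself also accepts CIDR masks and DNS names).
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(jail_text)
    section = cfg[jail]
    logpath = section["logpath"]
    ignored = set(section.get("ignoreip", fallback="").split())
    lines = logs.get(logpath, "").splitlines()
    hits = Counter(m.group(1) for line in lines if (m := FAILED.search(line)))
    limit = section.getint("maxretry")
    return logpath, sorted(ip for ip, n in hits.items() if n >= limit and ip not in ignored)


FIXED = JAIL_LOCAL.replace("/var/log/fail2ssh.log", "/var/log/auth.log")
FIXED_WHITELISTED = FIXED + "ignoreip = 127.0.0.1/8 203.0.113.10\n"
```

On the server itself, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` shows whether the real filter matches the log, and `fail2ban-client status sshd` lists the file the jail is watching and the addresses currently banned.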
