我为 PHP 应用程序登录页面配置了一个 jail,但登录尝试失败:
stephane@example:~$ tail -400f /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
[15-Oct-2019 12:15:18 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83
永远不会触发禁令:
Every 2.0s: fail2ban-client status learnintouch-admin example.com: Tue Oct 15 13:21:17 2019
Status for the jail: learnintouch-admin
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
在 DEBUG 级别运行fail2ban显示日志文件已被修改:
stephane@example:~$ sudo tail -f /var/log/fail2ban.log
[sudo] password for stephane:
2019-10-15 12:57:38,814 fail2ban.CommandAction [25514]: DEBUG Set blocktype = 'reject'
2019-10-15 12:57:38,814 fail2ban.CommandAction [25514]: DEBUG Set destination = 'any'
2019-10-15 12:57:38,814 fail2ban.CommandAction [25514]: DEBUG Set application = ''
2019-10-15 12:57:38,814 fail2ban.jail [25514]: DEBUG Starting jail 'learnintouch-admin'
2019-10-15 12:57:38,814 fail2ban.filterpoll [25514]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-15 12:57:38,815 fail2ban.filter [25514]: DEBUG Seek to find time 1571136458.8108385 (2019-10-15 12:47:38), file size 0
2019-10-15 12:57:38,815 fail2ban.filter [25514]: DEBUG Position -1 from 0, found time None () within 0 seeks
2019-10-15 12:57:38,816 fail2ban.jail [25514]: INFO Jail 'learnintouch-admin' started
2019-10-15 13:15:18,414 fail2ban.filterpoll [25514]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
测试正则表达式表明它是匹配的:
stephane@example:~/dev/docker/projects/learnintouch/www.example/app$ fail2ban-regex /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log "\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for"
Running tests
=============
Use failregex line : \(<HOST>\) \[WARNING\] fail2ban -- Failed admin lo...
Use log file : /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
Use encoding : UTF-8
Results
=======
Failregex: 6 total
|- #) [# of hits] regular expression
| 1) [6] \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 6 lines, 0 ignored, 6 matched, 0 missed
[processed in 0.02 sec]
我的配置/etc/fail2ban/jail.local文件包含:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 1800
findtime = 600
maxretry = 5
banaction = ufw
[sshd]
enabled = false
[learnintouch-admin]
enabled = true
port = 81,83
filter = learnintouch-admin.fail2ban
logpath = /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
监狱配置/etc/fail2ban/filter.d/learnintouch-admin.fail2ban.conf文件:
[INCLUDES]
before = common.conf
[Definition]
failregex = \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for
我使用fail2ban以下命令安装:
sudo apt-get install fail2ban
sudo apt-get install iptables-persistent
我配置了/etc/fail2ban/action.d/ufw.conf文件:
Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any port 83
actionunban = ufw delete deny from <ip> to any port 83
防火墙ufw状态:
stephane@example:~/dev/docker/projects/user-rest/app$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
3306 ALLOW IN 127.0.0.0
6379 ALLOW IN 127.0.0.0
8080 ALLOW IN Anywhere
81 ALLOW IN Anywhere
83 ALLOW IN Anywhere
8443 ALLOW IN Anywhere
9001 ALLOW IN Anywhere
5000 ALLOW IN 127.0.0.0
22 ALLOW IN Anywhere
22/tcp ALLOW IN Anywhere
Anywhere ALLOW IN Anywhere
82 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
8080 (v6) ALLOW IN Anywhere (v6)
81 (v6) ALLOW IN Anywhere (v6)
83 (v6) ALLOW IN Anywhere (v6)
8443 (v6) ALLOW IN Anywhere (v6)
9001 (v6) ALLOW IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
22/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN Anywhere (v6)
82 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
如果我重新启动 fail2ban 并连续 6 次登录尝试失败,则日志仅显示:
stephane@thalasoft:~$ sudo tail -f /var/log/fail2ban.log
2019-10-23 10:11:02,395 fail2ban.datetemplate [12908]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate [12908]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate [12908]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate [12908]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,399 fail2ban.datetemplate [12908]: DEBUG constructed regex (@[0-9a-f]{24})(?=\b|\W|$)
2019-10-23 10:11:02,399 fail2ban.datetemplate [12908]: DEBUG constructed regex ^(?:\W{0,2})?(@[0-9a-f]{24})(?=\b|\W|$)
2019-10-23 10:11:05,628 fail2ban.filterpoll [12908]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:10,242 fail2ban.filterpoll [12908]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:12,452 fail2ban.filterpoll [12908]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:14,456 fail2ban.filterpoll [12908]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:11,743 fail2ban.filterpoll [12908]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:14,359 fail2ban.filterpoll [12908]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:16,362 fail2ban.filterpoll [12908]: DEBUG /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
iptables输入输出配置:
stephane@thalasoft:~$ sudo iptables -n -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
stephane@thalasoft:~$ sudo iptables -n -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
stephane@thalasoft:~$
更新:我还从源代码安装了 fail2ban,先是 0.10.4 版本,然后是 0.10.3 版本。
sudo apt-get remove fail2ban
wget https://github.com/fail2ban/fail2ban/archive/0.10.3.tar.gz
mv 0.10.3.tar.gz fail2ban-0.10.3.tar.gz
gzip -d fail2ban-0.10.3.tar.gz
tar -xvf fail2ban-0.10.3.tar
cd ~/programs/fail2ban-0.10.3
mkdir ~/programs/install/fail2ban
sudo python setup.py install --root=~/programs/install/fail2ban
sudo cp files/debian-initd /etc/init.d/fail2ban
sudo update-rc.d fail2ban defaults
sudo systemctl unmask fail2ban.service
sudo service fail2ban start
但在两个源版本下我仍然遇到完全相同的错误。
更新:我可以在文件中看到许多传入的被阻止的登录尝试/var/log/ufw.log:
Oct 23 10:19:01 thalasoft kernel: [336294.072283] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=218.92.0.204 DST=149.28.60.185 LEN=700 TOS=0x00 PREC=0x00 TTL=48 ID=55749 DF PROTO=TCP SPT=50112 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Oct 23 10:19:07 thalasoft kernel: [336300.735374] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=185.156.73.52 DST=149.28.60.185 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=47855 PROTO=TCP SPT=55690 DPT=281 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 23 10:20:13 thalasoft kernel: [336366.115758] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=185.156.73.52 DST=149.28.60.185 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=958 PROTO=TCP SPT=55690 DPT=147 WINDOW=1024 RES=0x00 SYN URGP=0
即使我停止了fail2ban服务器也是如此。
答案1
failregex = \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for
无法工作,因为 HOST 前面有字符,请尝试以下操作:
failregex = ^.*\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for