我在 /etc/fail2ban/jail.conf 中定义了以下 jail。为了保护隐私/安全,我将对 IP 的引用替换为本地 10.0.0.x 地址。
[ssh-iptables]
enabled = true
filter = sshd
banaction = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
backend = auto
findtime = 18000
bantime = 65535
maxretry = 5
使用可用的过滤器这里对于 sshd。我确实尝试添加此行:
^.*authentication failure;.*rhost=<HOST>按照建议的文件这个答案
当我运行时,fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf我收到许多指示为失败的命中。下面是基于今天早些时候的 150 行 /var/log/secure 的示例。
$ cat /tmp/output.txt
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /tmp/failed3.log
Results
=======
Failregex: 56 total
|- #) [# of hits] regular expression
| 3) [42] ^\s*(<[^.]+ [^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s(?:\[ID \d+ \S+\])?\s*(?:(?:error|fatal): (?:PAM: )?)?Failed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 13) [14] ^\s*(<[^.]+ [^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s(?:\[ID \d+ \S+\])?\s*(?:(?:error|fatal): (?:PAM: )?)?pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*(?: \[preauth\])?\s*$
`-
Ignoreregex: 0 total
Summary
=======
Addresses found:
[3]
10.0.0.1 (Mon Feb 24 11:46:29 2020)
10.0.0.1 (Mon Feb 24 11:46:32 2020)
10.0.0.1 (Mon Feb 24 11:46:34 2020)
10.0.0.1 (Mon Feb 24 11:46:43 2020)
10.0.0.1 (Mon Feb 24 11:46:46 2020)
10.0.0.1 (Mon Feb 24 11:46:48 2020)
10.0.0.1 (Mon Feb 24 11:46:59 2020)
10.0.0.1 (Mon Feb 24 11:47:02 2020)
10.0.0.1 (Mon Feb 24 11:47:03 2020)
10.0.0.1 (Mon Feb 24 11:47:15 2020)
10.0.0.1 (Mon Feb 24 11:47:17 2020)
10.0.0.1 (Mon Feb 24 11:47:20 2020)
10.0.0.1 (Mon Feb 24 11:47:30 2020)
10.0.0.1 (Mon Feb 24 11:47:32 2020)
10.0.0.1 (Mon Feb 24 11:47:34 2020)
10.0.0.1 (Mon Feb 24 11:47:45 2020)
10.0.0.1 (Mon Feb 24 11:47:48 2020)
10.0.0.1 (Mon Feb 24 11:47:51 2020)
10.0.0.1 (Mon Feb 24 11:48:03 2020)
10.0.0.1 (Mon Feb 24 11:48:06 2020)
10.0.0.1 (Mon Feb 24 11:48:08 2020)
10.0.0.1 (Mon Feb 24 11:48:18 2020)
10.0.0.1 (Mon Feb 24 11:48:21 2020)
10.0.0.1 (Mon Feb 24 11:48:23 2020)
10.0.0.1 (Mon Feb 24 11:48:38 2020)
10.0.0.1 (Mon Feb 24 11:48:40 2020)
10.0.0.1 (Mon Feb 24 11:48:43 2020)
10.0.0.1 (Mon Feb 24 11:48:50 2020)
10.0.0.1 (Mon Feb 24 11:48:53 2020)
10.0.0.1 (Mon Feb 24 11:48:55 2020)
10.0.0.1 (Mon Feb 24 11:49:07 2020)
10.0.0.1 (Mon Feb 24 11:49:10 2020)
10.0.0.1 (Mon Feb 24 11:49:13 2020)
10.0.0.2 (Mon Feb 24 11:49:20 2020)
10.0.0.2 (Mon Feb 24 11:49:23 2020)
10.0.0.1 (Mon Feb 24 11:49:24 2020)
10.0.0.2 (Mon Feb 24 11:49:25 2020)
10.0.0.1 (Mon Feb 24 11:49:27 2020)
10.0.0.1 (Mon Feb 24 11:49:29 2020)
10.0.0.1 (Mon Feb 24 11:49:37 2020)
10.0.0.1 (Mon Feb 24 11:49:40 2020)
10.0.0.1 (Mon Feb 24 11:49:43 2020)
[13]
10.0.0.1 (Mon Feb 24 11:46:27 2020)
10.0.0.1 (Mon Feb 24 11:46:41 2020)
10.0.0.1 (Mon Feb 24 11:46:57 2020)
10.0.0.1 (Mon Feb 24 11:47:13 2020)
10.0.0.1 (Mon Feb 24 11:47:28 2020)
10.0.0.1 (Mon Feb 24 11:47:44 2020)
10.0.0.1 (Mon Feb 24 11:48:01 2020)
10.0.0.1 (Mon Feb 24 11:48:16 2020)
10.0.0.1 (Mon Feb 24 11:48:35 2020)
10.0.0.1 (Mon Feb 24 11:48:48 2020)
10.0.0.1 (Mon Feb 24 11:49:05 2020)
10.0.0.2 (Mon Feb 24 11:49:18 2020)
10.0.0.1 (Mon Feb 24 11:49:22 2020)
10.0.0.1 (Mon Feb 24 11:49:35 2020)
Date template hits:
2606 hit(s): MONTH Day Hour:Minute:Second
Success, the total number of match is 56
However, look at the above section 'Running tests' which could contain important
information.
将日志级别增加到 4 会产生此输出。
2020-02-24 12:33:24,612 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.10
2020-02-24 12:33:24,612 fail2ban.comm : DEBUG Command: ['add', 'ssh-iptables', 'auto']
2020-02-24 12:33:24,613 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2020-02-24 12:33:24,633 fail2ban.jail : INFO Jail 'ssh-iptables' uses pyinotify
2020-02-24 12:33:24,647 fail2ban.filter : DEBUG Setting usedns = warn for FilterPyinotify(Jail('ssh-iptables'))
2020-02-24 12:33:24,652 fail2ban.filter : DEBUG Created FilterPyinotify(Jail('ssh-iptables'))
2020-02-24 12:33:24,653 fail2ban.filter : DEBUG Created FilterPyinotify
2020-02-24 12:33:24,653 fail2ban.jail : INFO Initiated 'pyinotify' backend
2020-02-24 12:33:24,654 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'usedns', 'warn']
2020-02-24 12:33:24,654 fail2ban.filter : DEBUG Setting usedns = warn for FilterPyinotify(Jail('ssh-iptables'))
2020-02-24 12:33:24,654 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addlogpath', '/var/log/secure']
2020-02-24 12:33:24,663 fail2ban.filter : INFO Added logfile = /var/log/secure
2020-02-24 12:33:24,663 fail2ban.filter : DEBUG Added monitor for the parent directory /var/log
2020-02-24 12:33:24,663 fail2ban.filter : DEBUG Added file watcher for /var/log/secure
2020-02-24 12:33:24,663 fail2ban.filter.datedetector: DEBUG Sorting the template list
2020-02-24 12:33:24,664 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 0 hits
2020-02-24 12:33:24,664 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'maxretry', '5']
2020-02-24 12:33:24,664 fail2ban.filter : INFO Set maxRetry = 5
2020-02-24 12:33:24,665 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addignoreip', '127.0.0.1/8,']
2020-02-24 12:33:24,665 fail2ban.filter : DEBUG Add 127.0.0.1/8, to ignore list
2020-02-24 12:33:24,665 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addignoreip', 10.0.0.0/8’]
2020-02-24 12:33:24,666 fail2ban.filter : DEBUG Add 10.0.0.0/8 to ignore list
2020-02-24 12:33:24,666 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'findtime', '18000']
2020-02-24 12:33:24,666 fail2ban.filter : INFO Set findtime = 18000
2020-02-24 12:33:24,667 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'bantime', '65535']
2020-02-24 12:33:24,667 fail2ban.actions: INFO Set banTime = 65535
2020-02-24 12:33:24,667 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,670 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User not known to the underlying authentication module for .* from <HOST>\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,681 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)']
2020-02-24 12:33:24,685 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?ROOT LOGIN REFUSED.* FROM <HOST>\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,696 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$']
2020-02-24 12:33:24,699 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,703 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,714 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,718 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?refused connect from \\S+ \\(<HOST>\\)\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,729 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,733 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,746 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', "^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"]
2020-02-24 12:33:24,750 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=\\S*\\s*rhost=<HOST>\\s.*(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,766 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)? \\[preauth\\]$']
2020-02-24 12:33:24,771 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)(?:(?:error|fatal): (?:PAM: )?)?User .+ not allowed because account is locked(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>: 11: .+(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,788 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Connection closed by <HOST>(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,794 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)(?:(?:error|fatal): (?:PAM: )?)?Connection from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+(?: \\[preauth\\])?\\s*$']
2020-02-24 12:33:24,808 fail2ban.comm : DEBUG Command: ['start', 'ssh-iptables']
2020-02-24 12:33:24,808 fail2ban.jail : INFO Jail 'ssh-iptables' started
2020-02-24 12:33:24,812 fail2ban.filter : DEBUG pyinotifier started for ssh-iptables.
2020-02-24 12:33:26,493 fail2ban.filter : DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/secure pathname=/var/log/secure wd=2 >
2020-02-24 12:33:26,493 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2020-02-24 12:33:26,494 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2020-02-24 12:33:26,498 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2020-02-24 12:33:26,498 fail2ban.filter : DEBUG Processing line with time:1582559963.0 and ip:PROBLEM-IP
2020-02-24 12:33:40,959 fail2ban.comm : DEBUG Command: ['status']
2020-02-24 12:33:45,745 fail2ban.comm : DEBUG Command: ['status', 'ssh-iptables']
该行2020-02-24 12:33:26,498 fail2ban.filter : DEBUG Processing line with time:1582559963.0 and ip:PROBLEM-IP对应于我当前安全日志中的第一个条目(由于一段时间没有轮换,该文件已被截断)。但是安全日志中有数百行类似的行:
$ sudo grep "Failed password" /var/log/secure | grep 10.0.0.1 | wc -l
1182
Pyinotify 已安装(sudo yum install pyinotify -y)并且 NTP 已配置并处于活动状态,我的日志日期/时间与给出的时间同步date。
$ ntpstat
synchronised to NTP server (209.51.161.238) at stratum 2
time correct to within 26 ms
polling server every 512 s
$ date
Mon Feb 24 12:56:34 EST 2020
$ tail /var/log/secure -n1
Feb 24 12:56:37 localhost sshd[24764]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=root
其他信息:
Fail2Ban v0.8.10
Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).
Written by Cyril Jaquier <[email protected]>.
Many contributions by Yaroslav O. Halchenko <[email protected]>.
fail2ban-client-d 输出
$ sudo fail2ban-client -d
WARNING 'action' not defined in 'ssh-messages'. Using default one: ''
['set', 'loglevel', 4]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh-iptables', 'auto']
['set', 'ssh-iptables', 'usedns', 'warn']
['set', 'ssh-iptables', 'addlogpath', '/var/log/secure']
['set', 'ssh-iptables', 'maxretry', 5]
['set', 'ssh-iptables', 'addignoreip', '127.0.0.1/8,']
['set', 'ssh-iptables', 'addignoreip', '10.0.0.0/8']
['set', 'ssh-iptables', 'findtime', 18000]
['set', 'ssh-iptables', 'bantime', 65535]
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User not known to the underlying authentication module for .* from <HOST>\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?ROOT LOGIN REFUSED.* FROM <HOST>\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?refused connect from \\S+ \\(<HOST>\\)\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', "^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"]
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=\\S*\\s*rhost=<HOST>\\s.*(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:(?:error|fatal): (?:PAM: )?)?(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)? \\[preauth\\]$']
['set', 'ssh-iptables', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)(?:(?:error|fatal): (?:PAM: )?)?User .+ not allowed because account is locked(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>: 11: .+(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Connection closed by <HOST>(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+ [^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)(?:(?:error|fatal): (?:PAM: )?)?Connection from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+(?: \\[preauth\\])?\\s*$']
['set', 'ssh-iptables', 'addaction', 'iptables']
['set', 'ssh-iptables', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>']
['set', 'ssh-iptables', 'actionstop', 'iptables', 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'ssh-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>']
['set', 'ssh-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>']
['set', 'ssh-iptables', 'actioncheck', 'iptables', "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"]
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'chain', 'INPUT']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'port', 'ssh']
['start', 'ssh-iptables']
iptables -L
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
值得注意的是,如果我运行fail2ban-client set ssh-iptables banip IPADDR给定的内容,它将被添加到 iptables,并使用给定 IP 的 rDNS 名称显示(至少对于我正在测试的服务器)。
$ sudo fail2ban-client set ssh-iptables banip 10.0.0.10
10.0.0.10
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
REJECT all -- REVERSE-DNS-NAME-FOR-10.0.0.10 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
我对 fail2ban 还不太熟悉,可能忽略了一些显而易见的东西,但我现在很难确定是什么。根据我所能解析的上述输出,它似乎应该可以正常工作,但尽管在安全日志中看到来自同一 IP 的数十次失败,但我得到的禁令为 0。
答案1
不确定这是否是“正确”的解决方案,但我能够ssh-iptables通过重新安装、重新创建 jail.local 并将 jail.local 的内容更改为以下内容来使 jail 正常运行:
[DEFAULT]
bantime = 600
ignorecommand =
findtime = 600
maxretry = 3
usedns = warn
banaction = iptables-multiport
banaction_allports = iptables-allports
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=tcp]
backend = polling
logpath = /var/log/secure
pathname = /var/log/secure
bantime = 86400
findtime = 1200
mode = normal
maxretry = 5
## disabled jails removed to save space ##
由于某种原因,将禁令从 改为iptables对iptables-allports我来说是有效的,正如 IgorG 在近 5 年前的 Plesk 支持帖子中所建议的那样。我想是时候研究一下 fail2ban 的文档并尝试理解为什么它有效了...
答案2
似乎你没有实际action定义。尝试添加此行
action = %(action_)s