Can someone look at these rules and tell me whether they are doing what they should? Especially the f2b-MALTRAIL one, since that is supposed to block the malicious traffic:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VESTA tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22122
f2b-MALTRAIL all -- 0.0.0.0/0 0.0.0.0/0
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-DB tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 3306,5432
fail2ban-MAIL tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,2525,110,995,143,993
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 139.162.208.251 0.0.0.0/0
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8338
DROP tcp -- 198.11.149.1 0.0.0.0/0
DROP tcp -- 198.11.149.124 0.0.0.0/0
ACCEPT tcp -- 109.74.193.98 0.0.0.0/0 multiport dports 3306,5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22,22122
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8181,2812
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21,12000:12100
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,2525
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995
ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 multiport dports 3306,5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-MALTRAIL (1 references)
target prot opt source destination
REJECT all -- 196.52.43.59 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 196.52.43.122 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 138.197.222.97 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 195.54.160.183 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 106.12.40.74 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 157.230.38.102 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 71.6.199.23 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 206.189.88.253 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.234.218.85 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 92.62.131.106 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 60.220.187.113 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 159.65.196.65 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 36.112.172.125 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 202.154.180.51 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 165.227.225.195 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 104.236.72.182 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 157.230.245.91 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 106.12.82.89 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 138.197.89.212 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 218.88.215.49 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 112.122.5.6 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 92.118.161.17 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 150.109.151.206 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 46.101.220.225 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 89.248.168.112 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 196.52.43.58 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 5.8.10.202 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 159.203.30.50 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 81.68.77.53 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 139.59.83.179 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 103.205.5.158 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 61.155.209.51 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 92.118.160.5 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 67.207.88.180 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 174.138.42.143 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 92.118.160.9 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 167.248.133.30 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 62.219.3.58 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 142.93.121.47 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 196.52.43.103 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 128.199.143.19 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 103.44.240.67 0.0.0.0/0 reject-with icmp-port-unreachable
... removed some, otherwise it won't let me post!
REJECT all -- 35.239.58.193 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 164.68.112.178 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 216.218.206.121 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 74.82.47.4 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 74.82.47.57 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 122.228.19.79 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.129.33.129 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 104.248.229.42 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 184.105.139.93 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.148.10.186 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 178.73.215.171 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 106.12.37.20 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 104.248.176.46 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 146.88.240.4 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 116.196.105.232 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.52 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.84 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 74.82.47.22 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.166 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.192 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.133 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.39 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.149 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.56 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.5 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.35 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.55 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.62 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.180 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 80.82.70.118 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.93 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.21 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.58 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.137 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.99 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.38 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.59 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.54 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.51 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.215 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.60 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 89.248.167.131 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.121 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.69 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.90 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.53 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.147 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.183 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.209 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.79 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.32 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.142.120.74 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 197.248.10.108 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-DB (1 references)
target prot opt source destination
Chain fail2ban-MAIL (1 references)
target prot opt source destination
REJECT all -- 212.70.149.53 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.84 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.37 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 141.98.80.78 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.5 0.0.0.0/0 reject-with icmp-port-unreachable
Chain fail2ban-SSH (1 references)
target prot opt source destination
REJECT all -- 197.248.10.108 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-VESTA (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain vesta (0 references)
target prot opt source destination
From here you can see that there is still active traffic on our logging system:
I'm not sure whether this is because my rules aren't working the way I expect, or whether all incoming network traffic still passes through and gets logged even when it is rejected?
Update: in jail.conf I have:
[maltrail-iptables]
enabled = true
filter = maltrail
bantime = 31536000
action = iptables-allports[name=MALTRAIL, protocol=all]
;action = vesta[name=MALTRAIL]
logpath = /var/log/maltrail/*-*-*.log
maxretry = 1
This is correctly tracking them and adding them to the iptables list, but the iptables part doesn't seem to be working correctly.
Here is what is in iptables.rules:
# Generated by iptables-save v1.6.0 on Wed Nov 4 16:32:24 2020
*security
:INPUT ACCEPT [1450417247:318113130613]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1501717071:15015375821026]
COMMIT
# Completed on Wed Nov 4 16:32:24 2020
# Generated by iptables-save v1.6.0 on Wed Nov 4 16:32:24 2020
*raw
:PREROUTING ACCEPT [1459728524:318650649615]
:OUTPUT ACCEPT [1501717071:15015375821026]
COMMIT
# Completed on Wed Nov 4 16:32:24 2020
# Generated by iptables-save v1.6.0 on Wed Nov 4 16:32:24 2020
*nat
:PREROUTING ACCEPT [19767360:1137058191]
:INPUT ACCEPT [11471679:654636123]
:OUTPUT ACCEPT [23944491:1577314712]
:POSTROUTING ACCEPT [23944491:1577314712]
COMMIT
# Completed on Wed Nov 4 16:32:24 2020
# Generated by iptables-save v1.6.0 on Wed Nov 4 16:32:24 2020
*mangle
:PREROUTING ACCEPT [1459728524:318650649615]
:INPUT ACCEPT [1459728524:318650649615]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1501717071:15015375821026]
:POSTROUTING ACCEPT [1501717071:15015375821026]
COMMIT
# Completed on Wed Nov 4 16:32:24 2020
# Generated by iptables-save v1.6.0 on Wed Nov 4 16:32:24 2020
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:fail2ban-DB - [0:0]
:fail2ban-MAIL - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:vesta - [0:0]
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m multiport --dports 3306,5432 -j fail2ban-DB
-A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 22122 -j fail2ban-SSH
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 139.162.208.252/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8338 -j ACCEPT
-A INPUT -s 198.11.149.1/32 -p tcp -j DROP
-A INPUT -s 198.11.149.124/32 -p tcp -j DROP
-A INPUT -s 109.74.193.98/32 -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,22122 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,8181,2812 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A f2b-sshd -j RETURN
-A fail2ban-DB -j RETURN
-A fail2ban-MAIL -s 45.142.120.74/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.147/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.149/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.79/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.192/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.209/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.133/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.121/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.99/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.166/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.180/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.93/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.51/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.84/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.53/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.60/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.15/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.137/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.39/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.62/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.58/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.35/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.183/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -s 45.142.120.38/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-VESTA -j RETURN
COMMIT
# Completed on Wed Nov 4 16:32:24 2020
Oddly, it hasn't been updated in two days, which might explain why it isn't behaving the way I expected.
Answer 1
The way fail2ban works is by looking at logs. The traffic has to show up there before it gets blocked (how many times is configurable in jail.conf / jail.d).
So you would expect to see the IPs that are in the f2b- chain in the logs at some point. But once they have been added to the f2b- chain, they should not show up again.
Whether it is working correctly really comes down to timing: when the log entry happened versus when the address was added to the f2b- chain.
The ban/unban times can usually be found in /var/log/fail2ban.log, but that may depend on the distribution.
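The answer above describes the sequence fail2ban goes through (a log hit, a "Ban" entry in fail2ban.log, a REJECT rule in the f2b- chain, an "Unban" when bantime expires). The direct way to check whether that sequence completed on a host like the one in the question is to reconcile fail2ban.log against the live chain (iptables -S, not the iptables.rules snapshot, which only reflects the last iptables-save) and to confirm that the INPUT jump into the f2b- chain sits ahead of every ACCEPT. One caveat worth adding: a packet REJECTed in INPUT is still seen by a pcap-based sensor such as Maltrail, which captures on the interface before the netfilter INPUT hook, so the sensor log going quiet is not the right signal; the chain and fail2ban.log are. The script below is an added example, not part of the question, the answer, or fail2ban itself. The log lines and iptables -S output it embeds are constructed from the rules shown in the question, and the fail2ban.log format it parses is the default "fail2ban.actions ... NOTICE [jail] Ban <ip>" layout; the jail and chain names are the ones from the question's jail.conf.

```python
"""Reconcile fail2ban's ban/unban log with the live iptables chain.

Added example (not the poster's code and not part of fail2ban). Assumes the
default fail2ban.log line format and plain `iptables -S` output. The sample
data below is constructed from the rules shown in the post, not captured.
"""
import re
import subprocess
from collections import OrderedDict

# fail2ban.actions lines: "... NOTICE  [jail] Ban 1.2.3.4", "Unban ...", "Restore Ban ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+(?P<act>Restore Ban|Ban|Unban)\s+(?P<ip>[0-9a-fA-F.:]+)$"
)
# "-A f2b-MALTRAIL -s 45.142.120.74/32 -j REJECT ..." lines from `iptables -S <chain>`
RULE_RE = re.compile(r"^-A (?P<chain>\S+) -s (?P<ip>[0-9a-fA-F.:]+)(?:/\d+)? .*-j (?P<target>REJECT|DROP)\b")
# Any INPUT rule with a jump target, used to check ordering of f2b-* jumps vs ACCEPTs
JUMP_RE = re.compile(r"^-A INPUT\b.*-j (?P<target>\S+)")

# Constructed sample of /var/log/fail2ban.log (not from a real host).
SAMPLE_LOG = """\
2020-11-06 09:00:01,101 fail2ban.actions        [812]: NOTICE  [maltrail-iptables] Ban 45.142.120.74
2020-11-06 09:05:42,207 fail2ban.actions        [812]: NOTICE  [maltrail-iptables] Ban 196.52.43.59
2020-11-06 09:07:13,330 fail2ban.actions        [812]: NOTICE  [sshd] Ban 197.248.10.108
2020-11-06 09:30:00,004 fail2ban.actions        [812]: NOTICE  [maltrail-iptables] Unban 196.52.43.59
2020-11-06 09:41:55,918 fail2ban.actions        [812]: NOTICE  [maltrail-iptables] Ban 212.70.149.5
""".splitlines()

# Constructed `iptables -S f2b-MALTRAIL` output, shaped like the chain in the post.
SAMPLE_CHAIN = """\
-N f2b-MALTRAIL
-A f2b-MALTRAIL -s 45.142.120.74/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-MALTRAIL -s 196.52.43.59/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-MALTRAIL -j RETURN
""".splitlines()

# Constructed `iptables -S INPUT` output, abridged from the post's INPUT chain.
SAMPLE_INPUT = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m tcp --dport 22122 -j fail2ban-SSH
-A INPUT -j f2b-MALTRAIL
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,8181,2812 -j ACCEPT
""".splitlines()


def active_bans(log_lines, jail):
    """Replay Ban/Unban events for `jail`; returns {ip: time of last ban} still in force."""
    bans = OrderedDict()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["jail"] != jail:
            continue
        if m["act"] == "Unban":
            bans.pop(m["ip"], None)
        else:  # "Ban" or "Restore Ban" (re-applied after a fail2ban restart)
            bans[m["ip"]] = m["ts"]
    return bans


def chain_entries(chain_rules):
    """Source IPs that have a REJECT/DROP rule in `iptables -S <chain>` output."""
    return {m["ip"] for m in map(RULE_RE.match, chain_rules) if m}


def jump_before_first_accept(input_rules, chain):
    """True if INPUT jumps to `chain` before its first ACCEPT. If an ACCEPT (for
    RELATED,ESTABLISHED or an allowed port) comes first, banned hosts get through."""
    targets = [m["target"] for m in map(JUMP_RE.match, input_rules) if m]
    if chain not in targets:
        return False
    return "ACCEPT" not in targets or targets.index(chain) < targets.index("ACCEPT")


def reconcile(log_lines, chain_rules, input_rules, jail, chain):
    """Compare what fail2ban believes is banned with what netfilter actually enforces."""
    bans = active_bans(log_lines, jail)
    present = chain_entries(chain_rules)
    return {
        "missing_from_chain": sorted(set(bans) - present),  # logged Ban, but no rule: action failed
        "stale_in_chain": sorted(present - set(bans)),      # rule left behind after Unban/restart
        "jump_before_accept": jump_before_first_accept(input_rules, chain),
    }


def live_rules(chain):
    """Read the real chain on the host (needs root). Not used by the offline demo."""
    out = subprocess.run(["iptables", "-S", chain], check=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def demo():
    return reconcile(SAMPLE_LOG, SAMPLE_CHAIN, SAMPLE_INPUT, "maltrail-iptables", "f2b-MALTRAIL")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, replace the SAMPLE_* lists with the file contents and `live_rules("f2b-MALTRAIL")` / `live_rules("INPUT")`. An address in missing_from_chain means the jail fired but the iptables-allports action did not add the rule (check fail2ban.log for "ERROR" lines around that Ban); an address in stale_in_chain means a rule outlived its ban, which happens when fail2ban is restarted without flushing the chain. A False jump_before_accept means the f2b- jump was appended below an ACCEPT, so rejecting would never happen for traffic those ACCEPTs match.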