I am running fail2ban on CentOS 8 with ssh and Nginx configured. When I run fail2ban-client status, both jails show IPs as blocked, but they are not actually being blocked by the firewall. I am being bombarded with ssh attacks and nothing is happening on the firewall side. I am running "tcpdump -i any port 80 or port 443 or port 22" and see the repeated failed attempts. fail2ban sees them again and says they are banned, but they are not actually banned. Any suggestions?
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24
bantime = 21600
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
[sshd]
enabled = true
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/gitlab/nginx/error.log
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/gitlab/nginx/access.log
maxretry = 6
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/gitlab/nginx/access.log
maxretry = 2
[nginx-nohome]
enabled = true
port = http,https
filter = nginx-nohome
logpath = /var/log/gitlab/nginx/access.log
maxretry = 2
[nginx-noproxy]
enabled = true
port = http,https
filter = nginx-noproxy
logpath = /var/log/gitlab/nginx/access.log
maxretry = 2
[gitlab]
enabled = true
port = http,https
filter = gitlab
logpath = /var/log/gitlab/gitlab_error.log
Answer 1
If you are actually using firewalld, make sure you use a firewalld-compatible banaction, for example firewallcmd-ipset.
Answer 2
Your configuration looks fine, especially since you see the IP listed in the output of fail2ban-client status sshd.
How are you checking whether the IP is banned? This is how I check it on a system I am responsible for where an IP has been banned:
iptables -L f2b-sshd
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 120.29.125.240 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
If it is not listed there, is that because it is being banned and unbanned too quickly? I know your configuration is set to 6 hours, which should be long enough.
Apart from that, you can also check /var/log/fail2ban.log for possibly relevant activity. For example:
2020-12-04 09:17:07,590 fail2ban.filter [9089]: INFO [sshd] Found 120.29.125.240
2020-12-04 09:17:09,883 fail2ban.filter [9089]: INFO [sshd] Found 120.29.125.240
2020-12-04 09:17:12,163 fail2ban.filter [9089]: INFO [sshd] Found 120.29.125.240
2020-12-04 09:17:14,381 fail2ban.filter [9089]: INFO [sshd] Found 120.29.125.240
2020-12-04 09:17:16,874 fail2ban.filter [9089]: INFO [sshd] Found 120.29.125.240
2020-12-04 09:17:17,805 fail2ban.actions [9089]: NOTICE [sshd] Ban 120.29.125.240
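The check described in answer 2 can be automated: the helper below (an added example, not code from the question or either answer) compares the IPs that fail2ban-client reports as banned for a jail against the source addresses actually present in that jail's iptables chain, and prints every IP that is banned only on paper. It assumes the chain is named f2b-<jail>, as in the iptables output above, and that iptables is run with -n so sources appear as addresses rather than names; the sample inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: report IPs that fail2ban says are banned but that the
# iptables chain for the jail does not actually REJECT/DROP.

# missing_bans STATUS_TEXT CHAIN_TEXT
#   $1: output of `fail2ban-client status <jail>`
#   $2: output of `iptables -n -L f2b-<jail>` (empty if the chain is missing,
#       e.g. when firewalld is in use and iptables-multiport never created it)
# Prints one IP per line that is listed by fail2ban but not blocked in the chain.
missing_bans() {
    local status="$1" chain="$2" banned ip
    # The "Banned IP list:" line carries space-separated addresses after the colon.
    banned=$(printf '%s\n' "$status" | awk -F'Banned IP list:' '/Banned IP list:/ {print $2}')
    for ip in $banned; do
        # In `iptables -n -L` output the fields are: target prot opt source destination ...
        # so a blocking rule for this IP has $1 in {REJECT,DROP} and $4 equal to the IP.
        if ! printf '%s\n' "$chain" |
             awk -v ip="$ip" '($1=="REJECT"||$1=="DROP") && $4==ip {found=1} END {exit !found}'; then
            printf '%s\n' "$ip"
        fi
    done
}

# Constructed sample data (documentation-range addresses, not real hosts):
# fail2ban lists two IPs, but only one of them has a REJECT rule in the chain.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     7
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   203.0.113.10 198.51.100.7'

SAMPLE_CHAIN='Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.10         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# On the affected host you would pass live output instead:
#   missing_bans "$(fail2ban-client status sshd)" "$(iptables -n -L f2b-sshd 2>/dev/null)"
missing_bans "$SAMPLE_STATUS" "$SAMPLE_CHAIN"
```

If the chain does not exist at all (the firewalld case from answer 1), every banned IP is reported, which is exactly the symptom in the question.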