Ubuntu 20.04。我的 /var/log/nginx/access.log 中有大量记录,如下所示:
85.249.25.218 - - [15/Dec/2020:08:12:15 +0300] "POST /api/v1/device/analytics HTTP/1.1" 404 162 "-" "okhttp/4.8.1"
我已经安装了 fail2ban,我的 /etc/fail2ban/jail.local 的内容是:
[sshd]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
banaction = iptables-allports
[nginx-botsearch]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
logpath = %(nginx_error_log)s
banaction = iptables-allports
[nginx-custom2]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
logpath = %(nginx_access_log)s
banaction = iptables-allports
过滤/etc/fail2ban/filter.d/nginx-custom2.conf:
[Definition]
failregex = ^<HOST>.*GET \/api\/v1\/device\/.*
^<HOST>.*POST \/api\/v1\/device\/.*
^<HOST>.*PUT \/api\/v1\/device\/.*
ignoreregex =
Fail2ban 禁止我感兴趣的 IP 并将它们放入 iptables 中,我的 fail2ban-client -v status nginx-custom2 输出是:
Status for the jail: nginx-custom2
|- Filter
| |- Currently failed: 11
| |- Total failed: 2962
| `- File list: /var/log/nginx/access.log
`- Actions
|- Currently banned: 88
|- Total banned: 88
`- Banned IP list: 176.59.129.174 176.59.129.44 176.59.130.124 176.59.132.106 176.59.133.195 176.59.134.14 176.59.142.78 176.59.146.203 176.59.151.46 176.59.193.194 176.59.194.205 176.59.200.101 176.59.200.92 176.59.201.16 176.59.201.174 176.59.32.58 176.59.32.99 176.59.33.4 176.59.33.43 176.59.33.86 176.59.34.97 176.59.38.189 176.59.39.47 176.59.43.227 176.59.46.102 176.59.46.210 176.59.49.240 176.59.52.215 176.59.68.151 176.99.82.18 178.176.48.132 178.67.194.209 178.67.196.94 188.113.141.148 213.234.251.192 213.27.48.88 213.87.250.113 217.118.64.2 217.118.93.139 31.13.144.102 31.173.241.11 31.173.80.23 37.29.40.213 37.29.41.108 37.29.41.208 46.187.12.73 46.45.200.129 62.133.162.154 80.83.237.30 80.83.237.34 83.149.21.218 83.234.120.247 85.115.243.47 85.115.248.16 85.115.248.250 85.140.0.111 85.140.0.159 85.140.0.9 85.140.1.20 85.140.1.225 85.140.12.183 85.140.19.132 85.140.2.127 85.140.4.36 85.140.4.92 85.174.194.255 85.174.198.90 85.249.163.166 85.249.25.218 85.26.164.108 85.26.164.151 85.26.165.234 85.26.165.238 85.26.232.91 85.26.233.73 85.26.235.207 89.113.138.149 89.113.138.255 89.113.139.227 89.113.140.202 89.178.132.99 93.88.25.3 95.153.129.19 95.153.129.237 109.197.205.118 85.115.248.36 176.59.140.152 176.59.68.199
iptables -L -n -v 输出为:
Chain INPUT (policy ACCEPT 419 packets, 175K bytes)
pkts bytes target prot opt in out source destination
23438 6327K f2b-nginx-custom2 all -- * * 0.0.0.0/0 0.0.0.0/0
22460 6268K f2b-nginx-botsearch all -- * * 0.0.0.0/0 0.0.0.0/0
22460 6268K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 412 packets, 60919 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-nginx-botsearch (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 87.26.121.231 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 8.129.209.71 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 47.98.190.243 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 171.244.49.242 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 157.131.240.194 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 149.129.137.131 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 128.106.166.8 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.76.228.45 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.44.245.166 0.0.0.0/0 reject-with icmp-port-unreachable
22460 6268K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-nginx-custom2 (1 references)
pkts bytes target prot opt in out source destination
117 7020 REJECT all -- * * 176.59.68.199 0.0.0.0/0 reject-with icmp-port-unreachable
58 3480 REJECT all -- * * 176.59.140.152 0.0.0.0/0 reject-with icmp-port-unreachable
72 4320 REJECT all -- * * 85.115.248.36 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 109.197.205.118 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 95.153.129.237 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 95.153.129.19 0.0.0.0/0 reject-with icmp-port-unreachable
23 1380 REJECT all -- * * 93.88.25.3 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.178.132.99 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.140.202 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.139.227 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.138.255 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.138.149 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.235.207 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.233.73 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.232.91 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.165.238 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.165.234 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.164.151 0.0.0.0/0 reject-with icmp-port-unreachable
17 1020 REJECT all -- * * 85.26.164.108 0.0.0.0/0 reject-with icmp-port-unreachable
32 1920 REJECT all -- * * 85.249.25.218 0.0.0.0/0 reject-with icmp-port-unreachable
189 11340 REJECT all -- * * 85.249.163.166 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.174.198.90 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.174.194.255 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.4.92 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.4.36 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.2.127 0.0.0.0/0 reject-with icmp-port-unreachable
15 900 REJECT all -- * * 85.140.19.132 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.12.183 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.1.225 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.1.20 0.0.0.0/0 reject-with icmp-port-unreachable
40 2400 REJECT all -- * * 85.140.0.9 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.0.159 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.0.111 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.248.250 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.248.16 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.243.47 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 83.234.120.247 0.0.0.0/0 reject-with icmp-port-unreachable
66 3960 REJECT all -- * * 83.149.21.218 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 80.83.237.34 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 80.83.237.30 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 62.133.162.154 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 46.45.200.129 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 46.187.12.73 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.41.208 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.41.108 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.40.213 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 31.173.80.23 0.0.0.0/0 reject-with icmp-port-unreachable
12 720 REJECT all -- * * 31.173.241.11 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 31.13.144.102 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 217.118.93.139 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 217.118.64.2 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 213.87.250.113 0.0.0.0/0 reject-with icmp-port-unreachable
4 240 REJECT all -- * * 213.27.48.88 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 213.234.251.192 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 188.113.141.148 0.0.0.0/0 reject-with icmp-port-unreachable
210 12600 REJECT all -- * * 178.67.196.94 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 178.67.194.209 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 178.176.48.132 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.99.82.18 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.68.151 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.52.215 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.49.240 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.46.210 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.46.102 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.43.227 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 176.59.39.47 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.38.189 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.34.97 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.86 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.4 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.32.99 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.32.58 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.201.174 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.201.16 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.200.92 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.200.101 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.194.205 0.0.0.0/0 reject-with icmp-port-unreachable
102 6120 REJECT all -- * * 176.59.193.194 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.151.46 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.146.203 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.142.78 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.134.14 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.133.195 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.132.106 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.130.124 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.129.44 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.129.174 0.0.0.0/0 reject-with icmp-port-unreachable
22460 6268K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
9 724 REJECT all -- * * 110.16.95.6 0.0.0.0/0 reject-with icmp-port-unreachable
18 1384 REJECT all -- * * 113.190.235.28 0.0.0.0/0 reject-with icmp-port-unreachable
45 3192 REJECT all -- * * 94.191.38.203 0.0.0.0/0 reject-with icmp-port-unreachable
20 1556 REJECT all -- * * 14.232.214.138 0.0.0.0/0 reject-with icmp-port-unreachable
18 1424 REJECT all -- * * 222.252.30.29 0.0.0.0/0 reject-with icmp-port-unreachable
31 2268 REJECT all -- * * 146.59.157.181 0.0.0.0/0 reject-with icmp-port-unreachable
11 660 REJECT all -- * * 110.35.79.23 0.0.0.0/0 reject-with icmp-port-unreachable
20 1512 REJECT all -- * * 190.202.32.2 0.0.0.0/0 reject-with icmp-port-unreachable
23 1732 REJECT all -- * * 190.79.227.81 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.127.108.96 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.123.246.130 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 101.36.110.215 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 101.109.245.158 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 1.245.61.144 0.0.0.0/0 reject-with icmp-port-unreachable
21387 6197K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ispmgr_allow_ip (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_allow_sub (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_deny_ip (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_deny_sub (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
但是,我的 /var/log/nginx/access.log 中仍然有来自已被禁止的 IP 的记录。此外,我的 /var/log/fail2ban.log 中也有很多记录,如下所示:
2020-12-15 08:23:38,156 fail2ban.actions [2803]: WARNING [nginx-custom2] 83.149.21.218 already banned
请帮助我了解下一步该去哪里。
答案1
我ufw在你的输出中看到了链iptables。可能是你ufw使用的 net-filter 后端是nftables?如果我没记错的话,后端切换计划在 20.10 版中为 Ubuntu 提供,但也许你自己更改了它或安装了某些服务(在这种情况下你最好切换到 nftables 禁止操作)。
虽然使用低级 net-filter 不会有太大问题,但是如果使用 ufw,有什么理由反对在 fail2ban 中使用 ufw-banning 操作呢?
而且好像还有一个ispmanager...
无论如何,我在 iptables 中看到了所有链(ispmgr_*和ufw-*),但没有对它们的引用。因此,要么是配置不当,要么是此系统上的防火墙子系统出了问题。
它是虚拟机吗?(如果是,是哪一个?)...
您的系统是否使用(允许)iptables 内核模块?
您的 ufw 后端到底是什么?