Ubuntu 20.04,fail2ban 禁止 IP 并将其放入 iptables,但被禁止的 IP 仍然可以连接,并且 fail2ban 日志显示 IP 已被禁止

Ubuntu 20.04,fail2ban 禁止 IP 并将其放入 iptables,但被禁止的 IP 仍然可以连接,并且 fail2ban 日志显示 IP 已被禁止

Ubuntu 20.04。我的 /var/log/nginx/access.log 中有大量记录,如下所示:

85.249.25.218 - - [15/Dec/2020:08:12:15 +0300] "POST /api/v1/device/analytics HTTP/1.1" 404 162 "-" "okhttp/4.8.1"

我已经安装了 fail2ban,我的 /etc/fail2ban/jail.local 的内容是:

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1w
bantime   = 4w
protocol  = all
port      = all
banaction = iptables-allports

[nginx-botsearch]
enabled   = true
maxretry  = 3
findtime  = 1w
bantime   = 4w
protocol  = all
port      = all
logpath   = %(nginx_error_log)s
banaction = iptables-allports

[nginx-custom2]
enabled   = true
maxretry  = 3
findtime  = 1w
bantime   = 4w
protocol  = all
port      = all
logpath   = %(nginx_access_log)s
banaction = iptables-allports

过滤/etc/fail2ban/filter.d/nginx-custom2.conf:

[Definition]
failregex = ^<HOST>.*GET \/api\/v1\/device\/.*
            ^<HOST>.*POST \/api\/v1\/device\/.*
            ^<HOST>.*PUT \/api\/v1\/device\/.*
ignoreregex =

Fail2ban 禁止我感兴趣的 IP 并将它们放入 iptables 中,我的 fail2ban-client -v status nginx-custom2 输出是:

Status for the jail: nginx-custom2
|- Filter
|  |- Currently failed: 11
|  |- Total failed: 2962
|  `- File list:    /var/log/nginx/access.log
`- Actions
   |- Currently banned: 88
   |- Total banned: 88
   `- Banned IP list:   176.59.129.174 176.59.129.44 176.59.130.124 176.59.132.106 176.59.133.195 176.59.134.14 176.59.142.78 176.59.146.203 176.59.151.46 176.59.193.194 176.59.194.205 176.59.200.101 176.59.200.92 176.59.201.16 176.59.201.174 176.59.32.58 176.59.32.99 176.59.33.4 176.59.33.43 176.59.33.86 176.59.34.97 176.59.38.189 176.59.39.47 176.59.43.227 176.59.46.102 176.59.46.210 176.59.49.240 176.59.52.215 176.59.68.151 176.99.82.18 178.176.48.132 178.67.194.209 178.67.196.94 188.113.141.148 213.234.251.192 213.27.48.88 213.87.250.113 217.118.64.2 217.118.93.139 31.13.144.102 31.173.241.11 31.173.80.23 37.29.40.213 37.29.41.108 37.29.41.208 46.187.12.73 46.45.200.129 62.133.162.154 80.83.237.30 80.83.237.34 83.149.21.218 83.234.120.247 85.115.243.47 85.115.248.16 85.115.248.250 85.140.0.111 85.140.0.159 85.140.0.9 85.140.1.20 85.140.1.225 85.140.12.183 85.140.19.132 85.140.2.127 85.140.4.36 85.140.4.92 85.174.194.255 85.174.198.90 85.249.163.166 85.249.25.218 85.26.164.108 85.26.164.151 85.26.165.234 85.26.165.238 85.26.232.91 85.26.233.73 85.26.235.207 89.113.138.149 89.113.138.255 89.113.139.227 89.113.140.202 89.178.132.99 93.88.25.3 95.153.129.19 95.153.129.237 109.197.205.118 85.115.248.36 176.59.140.152 176.59.68.199

iptables -L -n -v 输出为:

Chain INPUT (policy ACCEPT 419 packets, 175K bytes)
 pkts bytes target     prot opt in     out     source               destination         
23438 6327K f2b-nginx-custom2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
22460 6268K f2b-nginx-botsearch  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
22460 6268K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 412 packets, 60919 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-nginx-botsearch (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       87.26.121.231        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       8.129.209.71         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       47.98.190.243        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       171.244.49.242       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       157.131.240.194      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       149.129.137.131      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       128.106.166.8        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       103.76.228.45        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       103.44.245.166       0.0.0.0/0            reject-with icmp-port-unreachable
22460 6268K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-nginx-custom2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  117  7020 REJECT     all  --  *      *       176.59.68.199        0.0.0.0/0            reject-with icmp-port-unreachable
   58  3480 REJECT     all  --  *      *       176.59.140.152       0.0.0.0/0            reject-with icmp-port-unreachable
   72  4320 REJECT     all  --  *      *       85.115.248.36        0.0.0.0/0            reject-with icmp-port-unreachable
    7   420 REJECT     all  --  *      *       109.197.205.118      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       95.153.129.237       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       95.153.129.19        0.0.0.0/0            reject-with icmp-port-unreachable
   23  1380 REJECT     all  --  *      *       93.88.25.3           0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       89.178.132.99        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       89.113.140.202       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       89.113.139.227       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       89.113.138.255       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       89.113.138.149       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.26.235.207        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.26.233.73         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.26.232.91         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.26.165.238        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.26.165.234        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.26.164.151        0.0.0.0/0            reject-with icmp-port-unreachable
   17  1020 REJECT     all  --  *      *       85.26.164.108        0.0.0.0/0            reject-with icmp-port-unreachable
   32  1920 REJECT     all  --  *      *       85.249.25.218        0.0.0.0/0            reject-with icmp-port-unreachable
  189 11340 REJECT     all  --  *      *       85.249.163.166       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.174.198.90        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.174.194.255       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.4.92          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.4.36          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.2.127         0.0.0.0/0            reject-with icmp-port-unreachable
   15   900 REJECT     all  --  *      *       85.140.19.132        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.12.183        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.1.225         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.1.20          0.0.0.0/0            reject-with icmp-port-unreachable
   40  2400 REJECT     all  --  *      *       85.140.0.9           0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.0.159         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.140.0.111         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.115.248.250       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.115.248.16        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       85.115.243.47        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       83.234.120.247       0.0.0.0/0            reject-with icmp-port-unreachable
   66  3960 REJECT     all  --  *      *       83.149.21.218        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       80.83.237.34         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       80.83.237.30         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       62.133.162.154       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       46.45.200.129        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       46.187.12.73         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       37.29.41.208         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       37.29.41.108         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       37.29.40.213         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       31.173.80.23         0.0.0.0/0            reject-with icmp-port-unreachable
   12   720 REJECT     all  --  *      *       31.173.241.11        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       31.13.144.102        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       217.118.93.139       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       217.118.64.2         0.0.0.0/0            reject-with icmp-port-unreachable
    7   420 REJECT     all  --  *      *       213.87.250.113       0.0.0.0/0            reject-with icmp-port-unreachable
    4   240 REJECT     all  --  *      *       213.27.48.88         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       213.234.251.192      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       188.113.141.148      0.0.0.0/0            reject-with icmp-port-unreachable
  210 12600 REJECT     all  --  *      *       178.67.196.94        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       178.67.194.209       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       178.176.48.132       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.99.82.18         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.68.151        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.52.215        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.49.240        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.46.210        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.46.102        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.43.227        0.0.0.0/0            reject-with icmp-port-unreachable
    7   420 REJECT     all  --  *      *       176.59.39.47         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.38.189        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.34.97         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.33.86         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.33.43         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.33.4          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.32.99         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.32.58         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.201.174       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.201.16        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.200.92        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.200.101       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.194.205       0.0.0.0/0            reject-with icmp-port-unreachable
  102  6120 REJECT     all  --  *      *       176.59.193.194       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.151.46        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.146.203       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.142.78        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.134.14        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.133.195       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.132.106       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.130.124       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.129.44        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       176.59.129.174       0.0.0.0/0            reject-with icmp-port-unreachable
22460 6268K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   724 REJECT     all  --  *      *       110.16.95.6          0.0.0.0/0            reject-with icmp-port-unreachable
   18  1384 REJECT     all  --  *      *       113.190.235.28       0.0.0.0/0            reject-with icmp-port-unreachable
   45  3192 REJECT     all  --  *      *       94.191.38.203        0.0.0.0/0            reject-with icmp-port-unreachable
   20  1556 REJECT     all  --  *      *       14.232.214.138       0.0.0.0/0            reject-with icmp-port-unreachable
   18  1424 REJECT     all  --  *      *       222.252.30.29        0.0.0.0/0            reject-with icmp-port-unreachable
   31  2268 REJECT     all  --  *      *       146.59.157.181       0.0.0.0/0            reject-with icmp-port-unreachable
   11   660 REJECT     all  --  *      *       110.35.79.23         0.0.0.0/0            reject-with icmp-port-unreachable
   20  1512 REJECT     all  --  *      *       190.202.32.2         0.0.0.0/0            reject-with icmp-port-unreachable
   23  1732 REJECT     all  --  *      *       190.79.227.81        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       103.127.108.96       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       103.123.246.130      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       101.36.110.215       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       101.109.245.158      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       1.245.61.144         0.0.0.0/0            reject-with icmp-port-unreachable
21387 6197K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ispmgr_allow_ip (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ispmgr_allow_sub (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ispmgr_deny_ip (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ispmgr_deny_sub (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (0 references)
 pkts bytes target     prot opt in     out     source               destination 

但是,我的 /var/log/nginx/access.log 中仍然有来自已被禁止的 IP 的记录。此外,我的 /var/log/fail2ban.log 中也有很多记录,如下所示:

2020-12-15 08:23:38,156 fail2ban.actions [2803]: WARNING [nginx-custom2] 83.149.21.218 already banned

请帮助我了解下一步该去哪里。

答案1

ufw在你的输出中看到了链iptables。可能是你ufw使用的 net-filter 后端是nftables?如果我没记错的话,后端切换计划在 20.10 版中为 Ubuntu 提供,但也许你自己更改了它或安装了某些服务(在这种情况下你最好切换到 nftables 禁止操作)。

虽然使用低级 net-filter 不会有太大问题,但是如果使用 ufw,有什么理由反对在 fail2ban 中使用 ufw-banning 操作呢?

而且好像还有一个ispmanager...

无论如何,我在 iptables 中看到了所有链(ispmgr_*ufw-*),但没有对它们的引用。因此,要么是配置不当,要么是此系统上的防火墙子系统出了问题。

它是虚拟机吗?(如果是,是哪一个?)...
您的系统是否使用(允许)iptables 内核模块?
您的 ufw 后端到底是什么?

相关内容