This is my jail.local:
```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24

[nginx-custom]
enabled = true
logpath = /var/log/nginx/access.log
action = iptables-multiport[name=nginx-custom, port="http,https", protocol=tcp, bantime=0]
findtime = 86400
bantime = -1
maxretry = 1

[sshd]
enabled = true
action = iptables-ipset-proto6[name=ssh, port=ssh, protocol=tcp, bantime=0]
findtime = 3600
bantime = -1
maxretry = 3
```
(I want to block traffic on port 443, which is the only exposed port.)

Here are the last few lines of the fail2ban log (1.2.3.4 is a fake IP; the real IP is of course different):
```
2021-02-13 00:53:52,639 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:52
2021-02-13 00:53:52,729 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:53,431 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:53
2021-02-13 00:53:53,931 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:56,139 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:56
2021-02-13 00:53:56,343 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:56
2021-02-13 00:53:56,465 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:56
2021-02-13 00:53:56,735 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:56,736 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:56,737 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:59,105 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:59
2021-02-13 00:53:59,341 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:11,629 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:11
2021-02-13 18:17:12,091 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:12
2021-02-13 18:17:12,152 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:12,153 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:13,799 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:13
2021-02-13 18:17:13,941 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:13
2021-02-13 18:17:14,157 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:14,157 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:17,494 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:17
2021-02-13 18:17:18,163 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:20,153 fail2ban.filter [570]: INFO [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:20
2021-02-13 18:17:20,166 fail2ban.actions [570]: WARNING [nginx-custom] 1.2.3.4 already banned
```
Finally, here is my `sudo iptables -vnL`:
```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
456 19436 f2b-nginx-custom tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
399K 177M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
399K 177M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
95562 7166K ACCEPT all -- * br-222 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2560 134K DOCKER all -- * br-222 0.0.0.0/0 0.0.0.0/0
78858 125M ACCEPT all -- br-222 !br-222 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-222 br-222 0.0.0.0/0 0.0.0.0/0
851 220K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
866 99277 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-555 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-555 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-555 !br-555 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-555 br-555 0.0.0.0/0 0.0.0.0/0
14761 7997K ACCEPT all -- * br-444 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
49 5420 DOCKER all -- * br-444 0.0.0.0/0 0.0.0.0/0
14648 1203K ACCEPT all -- br-444 !br-444 0.0.0.0/0 0.0.0.0/0
49 5420 ACCEPT all -- br-444 br-444 0.0.0.0/0 0.0.0.0/0
115K 38M ACCEPT all -- * br-111 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
61 3108 DOCKER all -- * br-111 0.0.0.0/0 0.0.0.0/0
117K 4713K ACCEPT all -- br-111 !br-111 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-111 br-111 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-333 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-333 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-333 !br-333 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-333 br-333 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain f2b-nginx-custom (1 references)
pkts bytes target prot opt in out source destination
42 1680 REJECT all -- * * 37.160.x.y 0.0.0.0/0 reject-with icmp-port-unreachable
410 17596 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (6 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-111 br-111 0.0.0.0/0 172.22.0.2 tcp dpt:9001
61 3108 ACCEPT tcp -- !br-111 br-111 0.0.0.0/0 172.22.0.2 tcp dpt:1883
0 0 ACCEPT tcp -- !br-555 br-555 0.0.0.0/0 172.21.0.2 tcp dpt:8080
1178 61768 ACCEPT tcp -- !br-222 br-222 0.0.0.0/0 172.19.0.2 tcp dpt:443
25 1500 ACCEPT tcp -- !br-222 br-222 0.0.0.0/0 172.19.0.2 tcp dpt:80
0 0 ACCEPT tcp -- !br-444 br-444 0.0.0.0/0 172.20.0.2 tcp dpt:8086
0 0 ACCEPT tcp -- !br-444 br-444 0.0.0.0/0 172.20.0.3 tcp dpt:3000

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
78858 125M DOCKER-ISOLATION-STAGE-2 all -- br-222 !br-222 0.0.0.0/0 0.0.0.0/0
866 99277 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-555 !br-555 0.0.0.0/0 0.0.0.0/0
14648 1203K DOCKER-ISOLATION-STAGE-2 all -- br-444 !br-444 0.0.0.0/0 0.0.0.0/0
117K 4713K DOCKER-ISOLATION-STAGE-2 all -- br-111 !br-111 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-333 !br-333 0.0.0.0/0 0.0.0.0/0
454K 196M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (6 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-222 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-555 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-444 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-111 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-333 0.0.0.0/0 0.0.0.0/0
218K 142M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
454K 196M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
```
I don't understand why I see the IP 1.2.3.4 so many times in fail2ban. Does it mean the attacker tries to connect and fail2ban blocks it again, but in fact the attacker can no longer reach my server? Or is Fail2ban not really banning it?

Today I saw the same IP, and Fail2Ban shows "already banned". I can't tell whether it is only trying to contact me or actually reaching me. Any ideas?

**Update**

I tried to get myself banned by visiting a suspicious link over a mobile connection. F2B banned me, but I could still access my resource (from the same banned IP). I thought I would no longer be able to reach my resources... where am I wrong?

**Update**

Added my full `iptables -vnL`.
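A check I would add at this point (my own example, not code from the post or from fail2ban): parse the `iptables -vnL` output and ask which built-in chains can actually reach each `f2b-*` chain. Traffic to a Docker-published port is forwarded, not delivered to the host, so it is filtered on the FORWARD path (here the `DOCKER` chain's `dpt:443` rule, reached through `DOCKER-USER`), and a ban chain that is only jumped to from INPUT never sees it; `SAMPLE` is an abbreviated copy of the output quoted above.

```python
import re

# Constructed subset of the `iptables -vnL` output quoted in the question.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  456 19436 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 399K  177M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2560  134K DOCKER     all  --  *      br-222  0.0.0.0/0            0.0.0.0/0
Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination
   42  1680 REJECT     all  --  *      *       37.160.x.y           0.0.0.0/0            reject-with icmp-port-unreachable
  410 17596 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain DOCKER (6 references)
 pkts bytes target     prot opt in     out     source               destination
 1178 61768 ACCEPT     tcp  --  !br-222 br-222  0.0.0.0/0            172.19.0.2           tcp dpt:443
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 454K  196M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_chains(text):
    """Map each chain name to the list of targets (3rd column) of its rules."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        cols = line.split()
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and len(cols) > 2 and cols[0] != "pkts":  # skip header row
            chains[current].append(cols[2])
    return chains

def reachable_from(chains, root):
    """Chains reached by following jumps from root; ACCEPT/REJECT/RETURN stop the walk."""
    seen, stack = set(), [root]
    while stack:
        for target in chains.get(stack.pop(), []):
            if target in chains and target not in seen:
                seen.add(target)
                stack.append(target)
    return seen

def f2b_coverage(text):
    """Per fail2ban chain: is it reachable from INPUT (host traffic) and FORWARD (Docker)?"""
    chains = parse_chains(text)
    return {name: {root: name in reachable_from(chains, root)
                   for root in ("INPUT", "FORWARD")}
            for name in chains if name.startswith("f2b-")}
```

On a live host, feed it the real `sudo iptables -vnL` output instead of `SAMPLE`; for a chain that reports `FORWARD: False` while the service runs in Docker, fail2ban's iptables actions accept a `chain` parameter so the ban chain can be hooked into `DOCKER-USER` instead of INPUT.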