Fail2Ban:这些 IP 真的被封锁了吗?

tag-icon tag-icon fail2ban
Fail2Ban:这些 IP 真的被封锁了吗?

这是我的jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24

[nginx-custom]
enabled  = true
logpath  = /var/log/nginx/access.log
action = iptables-multiport[name=nginx-custom, port="http,https", protocol=tcp, bantime=0]
findtime = 86400
bantime  = -1
maxretry = 1

[sshd]
enabled  = true
action   = iptables-ipset-proto6[name=ssh, port=ssh, protocol=tcp, bantime=0]
findtime = 3600
bantime  = -1
maxretry = 3

(我想阻止 443 端口上的流量,这是唯一暴露的端口)。

这是 fail2ban 日志的最后几行(1.2.3.4 是假 IP,当然真实的 IP 是不同的):

2021-02-13 00:53:52,639 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:52
2021-02-13 00:53:52,729 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:53,431 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:53
2021-02-13 00:53:53,931 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:56,139 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:56
2021-02-13 00:53:56,343 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:56
2021-02-13 00:53:56,465 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:56
2021-02-13 00:53:56,735 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:56,736 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:56,737 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 00:53:59,105 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 00:53:59
2021-02-13 00:53:59,341 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:11,629 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:11
2021-02-13 18:17:12,091 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:12
2021-02-13 18:17:12,152 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:12,153 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:13,799 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:13
2021-02-13 18:17:13,941 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:13
2021-02-13 18:17:14,157 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:14,157 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:17,494 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:17
2021-02-13 18:17:18,163 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned
2021-02-13 18:17:20,153 fail2ban.filter         [570]: INFO    [nginx-custom] Found 1.2.3.4 - 2021-02-13 18:17:20
2021-02-13 18:17:20,166 fail2ban.actions        [570]: WARNING [nginx-custom] 1.2.3.4 already banned

最后,这是我的sudo iptables -vnL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  456 19436 f2b-nginx-custom  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 399K  177M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 399K  177M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
95562 7166K ACCEPT     all  --  *      br-222  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2560  134K DOCKER     all  --  *      br-222  0.0.0.0/0            0.0.0.0/0           
78858  125M ACCEPT     all  --  br-222 !br-222  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-222 br-222  0.0.0.0/0            0.0.0.0/0           
  851  220K ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
  866 99277 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-555  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-555  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-555 !br-555  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-555 br-555  0.0.0.0/0            0.0.0.0/0           
14761 7997K ACCEPT     all  --  *      br-444  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   49  5420 DOCKER     all  --  *      br-444  0.0.0.0/0            0.0.0.0/0           
14648 1203K ACCEPT     all  --  br-444 !br-444  0.0.0.0/0            0.0.0.0/0           
   49  5420 ACCEPT     all  --  br-444 br-444  0.0.0.0/0            0.0.0.0/0           
 115K   38M ACCEPT     all  --  *      br-111  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   61  3108 DOCKER     all  --  *      br-111  0.0.0.0/0            0.0.0.0/0           
 117K 4713K ACCEPT     all  --  br-111 !br-111  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-111 br-111  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-333  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-333  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-333 !br-333  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-333 br-333  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-nginx-custom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   42  1680 REJECT     all  --  *      *       37.160.x.y         0.0.0.0/0            reject-with icmp-port-unreachable
    
  410 17596 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-111 br-111  0.0.0.0/0            172.22.0.2           tcp dpt:9001
   61  3108 ACCEPT     tcp  --  !br-111 br-111  0.0.0.0/0            172.22.0.2           tcp dpt:1883
    0     0 ACCEPT     tcp  --  !br-555 br-555  0.0.0.0/0            172.21.0.2           tcp dpt:8080
 1178 61768 ACCEPT     tcp  --  !br-222 br-222  0.0.0.0/0            172.19.0.2           tcp dpt:443
   25  1500 ACCEPT     tcp  --  !br-222 br-222  0.0.0.0/0            172.19.0.2           tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-444 br-444  0.0.0.0/0            172.20.0.2           tcp dpt:8086
    0     0 ACCEPT     tcp  --  !br-444 br-444  0.0.0.0/0            172.20.0.3           tcp dpt:3000

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
78858  125M DOCKER-ISOLATION-STAGE-2  all  --  br-222 !br-222  0.0.0.0/0            0.0.0.0/0           
  866 99277 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-555 !br-555  0.0.0.0/0            0.0.0.0/0           
14648 1203K DOCKER-ISOLATION-STAGE-2  all  --  br-444 !br-444  0.0.0.0/0            0.0.0.0/0           
 117K 4713K DOCKER-ISOLATION-STAGE-2  all  --  br-111 !br-111  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-333 !br-333  0.0.0.0/0            0.0.0.0/0           
 454K  196M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-222  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-555  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-444  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-111  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-333  0.0.0.0/0            0.0.0.0/0           
 218K  142M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 454K  196M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

我不明白为什么我在 fail2ban 中多次看到 1.2.3.4 IP。这意味着攻击者尝试连接并且 fail2ban 重新阻止了它,但实际上攻击者无法再访问我的服务器?或者 Fail2ban 并没有真正禁止它?

今天我看到同一个 IP,Fail2Ban 显示“已禁止”。无法理解它是试图联系我还是真的联系我。有什么想法吗?

**

更新

**

我试图禁止我通过移动连接访问可疑链接。F2B 禁止了我,但我可以访问(从相同的被禁止 IP)我的资源。我以为我无法再访问我的资源了……我错在哪里?

更新

添加我的所有iptables -vnL

相关内容