我已经设置了 fail2ban 来阻止失败的 ssh 尝试。我使用 fail2ban-regex 和我的日志摘录检查了规则,这很有效。
我还检查了日志中有关“禁令”通知和相关 IP 的信息,它就在那里:
zgrep 'Ban.*202.29.214.13' /var/log/fail2ban.log*
/var/log/fail2ban.log:2021-08-23 01:27:19,023 fail2ban.actions [1460]: NOTICE [sshd] Ban 202.29.214.13
但是,我的 ssh / auth 日志仍然显示来自该 IP 的尝试后有问题的时间戳:
Aug 23 01:27:23 myhost123 sshd[4526]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 47633 ssh2]
Aug 23 01:27:23 myhost123 sshd[4526]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 47633 ssh2 [preauth]
Aug 23 01:27:23 myhost123 sshd[4526]: Disconnecting authenticating user root 202.29.214.13 port 47633: Too many authentication failures [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 50424 ssh2]
Aug 23 01:27:31 myhost123 sshd[4533]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 50424 ssh2 [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: Disconnecting authenticating user root 202.29.214.13 port 50424: Too many authentication failures [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 53056 ssh2 [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: Disconnecting authenticating user root 202.29.214.13 port 53056: Too many authentication failures [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 55901 ssh2 [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: Disconnecting authenticating user root 202.29.214.13 port 55901: Too many authentication failures [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 58908 ssh2 [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: Disconnecting authenticating user root 202.29.214.13 port 58908: Too many authentication failures [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 61129 ssh2 [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: Disconnecting authenticating user root 202.29.214.13 port 61129: Too many authentication failures [preauth]
Aug 23 01:28:23 myhost123 sshd[4577]: error: maximum authentication attempts exceeded for invalid user admin from 202.29.214.13 port 3511 ssh2 [preauth]
Aug 23 01:29:24 myhost123 sshd[4613]: error: maximum authentication attempts exceeded for invalid user oracle from 202.29.214.13 port 24149 ssh2 [preauth]
Aug 23 01:30:07 myhost123 sshd[4641]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 37311 ssh2 [preauth]
Aug 23 01:30:15 myhost123 sshd[4647]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 39486 ssh2 [preauth]
Aug 23 01:30:58 myhost123 sshd[4684]: error: maximum authentication attempts exceeded for invalid user test from 202.29.214.13 port 52882 ssh2 [preauth]
Aug 23 01:31:33 myhost123 sshd[4699]: error: maximum authentication attempts exceeded for invalid user user from 202.29.214.13 port 64849 ssh2 [preauth]
fail2ban 不应该完全阻止来自该 IP 的所有请求吗?任何有关检查内容的提示都值得赞赏。
答案1
感谢 Dom 的提示:iptables 限制是该问题的根本原因。
检查:
grep "iptables: Memory allocation problem" /var/log/fail2ban.log
egrep "failcnt|numiptent" /proc/user_beancounters
看来我无法更改 iptables 限制,只有我的提供商可以。