Fail2ban 不阻止 ssh 尝试

Fail2ban 不阻止 ssh 尝试

我已经设置了 fail2ban 来阻止失败的 ssh 尝试。我使用 fail2ban-regex 和我的日志摘录检查了规则,这很有效。

我还检查了日志中有关“禁令”通知和相关 IP 的信息,它就在那里:

zgrep 'Ban.*202.29.214.13' /var/log/fail2ban.log*
/var/log/fail2ban.log:2021-08-23 01:27:19,023 fail2ban.actions        [1460]: NOTICE  [sshd] Ban 202.29.214.13

但是,我的 ssh / auth 日志仍然显示来自该 IP 的尝试有问题的时间戳:

Aug 23 01:27:23 myhost123 sshd[4526]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 47633 ssh2]
Aug 23 01:27:23 myhost123 sshd[4526]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 47633 ssh2 [preauth]
Aug 23 01:27:23 myhost123 sshd[4526]: Disconnecting authenticating user root 202.29.214.13 port 47633: Too many authentication failures [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 50424 ssh2]
Aug 23 01:27:31 myhost123 sshd[4533]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 50424 ssh2 [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: Disconnecting authenticating user root 202.29.214.13 port 50424: Too many authentication failures [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 53056 ssh2 [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: Disconnecting authenticating user root 202.29.214.13 port 53056: Too many authentication failures [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 55901 ssh2 [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: Disconnecting authenticating user root 202.29.214.13 port 55901: Too many authentication failures [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 58908 ssh2 [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: Disconnecting authenticating user root 202.29.214.13 port 58908: Too many authentication failures [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 61129 ssh2 [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: Disconnecting authenticating user root 202.29.214.13 port 61129: Too many authentication failures [preauth]
Aug 23 01:28:23 myhost123 sshd[4577]: error: maximum authentication attempts exceeded for invalid user admin from 202.29.214.13 port 3511 ssh2 [preauth]
Aug 23 01:29:24 myhost123 sshd[4613]: error: maximum authentication attempts exceeded for invalid user oracle from 202.29.214.13 port 24149 ssh2 [preauth]
Aug 23 01:30:07 myhost123 sshd[4641]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 37311 ssh2 [preauth]
Aug 23 01:30:15 myhost123 sshd[4647]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 39486 ssh2 [preauth]
Aug 23 01:30:58 myhost123 sshd[4684]: error: maximum authentication attempts exceeded for invalid user test from 202.29.214.13 port 52882 ssh2 [preauth]
Aug 23 01:31:33 myhost123 sshd[4699]: error: maximum authentication attempts exceeded for invalid user user from 202.29.214.13 port 64849 ssh2 [preauth]

fail2ban 不应该完全阻止来自该 IP 的所有请求吗?任何有关检查内容的提示都值得赞赏。

答案1

感谢 Dom 的提示:iptables 限制是该问题的根本原因。

检查:

grep "iptables: Memory allocation problem" /var/log/fail2ban.log

egrep "failcnt|numiptent" /proc/user_beancounters

看来我无法更改 iptables 限制,只有我的提供商可以。

相关内容