We are using fail2ban on Ubuntu 18 to detect failed login attempts and ban IP addresses that make too many of them. We use iptables for the IP blocking.
After using it for a while we noticed that some bans don't work: some IP addresses are banned correctly, while others are allowed to make more login attempts and nothing seems to stop them.
Has anyone run into strange iptables problems like this? I see a lot of tickets about iptables not working at all, but our problem is different: most of the blocking works, only a small part of it fails.
The problem is not in fail2ban. We log iptables -vnL every minute to make sure IP addresses don't disappear from the list for no reason.
AB made a good suggestion: since we use iptables with REJECT, an attacker could send more bad requests over an already established connection. So we changed the rules to use DROP.
But the problem is still not solved. We noticed malicious requests from 2.58.149.35, which has been on the list for at least a few days.
The rules in iptables look like this (iptables -vnL):
Chain INPUT (policy DROP 66 packets, 3358 bytes)
pkts bytes target prot opt in out source destination
37M 131G f2b-fv-dos tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 0:65535
14M 1466M f2b-wordpress tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
14M 1467M f2b-waf tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
14M 1476M f2b-repeated tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
238M 821G ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
238M 821G ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
201K 657M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
199K 657M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
199K 657M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
199K 657M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 47 packets, 4596 bytes)
pkts bytes target prot opt in out source destination
237M 1038G ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
237M 1038G ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
845K 798M ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
845K 798M ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
845K 798M ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
845K 798M ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-fv-dos (1 references)
pkts bytes target prot opt in out source destination
37M 131G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-repeated (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 187.54.60.43 0.0.0.0/0
14M 1475M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-waf (1 references)
pkts bytes target prot opt in out source destination
30 1520 DROP all -- * * 2.58.149.35 0.0.0.0/0
14M 1467M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-wordpress (1 references)
pkts bytes target prot opt in out source destination
14M 1466M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
830 64740 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
14 632 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
590 30068 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
99M 534G ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
61M 20G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
34209 1913K ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
34209 1913K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
11833 788K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
2074K 122M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
2074K 122M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
99M 534G ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
62M 194G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
499K 35M ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
2074K 122M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
1434 95440 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
177K 13M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
309K 20M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
786 46748 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
53508 3142K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
475K 28M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * * 89.173.195.48 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT udp -- * * 89.173.195.48 0.0.0.0/0 udp dpt:3306
702 28308 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 49152:65534
0 0 ACCEPT tcp -- * * 89.173.200.197 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT udp -- * * 89.173.200.197 0.0.0.0/0 udp dpt:3306
0 0 ACCEPT tcp -- * * 46.101.206.200 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT udp -- * * 46.101.206.200 0.0.0.0/0 udp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
234 288K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
48 2752 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21
0 0 ACCEPT tcp -- * * 54.39.160.178 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT udp -- * * 54.39.160.178 0.0.0.0/0 udp dpt:3306
0 0 DROP all -- * * 45.33.124.193 0.0.0.0/0
0 0 DROP all -- * * 185.93.3.241 0.0.0.0/0
0 0 DROP all -- * * 209.58.131.100 0.0.0.0/0
0 0 ACCEPT tcp -- * * 188.167.252.65 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT udp -- * * 188.167.252.65 0.0.0.0/0 udp dpt:3306
0 0 DROP all -- * * 139.215.2.66 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 REJECT all -- * * 10.11.12.14 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
The rule list above has been shortened; there are many other IP addresses on the list, but I made sure the structure stays intact.
- IP 187.54.60.43 is an example of an IP ban that works correctly
- IP 2.58.149.35 is somehow able to send more requests, even though it is blocked with the same kind of DROP rule
Update 2022-06-13: we found that the malicious requests that get through come in via a CDN. Can the original IP behind a CDN be blocked correctly with iptables?
Update 2022-06-20: we now only allow specific file types on our CDN. That is certainly much simpler than any firewall that could inspect HTTP headers to find the original IP behind a CDN request.
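The once-a-minute iptables -vnL check described in the post can be turned into a script that answers the two questions raised in the thread: is the DROP rule for the banned address on the packet path at all (reached in INPUT traversal before ufw's ACCEPT on ctstate RELATED,ESTABLISHED, which is the concern behind the REJECT-to-DROP change), and is its packet counter still moving between snapshots. This is an added example, not code from the original post or from fail2ban/ufw. SNAPSHOT_T0 is a trimmed copy of the listing above; SNAPSHOT_T1 (later counters) and SNAPSHOT_MISORDERED (ufw-before-input jumped to before the f2b chains) are constructed to show the two failure modes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Row layout of `iptables -vnL`: pkts bytes target prot opt in out source destination [match details]
_RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
_CHAIN_RE = re.compile(r"^Chain (\S+) \(")
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    source: str
    extra: str  # text after the destination column, e.g. "ctstate RELATED,ESTABLISHED"


def parse_count(token: str) -> int:
    """Expand the abbreviated counters iptables prints: '37M' -> 37000000."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"bad counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_iptables(text: str) -> Dict[str, List[Rule]]:
    """Return {chain: [Rule, ...]} in listing order; that order is the traversal order."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        hdr = _CHAIN_RE.match(line)
        if hdr:
            current = hdr.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # blank line or the column-header row
        m = _RULE_RE.match(line)
        if m:
            pkts, _bytes, target, proto, _opt, _in, _out, src, _dst, extra = m.groups()
            chains[current].append(Rule(parse_count(pkts), target, proto, src, extra.strip()))
    return chains


def find_drops(chains: Dict[str, List[Rule]], ip: str) -> List[Tuple[str, Rule]]:
    """Every DROP rule whose source is exactly `ip`, paired with the chain holding it."""
    return [(name, r) for name, rules in chains.items() for r in rules
            if r.target == "DROP" and r.source == ip]


def reached_before_established(chains: Dict[str, List[Rule]], wanted: str, root: str = "INPUT") -> bool:
    """Walk `root` in rule order, descending into user chains (a RETURN falls back to
    the caller's next rule). True if `wanted` is entered before an ACCEPT on
    ctstate RELATED,ESTABLISHED; if that ACCEPT comes first, packets on an
    already-open connection never reach the ban. Match conditions on the jump
    rules (ports, protocol) are not evaluated."""
    def walk(chain: str, seen: set) -> str:
        for r in chains.get(chain, []):
            if r.target == wanted:
                return "found"
            if r.target == "ACCEPT" and "ESTABLISHED" in r.extra:
                return "established"
            if r.target in chains and r.target not in seen:
                seen.add(r.target)
                res = walk(r.target, seen)
                if res != "continue":
                    return res
        return "continue"
    return walk(root, {root}) == "found"


def dropped_between(snap_a: str, snap_b: str, ip: str) -> int:
    """Packets the ban for `ip` dropped between two snapshots. 0 with requests still
    arriving means the rule exists but nothing from that L3 source is hitting it."""
    before = sum(r.pkts for _, r in find_drops(parse_iptables(snap_a), ip))
    after = sum(r.pkts for _, r in find_drops(parse_iptables(snap_b), ip))
    return after - before


# Trimmed copy of the listing in the post (sample input).
SNAPSHOT_T0 = """\
Chain INPUT (policy DROP 66 packets, 3358 bytes)
 pkts bytes target     prot opt in     out     source               destination
  37M  131G f2b-fv-dos  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 0:65535
  14M 1467M f2b-waf    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
 238M  821G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain f2b-fv-dos (1 references)
 pkts bytes target     prot opt in     out     source               destination
  37M  131G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain f2b-waf (1 references)
 pkts bytes target     prot opt in     out     source               destination
   30  1520 DROP       all  --  *      *       2.58.149.35          0.0.0.0/0
  14M 1467M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  61M   20G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
"""
# Constructed: the same listing one minute later, 15 more packets dropped.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("   30  1520 DROP", "   45  2280 DROP")
# Constructed: what a broken order would look like, ufw accepting ESTABLISHED before any f2b chain.
SNAPSHOT_MISORDERED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 238M  821G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  14M 1467M f2b-waf    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  61M   20G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
"""
```

Run against the listing in the post, the check comes back clean: the f2b chains are referenced in INPUT ahead of ufw-before-input, so the DROP for 2.58.149.35 is on the path, and its 30-packet counter shows it has fired. If that counter stops moving while the bad requests keep arriving, the packets are not carrying that address as their IP source, which is exactly the CDN situation in the update: iptables only sees the CDN's edge address, and the client's address survives only in an HTTP header that a layer-3 filter never reads.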