fail2ban - one IP banned several times by multiple jails - errors in the log during unban

I have built several similar jails for different ports...

Jail names: http_https_deny, dns_deny, ftp_deny, smtp_pop3_deny, ssh_deny

Here are the firewalld and fail2ban settings for http_https_deny (the others are almost identical, only the ports differ):

LOG_TAG1=HTTP-DENY_
LOG_TAG2=HTTPS-DENY_
F2B_NAME=http_https_deny

sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=80 protocol=tcp log prefix=${LOG_TAG1} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=80 protocol=udp log prefix=${LOG_TAG1} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=443 protocol=tcp log prefix=${LOG_TAG2} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=443 protocol=udp log prefix=${LOG_TAG2} drop" --permanent

cat << EOF | sudo tee -a /etc/fail2ban/filter.d/${F2B_NAME}.conf
[Definition]
failregex = (${LOG_TAG1}|${LOG_TAG2}).* SRC=<HOST>
journalmatch = _TRANSPORT=kernel
EOF

cat << EOF | sudo tee -a /etc/fail2ban/action.d/${F2B_NAME}.conf
[INCLUDES]
before = 
[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = firewall-cmd --zone=drop --add-source=<ip>
actionunban = firewall-cmd --zone=drop --remove-source=<ip>
EOF

cat << EOF | sudo tee -a /etc/fail2ban/jail.d/${F2B_NAME}.conf
[${F2B_NAME}]
enabled = true
filter = ${F2B_NAME}
banaction = ${F2B_NAME}
bantime = 48h
findtime = 10m
maxretry = 1
EOF

When someone scans several ports, firewall-cmd adds syslog entries with the prefixes HTTP-DENY_, FTP-DENY_, SSH-DENY_ and so on... the fail2ban filters then find these records in the log and ban the logged IP (as we will see below, the same IP is banned several times).

Everything works fine, but...

During unbanning we can see fail2ban trying to unban the IP several times, which produces errors in the log...

2023-02-07 22:16:01,155 fail2ban.actions        [882]: NOTICE  [http_https_deny] Unban 138.199.42.209
2023-02-07 22:16:02,158 fail2ban.actions        [882]: NOTICE  [dns_deny] Unban 138.199.42.209
2023-02-07 22:16:02,237 fail2ban.actions        [882]: NOTICE  [ftp_deny] Unban 138.199.42.209
2023-02-07 22:16:02,326 fail2ban.actions        [882]: NOTICE  [smtp_pop3_deny] Unban 138.199.42.209
2023-02-07 22:16:02,426 fail2ban.actions        [882]: NOTICE  [ssh_deny] Unban 138.199.42.209

# trying to unban 'dns_deny'
2023-02-07 22:16:02,552 fail2ban.utils          [882]: ERROR   7f240e174168 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:02,553 fail2ban.utils          [882]: ERROR   7f240e174168 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:02,553 fail2ban.utils          [882]: ERROR   7f240e174168 -- returned 30
2023-02-07 22:16:02,553 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'dns_deny' action 'dns_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

# trying to unban 'ftp_deny'
2023-02-07 22:16:02,935 fail2ban.utils          [882]: ERROR   7f240e1741d0 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:02,935 fail2ban.utils          [882]: ERROR   7f240e1741d0 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:02,935 fail2ban.utils          [882]: ERROR   7f240e1741d0 -- returned 30
2023-02-07 22:16:02,936 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'ftp_deny' action 'ftp_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

# trying to unban 'smtp_pop3_deny'
2023-02-07 22:16:03,335 fail2ban.utils          [882]: ERROR   7f2411fbb238 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:03,335 fail2ban.utils          [882]: ERROR   7f2411fbb238 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:03,336 fail2ban.utils          [882]: ERROR   7f2411fbb238 -- returned 30
2023-02-07 22:16:03,336 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'smtp_pop3_deny' action 'smtp_pop3_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

# trying to unban 'ssh_deny'
2023-02-07 22:16:03,719 fail2ban.utils          [882]: ERROR   7f2411fbb1d0 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:03,720 fail2ban.utils          [882]: ERROR   7f2411fbb1d0 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:03,720 fail2ban.utils          [882]: ERROR   7f2411fbb1d0 -- returned 30
2023-02-07 22:16:03,720 fail2ban.actions        [882]: ERROR   Failed to execute unban jail 'ssh_deny' action 'ssh_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209

How can this be fixed?

Is it possible to check whether the IP is already banned before "actionban"?

P.S.

See also the related question: https://unix.stackexchange.com/questions/734413/fail2ban-and-firewalld-and-drop-zone-strange-behavior-with-rich-rule-add-sour
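One way to make the ban/unban commands idempotent, so that the second jail to expire does not trip UNKNOWN_SOURCE (exit 30): query the zone with firewall-cmd --query-source before adding or removing the source. This is an added example, not code from the question or from fail2ban; the script path /usr/local/sbin/f2b-drop-zone.sh and the FWCMD variable (which lets the command be replaced by a stub when testing without firewalld) are assumptions.

```shell
#!/bin/sh
# Idempotent ban/unban helpers for the firewalld "drop" zone shared by all jails.
# Assumed: FWCMD can be overridden (e.g. with a stub) for testing without firewalld.
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-drop}"

# Returns 0 if <ip> is currently a source of the zone, non-zero otherwise.
f2b_is_banned() {
    "$FWCMD" --zone="$ZONE" --query-source="$1" >/dev/null 2>&1
}

# Add the source only if it is not already there (several jails may ban the same IP).
f2b_ban() {
    if f2b_is_banned "$1"; then
        echo "already banned: $1"
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --add-source="$1" >/dev/null
}

# Remove the source only if present; a second jail unbanning an IP that the
# first jail already removed is then a no-op instead of an error.
f2b_unban() {
    if ! f2b_is_banned "$1"; then
        echo "not banned, skipping: $1"
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --remove-source="$1" >/dev/null
}

# Dispatcher so action.d can use:
#   actionban   = /usr/local/sbin/f2b-drop-zone.sh ban <ip>
#   actionunban = /usr/local/sbin/f2b-drop-zone.sh unban <ip>
case "${1:-}" in
    ban)   f2b_ban "$2" ;;
    unban) f2b_unban "$2" ;;
esac
```

Note that this only removes the log noise: because every jail adds the same source to one zone, the IP is unblocked as soon as the first jail's bantime expires, exactly as before.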

Answer 1

Apart from the log noise there is nothing to fix; functionally the goal has been achieved. However, I am concerned that the unban action applies to any IP address rather than to the IP and port associated with the ban. I am also concerned about using embedded/inline ban/unban commands (as you are doing) instead of the template-based system. Part of the resulting problem is illustrated in your post: the unban command in your configuration generator is not the unban command shown in the log.

I suggest looking at how fail2ban is configured out of the box on Ubuntu/Debian, then applying what you learn to replace all of your current rules.

Answer 2

I agree with the comment above: it is better to use the templates and model your configuration on the examples to avoid strange errors.

But in case it is relevant, others have run into a similar problem when using csf with fail2ban: when two jails ban the same IP, will the unban action be carried out?

The solution there was to set the ban action to csf so that csf handles it.

Another way I have seen to catch port scans is to log attempts on well-known ports that are not open, e.g. 23, 389, 445 and so on, ahead of a drop-all rule.
