I have built several similar jails for different ports...
Jail names: http_https_deny, dns_deny, ftp_deny, smtp_pop3_deny, ssh_deny
Here are the firewalld and fail2ban settings for http_https_deny (the others are almost identical, only the ports differ):
LOG_TAG1=HTTP-DENY_
LOG_TAG2=HTTPS-DENY_
F2B_NAME=http_https_deny
# Log (with the prefix the fail2ban filter looks for) and drop traffic to 80/443.
# These are --permanent rules, so they only take effect after "sudo firewall-cmd --reload".
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=80 protocol=tcp log prefix=${LOG_TAG1} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=80 protocol=udp log prefix=${LOG_TAG1} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=443 protocol=tcp log prefix=${LOG_TAG2} drop" --permanent
sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 port port=443 protocol=udp log prefix=${LOG_TAG2} drop" --permanent
# Filter: match the kernel log lines written by the rich rules above and take the source IP from SRC=
cat << EOF | sudo tee -a /etc/fail2ban/filter.d/${F2B_NAME}.conf
[Definition]
failregex = (${LOG_TAG1}|${LOG_TAG2}).* SRC=<HOST>
journalmatch = _TRANSPORT=kernel
EOF
# Action: ban/unban by adding/removing the IP as a source of the firewalld "drop" zone (runtime only, not --permanent)
cat << EOF | sudo tee -a /etc/fail2ban/action.d/${F2B_NAME}.conf
[INCLUDES]
before =
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = firewall-cmd --zone=drop --add-source=<ip>
actionunban = firewall-cmd --zone=drop --remove-source=<ip>
EOF
# Jail: a single matching log line within findtime is enough to ban for 48h
cat << EOF | sudo tee -a /etc/fail2ban/jail.d/${F2B_NAME}.conf
[${F2B_NAME}]
enabled = true
filter = ${F2B_NAME}
banaction = ${F2B_NAME}
bantime = 48h
findtime = 10m
maxretry = 1
EOF
When someone scans several ports, firewall-cmd adds syslog entries with the prefixes HTTP-DENY_, FTP-DENY_, SSH-DENY_ and so on... the fail2ban filters then find these records in the log and ban the logged IP (as we will see below, the same IP gets banned several times).
Everything works fine, but...
During unbanning we can see fail2ban trying to unban the IP several times, which produces errors in the log...
2023-02-07 22:16:01,155 fail2ban.actions [882]: NOTICE [http_https_deny] Unban 138.199.42.209
2023-02-07 22:16:02,158 fail2ban.actions [882]: NOTICE [dns_deny] Unban 138.199.42.209
2023-02-07 22:16:02,237 fail2ban.actions [882]: NOTICE [ftp_deny] Unban 138.199.42.209
2023-02-07 22:16:02,326 fail2ban.actions [882]: NOTICE [smtp_pop3_deny] Unban 138.199.42.209
2023-02-07 22:16:02,426 fail2ban.actions [882]: NOTICE [ssh_deny] Unban 138.199.42.209
# trying to unban 'dns_deny'
2023-02-07 22:16:02,552 fail2ban.utils [882]: ERROR 7f240e174168 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:02,553 fail2ban.utils [882]: ERROR 7f240e174168 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:02,553 fail2ban.utils [882]: ERROR 7f240e174168 -- returned 30
2023-02-07 22:16:02,553 fail2ban.actions [882]: ERROR Failed to execute unban jail 'dns_deny' action 'dns_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209
# trying to unban 'ftp_deny'
2023-02-07 22:16:02,935 fail2ban.utils [882]: ERROR 7f240e1741d0 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:02,935 fail2ban.utils [882]: ERROR 7f240e1741d0 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:02,935 fail2ban.utils [882]: ERROR 7f240e1741d0 -- returned 30
2023-02-07 22:16:02,936 fail2ban.actions [882]: ERROR Failed to execute unban jail 'ftp_deny' action 'ftp_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209
# trying to unban 'smtp_pop3_deny'
2023-02-07 22:16:03,335 fail2ban.utils [882]: ERROR 7f2411fbb238 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:03,335 fail2ban.utils [882]: ERROR 7f2411fbb238 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:03,336 fail2ban.utils [882]: ERROR 7f2411fbb238 -- returned 30
2023-02-07 22:16:03,336 fail2ban.actions [882]: ERROR Failed to execute unban jail 'smtp_pop3_deny' action 'smtp_pop3_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209
# trying to unban 'ssh_deny'
2023-02-07 22:16:03,719 fail2ban.utils [882]: ERROR 7f2411fbb1d0 -- exec: firewall-cmd --zone=drop --remove-source=138.199.42.209
2023-02-07 22:16:03,720 fail2ban.utils [882]: ERROR 7f2411fbb1d0 -- stderr: "Error: UNKNOWN_SOURCE: '138.199.42.209' is not in any zone"
2023-02-07 22:16:03,720 fail2ban.utils [882]: ERROR 7f2411fbb1d0 -- returned 30
2023-02-07 22:16:03,720 fail2ban.actions [882]: ERROR Failed to execute unban jail 'ssh_deny' action 'ssh_deny' info 'ActionInfo({'ip': '138.199.42.209', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f240e1939d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f240e1940d0>})': Error unbanning 138.199.42.209
How can this be fixed?
Is it possible to check whether the IP is already banned before "actionban"?
P.S.
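One way to get the check the question asks for, as an added example that is not part of the question or either answer: a small wrapper script used as both actionban and actionunban, which makes adding and removing a source of the shared firewalld drop zone idempotent, so the second, third and later jails that ban or unban the same IP exit 0 instead of producing the UNKNOWN_SOURCE errors. It assumes firewall-cmd --query-source exits 0 when the IP is a source of the zone and non-zero otherwise; the path /usr/local/bin/f2b-drop-zone.sh is a placeholder.

```shell
#!/bin/sh
# Idempotent ban/unban helper for a firewalld zone shared by several
# fail2ban jails. Added example, not from the question or the answers.
# Assumes: firewall-cmd --query-source exits 0 when the IP is a source
# of the zone and non-zero otherwise (documented firewalld behaviour).
# Hypothetical install path, wired into action.d/<jail>.conf as:
#   actionban   = /usr/local/bin/f2b-drop-zone.sh ban <ip>
#   actionunban = /usr/local/bin/f2b-drop-zone.sh unban <ip>

# Both can be overridden from the environment, e.g. to point FWCMD at a
# stub when exercising the script on a host without firewalld.
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-drop}"

# 0 if the IP is already a source of the zone, 1 otherwise.
in_zone() {
    "$FWCMD" --zone="$ZONE" --query-source="$1" >/dev/null 2>&1
}

# Add the IP unless it is already there: the second jail that bans the
# same scanner becomes a no-op instead of adding it a second time.
ban_ip() {
    if in_zone "$1"; then
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --add-source="$1" >/dev/null
}

# Remove the IP only while it is still present: the first jail whose
# bantime expires does the removal, the others exit 0 quietly instead
# of failing with "UNKNOWN_SOURCE: ... is not in any zone".
unban_ip() {
    if ! in_zone "$1"; then
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --remove-source="$1" >/dev/null
}

# Command-line entry point: f2b-drop-zone.sh ban|unban <ip>
case "${1:-}" in
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
    "")    ;;  # sourced or run without arguments: only define the functions
    *)     echo "usage: $0 ban|unban <ip>" >&2; exit 2 ;;
esac
```

Because the check and the change are two separate firewall-cmd calls, two jails expiring in the same instant could still race; in practice fail2ban runs unban actions sequentially from one process, as the timestamps in the log above show.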
Answer 1
Apart from the log noise, there is nothing to fix. Functionally, the goal is achieved. However, I am concerned that the unban action applies to any IP address rather than to the IP and port associated with the ban. I am also concerned about using embedded/inline ban/unban commands (as you are doing) instead of a template-based system. Part of the resulting problem is illustrated in your post: the unban command in the configuration generator is not the unban command shown in the log.
I suggest looking at how fail2ban is configured out of the box on Ubuntu/Debian, and then applying what you learn to replace all of your current rules.
Answer 2
I agree with the comment above: it is better to use the templates and model your configuration on the examples, to avoid strange errors.
But in case it is relevant, someone else ran into a similar problem when using csf: "fail2ban: is the unban action taken when two jails ban the same IP?" The solution there was to set the ban action to csf so that csf handles it.
Another way I have seen to catch port scans is to log attempts on well-known ports that are not open, such as 23, 389, 445 and so on, and then do a drop-all first.