我对 fail2ban 完全陌生。我实施了一个自定义过滤器和一个自定义 jail,以禁止某些用户访问由 apache 托管的网站。Fail2ban 似乎识别了我的正则表达式失败规则,我确实看到我预计会被关进 jail 的 IP 地址实际上被关进了 jail。但被关进 jail 的用户仍然可以访问我的网站,我没有看到任何 iptables 规则表明它知道 fail2ban 的存在。我如何使用 fail2ban 阻止用户访问我的网站。
以下是我拥有的文件:
/etc/fail2ban/filter.d/apache-custom.conf
[Definition]
badagents =
failregex = ^<HOST> -.*"(GET|POST|HEAD) \/+dns-query.*$
ignoreregex =
/etc/fail2ban/jail.local
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5
maxmatches = %(maxretry)s
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(action_)s
%(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(action_)s
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_xarf = %(action_)s
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
action = %(action_)s
[apache-custom]
enabled = true
logpath = /var/log/apache2/access.log
action = iptables-ipset-proto6[name=apache-custom, port="http,https", protocol=tcp, bantime=-1]
findtime = 86400
bantime = -1
maxretry = 1
当我运行命令时fail2ban-client status apache-custom,我看到以下详细信息:
Status for the jail: apache-custom
|- Filter
| |- Currently failed: 0
| |- Total failed: 25
| `- File list: /var/log/apache2/access.log
`- Actions
|- Currently banned: 4
|- Total banned: 4
`- Banned IP list: 49.12.196.18 38.132.118.73 216.244.66.231 38.112.49.40
该 IP38.112.49.40是我表弟的手机,尽管 fail2ban 说他已被监禁,但他仍然可以看到我的网站。
我在我的 .ipv4 文件中没有看到任何关于这 4 个 IP 地址的提及iptables -L -n。
http我做错了什么?如何禁止这 4 个 IP 地址访问我的网站https?
解决方案:
好的,我可以通过删除以下行来解决问题
action = iptables-ipset-proto6[name=apache-custom, port="http,https", protocol=tcp, bantime=-1]
我认为如果没有那行,fail2ban 将使用默认操作。我不太确定,因为我仍在学习这一切是如何工作的。将继续阅读我在网上看到的教程/博客/文档,以了解 fail2ban 的实际工作原理。