我正在尝试使用 Apache 在 Centos 7 上启用 fail2ban。我有一个应用程序,当登录失败时,它会将特定字符串写入错误日志。
使用禁止 IP 列表中的正确 IP 地址进行响应,
> fail2ban-client status appname
Status for the jail: appname
|- Filter
| |- Currently failed: 1
| |- Total failed: 7
| `- File list: /var/log/httpd/api.appname-error.log
`- Actions
|- Currently banned: 1
|- Total banned: 3
`- Banned IP list: 10.50.0.68
但是当我查看 iptables 时,我发现它阻止了第 1 行中与我的应用程序相对应的所有传入流量,已编辑:在问题底部添加了更详细的 iptables
> iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- anywhere anywhere multiport dports https,http match-set f2b-appname src reject-with icmp-port-unreachable
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ACCEPT all -- anywhere anywhere
4 INPUT_direct all -- anywhere anywhere
5 INPUT_ZONES_SOURCE all -- anywhere anywhere
6 INPUT_ZONES all -- anywhere anywhere
7 DROP all -- anywhere anywhere ctstate INVALID
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
这是我的过滤器,/etc/fail2ban/filter.d/appname.conf:
[Definition]
failregex = client <HOST>(.*)fail2ban\-appname\-login\-fail
jail.local很简短:
[DEFAULT]
bantime = 1200
findtime = 3600
maxmatches = 4
[appname]
enabled = true
filter = appname
action = iptables-ipset-proto6[name=appname, port="https,http", protocol=tcp]
logpath = /var/log/httpd/api.appname-error.log
maxretry = 3
mode = normal
backend = auto
Apache php 日志文件中有一行典型的内容:
[Sun Nov 26 10:22:31.255875 2023] [php7:notice] [pid 1837] [client 10.50.0.68:36530] fail2ban-appname-login-fail
更详细的 iptables 输出:
> sudo iptables-save -c
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*nat
:PREROUTING ACCEPT [18229:1086560]
:INPUT ACCEPT [17668:1053268]
:OUTPUT ACCEPT [10696:675656]
:POSTROUTING ACCEPT [10696:675656]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[18230:1087136] -A PREROUTING -j PREROUTING_direct
[18230:1087136] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[18230:1087136] -A PREROUTING -j PREROUTING_ZONES
[10696:675656] -A OUTPUT -j OUTPUT_direct
[10696:675656] -A POSTROUTING -j POSTROUTING_direct
[10696:675656] -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
[10696:675656] -A POSTROUTING -j POSTROUTING_ZONES
[2972:212273] -A POSTROUTING_ZONES -o eth0 -g POST_public
[7724:463383] -A POSTROUTING_ZONES -g POST_public
[10696:675656] -A POST_public -j POST_public_log
[10696:675656] -A POST_public -j POST_public_deny
[10696:675656] -A POST_public -j POST_public_allow
[18229:1086560] -A PREROUTING_ZONES -i eth0 -g PRE_public
[1:576] -A PREROUTING_ZONES -g PRE_public
[18230:1087136] -A PRE_public -j PRE_public_log
[18230:1087136] -A PRE_public -j PRE_public_deny
[18230:1087136] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*mangle
:PREROUTING ACCEPT [315975:53668565]
:INPUT ACCEPT [315975:53668565]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [301701:219207592]
:POSTROUTING ACCEPT [301701:219207592]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[315976:53669141] -A PREROUTING -j PREROUTING_direct
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES
[315975:53668565] -A INPUT -j INPUT_direct
[0:0] -A FORWARD -j FORWARD_direct
[301701:219207592] -A OUTPUT -j OUTPUT_direct
[301701:219207592] -A POSTROUTING -j POSTROUTING_direct
[170984:20172057] -A PREROUTING_ZONES -i eth0 -g PRE_public
[144992:33497084] -A PREROUTING_ZONES -g PRE_public
[315976:53669141] -A PRE_public -j PRE_public_log
[315976:53669141] -A PRE_public -j PRE_public_deny
[315976:53669141] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*security
:INPUT ACCEPT [315132:53613699]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [301701:219207592]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
[315132:53613699] -A INPUT -j INPUT_direct
[0:0] -A FORWARD -j FORWARD_direct
[301701:219207592] -A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*raw
:PREROUTING ACCEPT [315975:53668565]
:OUTPUT ACCEPT [301701:219207592]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[315976:53669141] -A PREROUTING -j PREROUTING_direct
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES
[301701:219207592] -A OUTPUT -j OUTPUT_direct
[170984:20172057] -A PREROUTING_ZONES -i eth0 -g PRE_public
[144992:33497084] -A PREROUTING_ZONES -g PRE_public
[315976:53669141] -A PRE_public -j PRE_public_log
[315976:53669141] -A PRE_public -j PRE_public_deny
[315976:53669141] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [132432:168012162]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
[459:26548] -A INPUT -p tcp -m multiport --dports 443,80 -m set --match-set f2b-appname src -j REJECT --reject-with icmp-port-unreachable
[289740:52097048] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7724:463383] -A INPUT -i lo -j ACCEPT
[17676:1053754] -A INPUT -j INPUT_direct
[17676:1053754] -A INPUT -j INPUT_ZONES_SOURCE
[17676:1053754] -A INPUT -j INPUT_ZONES
[8:486] -A INPUT -m conntrack --ctstate INVALID -j DROP
[0:0] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i lo -j ACCEPT
[0:0] -A FORWARD -j FORWARD_direct
[0:0] -A FORWARD -j FORWARD_IN_ZONES_SOURCE
[0:0] -A FORWARD -j FORWARD_IN_ZONES
[0:0] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
[0:0] -A FORWARD -j FORWARD_OUT_ZONES
[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[144991:33496508] -A OUTPUT -o lo -j ACCEPT
[156710:185711084] -A OUTPUT -j OUTPUT_direct
[0:0] -A FORWARD_IN_ZONES -i eth0 -g FWDI_public
[0:0] -A FORWARD_IN_ZONES -g FWDI_public
[0:0] -A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
[0:0] -A FORWARD_OUT_ZONES -g FWDO_public
[0:0] -A FWDI_public -j FWDI_public_log
[0:0] -A FWDI_public -j FWDI_public_deny
[0:0] -A FWDI_public -j FWDI_public_allow
[0:0] -A FWDI_public -p icmp -j ACCEPT
[0:0] -A FWDO_public -j FWDO_public_log
[0:0] -A FWDO_public -j FWDO_public_deny
[0:0] -A FWDO_public -j FWDO_public_allow
[17676:1053754] -A INPUT_ZONES -i eth0 -g IN_public
[0:0] -A INPUT_ZONES -g IN_public
[17676:1053754] -A IN_public -j IN_public_log
[17676:1053754] -A IN_public -j IN_public_deny
[17676:1053754] -A IN_public -j IN_public_allow
[0:0] -A IN_public -p icmp -j ACCEPT
[11:660] -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
[17651:1052260] -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
[6:348] -A IN_public_allow -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
我期望 IP 地址会出现在 iptables -L INPUT --line-numbers 的“源”中,但却惊讶地看到它出现在“任何地方”。
我不明白,如果 fail2ban 在禁止 IP 列表中显示我的 IP 地址,为什么它不在 iptables 中仅使用该 IP 地址?
我该如何诊断或纠正这个问题?
感谢您!
答案1
以下行:
1 REJECT tcp -- anywhere anywhere multiport dports https,http match-set f2b-appname src reject-with icmp-port-unreachable
相当于:
[459:26548] -A INPUT -p tcp -m multiport --dports 443,80 -m set --match-set f2b-appname src -j REJECT --reject-with icmp-port-unreachable
如果所有火柴评估为真,那么目标规则(引入-j)被执行。如果有匹配评估结果为假,这将在到达目标规则之前停止规则的处理,并继续执行下一个规则。
具有附加条件,例如:“并且匹配任何 IP 源地址”,这将是-s 0.0.0.0/0或作为“并且匹配任何 IP 目标地址”(-d 0.0.0.0/0)始终为真,不会改变结果(逻辑推理:(x AND true)<=> x)。这种情况很常见,尽管iptables(当它仍然是 时iptables-legacy)即使使用 0.0.0.0/0 也始终用于存储此类源和目标信息,它不会显示在旨在可重现的规则集输出中(iptables-save或iptables -S),但仍然显示为anywhere因为iptables -L无论如何都有一个固定的列用于此类信息。
重要的是ipset在fail2ban的配置中看到:
action = iptables-ipset-proto6[name=appname, port="https,http", protocol=tcp] logpath = /var/log/httpd/api.appname-error.log
添加从日志中检索到的 IP 地址(当此类日志的条件适用等时,通常会出现错误)...
... 以及相关-m set匹配模块iptables' 规则。此规则规定,对于传入的目标 TCP 端口 443 或 80(否则不会进一步),它将在ipset设置f2b-appname,如果找到则评估为真,从而进入终端(无需进一步处理)REJECT目标:禁止,否则继续执行规则集中的下一个规则。
这意味着 fail2ban 使用命令ipset将 IP 条目添加到IP设置,然后可以通过以下方式检查(在数据包路径中)iptables它将会拒绝任何匹配。
要检查已添加的内容,请运行:
ipset list
或者更准确地说,如果还有其他情况:
ipset list f2b-appname
其结尾应类似于:
Number of entries: 1
Members:
10.50.0.68
笔记:
iptables-ipset-proto6尽管它的名字同时处理 IPv4 和 IPv6(通过检查/etc/fail2ban/action.d/iptables-ipset-proto6.conf->iptables-ipset.conf以不同的方式处理每个协议)ipset--由于历史原因,接受以或不以开头的子命令。