我在我的 Ubuntu 服务器上安装了 fail2ban。
一切似乎都开始正常:
cat fail2ban.log
2023-12-07 14:55:27,758 fail2ban.server [803]: INFO --------------------------------------------------
2023-12-07 14:55:27,758 fail2ban.server [803]: INFO Starting Fail2ban v0.11.2
2023-12-07 14:55:27,759 fail2ban.observer [803]: INFO Observer start...
2023-12-07 14:55:27,767 fail2ban.database [803]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-12-07 14:55:27,768 fail2ban.database [803]: WARNING New database created. Version '4'
2023-12-07 14:55:27,769 fail2ban.jail [803]: INFO Creating new jail 'sshd'
2023-12-07 14:55:27,778 fail2ban.jail [803]: INFO Jail 'sshd' uses pyinotify {}
2023-12-07 14:55:27,779 fail2ban.jail [803]: INFO Initiated 'pyinotify' backend
2023-12-07 14:55:27,780 fail2ban.filter [803]: INFO maxLines: 1
2023-12-07 14:55:27,790 fail2ban.filter [803]: INFO maxRetry: 5
2023-12-07 14:55:27,790 fail2ban.filter [803]: INFO findtime: 600
2023-12-07 14:55:27,790 fail2ban.actions [803]: INFO banTime: 600
2023-12-07 14:55:27,790 fail2ban.filter [803]: INFO encoding: UTF-8
2023-12-07 14:55:27,790 fail2ban.filter [803]: INFO Added logfile: '/var/log/auth.log' (pos = 0, hash = dbc10cda87971348abf435b463c625fcaf25d6de)
2023-12-07 16:32:52,352 fail2ban.jail [3466]: INFO Creating new jail 'sshd'
2023-12-07 16:32:52,354 fail2ban.jail [3466]: INFO Jail 'sshd' uses poller {}
2023-12-07 16:32:52,354 fail2ban.jail [3466]: INFO Initiated 'polling' backend
2023-12-07 16:32:52,354 fail2ban.filter [3466]: INFO maxLines: 1
2023-12-07 16:32:52,361 fail2ban.filter [3466]: INFO maxRetry: 3
2023-12-07 16:32:52,361 fail2ban.filter [3466]: INFO findtime: 900
2023-12-07 16:32:52,361 fail2ban.actions [3466]: INFO banTime: 900
2023-12-07 16:32:52,361 fail2ban.filter [3466]: INFO encoding: UTF-8
2023-12-07 16:32:52,361 fail2ban.filter [3466]: INFO Added logfile: '/var/log/auth.log' (pos = 106290, hash = dbc10cda87971348abf435b463c625fcaf25d6de)
2023-12-07 16:32:52,362 fail2ban.jail [3466]: INFO Jail 'sshd' started
当我查看它的状态时,它似乎也不错:
sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
我在日志 /var/log/fail2ban.log 中添加了几行:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh
backend = polling
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3
当我这样做时,cat fail2ban.log之后没有显示任何连接2023-12-07 16:32:52,362 fail2ban.jail [3466]: INFO Jail 'sshd' started。我正在通过我的 MacBook 与服务器进行 ssh 连接,它们出现在/var/log/auth.log,然而什么也没有出现在fail2ban.log。
答案1
尝试将您的后端设置为自动或 systemd,然后重新加载 fail2ban。
我建议你的监狱采用这种配置
[ssh]
enabled = true
port = ssh
filter = ssh
backend = systemd
maxretry = 3
bantime = 600
# Block DDOS on ssh
[ssh-ddos]
enabled = true
port = ssh,sftp
filter = sshd-ddos
backend = systemd
maxretry = 2
bantime = 600
要查看被禁止的 IP,您需要检查监狱本身fail2ban-client status ssh(当您实现我的配置时),您的配置fail2ban-client status sshd(但在基于 Debian 的发行版中,sshd 是 ssh 服务,它只是 ssh)