我已经配置了 fail2ban 来监控我获取的某种恶意流量模式并禁止相关的 IP 地址。
一切似乎都运行良好——正则表达式正确匹配模式,问题 IP 地址被添加到 iptables 中。
然而,当我检查 Apache 日志时仍然从被禁止的 IP 地址获取命中。就好像 iptables 根本没有运行一样。
因此,让我分享一些细节,以确认一切配置正确。
首先,我将清除并重新加载 iptables 规则:
$ sudo iptables -F
$ cat /etc/iptables.firewall.rules
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
$ sudo iptables-restore < /etc/iptables.firewall.rules
$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
14 1432 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11 1638 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
现在,fail2ban 配置如下所示:
$ cat /etc/fail2ban/filter.d/apache-xmlrpc.conf
[Definition]
failregex = .*:80 <HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
$ cat /etc/fail2ban/jail.local
[apache-xmlrpc]
enabled = true
port = http,https
filter = apache-xmlrpc
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 6
$ fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-xmlrpc.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/apache-xmlrpc.conf
Use log file : /var/log/apache2/other_vhosts_access.log
Results
=======
Failregex
|- Regular expressions:
| [1] .*:80 <HOST> .*POST .*xmlrpc\.php.*
|
`- Number of matches:
[1] 29 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
80.82.70.239 (Sat Jul 13 02:41:52 2013)
80.82.70.239 (Sat Jul 13 02:41:53 2013)
80.82.70.239 (Sat Jul 13 02:41:55 2013)
80.82.70.239 (Sat Jul 13 02:41:56 2013)
80.82.70.239 (Sat Jul 13 02:41:57 2013)
80.82.70.239 (Sat Jul 13 02:41:58 2013)
80.82.70.239 (Sat Jul 13 02:41:59 2013)
80.82.70.239 (Sat Jul 13 02:42:00 2013)
80.82.70.239 (Sat Jul 13 02:42:02 2013)
80.82.70.239 (Sat Jul 13 02:42:03 2013)
80.82.70.239 (Sat Jul 13 02:42:04 2013)
80.82.70.239 (Sat Jul 13 02:42:05 2013)
80.82.70.239 (Sat Jul 13 02:42:06 2013)
80.82.70.239 (Sat Jul 13 02:42:07 2013)
80.82.70.239 (Sat Jul 13 02:42:09 2013)
80.82.70.239 (Sat Jul 13 02:42:10 2013)
80.82.70.239 (Sat Jul 13 02:42:11 2013)
80.82.70.239 (Sat Jul 13 02:42:12 2013)
80.82.70.239 (Sat Jul 13 02:42:13 2013)
80.82.70.239 (Sat Jul 13 02:42:15 2013)
80.82.70.239 (Sat Jul 13 02:42:16 2013)
80.82.70.239 (Sat Jul 13 02:42:17 2013)
80.82.70.239 (Sat Jul 13 02:42:18 2013)
80.82.70.239 (Sat Jul 13 02:42:19 2013)
80.82.70.239 (Sat Jul 13 02:42:20 2013)
80.82.70.239 (Sat Jul 13 02:42:22 2013)
80.82.70.239 (Sat Jul 13 02:42:23 2013)
80.82.70.239 (Sat Jul 13 02:42:24 2013)
80.82.70.239 (Sat Jul 13 02:42:25 2013)
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
70 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 29
However, look at the above section 'Running tests' which could contain important
information.
如您所见,我在过滤器中设置了 failregex,并且过滤器已启用。使用 fail2ban-regex,过滤器确实在我正在监控的日志文件中找到匹配项。(我现在正受到一个有问题的 IP 地址的攻击,这使得测试变得非常容易。)
因此现在我重新启动 fail2ban 并观察规则生效:
$ sudo service fail2ban restart
* Restarting authentication failure monitor fail2ban [ OK ]
$ tail /var/log/fail2ban.log -n 50
2013-07-13 02:42:58,014 fail2ban.server : INFO Stopping all jails
2013-07-13 02:42:58,745 fail2ban.jail : INFO Jail 'apache-xmlrpc' stopped
2013-07-13 02:42:59,439 fail2ban.jail : INFO Jail 'ssh' stopped
2013-07-13 02:42:59,440 fail2ban.server : INFO Exiting Fail2ban
2013-07-13 02:43:08,055 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2013-07-13 02:43:08,057 fail2ban.jail : INFO Creating new jail 'ssh'
2013-07-13 02:43:08,111 fail2ban.jail : INFO Jail 'ssh' uses Gamin
2013-07-13 02:43:08,397 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-07-13 02:43:08,404 fail2ban.filter : INFO Set maxRetry = 6
2013-07-13 02:43:08,414 fail2ban.filter : INFO Set findtime = 600
2013-07-13 02:43:08,435 fail2ban.actions: INFO Set banTime = 600
2013-07-13 02:43:09,277 fail2ban.jail : INFO Creating new jail 'apache-xmlrpc'
2013-07-13 02:43:09,277 fail2ban.jail : INFO Jail 'apache-xmlrpc' uses Gamin
2013-07-13 02:43:09,283 fail2ban.filter : INFO Added logfile = /var/log/apache2/other_vhosts_access.log
2013-07-13 02:43:09,286 fail2ban.filter : INFO Set maxRetry = 6
2013-07-13 02:43:09,289 fail2ban.filter : INFO Set findtime = 600
2013-07-13 02:43:09,292 fail2ban.actions: INFO Set banTime = 600
2013-07-13 02:43:09,458 fail2ban.jail : INFO Jail 'ssh' started
2013-07-13 02:43:09,792 fail2ban.jail : INFO Jail 'apache-xmlrpc' started
2013-07-13 02:43:11,361 fail2ban.actions: WARNING [apache-xmlrpc] Ban 80.82.70.239
$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
244 39277 fail2ban-apache-xmlrpc tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
101 7716 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
3404 582K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
349 20900 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
12 720 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2 80 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
2 80 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3331 4393K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-xmlrpc (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 80.82.70.239 0.0.0.0/0
244 39277 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 223.4.147.8 0.0.0.0/0
101 7716 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
从 fail2ban 日志中可以看出,规则集配置正确。您已经可以看到有问题的 IP 地址立即被捕获并被禁止。iptables 的输出显示该 IP 地址实际上已被丢弃。
然而,我已经观察到,在 fail2ban-apache-xmlrpc 链下匹配的 IP 地址没有丢弃数据包。果然,我检查了 apache 日志:
$ tail /var/log/apache2/other_vhosts_access.log
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:53 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:54 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:56 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:57 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:58 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:59 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:44:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:44:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
不,它没有被阻止!我也可以在 fail2ban 日志中确认这一点:
$ tail /var/log/fail2ban.log
2013-07-13 02:52:30,757 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
2013-07-13 02:52:37,767 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
2013-07-13 02:52:44,783 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
2013-07-13 02:52:51,814 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
2013-07-13 02:52:58,830 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
2013-07-13 02:53:05,842 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
2013-07-13 02:53:11,858 fail2ban.actions: WARNING [apache-xmlrpc] Unban 80.82.70.239
2013-07-13 02:53:12,910 fail2ban.actions: WARNING [apache-xmlrpc] Ban 80.82.70.239
2013-07-13 02:53:20,118 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
2013-07-13 02:53:27,129 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
它不断出现在 apache 日志中,因此 fail2ban 正尝试不断禁止它!
说实话,我实在想不通为什么 iptables 没有丢弃来自这个 IP 地址的流量。规则顺序对我来说似乎是正确的,DROP 先于其他任何内容。
我在 Google 上搜索了一堆遇到类似问题的人,但似乎总是归结为禁止非标准端口上的 SSH 流量的问题。就我而言,我只是试图禁止标准 http 端口 80 上的 IP 地址。
我希望我只是忽略了一些非常简单的事情。这是在 Linode 上运行 Ubuntu 12.04 的 VPS。如果有人有任何想法,请告诉我。非常感谢...
编辑:这是输出iptables -S
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-apache-xmlrpc
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-xmlrpc
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A fail2ban-apache-xmlrpc -s 80.82.70.239/32 -j DROP
-A fail2ban-apache-xmlrpc -j RETURN
-A fail2ban-ssh -s 223.4.147.8/32 -j DROP
-A fail2ban-ssh -j RETURN
答案1
输出iptables -s看起来正确,我不知道如何通过防火墙进入您的服务器。我的第一个猜测是您在服务器前面有一个代理/负载平衡器,Apache 正在记录标80.82.70.239/32头或任何名称。如果事实确实如此,您将不得不将防火墙逻辑移至代理/负载平衡器或应用程序级别(Apache 计算标头并拒绝访问)。any:80HTTP_X_FORWARDED_FORFORWARDED_FOR
无论哪种方式:
我要采取的下一步行动是捕获iptables -s您上面发布的输出。禁用 fail2ban 并将带有 fail2ban 链和阻止的 IP 地址的配置加载到 iptables 中。
但请遵循以下第一条-A规则:
-A INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP: "
如果您觉得捕获 80 和 443 更好,那就去做吧。我们的想法是,如果我们注意来自可疑来源的数据包,防火墙的日志可能会显示我们遗漏的某些信息。
答案2
iptables 的输出实际上显示,虽然存在一条针对 fail2ban 认为应该过滤和丢弃的 IP 地址的规则,但没有数据包通过 fail2ban xmlrpc 链并被该规则丢弃。相反,所有通过该链的 224 个数据包都被接受了。
也就是说,规则确实是正确的。但是,您的接受 TCP 端口 80 规则接受的流量似乎比通过 fail2ban 过滤器链的流量多。最可能的原因是您想要阻止的流量是在 fail2ban 链尚未插入输入时进入的(我注意到您的默认规则中没有它,这可能没问题,但这意味着如果您重新加载 iptables,fail2ban 链不会立即生效)。
尝试运行iptables -z以将数据包计数归零,然后iptables -nvL再次观察 的输出。输出应该不一样。此外,考虑在 iptables 的初始规则中保存 fail2ban 链的规则(/etc/iptables.firewall.rules)。保存委托规则,如下所示:
fail2ban-apache-xmlrpc tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
还保存链的存在(如fail2ban-apache-xmlrpc),但不保存实际被禁止的 IP。
答案3
我在自己的网站上遇到了和你一模一样的问题。设置非常相似,LAMP 堆栈,几个功能齐全的 fail2ban jail,但我仍然看到那些据称被禁止的 IP 地址出现在访问日志文件中。我在 Apache 前面没有任何代理/负载平衡器。
解决我的问题的方法出奇的简单:将禁止语句移到 iptables 配置文件的顶部!