Fail2Ban - Failed to execute ban jail 'xxx' action 'xarf-login-attack'

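I recently set up Fail2Ban (v0.9.4 on Debian Jessie). I only use it for SSH.
By default, my main jail bans for one day after 5 failed attempts within 10 minutes. This setting works well for me, but some bots keep going after they are unbanned.
So I set up 2 more jails, which have a longer findtime and a higher maxretry, and then ban that IP for a much longer time. The second layer also sends me an email (using action = %(action_mwl)s), and the third and final layer reports the IP using action = %(action_xarf)s. The configuration itself is working, and fail2ban has already found several candidates for the final layer.

But sometimes (in about 50% of cases) it fails with an error message like the following (the 3rd layer is called sshd-bot):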

2016-03-31 10:59:44,849 fail2ban.actions        [30358]: NOTICE  [sshd-bot] Ban 95.59.143.167
2016-03-31 10:59:44,979 fail2ban.action         [30358]: ERROR   oifs=${IFS}; IFS=.;SEP_IP=( 95.59.143.167 ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
2016-03-31 10:59:44,980 fail2ban.action         [30358]: ERROR   oifs=${IFS}; IFS=.;SEP_IP=( 95.59.143.167 ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
2016-03-31 10:59:44,980 fail2ban.action         [30358]: ERROR   oifs=${IFS}; IFS=.;SEP_IP=( 95.59.143.167 ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
2016-03-31 10:59:44,981 fail2ban.actions        [30358]: ERROR   Failed to execute ban jail 'sshd-bot' action 'xarf-login-attack' info 'CallingMap({'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x6a07f4acc268>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x6a07f4acc158>, 'failures': 1588, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x6a07f4acc1e0>, 'time': 1459414784.8492236, 'matches': '  Long string containing all matches  ', 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x6a07f4acc2f0>, 'ip': '95.59.143.167'})': local variable 'popen' referenced before assignment

There are other error messages as well, but this is the most common one.

Edit:

Here is the configuration of all 3 jails:

[sshd]

enabled = true

bantime = 86400 ; 1 day
findtime = 600 ; 10 minutes
maxretry = 5

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

action = %(action_)s


[sshd-repeat]

enabled = true

bantime = 2628000 ; 1 month
findtime = 604800 ; 1 week
maxretry = 20

filter  = sshd
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

action = %(action_mwl)s


[sshd-bot]

enabled = true

bantime = 315400000 ; 10 years
findtime = 31540000 ; 1 year
maxretry = 200

filter  = sshd
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

action = %(action_xarf)s
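
The last log line above ends with the text of a Python UnboundLocalError ("local variable 'popen' referenced before assignment"). The following is an added example, not fail2ban's code and not part of the original post: it shows how that message arises when a name assigned inside `try` is read in the handler after the call itself raised, and how binding the name first lets the underlying OSError be reported instead. That this is what happens inside fail2ban 0.9.4 is an assumption; the function names and the command path are hypothetical.

```python
import subprocess

# Constructed input: a path that does not exist, so Popen() itself raises OSError.
MISSING_CMD = ["/nonexistent/added-example-binary"]


def run_masking(cmd):
    """Handler reads `popen` even when Popen() never returned."""
    try:
        popen = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, _ = popen.communicate()
        return popen.returncode == 0, out
    except OSError:
        # `popen` was never bound, so this line raises UnboundLocalError.
        # A log that prints only the exception message loses the OSError.
        return popen.returncode == 0, b""


def run_reporting(cmd):
    """Same call, but the name is bound first and the OSError is returned."""
    popen = None
    try:
        popen = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, _ = popen.communicate()
        return popen.returncode == 0, out
    except OSError as exc:
        return False, exc  # caller sees the real cause, e.g. FileNotFoundError


def compare(cmd=MISSING_CMD):
    """Return (exception type name from run_masking, result of run_reporting)."""
    try:
        run_masking(cmd)
        masked = None
    except Exception as exc:  # we want the type name, whatever it is
        masked = type(exc).__name__
    return masked, run_reporting(cmd)


if __name__ == "__main__":
    masked, (ok, cause) = compare()
    print("masking wrapper raised:", masked)
    print("reporting wrapper returned:", ok, repr(cause))
```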
