I have a trusty 14.04.3 LTS server running fail2ban. I am being attacked from 43.229.53.71; the last octet may change. My auth.log file shows entries like these:
Dec 11 15:02:51 M1 sshd[5138]: Failed password for root from 43.229.53.71 port 39734 ssh2
Dec 11 15:02:51 M1 sshd[5138]: pam_winbind(sshd:auth): getting password (0x00000388)
Dec 11 15:02:51 M1 sshd[5138]: pam_winbind(sshd:auth): pam_get_item returned a password
Dec 11 15:02:51 M1 sshd[5138]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Dec 11 15:02:53 M1 sshd[5138]: Failed password for root from 43.229.53.71 port 39734 ssh2
Dec 11 15:02:53 M1 sshd[5138]: Received disconnect from 43.229.53.71: 11: [preauth]
Dec 11 15:02:53 M1 sshd[5138]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.71 user=root
Here are my iptables rules:
root@M1:/etc# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 7736 packets, 6163K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 fail2ban-mysqld-auth tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 3306
2 45 2838 fail2ban-apache-overflows tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
3 45 2838 fail2ban-apache-noscript tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
4 45 2838 fail2ban-apache-multiport tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
5 1581 100K fail2ban-ssh-ddos tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
6 5080 5449K fail2ban-pam-generic tcp -- * * 0.0.0.0/0 0.0.0.0/0
7 1581 100K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
8 0 0 REJECT tcp -- * * 43.225.53.71 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
9 0 0 REJECT tcp -- * * 43.225.0.0/16 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
10 0 0 DROP all -- * * 43.225.0.0/16 0.0.0.0/0
11 0 0 DROP all -- * * 43.225.0.0/16 0.0.0.0/0
12 0 0 DROP all -- * * 43.225.53.71 0.0.0.0/0
13 0 0 DROP all -- * * 43.225.53.71 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5703 packets, 4217K bytes)
num pkts bytes target prot opt in out source destination
Chain fail2ban-apache-multiport (1 references)
num pkts bytes target prot opt in out source destination
1 45 2838 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-noscript (1 references)
num pkts bytes target prot opt in out source destination
1 45 2838 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-overflows (1 references)
num pkts bytes target prot opt in out source destination
1 45 2838 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-mysqld-auth (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pam-generic (1 references)
num pkts bytes target prot opt in out source destination
1 5080 5449K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
num pkts bytes target prot opt in out source destination
1 1581 100K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh-ddos (1 references)
num pkts bytes target prot opt in out source destination
1 1581 100K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
When I enabled SSH they started attacking, as the log shows. Why are packets from this IP range not being dropped? I must be overlooking something simple; any ideas?
Answer 1
The only rules that could drop/reject SSH packets are:
8 0 0 REJECT tcp -- * * 43.225.53.71 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
9 0 0 REJECT tcp -- * * 43.225.0.0/16 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
10 0 0 DROP all -- * * 43.225.0.0/16 0.0.0.0/0
11 0 0 DROP all -- * * 43.225.0.0/16 0.0.0.0/0
12 0 0 DROP all -- * * 43.225.53.71 0.0.0.0/0
13 0 0 DROP all -- * * 43.225.53.71 0.0.0.0/0
while your uninvited guest's IP is 43.229.53.71. Note the difference in the second octet: 229 != 225.
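The mismatch above is easy to miss by eye. As an added check (not part of the question or the answer), the script below parses `iptables -nvL --line-numbers` output for the INPUT chain and reports which DROP/REJECT rules actually match a given source address for port 22. The embedded ruleset is a constructed excerpt of the chain shown in the question; `parse_rules` and `blocking_rules` are helper names chosen here.

```python
import ipaddress
import re

# Constructed excerpt of the INPUT chain from the question (same columns as
# `iptables -nvL --line-numbers`); feed real output from that command instead.
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT 7736 packets, 6163K bytes)
num pkts bytes target prot opt in out source destination
7 1581 100K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
8 0 0 REJECT tcp -- * * 43.225.53.71 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
9 0 0 REJECT tcp -- * * 43.225.0.0/16 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
10 0 0 DROP all -- * * 43.225.0.0/16 0.0.0.0/0
12 0 0 DROP all -- * * 43.225.53.71 0.0.0.0/0
"""

# num pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(
    r"^(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)(.*)$"
)


def parse_rules(text):
    """Turn iptables -nvL lines into dicts; header and 'Chain' lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, target, proto, src, dst, extra = m.groups()
        rules.append({
            "num": int(num),
            "target": target,
            "proto": proto,
            "src": ipaddress.ip_network(src),  # a bare address becomes a /32
            "extra": extra.strip(),
        })
    return rules


def blocking_rules(rules, ip, port=22):
    """Rule numbers that DROP/REJECT traffic from ip to the given TCP port."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for r in rules:
        if r["target"] not in ("DROP", "REJECT"):
            continue  # jumps to fail2ban chains are not terminal verdicts
        if addr not in r["src"]:
            continue  # source range does not cover this address
        m = re.search(r"dpt:(\d+)", r["extra"])
        if m and int(m.group(1)) != port:
            continue  # rule is port-restricted to some other port
        hits.append(r["num"])
    return hits
```

Running `blocking_rules(parse_rules(IPTABLES_INPUT), "43.229.53.71")` returns an empty list, which is exactly the symptom in the question, while the mistyped 43.225.53.71 is caught by rules 8, 9, 10 and 12.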