[DEFAULT]
ignoreip = 127.0.0.1
bantime = 10 # made for test purposes
maxretry = 3
backend = polling
destemail = [email protected]
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action = %(action_mw)s

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[pam-generic]
enabled = true
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
The rest of the fail2ban configuration is just the default configuration.
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so
Note that the only difference is the added line: session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session closed for user root
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session closed for user root
fail2ban-client set ssh banip 1.2.3.4, then this IP gets banned at 15:30. That is why I connected it to the cron job listed above. /etc/pam.d/common-session-noninteractive and repeat the fail2ban-client command: no entry in /var/log/auth.log and no ban. More information:
Default /etc/pam.d/common-session-noninteractive:
fail2ban-client set ssh banip 1.2.3.4 -> the IP is banned by an invisible cron job that runs every 5 minutes. I checked every file in /etc/cron* and /var/spool/cron/*, and there is no such job. Bottom line: a manual ban is delayed by up to 5 minutes.
Adding session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid to /etc/pam.d/common-session-noninteractive, as suggested here:
fail2ban-client set ssh banip 1.2.3.4 -> the invisible cron job does not run, and no ban happens.
How does the change in /etc/pam.d/common-session-noninteractive prevent fail2ban-client from banning the IP? Why?
root@node1:~# fail2ban-client set loglevel 4
Current logging level is DEBUG
root@node1:~# fail2ban-client -vvv set ssh banip 1.2.3.4
DEBUG Reading /etc/fail2ban/fail2ban
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG OK : '1.2.3.4'
DEBUG Beautify '1.2.3.4' with ['set', 'ssh', 'banip', '1.2.3.4']
1.2.3.4
root@zap:~# tail -f /var/log/fail2ban.log
2013-05-24 21:32:07,695 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
Result: ban.
Removing quiet from the line session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid in /etc/pam.d/common-session-noninteractive: Result: successful ban.
/var/log/auth.log:
May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"
May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"
/var/log/fail2ban.log:
2013-05-24 21:56:07,955 fail2ban.comm : DEBUG Command: ['set', 'loglevel', '4']
2013-05-24 21:56:20,155 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 22:00:01,079 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2013-05-24 22:00:01,079 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-05-24 22:00:01,853 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2013-05-24 22:00:01,853 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-05-24 22:00:01,870 fail2ban.actions: WARNING [ssh] Ban 1.2.3.4
2013-05-24 22:00:01,870 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh
2013-05-24 22:00:01,876 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh returned successfully
2013-05-24 22:00:01,877 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,919 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,920 fail2ban.actions.action: DEBUG
2013-05-24 22:00:01,923 fail2ban.actions.action: DEBUG returned successfully
...
fail2ban 0.8.7.1-2~ppa7~ from here, cleaned up. The stock one (version 0.8.4) never managed it:
"global name 'time' is not defined"
That is what prompted me to look for a newer version.
I think (but have not confirmed) that before applying the fail2ban-client command, fail2ban simply waits for new lines in auth.log, so the ban is triggered not by "an invisible cron job that runs every 5 minutes" but by "the infinite loop reading 'logpath'", which in this particular case is auth.log. If that is true, the change made in /etc/pam.d/common-session-noninteractive does not prevent fail2ban-client from banning the IP, but delays it until a new line appears in auth.log. New log lines appear less often because you disabled the cron messages, and you have to wait longer for the IP ban.
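A quick way to confirm the delay the answer describes, from the defender's side, is to measure it in /var/log/fail2ban.log: pair each "set <jail> banip <ip>" command line with the matching "[jail] Ban <ip>" action line and report the gap. The following is an added example, not code from the question, the answer or the fail2ban project; it assumes the fail2ban 0.8 log format shown above (DEBUG level, so that fail2ban.comm logs the command), and the sample log is constructed from the excerpt in the question plus one hypothetical banip for 5.6.7.8 that never gets acted on.

```python
import re
from datetime import datetime

# Constructed sample modelled on the fail2ban.log excerpt in the question:
# one banip command that was only acted on when auth.log changed, plus a
# hypothetical second banip (5.6.7.8) that never produced a Ban line.
SAMPLE_FAIL2BAN_LOG = """\
2013-05-24 21:56:07,955 fail2ban.comm : DEBUG Command: ['set', 'loglevel', '4']
2013-05-24 21:56:20,155 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 22:00:01,079 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2013-05-24 22:00:01,870 fail2ban.actions: WARNING [ssh] Ban 1.2.3.4
2013-05-24 22:05:00,000 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '5.6.7.8']
"""

TIMESTAMP = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
# "set <jail> banip <ip>" as logged by fail2ban.comm at DEBUG level
BANIP_CMD_RE = re.compile(
    TIMESTAMP + r" fail2ban\.comm\s*: DEBUG Command: "
    r"\['set', '(?P<jail>[^']+)', 'banip', '(?P<ip>[^']+)'\]")
# the WARNING line written when the ban action actually fires
BAN_DONE_RE = re.compile(
    TIMESTAMP + r" fail2ban\.actions\s*: WARNING \[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")


def parse_ts(text):
    """fail2ban 0.8 writes 'YYYY-MM-DD HH:MM:SS,mmm'; %f accepts the 3-digit fraction."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def manual_ban_latencies(log_text, warn_after=60.0):
    """Pair each 'set <jail> banip <ip>' command with the matching 'Ban <ip>'
    action and report the delay in seconds.  A ban still pending at the end of
    the log is reported with delay_s=None so it is not silently lost."""
    pending = {}   # (jail, ip) -> time the command was received
    results = []
    for line in log_text.splitlines():
        m = BANIP_CMD_RE.match(line)
        if m:
            pending[(m["jail"], m["ip"])] = parse_ts(m["ts"])
            continue
        m = BAN_DONE_RE.match(line)
        if m and (m["jail"], m["ip"]) in pending:
            requested = pending.pop((m["jail"], m["ip"]))
            delay = (parse_ts(m["ts"]) - requested).total_seconds()
            results.append({"jail": m["jail"], "ip": m["ip"],
                            "requested": requested, "delay_s": delay,
                            "slow": delay > warn_after})
    # anything left here was requested but never acted on within the log
    for (jail, ip), requested in pending.items():
        results.append({"jail": jail, "ip": ip, "requested": requested,
                        "delay_s": None, "slow": True})
    return results


if __name__ == "__main__":
    for r in manual_ban_latencies(SAMPLE_FAIL2BAN_LOG):
        state = ("never banned" if r["delay_s"] is None
                 else f"banned after {r['delay_s']:.1f}s")
        flag = "  <-- check backend / log activity" if r["slow"] else ""
        print(f"[{r['jail']}] {r['ip']}: {state}{flag}")
```

On the question's own log the 1.2.3.4 ban is reported roughly 221.7 s after the command, which is exactly the "wait for the next auth.log write" behaviour the answer suspects; a ban that stays pending is flagged as well. Pointing the function at a real /var/log/fail2ban.log (read with the file open) lets you watch whether switching backend = polling to an inotify-based backend, or simply having more log traffic, shortens that gap.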