I have installed fail2ban to block brute-force attempts on ssh passwords. There is a business requirement not to disable password authentication on this machine.
fail2ban was installed with the same Chef recipe that effectively blocks ssh attackers on other machines. There is an ssh jail configured:
# service fail2ban status
fail2ban-server (pid 5480) is running...
WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
Status
|- Number of jail: 1
`- Jail list: ssh
Manually banning a host works:
# fail2ban-client set ssh banip 103.41.124.46
But nobody seems to get banned automatically:
# cat /var/log/fail2ban.log
2014-11-20 18:23:47,069 fail2ban.server [67569]: INFO Exiting Fail2ban
2014-11-20 18:44:59,202 fail2ban.server [5480]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2014-11-20 18:44:59,213 fail2ban.jail [5480]: INFO Creating new jail 'ssh'
2014-11-20 18:44:59,214 fail2ban.jail [5480]: INFO Jail 'ssh' uses poller
2014-11-20 18:44:59,249 fail2ban.jail [5480]: INFO Initiated 'polling' backend
2014-11-20 18:44:59,270 fail2ban.filter [5480]: INFO Added logfile = /var/log/secure
2014-11-20 18:44:59,271 fail2ban.filter [5480]: INFO Set maxRetry = 6
2014-11-20 18:44:59,272 fail2ban.filter [5480]: INFO Set findtime = 600
2014-11-20 18:44:59,272 fail2ban.actions[5480]: INFO Set banTime = 300
2014-11-20 18:44:59,431 fail2ban.jail [5480]: INFO Jail 'ssh' started
2014-11-21 11:09:37,447 fail2ban.actions[5480]: WARNING [ssh] Ban 103.41.124.46
2014-11-21 11:10:32,602 fail2ban.actions[5480]: WARNING [ssh] Ban 122.225.97.75
2014-11-21 11:14:37,899 fail2ban.actions[5480]: WARNING [ssh] Unban 103.41.124.46
2014-11-21 11:15:32,976 fail2ban.actions[5480]: WARNING [ssh] Unban 122.225.97.75
2014-11-21 11:30:06,295 fail2ban.comm [5480]: WARNING Command ['ban', 'ssh', '189.203.240.89'] has failed. Received Exception('Invalid command',)
2014-11-21 11:30:33,966 fail2ban.actions[5480]: WARNING [ssh] Ban 189.203.240.89
2014-11-21 11:35:34,303 fail2ban.actions[5480]: WARNING [ssh] Unban 189.203.240.89
For example, here is an attack in /var/log/messages that should have been caught and banned:
Nov 21 07:51:32 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:34 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:35 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
Nov 21 07:51:35 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:37 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:37 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:38 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
Nov 21 07:51:38 my_hostname sshd[51084]: Failed password for root from 122.225.109.219 port 3501 ssh2
Nov 21 07:51:39 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
This is also logged in /var/log/secure:
Nov 25 16:06:40 cluster-122-1413591380-db sshd[75769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:46 cluster-122-1413591380-db sshd[75769]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:48 cluster-122-1413591380-db sshd[75778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:55 cluster-122-1413591380-db sshd[75778]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:57 cluster-122-1413591380-db sshd[75780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:03 cluster-122-1413591380-db sshd[75780]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:05 cluster-122-1413591380-db sshd[75793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:12 cluster-122-1413591380-db sshd[75793]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:13 cluster-122-1413591380-db sshd[75797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:21 cluster-122-1413591380-db sshd[75797]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:22 cluster-122-1413591380-db sshd[75803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:28 cluster-122-1413591380-db sshd[75803]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:29 cluster-122-1413591380-db sshd[75809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:36 cluster-122-1413591380-db sshd[75809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:38 cluster-122-1413591380-db sshd[75811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Here is my jail.local:
# Fail2Ban configuration file.
#
# The configuration here inherits from /etc/fail2ban/jail.conf. Any setting
# omitted here will take its value from that file
#
# Author: Yaroslav O. Halchenko <snip>
#
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
findtime = 600
bantime = 300
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (eg iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (eg action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails can inherit from the configuration in /etc/fail2ban/jail.conf.
# Enable any defined in that file jail by including
#
# [SECTION_NAME]
# enabled = true
#
# Optionally you may override any other parameter (eg banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/secure
maxretry = 6

[ssh-iptables]
enabled  = false
Why isn't fail2ban working? Or rather, why did it not ban the attacker above without my manual intervention?
The logpath parameter should be set to the path of the log file to which SSH attempts are logged. So if that is /var/log/messages, then /var/log/secure is obviously not correct.
Change the logpath parameter to the correct file.
On RHEL and CentOS, authentication errors go to /var/log/messages or /var/log/secure:
# cat /etc/rsyslog.conf | grep auth
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
By default, sshd is configured with SyslogFacility set to AUTH, which sends these messages to /var/log/messages. If /etc/ssh/sshd_config overrides it as follows, they go to /var/log/secure instead:
SyslogFacility AUTHPRIV
I am using machines on the SoftLayer cloud, and at some point last year their base image configuration changed from AUTHPRIV to AUTH.
By default, fail2ban has the following jail in /etc/fail2ban/jail.local:
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/secure
maxretry = 6
I suggest adding a second jail to /etc/fail2ban/jail.local:
[ssh-log-messages]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/messages
maxretry = 6
After that, restart fail2ban for the second jail to take effect:
service fail2ban restart
Another approach is to extend the sshd regular expressions in /etc/fail2ban/filter.d/sshd.conf. There is enough information in both /var/log/secure and /var/log/messages to ban the IP. Unfortunately, fail2ban cannot parse all of the messages without adding alternative regular expressions. That is left as an exercise.
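To make the point of both answers concrete, here is an added Python example; it is not code from the question, from either answer, or from the fail2ban project. It feeds constructed log lines in the two formats quoted above through simplified regexes written for this example, applies the jail's maxretry/findtime rule, and shows that a stock-style "Failed ... from <HOST>" filter pointed at /var/log/secure matches nothing, while the same filter over /var/log/messages bans the attacker. The two rhost= patterns stand in for the alternative regular expressions the last paragraph leaves as an exercise. The regexes, the hostnames and PIDs, and the 198.51.100.7 / 203.0.113.5 addresses are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input modelled on the two formats quoted in the question:
# sshd's own "Failed password" lines (what /var/log/messages receives with
# SyslogFacility AUTH) and pam_unix lines (what /var/log/secure receives).
# Hostnames, PIDs and the 198.51.100.7 / 203.0.113.5 addresses are made up.
MESSAGES_SAMPLE = """\
Nov 21 07:51:32 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:34 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:35 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
Nov 21 07:51:35 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:37 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:37 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 09:12:01 my_hostname sshd[51090]: Failed password for root from 198.51.100.7 port 4000 ssh2
Nov 21 09:12:05 my_hostname sshd[51091]: Accepted publickey for deploy from 203.0.113.5 port 5000 ssh2
"""

SECURE_SAMPLE = """\
Nov 25 16:06:40 db-host sshd[75769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:46 db-host sshd[75769]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:48 db-host sshd[75778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:55 db-host sshd[75778]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:06:57 db-host sshd[75780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
Nov 25 16:07:03 db-host sshd[75780]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41 user=root
"""

# Simplified stand-ins for fail2ban failregex entries (this example's own
# regexes, not copies of filter.d/sshd.conf). STOCK_PATTERNS mimics the kind of
# line the shipped sshd filter matches ("Failed ... from <HOST>");
# EXTRA_PATTERNS are alternative expressions that pick the address out of the
# trailing "rhost=" field of the pam_unix lines instead.
STOCK_PATTERNS = {
    "failed_password": re.compile(
        r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
}
EXTRA_PATTERNS = {
    "pam_failure": re.compile(
        r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<host>\S+)"),
    "pam_more": re.compile(
        r"PAM \d+ more authentication failures;.*\brhost=(?P<host>\S+)"),
}
ALL_PATTERNS = {**STOCK_PATTERNS, **EXTRA_PATTERNS}

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2014):
    """Syslog timestamps carry no year, so the caller supplies one."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def failures(lines, patterns):
    """Return (timestamp, host) for every line matched by one of the patterns.
    As in fail2ban, one matched line counts as one failure."""
    events = []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        for rx in patterns.values():
            m = rx.search(line)
            if m:
                events.append((ts, m.group("host")))
                break
    return events


def hosts_to_ban(events, maxretry=6, findtime=600):
    """Apply the jail's rule: ban a host once maxretry failures fall inside
    any findtime-second window (sliding window over sorted timestamps)."""
    by_host = defaultdict(list)
    for ts, host in events:
        by_host[host].append(ts)
    banned = set()
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


def diagnose(messages_text, secure_text, patterns=STOCK_PATTERNS, maxretry=6, findtime=600):
    """Run the same filter over both log files and report who each would ban."""
    return {
        "messages": hosts_to_ban(failures(messages_text.splitlines(), patterns), maxretry, findtime),
        "secure": hosts_to_ban(failures(secure_text.splitlines(), patterns), maxretry, findtime),
    }


if __name__ == "__main__":
    # A jail watching /var/log/secure with the stock-style pattern sees nothing,
    # while the same pattern over /var/log/messages would have banned the attacker.
    print("stock pattern:", diagnose(MESSAGES_SAMPLE, SECURE_SAMPLE))
    # With the rhost= patterns added, /var/log/secure becomes usable as well.
    print("extended     :", diagnose(MESSAGES_SAMPLE, SECURE_SAMPLE, ALL_PATTERNS))
```

On a real host the equivalent check is `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines the filter's failregex matched; running it against /var/log/secure as well shows quickly which logpath the jail should be watching, and whether the filter needs extra expressions for the pam_unix format before a second jail on that file would ban anything.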