Fail2Ban is not adding iptables rules to block attackers. I'm running CentOS 6.5 (32-bit).
Here is what I did:
I copied jail.conf to jail.local. In jail.local I changed the ban time to 3600
bantime = 3600
For iptables I have these rules defined for SSH
Chain INPUT (policy ACCEPT)
num  target        prot opt source               destination
1    ACCEPT        all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT        all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
3    fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
My jail.local configuration for SSH:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5
The latest log entries:
2014-08-13 10:11:04,481 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-08-13 10:11:04,482 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2014-08-13 10:11:04,514 fail2ban.jail : INFO Jail 'ssh-iptables' uses pyinotify
2014-08-13 10:11:04,533 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-08-13 10:11:04,536 fail2ban.filter : INFO Added logfile = /var/log/secure
2014-08-13 10:11:04,537 fail2ban.filter : INFO Set maxRetry = 5
2014-08-13 10:11:04,540 fail2ban.filter : INFO Set findtime = 600
2014-08-13 10:11:04,540 fail2ban.actions: INFO Set banTime = 3600
2014-08-13 10:11:04,727 fail2ban.jail : INFO Jail 'ssh-iptables' started
Then I started fail2ban, but after a while (an hour or so) I checked /var/log/secure and I'm still getting brute-force attempts:
Aug 13 10:31:35 webhost sshd[15619]: Invalid user china from 128.199.147.79
Aug 13 10:31:35 webhost sshd[15620]: input_userauth_request: invalid user china
Aug 13 10:31:36 webhost sshd[15620]: Connection closed by 128.199.147.79
Aug 13 10:35:04 webhost sshd[15661]: Invalid user klaudia from 106.187.90.33
Aug 13 10:35:04 webhost sshd[15662]: input_userauth_request: invalid user klaudia
Aug 13 10:35:05 webhost sshd[15662]: Connection closed by 106.187.90.33
Aug 13 10:41:56 webhost sshd[15772]: Invalid user cassandra from 106.187.90.33
Aug 13 10:41:56 webhost sshd[15773]: input_userauth_request: invalid user cassandra
Aug 13 10:41:57 webhost sshd[15773]: Connection closed by 106.187.90.33
Aug 13 10:44:10 webhost sshd[15807]: Invalid user knight from 106.187.90.33
Aug 13 10:44:10 webhost sshd[15808]: input_userauth_request: invalid user knight
Aug 13 10:44:12 webhost sshd[15808]: Connection closed by 106.187.90.33
No new rules have been added to iptables
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
If I try to debug the problem with fail2ban-regex:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Running tests
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure

Results

Failregex: 1374 total
|- #) [# of hits] regular expression
| 5) [1374] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [4615] MONTH Day Hour:Minute:Second
`-

Lines: 4615 lines, 0 ignored, 1374 matched, 3241 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 3241 lines

The missed lines are:

Lines: 4621 lines, 0 ignored, 1376 matched, 3245 missed
|- Missed line(s):
| Aug 10 03:46:30 webhost sshd[12340]: input_userauth_request: invalid user simulator
| Aug 10 03:46:30 webhost sshd[12340]: Connection closed by 106.187.90.33
| Aug 10 03:55:01 webhost sshd[12430]: input_userauth_request: invalid user simulation
| Aug 10 03:55:02 webhost sshd[12430]: Connection closed by 106.187.90.33
| Aug 10 04:01:33 webhost sshd[12505]: Connection closed by 128.199.147.79
| Aug 10 04:02:46 webhost sshd[12539]: reverse mapping checking getaddrinfo for new.jerl.im [128.199.254.179] failed - POSSIBLE BREAK-IN ATTEMPT!
I know very little about fail2ban and don't know what is wrong with my sshd filter. I would have thought the default configuration would be enough? How do I fix this?
Check whether you have the IPTABLES jail and the SSH filter enabled. Also check the f2b log – is f2b trying to ban someone?
I don't know what you are logging to /var/log/secure or /var/log/auth.log, but either way you need to tell fail2ban which one it should read. Also, as mentioned before, if you have changed the default port for ssh (22), then again you need to tell fail2ban and open it in your firewall (iptables etc.). The regex works as expected; it matches the important line in the log
Aug 13 10:31:35 webhost sshd[15619]: Invalid user china from 128.199.147.79
The others listed as missed are not important to fail2ban, because they don't provide the <HOST> or <IP> that fail2ban needs to ban a client. So, if all the definitions match your system setup, then fail2ban is set up correctly for ssh and it should be banning; remember that you have to trip the 'findtime' and 'maxretry' values to get banned. After any change, don't forget '$ fail2ban-client reload'.
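Added example, not part of any answer on this page: a Python script that replays sshd log lines through the jail's counting rule (a host is banned once maxretry failures fall within findtime) so the "did I trip findtime and maxretry" question can be checked against a log excerpt. It uses a simplified form of the sshd failregex printed by fail2ban-regex above, covering only the "Invalid user ... from <HOST>" line shape; the input_userauth_request and Connection closed lines are skipped because they carry no <HOST>, exactly as the fail2ban-regex output reports. Run on the excerpt quoted in the question it finds one failure from 128.199.147.79 and three from 106.187.90.33 inside a 600-second window, short of maxretry = 5, so that excerpt alone would not produce a ban; a constructed five-attempt burst from 203.0.113.7 (RFC 5737 documentation address) shows what does. The year 2014 and the defaults maxretry = 5, findtime = 600 are taken from the question's fail2ban log; the regex simplification and the burst are assumptions made for the example.

```python
"""Apply fail2ban's ban rule (maxretry failures within findtime) to sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_YEAR = 2014  # syslog lines carry no year; 2014 is assumed from the question's log

# Simplified form of the sshd failregex shown above: only the "Invalid user ... from <HOST>"
# shape, the one line type that matched. Written for this example, not fail2ban's pattern.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"[iI](?:llegal|nvalid) user .* from (?P<host>\S+)\s*$"
)

# Sample input: the /var/log/secure excerpt quoted in the question.
QUESTION_LOG = """\
Aug 13 10:31:35 webhost sshd[15619]: Invalid user china from 128.199.147.79
Aug 13 10:31:35 webhost sshd[15620]: input_userauth_request: invalid user china
Aug 13 10:31:36 webhost sshd[15620]: Connection closed by 128.199.147.79
Aug 13 10:35:04 webhost sshd[15661]: Invalid user klaudia from 106.187.90.33
Aug 13 10:35:04 webhost sshd[15662]: input_userauth_request: invalid user klaudia
Aug 13 10:35:05 webhost sshd[15662]: Connection closed by 106.187.90.33
Aug 13 10:41:56 webhost sshd[15772]: Invalid user cassandra from 106.187.90.33
Aug 13 10:41:56 webhost sshd[15773]: input_userauth_request: invalid user cassandra
Aug 13 10:41:57 webhost sshd[15773]: Connection closed by 106.187.90.33
Aug 13 10:44:10 webhost sshd[15807]: Invalid user knight from 106.187.90.33
Aug 13 10:44:10 webhost sshd[15808]: input_userauth_request: invalid user knight
Aug 13 10:44:12 webhost sshd[15808]: Connection closed by 106.187.90.33
""".splitlines()

# Constructed burst (RFC 5737 documentation address) that does cross the threshold.
BURST_LOG = [
    f"Aug 13 11:00:{sec:02d} webhost sshd[{16000 + sec}]: Invalid user admin from 203.0.113.7"
    for sec in range(5)
]


def parse_ts(text):
    """Turn 'Aug 13 10:31:35' into a datetime, supplying the assumed year."""
    return datetime.strptime(f"{SYSLOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def evaluate(lines, maxretry=5, findtime=600):
    """Replay lines through the jail's counting rule.

    Returns a dict with matched/missed line counts, total failures per host, and
    the (host, time) pairs at which a ban would have been issued. Lines the
    failregex does not match are 'missed' and never counted.
    """
    recent = defaultdict(deque)   # host -> timestamps still inside the findtime window
    failures = defaultdict(int)   # host -> total matched failures
    banned, bans = set(), []
    matched = missed = 0
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            missed += 1
            continue
        matched += 1
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        failures[host] += 1
        window = recent[host]
        window.append(ts)
        # Drop failures older than findtime relative to this one.
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.add(host)
            bans.append((host, ts))
    return {"matched": matched, "missed": missed,
            "failures": dict(failures), "bans": bans}


if __name__ == "__main__":
    for label, lines in (("question excerpt", QUESTION_LOG), ("constructed burst", BURST_LOG)):
        r = evaluate(lines)
        print(f"{label}: {r['matched']} matched, {r['missed']} missed, failures={r['failures']}")
        for host, when in r["bans"]:
            print(f"  would ban {host} at {when:%b %d %H:%M:%S}")
        if not r["bans"]:
            print("  no host reached maxretry within findtime; no ban expected")
```

To check a real log, replace QUESTION_LOG with the lines of /var/log/secure and pass the jail's own maxretry and findtime; if evaluate() reports bans but the fail2ban-SSH chain stays empty, the problem is in the action rather than the filter.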
From my SysAdmin experience, try systemd as the backend, and if you're on CentOS, use banaction instead of action.
For example,
in your jail.local
[DEFAULT]
bantime = 4640000
banaction = firewalld-custom
backend = systemd
Let me know whether this works.
When I ran into this problem, it was because the "iptables" command wasn't working. I believe I could have fixed it by changing this line
iptables = iptables <lockingopt>
to
iptables = /sbin/iptables <lockingopt>
But to be safe, and because I only used iptables-allports.conf, I simply replaced every occurrence in that file with /sbin/iptables.
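Added example, not part of the answer above: a Python helper that performs the check this answer implies, namely resolving where iptables actually lives before fail2ban tries to call it, and rewriting the `iptables = iptables <lockingopt>` line to that absolute path. Searching explicit directories instead of $PATH matters because the daemon's environment can differ from the interactive shell's. The action-file excerpt it edits is constructed for the example (it reuses only the line quoted in the answer), the search directories are an assumption, and demo() uses a stub file in a temporary directory so it runs offline.

```python
"""Resolve the iptables binary a fail2ban action will call and pin it to an absolute path."""
import os
import re
import stat
import tempfile

# Constructed excerpt in the shape of the line quoted in the answer above;
# not a copy of any file shipped with fail2ban.
SAMPLE_ACTION = """\
[Init]
# Option: iptables
iptables = iptables <lockingopt>
"""

# Assumed install locations; the daemon's PATH may not include all of them.
DEFAULT_SEARCH_DIRS = ("/sbin", "/usr/sbin", "/bin", "/usr/bin")

# Matches "iptables = iptables" followed by anything, keeping key and arguments.
IPTABLES_LINE = re.compile(
    r"^(?P<key>iptables\s*=\s*)iptables(?P<rest>(?:\s.*)?)$", re.MULTILINE
)


def find_executable(name, search_dirs=DEFAULT_SEARCH_DIRS):
    """Return the first search_dirs entry holding an executable `name`, or None."""
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def pin_iptables_path(action_text, search_dirs=DEFAULT_SEARCH_DIRS):
    """Rewrite 'iptables = iptables ...' to the absolute path; return (text, replacements).

    Raises FileNotFoundError when the binary is not found, since a bare name that
    does not resolve is exactly the silent failure the answer describes.
    """
    path = find_executable("iptables", search_dirs)
    if path is None:
        raise FileNotFoundError(f"iptables not found in {', '.join(search_dirs)}")
    return IPTABLES_LINE.subn(lambda m: m.group("key") + path + m.group("rest"), action_text)


def demo():
    """Offline run: a stub 'iptables' file (never executed) in a temporary directory.

    Returns (pinned text, replacement count, whether a missing binary was detected).
    """
    with tempfile.TemporaryDirectory() as tmp:
        stub = os.path.join(tmp, "iptables")
        with open(stub, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(stub, os.stat(stub).st_mode | stat.S_IXUSR)
        pinned, count = pin_iptables_path(SAMPLE_ACTION, (tmp,))
        try:
            pin_iptables_path(SAMPLE_ACTION, (os.path.join(tmp, "empty"),))
            missing_detected = False
        except FileNotFoundError:
            missing_detected = True
    return pinned, count, missing_detected


if __name__ == "__main__":
    pinned, count, missing_detected = demo()
    print(f"{count} line(s) pinned; missing binary detected: {missing_detected}")
    print(pinned)
```

On a real host, run pin_iptables_path() on the contents of the action file in /etc/fail2ban/action.d and write the result back only after reviewing the diff; a FileNotFoundError from the default search directories means the ban action could never have executed.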