编辑:按照马可的建议,添加了额外的 .conf 文件,并略微修改了措辞。
我正在运行应该支持IPv6的Fail2ban v0.10 。
我已经按照这些说明为 nftables 设置了 Fail2ban,只是我使用了 nftables 的 'inet' 地址族而不是 ip 地址族,因为我想允许 IPv6 流量到达我的服务器。
服务器可以通过 IPv6 访问,据我所知,我的防火墙(nftables)配置似乎是正确的(见 table inet filter)。
然而,'table inet fail2ban' 正是我发这个帖子的原因:在我看来,Fail2ban 只读取 IPv4 的日志条目,也只封禁违规的 IPv4 主机。
我的理解对吗?如果是这样,有人知道如何让 Fail2ban 处理 IPv6 流量吗?我知道 Fail2ban v0.10 的 changelog 指出并非所有封禁动作都支持 IPv6,但我似乎找不到相关的列表。
也欢迎提供相关信息的链接,因为我自己似乎找不到。
我只附上了 recidive 监狱(jail)的配置,因为我认为,如果能让这个监狱支持 IPv6,其他监狱也可以照做;如果这个假设有误,请告诉我 :)
我的nftables规则集:
# Output of `nft list ruleset` (the non-zero counters show this is the live
# state, not the file on disk).
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state { related, established} accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
        # NOTE(review): the limit is part of the same rule as the log and the
        # drop, so a packet that exceeds 5/minute matches nothing here and falls
        # through to `policy accept`. Logging and dropping need to be separate
        # rules (or the chain policy needs to be drop) for the drop to be
        # unconditional.
        limit rate 5/minute burst 5 packets counter packets 972 bytes 56710 log prefix " denied: " level debug drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        accept
    }
}
table inet fail2ban {
    # All three sets are typed ipv4_addr and no ipv6_addr set exists, so an
    # IPv6 address cannot be stored in this table as it stands. If fail2ban
    # creates its IPv6 objects lazily (on first IPv6 ban), their absence may
    # only mean no IPv6 ban has fired yet — check fail2ban.log for IPv6 Ban
    # entries before concluding the action is IPv4-only.
    set f2b-sshd { type ipv4_addr }
    set f2b-nginx-botsearch { type ipv4_addr }
    set f2b-recidive { type ipv4_addr }
    chain INPUT {
        type filter hook input priority 100; policy accept;
        # `ip protocol` and `ip saddr` match the IPv4 header only, even inside
        # an inet table; IPv6 packets never match these rules.
        # `hopopt-reserved` appears to be how nft prints the protocol range
        # 0-255 that the recidive jail sets via its `protocol` option.
        ip protocol hopopt-reserved ip saddr @f2b-recidive drop
        tcp dport { http, https} ip saddr @f2b-nginx-botsearch drop
        tcp dport { ssh} ip saddr @f2b-sshd drop
    }
}
/etc/nftables/fail2ban.conf
#!/usr/sbin/nft -f
# Pre-creates the table and base chain that the fail2ban nftables action adds
# its sets and rules to (family/table names match nftables-common.local).
# NOTE(review): /etc/nftables.conf uses `#!/usr/bin/nft -f`; the shebang is
# ignored when this file is pulled in through `include`, but the two paths
# should agree so the file also runs on its own.
table inet fail2ban {
    chain INPUT {
        type filter hook input priority 100;
    }
}
/etc/nftables.conf
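#!/usr/bin/nft -f
# Host firewall: a single inet table so the same rules cover IPv4 and IPv6.
# Loaded with `nft -f`; the fail2ban table/chain is pulled in by the include at
# the end so fail2ban's `add table`/`add chain` calls find it already present.
# NOTE(review): there is no `flush ruleset` here, so re-running this file
# appends duplicate rules; add one only if an accidental reload emptying the
# fail2ban sets (until fail2ban is restarted) is acceptable.
table inet filter {
    chain input {
        type filter hook input priority 0;
        ct state {established, related} accept
        ct state invalid drop
        iifname lo accept
        ip protocol icmp accept
        # ICMPv6 must be allowed for IPv6 to work at all (neighbour discovery,
        # path MTU). NOTE(review): `ip6 nexthdr` only matches when ICMPv6 is the
        # first header after the IPv6 header; `meta l4proto ipv6-icmp` also
        # matches behind extension headers — verify which you want.
        ip6 nexthdr icmpv6 accept
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
        # Log at most 5 packets/minute, then drop everything that reached this
        # point. The drop is a separate rule on purpose: when `limit` shares a
        # rule with `drop`, packets over the limit match nothing and fall
        # through to the chain's default policy, which is accept.
        limit rate 5/minute burst 5 packets log prefix " denied: " level debug
        counter drop
    }
    chain forward {
        type filter hook forward priority 0;
        drop
    }
    chain output {
        type filter hook output priority 0;
        accept
    }
}
include "/etc/nftables/fail2ban.conf"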
/etc/fail2ban/action.d/nftables-common.local
# Local override for the shared settings of the nftables actions.
[Init]
# Put the fail2ban objects in an inet table so one table can serve both
# address families.
nftables_family = inet
# Table name; matches `table inet fail2ban` in /etc/nftables/fail2ban.conf.
nftables_table = fail2ban
# Verdict used for banned addresses.
blocktype = drop
# Empty prefix; the live ruleset shows the resulting sets as f2b-<jail>.
nftables_set_prefix =
/etc/fail2ban/jail.local
# Local jail settings; anything not set here is taken from jail.conf.
[INCLUDES]
before = paths-arch.conf

[DEFAULT]
ignorecommand =
bantime = 1h
findtime = 10m
maxretry = 5
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
# Ban through nftables; family and table come from action.d/nftables-common.local.
banaction = nftables-multiport
banaction_allports = nftables-allports
# Each action_* value lists one action per line (continuation lines).
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
# NOTE(review): action_ is not defined in this file; presumably it comes from
# jail.conf — confirm it resolves to the intended ban-only action.
action = %(action_)s

[sshd]
enabled = true
mode = normal
filter = sshd[mode=%(mode)s]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2

[recidive]
enabled = true
# Reads fail2ban's own log to find hosts banned repeatedly by other jails.
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 3
# Whole IP-protocol range for the allports action. In the live ruleset this
# rendered as `ip protocol hopopt-reserved ...`, and `ip protocol` matches the
# IPv4 header only, so IPv6 offenders are not covered by that rule.
protocol = 0-255
/etc/fail2ban/filter.d/recidive.conf
# Recidive filter: matches fail2ban's own "Ban" notices written by other jails
# so that repeat offenders receive a longer ban.
[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions\s*
_jailname = recidive
# The negative lookahead excludes this jail's own bans so it does not feed
# itself. <HOST> is expanded by fail2ban; whether IPv6 addresses match is
# decided by that expansion, not by anything in this regex.
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =

[Init]
# Used when the jail reads from the journal instead of the log file.
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
/etc/fail2ban/filter.d/common.conf
# Shared regex fragments for syslog-style line prefixes; filters include this
# file and refer to the names below.
[DEFAULT]
_daemon = \S*
__pid_re = (?:\[\d+\])
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
__daemon_extra_re = \[ID \d+ \S+\]
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
__kernel_prefix = kernel: \[ *\d+\.\d+\]
__hostname = \S+
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
__bsd_syslog_verbose = <[^.]+\.[^.]+>
__vserver = @vserver_\S+
__date_ambit = (?:\[\])
# NOTE(review): as pasted, this value ends in `$`, which anchors the prefix to
# end-of-line and would make the `%(__prefix_line)s` alternative of recidive's
# failregex unmatchable (nothing can follow `$`). __daemon_combs_re and
# __daemon_extra_re above are defined but referenced nowhere in this copy,
# which suggests trailing optional groups using them were lost in the paste —
# compare with the installed file before relying on this listing.
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)$
__pam_auth = pam_unix
datepattern = {^LN-BEG}