在Fail2Ban中,如何更改SSH端口号?

在我的服务器,ssh端口不是标准的22.我已经设置了一个不同的。 如果我设置fail2ban,它是否能够检测到该端口? 我怎么能告诉它检查端口,而不是端口22?

iptables -L -v -n的输出:

  Chain fail2ban-ssh (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 119.235.2.158 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-ssh-ddos (0 references) pkts bytes target prot opt in out source destination 

服务iptables状态的输出:

 iptables: unrecognized service 

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

 Summary ======= Addresses found: [1] [2] [3] 113.59.222.240 (Wed Mar 21 18:24:47 2012) 113.59.222.240 (Wed Mar 21 18:24:52 2012) 119.235.14.153 (Wed Mar 21 21:52:53 2012) 113.59.222.21 (Thu Mar 22 07:50:44 2012) 176.9.57.203 (Fri Mar 23 19:34:29 2012) 176.9.57.203 (Fri Mar 23 19:34:42 2012) 113.59.222.56 (Sat Mar 31 14:23:52 2012) 113.59.222.56 (Sat Mar 31 14:24:05 2012) 119.235.14.183 (Mon Apr 02 20:49:13 2012) 119.235.14.168 (Sat Apr 21 09:58:56 2012) 119.235.2.158 (Wed Apr 25 13:11:03 2012) 119.235.2.158 (Wed Apr 25 13:11:40 2012) 119.235.2.158 (Wed Apr 25 13:11:43 2012) 119.235.2.158 (Wed Apr 25 13:11:47 2012) 119.235.2.158 (Wed Apr 25 13:12:49 2012) 119.235.2.158 (Wed Apr 25 13:12:52 2012) 119.235.2.158 (Wed Apr 25 13:12:55 2012) 119.235.2.158 (Wed Apr 25 13:12:58 2012) 119.235.2.158 (Wed Apr 25 13:13:02 2012) 119.235.2.158 (Wed Apr 25 13:13:04 2012) 119.235.2.158 (Wed Apr 25 13:13:25 2012) 119.235.2.158 (Wed Apr 25 13:19:18 2012) 119.235.2.158 (Wed Apr 25 13:19:52 2012) 119.235.2.158 (Wed Apr 25 13:19:55 2012) 119.235.2.158 (Wed Apr 25 13:19:55 2012) 119.235.2.158 (Wed Apr 25 13:19:58 2012) 119.235.2.158 (Wed Apr 25 13:20:02 2012) 119.235.2.158 (Wed Apr 25 13:20:05 2012) 119.235.2.158 (Wed Apr 25 13:40:16 2012) [4] [5] 119.235.2.158 (Wed Apr 25 13:11:38 2012) 119.235.2.158 (Wed Apr 25 13:12:46 2012) 119.235.2.158 (Wed Apr 25 13:19:49 2012) [6] 119.235.2.155 (Wed Mar 21 13:13:30 2012) 113.59.222.240 (Wed Mar 21 18:24:43 2012) 119.235.14.153 (Wed Mar 21 21:52:51 2012) 176.9.57.203 (Fri Mar 23 19:34:26 2012) 119.235.2.158 (Wed Apr 25 13:19:15 2012) [7] [8] [9] [10] Date template hits: 1169837 hit(s): MONTH Day Hour:Minute:Second 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second 0 hit(s): Year/Month/Day Hour:Minute:Second 0 hit(s): Day/Month/Year Hour:Minute:Second 0 hit(s): Day/Month/Year Hour:Minute:Second 0 hit(s): Day/MONTH/Year:Hour:Minute:Second 0 hit(s): Month/Day/Year:Hour:Minute:Second 0 hit(s): Year-Month-Day Hour:Minute:Second 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond] 0 hit(s): Day-Month-Year Hour:Minute:Second 0 hit(s): TAI64N 0 hit(s): Epoch 0 hit(s): ISO 8601 0 hit(s): Hour:Minute:Second 0 hit(s): <Month/Day/Year@Hour:Minute:Second> Success, the total number of match is 37 However, look at the above section 'Running tests' which could contain important information. 

jail.conf

  # Fail2Ban configuration file. # # This file was composed for Debian systems from the original one # provided now under /usr/share/doc/fail2ban/examples/jail.conf # for additional examples. # # To avoid merges during upgrades DO NOT MODIFY THIS FILE # and rather provide your changes in /etc/fail2ban/jail.local # # Author: Yaroslav O. Halchenko <[email protected]> # # $Revision: 281 $ # # The DEFAULT allows a global definition of the options. They can be override # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 bantime = 14400 maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". # yoh: For some reason Debian shipped python-gamin didn't work as expected # This issue left ToDo, so polling is default backend for now backend = polling # # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = root@localhost # # ACTIONS # # Default banning action (eg iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overriden globally or per # section within jail.local file banaction = iptables-multiport # email action. Since 0.8.1 upstream fail2ban uses sendmail # MTA for the mailing. Change mta configuration parameter to mail # if you want to revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (eg action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # # [SECTION_NAME] # enabled = true # # in /etc/fail2ban/jail.local. # # Optionally you may override any other parameter (eg banaction, # action, port, logpath, etc) in that section within jail.local [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 4 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6 [xinetd-fail] enabled = false filter = xinetd-fail port = all banaction = iptables-multiport-log logpath = /var/log/daemon.log maxretry = 2 [ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 6 # # HTTP servers # [apache] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 # default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 [apache-noscript] enabled = false port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] enabled = false port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 [nginx-auth] enabled = true filter = nginx-auth action = iptables-multiport[name=NoAuthFailures, port="http,https"] logpath = /var/log/nginx*/*error*.log bantime = 600 # 10 minutes maxretry = 6 [nginx-login] enabled = true filter = nginx-login action = iptables-multiport[name=NoLoginFailures, port="http,https"] logpath = /var/log/nginx*/*access*.log bantime = 600 # 10 minutes maxretry = 6 [nginx-badbots] enabled = true filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] logpath = /var/log/nginx*/*access*.log bantime = 86400 # 1 day maxretry = 1 [nginx-noscript] enabled = true action = iptables-multiport[name=NoScript, port="http,https"] filter = nginx-noscript logpath = /var/log/nginx*/*access*.log maxretry = 6 bantime = 86400 # 1 day [nginx-proxy] enabled = true action = iptables-multiport[name=NoProxy, port="http,https"] filter = nginx-proxy logpath = /var/log/nginx*/*access*.log maxretry = 0 bantime = 86400 # 1 day # # FTP servers # [vsftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = vsftpd logpath = /var/log/vsftpd.log # or overwrite it in jails.local to be # logpath = /var/log/auth.log # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats maxretry = 6 [proftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 6 [wuftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = wuftpd logpath = /var/log/auth.log maxretry = 6 # # Mail servers # [postfix] enabled = false port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log [couriersmtp] enabled = false port = smtp,ssmtp filter = couriersmtp logpath = /var/log/mail.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courierauth] enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = courierlogin logpath = /var/log/mail.log [sasl] enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl # You might consider monitoring /var/log/warn.log instead # if you are running postfix. See http://bugs.debian.org/507990 logpath = /var/log/mail.log # DNS Servers # These jails block attacks against named (bind9). By default, logging is off # with bind9 installation. You will need something like this: # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; # # in your named.conf to provide proper logging # !!! WARNING !!! # Since UDP is connectionless protocol, spoofing of IP and immitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. #[named-refused-udp] # #enabled = false #port = domain,953 #protocol = udp #filter = named-refused #logpath = /var/log/named/security.log [named-refused-tcp] enabled = false port = domain,953 protocol = tcp filter = named-refused logpath = /var/log/named/security.log 

我只注意到fail2ban log中的一个错误:

2012-04-25 14:57:29,359 fail2ban.actions.action:错误iptables -N fail2ban-ssh-ddos

    Fail2Ban使用文件/etc/fail2ban/jail.local并查找[ssh]部分,您可以在那里更改端口。

     [ssh] enabled = true port = ssh 

    您可以将port值更改为任何正整数。

    如果它不工作,你想进一步看看/etc/fail2ban/jail.conf ,应该是这样的:

      logpath = /var/log/auth.log 

    这是fail2ban使用检测虚假login的原因。

    如果工作不正常,可以尝试一些事情来查明问题。 从检查是否安装开始:

     dpkg -l |grep fail 

    检查服务是否正在运行:

     /etc/init.d/fail2ban status 

    检查你的SSH监狱是否设置:

     sudo fail2ban-client status 

    检查日志文件:

     fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf 

    检查你的date/时间:

     date && tail -2 /var/log/auth.log 

    (你应该首先得到date,然后是auth.log的最后一行,如果你仍然不能确定错误,请将你的configuration文件添加到你的文章中。

    fail2ban将检测login尝试与日志内容。 fail2ban不要使用端口进行检测,只能阻塞。
    要阻止正确的端口,你必须告诉fail2ban哪一个才能正确设置iptable。
    进入/etc/fail2ban/jail.local

     [ssh] enabled = true port = ssh <-- just modify this with your port port = 1234 

    另一种方法是阻止有问题的主机的一切。 所以iptable将从他们的每一个paquets,不仅ssh的。
    /etc/fail2ban/jail.local的开头:

     banaction = iptables-multiport <-- regular blocking (one or several ports) banaction = iptables-allports <-- block everything 

    有了iptables-allports你不必担心端口。 只保留默认的。

    简而言之:如果您更改了ssh端口号,您必须将其添加到jail.conf文件中!

    例如:(我在端口1234上使用SSH,SFTP)

    jail.conf

     [ssh] enabled = true port = ssh,sftp,1234 filter = sshd logpath = /var/log/auth.log maxretry = 6 

    我知道这不是严格地回答这个问题,但无论如何…

    作为解决问题的另一种方法,可以考虑在服务器configuration中保留标准端口,然后在路由器中执行NAT。

    例如,在我的设置中,我也没有从外部使用标准的SSH端口,但我的服务器configuration是标准的SSH(以及它的FTP,VPN等),我只是打开非标准端口在路由器和让他们转发到标准端口。

    这样做可以节省我很多时间configuration我的设置。