Fail2ban not working on Ubuntu 12.04

I am trying to implement fail2ban on an Ubuntu 12.04 x64 server. I did the following:

apt-get install fail2ban

Made a copy of jail.conf at /etc/fail2ban/jail.conf.local; here is an excerpt of jail.conf:

    [DEFAULT]
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1/8
    bantime = 600
    maxretry = 3

    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 600

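Then I ran service fail2ban restart, and I do see it running. Now I try to log in multiple times in a row as a user (root, a random user, etc.), and it does not block my IP address. I have iptables installed, it is using the rules I have already set up, and I do have an INPUT chain of course.

When I cat /var/log/auth.log this is what I see: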

    Oct 26 08:55:21 prod sshd[10935]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
    Oct 26 08:55:23 prod sshd[10935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:55:25 prod sshd[10935]: Failed password for root from 75.89.97.25 port 61449 ssh2
    Oct 26 08:55:32 sshd[10935]: last message repeated 2 times
    Oct 26 08:55:32 prod sshd[10935]: Connection closed by 75.89.97.25 [preauth]
    Oct 26 08:55:32 prod sshd[10935]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:55:34 prod sshd[10944]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
    Oct 26 08:55:35 prod sshd[10944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:55:37 prod sshd[10944]: Failed password for root from 75.89.97.25 port 61452 ssh2
    Oct 26 08:55:44 sshd[10944]: last message repeated 2 times
    Oct 26 08:55:44 prod sshd[10944]: Connection closed by 75.89.97.25 [preauth]
    Oct 26 08:55:44 prod sshd[10944]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:55:47 prod sshd[10951]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
    Oct 26 08:55:51 prod sshd[10951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:55:52 prod sshd[10951]: Failed password for root from 75.89.97.25 port 61455 ssh2
    Oct 26 08:56:00 sshd[10951]: last message repeated 2 times
    Oct 26 08:56:00 prod sshd[10951]: Connection closed by 75.89.97.25 [preauth]
    Oct 26 08:56:00 prod sshd[10951]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:56:13 prod sshd[10971]: reverse mapping checking getaddrinfo for firewall.jaincpa.com [75.89.97.25] failed - POSSIBLE BREAK-IN ATTEMPT!
    Oct 26 08:56:15 prod sshd[10971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:56:16 prod sshd[10971]: Failed password for root from 75.89.97.25 port 61459 ssh2
    Oct 26 08:56:22 sshd[10971]: last message repeated 2 times
    Oct 26 08:56:22 prod sshd[10971]: Connection closed by 75.89.97.25 [preauth]
    Oct 26 08:56:22 prod sshd[10971]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.89.97.25 user=root
    Oct 26 08:57:18 prod sshd[11002]: Connection closed by 50.116.16.93 [preauth]
    Oct 26 09:00:01 prod CRON[11099]: pam_unix(cron:session): session opened for user deploy by (uid=0)
    Oct 26 09:00:02 prod CRON[11099]: pam_unix(cron:session): session closed for user deploy
    Oct 26 09:02:18 prod sshd[11186]: Connection closed by 50.116.16.93 [preauth]
    root@prod:/etc/fail2ban#

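So it looks like I am authenticating via PAM through sshd, but fail2ban does not block my IP address, and I can still attempt to log in, and do log in when I provide the proper credentials.

I would like to get this working because I have recently seen a lot of brute-force attacks on the server. Any help would be appreciated.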

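It looks like I needed to specify the backend to get this working. It was defaulting to gamin, which was not working. I changed the configuration to backend = polling and got fail2ban working correctly. I have not received any email notifications of the bans yet, but I am close to figuring that out too.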
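
The check below is an added example, not part of the original posts and not fail2ban's own code: it replays the "Failed password" lines from the auth.log excerpt against the jail's maxretry = 3 to see whether the log alone held enough evidence for a ban. The regex is a simplified stand-in for the sshd filter, findtime = 600 is assumed because the excerpt does not show it, the year is an arbitrary placeholder (syslog timestamps carry none), and first_bans is a hypothetical helper name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines copied from the auth.log excerpt in the question (subset).
AUTH_LOG = """\
Oct 26 08:55:25 prod sshd[10935]: Failed password for root from 75.89.97.25 port 61449 ssh2
Oct 26 08:55:32 sshd[10935]: last message repeated 2 times
Oct 26 08:55:37 prod sshd[10944]: Failed password for root from 75.89.97.25 port 61452 ssh2
Oct 26 08:55:52 prod sshd[10951]: Failed password for root from 75.89.97.25 port 61455 ssh2
Oct 26 08:56:16 prod sshd[10971]: Failed password for root from 75.89.97.25 port 61459 ssh2
Oct 26 08:57:18 prod sshd[11002]: Connection closed by 50.116.16.93 [preauth]
"""

# Simplified stand-in for one failure pattern of the sshd filter
# (assumption: this is not the regex shipped with fail2ban).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+"
)

def first_bans(log_text, maxretry=3, findtime=600, year=2012):
    """Map each IP to the time of the failure that reaches maxretry within findtime seconds."""
    window = defaultdict(deque)   # per-IP timestamps still inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["host"] in bans:
            continue              # not a counted failure, or this IP already crossed the threshold
        # year is a placeholder: it only makes the timestamp parseable
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = window[m["host"]]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=findtime):
            hits.popleft()        # drop failures older than the window
        if len(hits) >= maxretry:
            bans[m["host"]] = ts
    return bans

if __name__ == "__main__":
    for ip, when in first_bans(AUTH_LOG).items():
        print(f"{ip} reaches maxretry at {when:%H:%M:%S}")
```

With the jail's maxretry = 3, the third counted failure at 08:55:52 reaches the threshold, so the log held enough matching lines for a ban; that is consistent with the answer's finding that the problem was in how the log was being monitored (the backend) rather than in the jail thresholds.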