服务器 Gind.cn
  1. 服务器 Gind.cn
  3. fail2ban不能在Ubuntu 14.04新鲜安装,为什么?
Intereting Posts
如何获得另一个子网上的所有MAC地址的报告? 在一个目录中查找一个文件名与20000个项目一样高效在数据库中查找一行? 两个Web主机,一个域名,如何分享这两个? 当我使用Powershell将用户添加到安全组时,他们不会显示在AD中 Apache重写将文件夹分配给域 以编程方式获取正在运行的ec2实例的列表 SQL Server复制只适用于企业版? 它是否需要双方的企业? 其他scheme? 使用terminal访问已经通过SMB安装的目录/文件? 301redirect规则负载平衡F5 BigIp Procurve交换机中的服务器到交换机的中继,这是什么意思? 零星的高stream量 生成一个CSR到一个特定的密码套件 累积的嵌套(警告)/ Apacheconfigurationmacros 如何在Xen虚拟机上安装CDROM? 在Exchange 2010中拨号扩展没有磅键

fail2ban不能在Ubuntu 14.04新鲜安装,为什么?

在安装和configurationfail2ban之后,我尝试用一​​个错误的密码通过sshlogin到我的服务器。 经过几次尝试,我试着用正确的密码成功。 所以,fail2ban没有禁止用户ip允许他login。 不pipe我设定的规则,maxretry = 1等

我的iptables -L输出: 

Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-SSH (1 references) target prot opt source destination RETURN all -- anywhere anywhere

这里是debugging日志,不完整的版本如下: 

 root@host:~# fail2ban-client -v -v -v start DEBUG Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/fail2ban.conf DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf'] INFO Using socket file /var/run/fail2ban/fail2ban.sock DEBUG Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/fail2ban.conf DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] DEBUG Reading configs for /etc/fail2ban/filter.d/sshd under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/filter.d/sshd.conf DEBUG Reading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/common.local', '/etc/fail2ban/filter.d/sshd.conf'] DEBUG Reading configs for /etc/fail2ban/action.d/iptables under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/action.d/iptables.conf DEBUG Reading files: ['/etc/fail2ban/action.d/iptables-blocktype.conf', '/etc/fail2ban/action.d/iptables-blocktype.local', '/etc/fail2ban/action.d/iptables.conf'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local [...] SKIPPED SOME READING CONFIG FILES here DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local'] INFO [# ] Waiting on the server...DEBUG Starting '/usr/bin/fail2ban-server' with args ['fail2ban-server', '-b', '-s', '/var/run/fail2ban/fail2ban.sock', '-p', '/var/run/fail2ban/fail2ban.pid'] 2014-05-22 15:29:14,376 fail2ban.server : INFO Starting Fail2ban v0.8.11 2014-05-22 15:29:14,376 fail2ban.server : INFO Starting in daemon mode DEBUG OK : 'pong' DEBUG OK : 3 DEBUG OK : '/var/log/fail2ban.log' DEBUG OK : 'ssh' DEBUG OK : 'warn' DEBUG OK : ['/var/log/auth.log'] DEBUG OK : 1 DEBUG OK : ['127.0.0.1/8'] DEBUG OK : 600 DEBUG OK : 600 DEBUG OK : ['^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)( via \\S+)?\\s*$'] DEBUG OK : ['^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)( via \\S+)?\\s*$', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)\\s*$'] [...] SKIPPED SOME REGEX HERE DEBUG OK : 'iptables' DEBUG OK : 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>' DEBUG OK : 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>' DEBUG OK : 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>' DEBUG OK : 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>' DEBUG OK : "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'" DEBUG OK : 'REJECT --reject-with icmp-port-unreachable' DEBUG OK : 'tcp' DEBUG OK : 'SSH' DEBUG OK : 'INPUT' DEBUG OK : 'ssh' DEBUG OK : None

我的fail2ban.log,jail.local: 

 tail /var/log/fail2ban.log 2014-05-22 15:30:27,729 fail2ban.server : INFO Exiting Fail2ban 2014-05-22 15:30:32,668 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11 2014-05-22 15:30:32,668 fail2ban.jail : INFO Creating new jail 'ssh' 2014-05-22 15:30:32,668 fail2ban.jail : INFO Jail 'ssh' uses poller 2014-05-22 15:30:32,679 fail2ban.jail : INFO Initiated 'polling' backend 2014-05-22 15:30:32,680 fail2ban.filter : INFO Added logfile = /var/log/auth.log 2014-05-22 15:30:32,681 fail2ban.filter : INFO Set maxRetry = 1 2014-05-22 15:30:32,681 fail2ban.filter : INFO Set findtime = 600 2014-05-22 15:30:32,682 fail2ban.actions: INFO Set banTime = 600 2014-05-22 15:30:32,716 fail2ban.jail : INFO Jail 'ssh' started

尾巴/etc/fail2ban/jail.local 

 [ssh] enabled = true logpath = /var/log/auth.log filter = sshd maxretry = 1 action = iptables[name=SSH, port=ssh, protocol=tcp] port = ssh tail /var/log/auth.log

tail /var/log/auth.log是空的!

root @ host:〜#fail2ban-client -d 

 ['set', 'loglevel', 3] ['set', 'logtarget', '/var/log/fail2ban.log'] ['add', 'ssh', 'polling'] ['set', 'ssh', 'usedns', 'warn'] ['set', 'ssh', 'addlogpath', '/var/log/auth.log'] ['set', 'ssh', 'maxretry', 1] ['set', 'ssh', 'addignoreip', '127.0.0.1/8'] ['set', 'ssh', 'findtime', 600] ['set', 'ssh', 'bantime', 600] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \\S+)?\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*Failed \\S+ for .*? from <HOST>(?: port \\d*)?(?: ssh\\d*)?(: (ruser .*|(\\S+ ID \\S+ \\(serial \\d+\\) CA )?\\S+ (?:[\\da-f]{2}:){15}[\\da-f]{2}(, client user ".*", client host ".*")?))?\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because listed in DenyUsers\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not in any group\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$'] ['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*$'] ['set', 'ssh', 'addfailregex', "^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"] ['set', 'ssh', 'addaction', 'iptables'] ['set', 'ssh', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>'] ['set', 'ssh', 'actionstop', 'iptables', 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>'] ['set', 'ssh', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>'] ['set', 'ssh', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>'] ['set', 'ssh', 'actioncheck', 'iptables', "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"] ['set', 'ssh', 'setcinfo', 'iptables', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'ssh', 'setcinfo', 'iptables', 'protocol', 'tcp'] ['set', 'ssh', 'setcinfo', 'iptables', 'name', 'SSH'] ['set', 'ssh', 'setcinfo', 'iptables', 'chain', 'INPUT'] ['set', 'ssh', 'setcinfo', 'iptables', 'port', 'ssh'] ['start', 'ssh']

其他信息: 

 dpkg -l |grep fail ii fail2ban 0.8.11-1 all ban hosts that cause multiple authentication errors /etc/init.d/fail2ban status * Status of authentication failure monitor * fail2ban is running fail2ban-client status Status |- Number of jail: 1 `- Jail list: ssh

任何提示? 感谢您的期待!

不知道是否相关,但我删除并重新创build/var/log/auth.log,因为我需要清空它,debugging情况

这可能是问题所在。 系统日志守护进程可能仍在写入原始的fd。 您应该尝试重新启动syslog守护程序以查看它是否开始login到正确的文件。 

 service rsyslog restart

一旦你有消息去auth.log它应该开始工作。

有时这是因为__bsd_syslog_verbose错误。 fail2ban期望/var/log/auth.log以YYYY.MM.DD (即:2014.10.15)开头,但日志读取MMM DD (即:10月15日)

要解决这个问题,您需要执行以下操作: 

 cp /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local

编辑common.local并设置: 

 __bsd_syslog_verbose = (<[^.]+ [^.]+>)

重新启动fail2ban:

Ubuntu(不要使用重新启动): 

 sudo service fail2ban stop sudo service fail2ban start

pyinotify问题:

https://github.com/fail2ban/fail2ban/issues/878 

 in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local

我将"backend = auto"改为"backend = polling" ,一切按预期工作;) 

 service fail2ban stop service fail2ban start

/var/log/auth.log很长一段时间是空的,所以在运行命令:service rsyslog restart之后

现在ssh错误的login尝试ip被禁止!