Why is iptables not blocking an IP address?

I configured fail2ban to watch for a certain pattern of malicious traffic I was receiving and to ban the associated IP addresses.

Everything seems to be working fine: the regular expression matches the pattern correctly, and the offending IP address is added to iptables.

However, when I check the Apache logs, I still get hits from the banned IP address. It's as if iptables isn't running at all.

So let me share some details to confirm that everything is configured correctly.

First I flush and reload the iptables rules:

    $ sudo iptables -F
    $ cat /etc/iptables.firewall.rules
    *filter

    # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 -j REJECT

    # Accept all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow all outbound traffic - you can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT

    # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT

    # Allow SSH connections
    #
    # The -dport number should be the same port number you set in sshd_config
    #
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

    # Allow ping
    -A INPUT -p icmp -j ACCEPT

    # Log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

    # Drop all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j DROP
    -A FORWARD -j DROP

    COMMIT
    $ sudo iptables-restore < /etc/iptables.firewall.rules
    $ sudo iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
       14  1432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       11  1638 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Now, here is what the fail2ban configuration looks like:

    $ cat /etc/fail2ban/filter.d/apache-xmlrpc.conf
    [Definition]
    failregex = .*:80 <HOST> .*POST .*xmlrpc\.php.*
    ignoreregex =
    $ cat /etc/fail2ban/jail.local
    [apache-xmlrpc]
    enabled = true
    port = http,https
    filter = apache-xmlrpc
    logpath = /var/log/apache2/other_vhosts_access.log
    maxretry = 6
    $ fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-xmlrpc.conf

    Running tests
    =============

    Use regex file : /etc/fail2ban/filter.d/apache-xmlrpc.conf
    Use log file   : /var/log/apache2/other_vhosts_access.log


    Results
    =======

    Failregex
    |- Regular expressions:
    |  [1] .*:80 <HOST> .*POST .*xmlrpc\.php.*
    |
    `- Number of matches:
       [1] 29 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Addresses found:
    [1]
        80.82.70.239 (Sat Jul 13 02:41:52 2013)
        80.82.70.239 (Sat Jul 13 02:41:53 2013)
        80.82.70.239 (Sat Jul 13 02:41:55 2013)
        80.82.70.239 (Sat Jul 13 02:41:56 2013)
        80.82.70.239 (Sat Jul 13 02:41:57 2013)
        80.82.70.239 (Sat Jul 13 02:41:58 2013)
        80.82.70.239 (Sat Jul 13 02:41:59 2013)
        80.82.70.239 (Sat Jul 13 02:42:00 2013)
        80.82.70.239 (Sat Jul 13 02:42:02 2013)
        80.82.70.239 (Sat Jul 13 02:42:03 2013)
        80.82.70.239 (Sat Jul 13 02:42:04 2013)
        80.82.70.239 (Sat Jul 13 02:42:05 2013)
        80.82.70.239 (Sat Jul 13 02:42:06 2013)
        80.82.70.239 (Sat Jul 13 02:42:07 2013)
        80.82.70.239 (Sat Jul 13 02:42:09 2013)
        80.82.70.239 (Sat Jul 13 02:42:10 2013)
        80.82.70.239 (Sat Jul 13 02:42:11 2013)
        80.82.70.239 (Sat Jul 13 02:42:12 2013)
        80.82.70.239 (Sat Jul 13 02:42:13 2013)
        80.82.70.239 (Sat Jul 13 02:42:15 2013)
        80.82.70.239 (Sat Jul 13 02:42:16 2013)
        80.82.70.239 (Sat Jul 13 02:42:17 2013)
        80.82.70.239 (Sat Jul 13 02:42:18 2013)
        80.82.70.239 (Sat Jul 13 02:42:19 2013)
        80.82.70.239 (Sat Jul 13 02:42:20 2013)
        80.82.70.239 (Sat Jul 13 02:42:22 2013)
        80.82.70.239 (Sat Jul 13 02:42:23 2013)
        80.82.70.239 (Sat Jul 13 02:42:24 2013)
        80.82.70.239 (Sat Jul 13 02:42:25 2013)

    Date template hits:
    0 hit(s): MONTH Day Hour:Minute:Second
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    70 hit(s): Day/MONTH/Year:Hour:Minute:Second
    0 hit(s): Month/Day/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Year.Month.Day Hour:Minute:Second
    0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): Day-Month-Year Hour:Minute:Second
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    0 hit(s): Hour:Minute:Second
    0 hit(s): <Month/Day/Year@Hour:Minute:Second>

    Success, the total number of match is 29

    However, look at the above section 'Running tests' which could contain important
    information.

As you can see, I set a failregex in the filter and enabled the filter. Using fail2ban-regex, the filter finds matches in the log file I'm monitoring. (I'm actively being hit by the IP address in question, which makes testing very easy.)

So now I restart fail2ban and watch the rules take effect:

    $ sudo service fail2ban restart
     * Restarting authentication failure monitor fail2ban          [ OK ]
    $ tail /var/log/fail2ban.log -n 50
    2013-07-13 02:42:58,014 fail2ban.server : INFO   Stopping all jails
    2013-07-13 02:42:58,745 fail2ban.jail   : INFO   Jail 'apache-xmlrpc' stopped
    2013-07-13 02:42:59,439 fail2ban.jail   : INFO   Jail 'ssh' stopped
    2013-07-13 02:42:59,440 fail2ban.server : INFO   Exiting Fail2ban
    2013-07-13 02:43:08,055 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
    2013-07-13 02:43:08,057 fail2ban.jail   : INFO   Creating new jail 'ssh'
    2013-07-13 02:43:08,111 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
    2013-07-13 02:43:08,397 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2013-07-13 02:43:08,404 fail2ban.filter : INFO   Set maxRetry = 6
    2013-07-13 02:43:08,414 fail2ban.filter : INFO   Set findtime = 600
    2013-07-13 02:43:08,435 fail2ban.actions: INFO   Set banTime = 600
    2013-07-13 02:43:09,277 fail2ban.jail   : INFO   Creating new jail 'apache-xmlrpc'
    2013-07-13 02:43:09,277 fail2ban.jail   : INFO   Jail 'apache-xmlrpc' uses Gamin
    2013-07-13 02:43:09,283 fail2ban.filter : INFO   Added logfile = /var/log/apache2/other_vhosts_access.log
    2013-07-13 02:43:09,286 fail2ban.filter : INFO   Set maxRetry = 6
    2013-07-13 02:43:09,289 fail2ban.filter : INFO   Set findtime = 600
    2013-07-13 02:43:09,292 fail2ban.actions: INFO   Set banTime = 600
    2013-07-13 02:43:09,458 fail2ban.jail   : INFO   Jail 'ssh' started
    2013-07-13 02:43:09,792 fail2ban.jail   : INFO   Jail 'apache-xmlrpc' started
    2013-07-13 02:43:11,361 fail2ban.actions: WARNING [apache-xmlrpc] Ban 80.82.70.239
    $ sudo iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      244 39277 fail2ban-apache-xmlrpc  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
      101  7716 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
     3404  582K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      349 20900 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        2    80 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
        2    80 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     3331 4393K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-apache-xmlrpc (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       80.82.70.239         0.0.0.0/0
      244 39277 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-ssh (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       223.4.147.8          0.0.0.0/0
      101  7716 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

As the fail2ban log shows, the ruleset appears to be configured correctly. You can already see that the offending IP address is caught and banned immediately. The iptables output shows that it is actually being dropped.

But, as I've noticed, the IP address matched under the fail2ban-apache-xmlrpc chain has no dropped packets. Sure enough, when I check the Apache log:

    $ tail /var/log/apache2/other_vhosts_access.log
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:53 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:54 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:56 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:57 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:58 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:59 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:44:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"
    www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:44:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 474 "-" "-"

No, it is not being blocked! I can confirm this in the fail2ban log as well:

    $ tail /var/log/fail2ban.log
    2013-07-13 02:52:30,757 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
    2013-07-13 02:52:37,767 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
    2013-07-13 02:52:44,783 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
    2013-07-13 02:52:51,814 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
    2013-07-13 02:52:58,830 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
    2013-07-13 02:53:05,842 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
    2013-07-13 02:53:11,858 fail2ban.actions: WARNING [apache-xmlrpc] Unban 80.82.70.239
    2013-07-13 02:53:12,910 fail2ban.actions: WARNING [apache-xmlrpc] Ban 80.82.70.239
    2013-07-13 02:53:20,118 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
    2013-07-13 02:53:27,129 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned

It keeps showing up in the Apache log, so fail2ban keeps trying to ban it!

I really cannot figure out for the life of me why iptables won't drop traffic from this IP address. The rule order looks correct to me, with the DROP before anything else.

Google has a bunch of results from people running into similar problems, but it always seems to come back to the problem of banning SSH traffic when it's on a non-standard port. In my case I'm just trying to ban an IP address on the standard HTTP port 80.

I hope I'm just overlooking something simple. This is a VPS running Ubuntu 12.04 on Linode. If anyone has any ideas, please let me know. Many thanks...

EDIT: Here is the output of iptables -S

    $ sudo iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N fail2ban-apache-xmlrpc
    -N fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-xmlrpc
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A INPUT -j DROP
    -A FORWARD -j DROP
    -A OUTPUT -j ACCEPT
    -A fail2ban-apache-xmlrpc -s 80.82.70.239/32 -j DROP
    -A fail2ban-apache-xmlrpc -j RETURN
    -A fail2ban-ssh -s 223.4.147.8/32 -j DROP
    -A fail2ban-ssh -j RETURN

The iptables -S output looks correct; I have no idea how 80.82.70.239/32 is getting through the firewall to any:80 on your server. My first guess is that you have a proxy/load balancer in front of the server and Apache is logging the HTTP_X_FORWARDED_FOR header (or whatever it's called). If that turns out to be the case, you will have to move the firewall logic to the proxy/load balancer or to the application level (have Apache read the FORWARDED_FOR header and deny access).

Either way:

The next step I would take is to capture the output of iptables -S as posted above, disable fail2ban, and put the fail2ban chains and IP address blocks from the configuration into iptables directly.

But with the following -A rule added:

    -A INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP: "

If you'd rather trap both 80 and 443, go ahead. The idea is that if we watch the packets coming from the suspicious source, the firewall log may show us what we're missing.

The iptables output actually shows that, although there is a rule for the IP address that fail2ban thinks it should be filtering out, no packets have gone through the fail2ban xmlrpc chain and actually been dropped by that rule. Instead, all 224 packets that went through that chain were accepted.

That said, the rules are indeed correct. However, there seems to be more traffic accepted by the TCP port 80 rule than went through the fail2ban filter chain. The most likely cause is that the traffic you want to block came in while the fail2ban chain was not yet inserted into INPUT (I notice you don't have it in your default rules, which may be fine, but it means that if you reload iptables the fail2ban chain will not take effect immediately).

Try running iptables -Z to zero the packet counters and watch the output of iptables -nvL again. The output should not be the same. Also, consider saving the fail2ban chain rules in your initial iptables rules (/etc/iptables.firewall.rules). Save the delegation rule like this one:

    fail2ban-apache-xmlrpc  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Also save the existence of the chain (e.g. fail2ban-apache-xmlrpc), but not the actual banned IPs.

I ran into the same problem as you on my own site. Very similar setup: LAMP stack, a few working fail2ban jails, but I was still seeing IP addresses that were supposedly banned showing up in the access log file. I don't have any proxy/load balancer in front of Apache.

The solution to my problem was very simple: move the ban statements to the top of the iptables configuration file!
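The two answers above both come down to rule order: a ban in the fail2ban chain only bites if the jump into that chain is evaluated before the ACCEPT rules for port 80/443 and for ESTABLISHED traffic. The example below is added here and is not from the question or either answer; it replays first-match semantics over a small ruleset modelled on the question's iptables -S output (constructed, trimmed to the rules that matter, and supporting only the match options that appear in it) so the three situations, jump first, jump absent and jump appended last, can be compared.

```python
import ipaddress, shlex

# Constructed sample modelled on the iptables -S output in the question (not the full ruleset).
JUMP = "-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-xmlrpc\n"
IPTABLES_S = "-P INPUT ACCEPT\n-N fail2ban-apache-xmlrpc\n" + JUMP + """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-apache-xmlrpc -s 80.82.70.239/32 -j DROP
-A fail2ban-apache-xmlrpc -j RETURN
"""
NO_JUMP = IPTABLES_S.replace(JUMP, "")             # ruleset before fail2ban inserted its chain
JUMP_LAST = NO_JUMP.replace("-A INPUT -j DROP\n", JUMP + "-A INPUT -j DROP\n")  # jump appended

def parse_rules(text):
    """Split 'iptables -S' output into {chain: [rule tokens]} and {chain: policy}."""
    chains, policies = {}, {}
    for cmd, chain, *rest in map(shlex.split, text.splitlines()):
        if cmd == "-P":
            policies[chain] = rest[0]
        else:                                      # -N declares a chain, -A appends a rule
            chains.setdefault(chain, []).extend([rest] if cmd == "-A" else [])
    return chains, policies

def rule_matches(rule, pkt):
    """Apply the match options of one rule to a packet dict; '-m' and '-j' carry no test."""
    o = dict(zip(rule[::2], rule[1::2]))           # every option in this sample takes one argument
    return (("-p" not in o or o["-p"] == pkt["proto"])
            and ("-s" not in o or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(o["-s"]))
            and ("--dport" not in o or int(o["--dport"]) == pkt["dport"])
            and ("--dports" not in o or pkt["dport"] in {int(p) for p in o["--dports"].split(",")})
            and ("--state" not in o or pkt["state"] in o["--state"].split(",")))

def verdict(chains, policies, chain, pkt):
    """Walk a chain in first-match order, descending into user chains and honouring RETURN."""
    for rule in filter(lambda r: rule_matches(r, pkt), chains.get(chain, [])):
        target = rule[rule.index("-j") + 1]
        if target == "RETURN":
            return None
        if target in chains:                       # jump into a user-defined chain
            sub = verdict(chains, policies, target, pkt)
            if sub is not None:
                return sub
        elif target != "LOG":                      # LOG is non-terminating; anything else ends the walk
            return target
    return policies.get(chain)                     # built-in policy, or None (implicit RETURN)

def check(ruleset, src, dport, state="NEW"):
    """Verdict INPUT gives a TCP packet from src to dport; e.g. check(IPTABLES_S, "80.82.70.239", 80) -> "DROP"."""
    chains, policies = parse_rules(ruleset)
    return verdict(chains, policies, "INPUT", {"proto": "tcp", "src": src, "dport": dport, "state": state})
```

With the jump first, the banned address is dropped whether the packet is NEW or ESTABLISHED; with the jump missing or appended after the port-80 ACCEPT, the same packet is accepted and the ban rule's counter stays at zero, which is exactly what the question's iptables -nvL output shows.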