Linux的SSH服务器 – fail2ban将不会禁止IP地址

我的v-Server上有fail2ban的问题。我按照教程中的说明安装了所有东西，但是fail2ban不会阻塞ip地址。

/etc/init.d/fail2ban状态说：

* Status of authentication failure monitor * fail2ban is running

如果我testing我的filter：

 fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

有一些匹配，但在我的iptables没有条目

 Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh fail2ban-default tcp -- anywhere anywhere tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-SSH (1 references) target prot opt source destination RETURN all -- anywhere anywhere Chain fail2ban-default (1 references) target prot opt source destination

这是我的jail.conf：

 [ssh] enabled = true port = 22 filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 60 action = iptables[name=SSH, port=22, protocol=tcp]

在这里我的/filter.d/sshd.conf

 [Definition] _daemon = sshd # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$ ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =

和我的动作：/action.d/iptables.conf

 [Definition] actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name> actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP [Init] name = default port = ssh protocol = tcp chain = INPUT

我已经尝试了一切，并通过许多论坛search，但我找不到一个错误。如果我尝试使用错误的密码loginfail2ban，请不要禁止我，我可以继续login。难道fail2ban没有权限在iptables中写入内容吗？

也许任何人有一个想法该怎么做？谢谢

这是什么站在auth.log

 Jul 24 18:04:13 sshd[12438]: Invalid user sfdsdf from 79.224.101.224 Jul 24 18:04:13 sshd[12438]: input_userauth_request: invalid user sfdsdf [preauth] Jul 24 18:04:16 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:04:16 sshd[12438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net Jul 24 18:04:19 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2 Jul 24 18:04:20 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:04:22 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2 Jul 24 18:04:24 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:04:26 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2 Jul 24 18:04:28 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:04:30 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2 Jul 24 18:04:34 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:04:36 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2 Jul 24 18:04:37 sshd[12438]: fatal: Read from socket failed: Connection reset by peer [preauth] Jul 24 18:04:37 sshd[12438]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net Jul 24 18:04:37 sshd[12438]: PAM service(sshd) ignoring max retries; 5 > 3 Jul 24 18:04:53 sshd[12440]: Invalid user blabla from 79.224.101.224 Jul 24 18:04:53 sshd[12440]: input_userauth_request: invalid user blabla [preauth] Jul 24 18:04:55 sshd[12440]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:04:55 sshd[12440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net Jul 24 18:04:58 sshd[12440]: Failed password for invalid user blabla from 79.224.101.224 port 51194 ssh2 Jul 24 18:05:00 sshd[12440]: Connection closed by 79.224.101.224 [preauth] Jul 24 18:05:10 sshd[12442]: Invalid user hihi from 79.224.101.224 Jul 24 18:05:10 sshd[12442]: input_userauth_request: invalid user hihi [preauth] Jul 24 18:05:13 sshd[12442]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:05:13 sshd[12442]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net Jul 24 18:05:15 sshd[12442]: Failed password for invalid user hihi from 79.224.101.224 port 51195 ssh2 Jul 24 18:05:16 sshd[12442]: Connection closed by 79.224.101.224 [preauth] Jul 24 18:05:22 sshd[12444]: Connection closed by 79.224.101.224 [preauth] Jul 24 18:05:30 sshd[12446]: Invalid user hoho from 79.224.101.224 Jul 24 18:05:30 sshd[12446]: input_userauth_request: invalid user hoho [preauth] Jul 24 18:05:31 sshd[12446]: pam_unix(sshd:auth): check pass; user unknown Jul 24 18:05:31 sshd[12446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net Jul 24 18:05:34 sshd[12446]: Failed password for invalid user hoho from 79.224.101.224 port 51198 ssh2

您可以使用命令fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf来validation这些正则expression式中的任何一个是否匹配。对我来说，他们没有，原因是系统日志格式不匹配filters.d / common.conf中定义为__prefix_line的内容。

我的正则expression式的技巧吸吮，但这是非常可以修复的东西。

要使用除-L以外的任何命令运行iptables，它需要root权限; 因此，守护程序必须以root身份运行。

确认是这种情况。