Centos
Fail2ban 嚴重異常 - 不阻止 ips
我試圖讓 fail2ban 在 CentOS7(沒有 SELinux)上執行,它使用 firewalld。我的目標是將其設置為禁止 Asterisk 密碼失敗。
安裝程序是預設的 yum install fail2ban
配置方面,我只添加了 jail.local 如下:
[DEFAULT] backend = systemd banaction = firewallcmd-ipset destemail = xx@xxx.com sender = donotreply@xxx.com [asterisk] enabled = true #filter = asterisk #logpath = /var/log/asterisk/messages maxretry = 5 bantime = 86400
現在,當我重新啟動 fail2ban 服務時,我得到如下的 fail2ban.log 條目:
2015-04-26 13:35:18,149 fail2ban.server [2820]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1 2015-04-26 13:35:18,151 fail2ban.database [2820]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2015-04-26 13:35:18,158 fail2ban.jail [2820]: INFO Creating new jail 'asterisk' 2015-04-26 13:35:18,182 fail2ban.jail [2820]: INFO Jail 'asterisk' uses systemd 2015-04-26 13:35:18,213 fail2ban.jail [2820]: INFO Initiated 'systemd' backend 2015-04-26 13:35:18,220 fail2ban.filter [2820]: INFO Set maxRetry = 5 2015-04-26 13:35:18,222 fail2ban.actions [2820]: INFO Set banTime = 86400 2015-04-26 13:35:18,223 fail2ban.filter [2820]: INFO Set findtime = 600 2015-04-26 13:35:18,309 fail2ban.filtersystemd [2820]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons. 2015-04-26 13:35:18,331 fail2ban.jail [2820]: INFO Jail 'asterisk' started 2015-04-26 13:35:18,488 fail2ban [2820]: CRITICAL Unhandled exception in Fail2Ban: Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/fail2ban/server/jailthread.py", line 64, in run_with_except_hook run(*args, **kwargs) File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 244, in run *self.formatJournalEntry(logentry)) File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 172, in formatJournalEntry 'SYSLOG_PID', logentry['_PID'])) KeyError: '_PID' 2015-04-26 13:35:19,211 fail2ban.actions [2820]: NOTICE [asterisk] Ban 212.129.1.26 2015-04-26 13:35:19,534 fail2ban.actions [2820]: NOTICE [asterisk] Ban 212.83.187.182
我不明白缺少什麼。日誌中的那兩個“禁止”操作實際上沒有發生(我仍然在 Asterisk 日誌中看到來自這些 IP 的嘗試)
我認為你在這裡走錯了路。Asterisk 正在從簡單的安全事件日誌(到平面文件)轉向通過 AMI 轉向安全事件。考慮基於 AMI 事件而不是安全日誌進行阻止。fail2ban 有許多免費的替代品(請查看http://www.voip-info.org/wiki/view/Asterisk+security的範例)。
更重要的是,隨著 Asterisk 從 SIP 更改為 PJSIP,日誌消息已更改(並且仍在更改),因此您必須定期更新您的正則表達式條目,否則安全事件可能會超出您的 fail2ban 設置。這是一個鼴鼠的方法……