Centos

Fail2ban serious anomaly - does not block IPs

  • June 12, 2015

I am trying to get fail2ban running on CentOS 7 (without SELinux), which uses firewalld. My goal is to set it up to ban Asterisk password failures.

The installation was the default yum install fail2ban

For configuration, I only added jail.local as follows:

[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
destemail = xx@xxx.com
sender = donotreply@xxx.com


[asterisk]
enabled = true
#filter = asterisk
#logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 86400

Now, when I restart the fail2ban service, I get fail2ban.log entries like the following:

2015-04-26 13:35:18,149 fail2ban.server         [2820]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-04-26 13:35:18,151 fail2ban.database       [2820]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-04-26 13:35:18,158 fail2ban.jail           [2820]: INFO    Creating new jail 'asterisk'
2015-04-26 13:35:18,182 fail2ban.jail           [2820]: INFO    Jail 'asterisk' uses systemd
2015-04-26 13:35:18,213 fail2ban.jail           [2820]: INFO    Initiated 'systemd' backend
2015-04-26 13:35:18,220 fail2ban.filter         [2820]: INFO    Set maxRetry = 5
2015-04-26 13:35:18,222 fail2ban.actions        [2820]: INFO    Set banTime = 86400
2015-04-26 13:35:18,223 fail2ban.filter         [2820]: INFO    Set findtime = 600
2015-04-26 13:35:18,309 fail2ban.filtersystemd  [2820]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2015-04-26 13:35:18,331 fail2ban.jail           [2820]: INFO    Jail 'asterisk' started
2015-04-26 13:35:18,488 fail2ban                [2820]: CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
 File "/usr/lib/python2.7/site-packages/fail2ban/server/jailthread.py", line 64, in run_with_except_hook
   run(*args, **kwargs)
 File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 244, in run
   *self.formatJournalEntry(logentry))
 File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 172, in formatJournalEntry
   'SYSLOG_PID', logentry['_PID']))
KeyError: '_PID'
2015-04-26 13:35:19,211 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.129.1.26
2015-04-26 13:35:19,534 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.83.187.182

I don't understand what is missing. Those two "Ban" actions in the log did not actually happen (I still see attempts from those IPs in the Asterisk log)
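The failure in the question's traceback, re-created and made tolerant, as an added example that is not part of the original post or of the fail2ban project. The journal record dicts, the hostname and the 198.51.100.7 address are constructed; the log lines are abridged from the question. It shows why a lookup of the shape `logentry.get('SYSLOG_PID', logentry['_PID'])` raises for any journal record without `_PID` (Python evaluates the default argument eagerly, so even a record that has `SYSLOG_PID` crashes), a formatter that degrades instead of killing the filter thread, and a small checker that reads fail2ban.log and reports ban notices next to any unhandled exception, which is the first thing to check when a 'Ban' line seems not to have taken effect.

```python
"""Added example (not code from the original question or from fail2ban).
Journal records and log lines below are constructed; the log lines are
abridged from the question."""
import re
from datetime import datetime

# Constructed records shaped like the dicts python-systemd's Reader yields.
ENTRY_WITH_PID = {
    "__REALTIME_TIMESTAMP": datetime(2015, 4, 26, 13, 35, 18),
    "_HOSTNAME": "pbx",
    "SYSLOG_IDENTIFIER": "asterisk",
    "SYSLOG_PID": 1234,
    "_PID": 1234,
    "MESSAGE": "chan_sip.c: Registration from '100' failed for '198.51.100.7:5060' - Wrong password",
}
# Same record with the trusted _PID field absent (constructed edge case).
ENTRY_SYSLOG_PID_ONLY = {k: v for k, v in ENTRY_WITH_PID.items() if k != "_PID"}
# A journal-internal message: no SYSLOG_* fields and no _PID at all.
ENTRY_WITHOUT_PID = {
    "__REALTIME_TIMESTAMP": datetime(2015, 4, 26, 13, 35, 18),
    "_HOSTNAME": "pbx",
    "_COMM": "systemd-journal",
    "MESSAGE": "Runtime journal is using 8.0M",
}


def format_journal_entry_fragile(entry):
    """Lookup shape seen in the traceback: logentry['_PID'] is the default
    argument, so it is evaluated even when SYSLOG_PID is present."""
    ident = entry.get("SYSLOG_IDENTIFIER", entry.get("_COMM", ""))
    pid = entry.get("SYSLOG_PID", entry["_PID"])
    return "%s[%s]: %s" % (ident, pid, entry.get("MESSAGE", ""))


def format_journal_entry(entry):
    """Tolerant version: consult _PID only when SYSLOG_PID is missing and
    omit the [pid] part when neither exists."""
    ts = entry["__REALTIME_TIMESTAMP"].strftime("%b %d %H:%M:%S")
    host = entry.get("_HOSTNAME", "-")
    ident = entry.get("SYSLOG_IDENTIFIER") or entry.get("_COMM") or "-"
    pid = entry.get("SYSLOG_PID")
    if pid is None:
        pid = entry.get("_PID")
    proc = "%s[%s]" % (ident, pid) if pid is not None else ident
    return "%s %s %s: %s" % (ts, host, proc, entry.get("MESSAGE", ""))


def crashes_on(entry):
    """True when the fragile formatter would raise on this record."""
    try:
        format_journal_entry_fragile(entry)
        return False
    except KeyError:
        return True


# fail2ban.log line: "<date> <time> <logger> [<pid>]: <LEVEL> <message>"
LOG_RE = re.compile(r"^\S+ \S+ (?P<logger>\S+)\s+\[\d+\]: (?P<level>\w+)\s+(?P<msg>.*)$")
BAN_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")


def summarize_fail2ban_log(lines):
    """Collect ban notices, unhandled exceptions and journalmatch notices."""
    out = {"bans": [], "unhandled": [], "notices": []}
    in_traceback = False
    for line in lines:
        if in_traceback:
            # Traceback frames are indented; the first flush-left line
            # names the exception that killed the thread.
            if line.startswith(("Traceback", " ", "\t")):
                continue
            out["unhandled"].append(line.strip())
            in_traceback = False
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "CRITICAL" and "Unhandled exception" in msg:
            in_traceback = True
        elif level == "NOTICE":
            ban = BAN_RE.match(msg)
            if ban:
                out["bans"].append((ban.group("jail"), ban.group("ip")))
            elif "journalmatch" in msg:
                out["notices"].append(msg)
    return out


SAMPLE_LOG = """\
2015-04-26 13:35:18,309 fail2ban.filtersystemd  [2820]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2015-04-26 13:35:18,331 fail2ban.jail           [2820]: INFO    Jail 'asterisk' started
2015-04-26 13:35:18,488 fail2ban                [2820]: CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 172, in formatJournalEntry
    'SYSLOG_PID', logentry['_PID']))
KeyError: '_PID'
2015-04-26 13:35:19,211 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.129.1.26
2015-04-26 13:35:19,534 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.83.187.182
""".splitlines()

if __name__ == "__main__":
    print(format_journal_entry(ENTRY_WITHOUT_PID))
    print("fragile crashes without _PID:", crashes_on(ENTRY_WITHOUT_PID))
    print(summarize_fail2ban_log(SAMPLE_LOG))
```

The NOTICE about `journalmatch` in the question's log means every journal record reached the jail's filter, so a record without `_PID` was bound to arrive; restricting the jail with a `journalmatch` line for the Asterisk unit narrows what the filter sees, and a fail2ban release whose systemd backend no longer uses the eager `logentry['_PID']` default removes the crash itself.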

I think you're going down the wrong path here. Asterisk is moving from simple security event logging (to flat files) to security events via AMI. Consider blocking based on AMI events rather than the security log. There are many free alternatives to fail2ban (see http://www.voip-info.org/wiki/view/Asterisk+security for examples).

More importantly, as Asterisk changes from SIP to PJSIP, the log messages have changed (and are still changing), so you will have to update your regex entries regularly, or security events may slip past your fail2ban setup. This is a whack-a-mole approach...

Quoted from: https://serverfault.com/questions/685699