Fail2ban
Fail2ban not banning IPs
Running a fresh install of OpenSuse 13.2 (running rsyslog).
My jail.conf file contains:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=mymail@gmail.com, sender=mymail@gmail.com, sendername="Fail2Ban"]
logpath  = /var/log/messages
maxretry = 5
/var/log/messages:
2014-11-21T16:16:17.167566-05:00 suse sshd[31000]: error: PAM: Authentication failure for root from 62-210-172-145.rev.poneytelecom.eu
2014-11-21T16:16:17.232040-05:00 suse sshd[31000]: Received disconnect from 62.210.172.145: 11: [preauth]
2014-11-21T16:16:17.863395-05:00 suse sshd[31007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-172-145.rev.poneytelecom.eu user=root
fail2ban log file:
2014-11-21 21:10:06,426 fail2ban.server [30553]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2014-11-21 21:10:06,428 fail2ban.jail   [30553]: INFO    Creating new jail 'ssh-iptables'
2014-11-21 21:10:06,479 fail2ban.jail   [30553]: INFO    Jail 'ssh-iptables' uses pyinotify
2014-11-21 21:10:06,526 fail2ban.jail   [30553]: INFO    Initiated 'pyinotify' backend
2014-11-21 21:10:06,529 fail2ban.filter [30553]: INFO    Added logfile = /var/log/messages
2014-11-21 21:10:06,532 fail2ban.filter [30553]: INFO    Set maxRetry = 5
2014-11-21 21:10:06,537 fail2ban.filter [30553]: INFO    Set findtime = 600
2014-11-21 21:10:06,539 fail2ban.actions[30553]: INFO    Set banTime = -1
2014-11-21 21:10:06,639 fail2ban.jail   [30553]: INFO    Jail 'ssh-iptables' started
2014-11-21 21:10:21,142 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,144 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,147 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,149 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,151 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
Any ideas why the IP is not being banned?
server:/etc/fail2ban # fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/messages
|  |- Currently failed: 0
|  `- Total failed:     0
Results of fail2ban-regex:
Results
=======

Failregex: 1256 total
|-  #) [# of hits] regular expression
|   1) [858] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
|   2) [30] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|   3) [141] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
|   5) [227] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [33235] ISO 8601
`-

Lines: 33235 lines, 0 ignored, 1256 matched, 31979 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 31979 lines
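To see how the jail above is supposed to evaluate those log lines, here is an added Python sketch (not fail2ban's own code and not part of the question): it applies a reduced form of failregex 1 to the sample lines, resolves the DNS name through a constructed table instead of a real lookup, and counts failures per IP against the maxretry = 5 and findtime = 600 that the fail2ban log reports. The non-page log lines and the resolution table are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Reduced stand-in for failregex 1 of the sshd filter shown above; fail2ban
# substitutes <HOST> with a group accepting an IPv4 address or a DNS name.
HOST = r"(?P<host>[\w\-.]+)"
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FAILREGEX = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?:error: PAM: )?"
    r"[aA]uthentication (?:failure|error) for .* from " + HOST + r"(?: via \S+)?\s*$"
)

# Constructed offline stand-in for the DNS lookup that fail2ban logs as
# "Determined IP using DNS Lookup" when the log carries a name, not an IP.
RESOLVED = {"62-210-172-145.rev.poneytelecom.eu": "62.210.172.145"}

# Lines 1-3 are from the question; the rest are constructed (same client past maxretry, one numeric rhost below it).
SAMPLE_LOG = """\
2014-11-21T16:16:17.167566-05:00 suse sshd[31000]: error: PAM: Authentication failure for root from 62-210-172-145.rev.poneytelecom.eu
2014-11-21T16:16:17.232040-05:00 suse sshd[31000]: Received disconnect from 62.210.172.145: 11: [preauth]
2014-11-21T16:16:17.863395-05:00 suse sshd[31007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-172-145.rev.poneytelecom.eu user=root
2014-11-21T16:16:20.000000-05:00 suse sshd[31010]: error: PAM: Authentication failure for root from 62-210-172-145.rev.poneytelecom.eu
2014-11-21T16:16:23.000000-05:00 suse sshd[31012]: error: PAM: Authentication failure for admin from 62-210-172-145.rev.poneytelecom.eu
2014-11-21T16:16:26.000000-05:00 suse sshd[31014]: error: PAM: Authentication failure for root from 198.51.100.7
2014-11-21T16:16:29.000000-05:00 suse sshd[31016]: error: PAM: Authentication failure for root from 62-210-172-145.rev.poneytelecom.eu
2014-11-21T16:16:32.000000-05:00 suse sshd[31018]: error: PAM: Authentication failure for root from 62-210-172-145.rev.poneytelecom.eu
"""

def scan(lines, maxretry=5, findtime=600, resolve=RESOLVED):
    # Count matched failures per IP in a sliding findtime window; return {ip: timestamp of the triggering failure}.
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # e.g. "Received disconnect" or the pam_unix line: no failregex hit
        ts = datetime.fromisoformat(m.group("ts"))
        host = m.group("host")
        ip = host if IPV4.match(host) else resolve.get(host)
        if ip is None or ip in banned:  # unresolvable name, or already banned
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned
```

Run against the sample, only 62.210.172.145 reaches five hits inside the window, which is what the question's `Total failed: 0` should not show if the filter were matching.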
Which version of fail2ban are you using? I ran into some problems with the fail2ban shipped with the default OpenSuse distribution. Even though the regex matched, it was not banning. I am now using fail2ban-0.8.14-2.24.1.noarch.rpm on OpenSuse 13.1 and it works fine.