Fail2ban

Fail2ban 不禁止 IP

  • August 6, 2015

執行新安裝的 OpenSuse 13.2(執行 rsyslog)

我的 jail.conf 文件包含:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
      sendmail-whois[name=SSH, dest=mymail@gmail.com, sender=mymail@gmail.com,     sendername="Fail2Ban"]
logpath  = /var/log/messages
maxretry = 5

/var/log/消息:

2014-11-21T16:16:17.167566-05:00 suse sshd[31000]: error: PAM: Authentication failure for root from 62-210-172-145.rev.poneytelecom.eu
2014-11-21T16:16:17.232040-05:00 suse sshd[31000]: Received disconnect from 62.210.172.145: 11:  [preauth]
2014-11-21T16:16:17.863395-05:00 suse sshd[31007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-172-145.rev.poneytelecom.eu  user=root

fail2ban 日誌文件:

2014-11-21 21:10:06,426 fail2ban.server [30553]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2014-11-21 21:10:06,428 fail2ban.jail   [30553]: INFO    Creating new jail 'ssh-iptables'
2014-11-21 21:10:06,479 fail2ban.jail   [30553]: INFO    Jail 'ssh-iptables' uses pyinotify
2014-11-21 21:10:06,526 fail2ban.jail   [30553]: INFO    Initiated 'pyinotify' backend
2014-11-21 21:10:06,529 fail2ban.filter [30553]: INFO    Added logfile = /var/log/messages
2014-11-21 21:10:06,532 fail2ban.filter [30553]: INFO    Set maxRetry = 5
2014-11-21 21:10:06,537 fail2ban.filter [30553]: INFO    Set findtime = 600
2014-11-21 21:10:06,539 fail2ban.actions[30553]: INFO    Set banTime = -1
2014-11-21 21:10:06,639 fail2ban.jail   [30553]: INFO    Jail 'ssh-iptables' started
2014-11-21 21:10:21,142 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-    172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,144 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,147 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,149 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']
2014-11-21 21:10:21,151 fail2ban.filter [30553]: WARNING Determined IP using DNS Lookup: 62-210-172-145.rev.poneytelecom.eu = ['62.210.172.145']

有什麼想法為什麼不禁止IP?

server:/etc/fail2ban # fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables   
|- filter
|  |- File list:        /var/log/messages
|  |- Currently failed: 0
|  `- Total failed:     0

fail2ban-regex 的結果

Results
=======

Failregex: 1256 total
|-  #) [# of hits] regular expression
|   1) [858] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:  (?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)? \s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via  \S+)?\s*$
|   2) [30] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for  .* from <HOST>\s*$
|   3) [141] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
|   5) [227] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [33235] ISO 8601
`-

Lines: 33235 lines, 0 ignored, 1256 matched, 31979 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 31979 lines

您使用的是哪個版本的 fail2ban?我遇到了預設 OpenSuse 發行版附帶的 fail2ban 的一些問題。即使是正則表達式匹配,它也沒有被禁止。現在我在 OpenSue 13.1 中使用 fail2ban-0.8.14-2.24.1.noarch.rpm,它工作正常。

引用自:https://serverfault.com/questions/646193