Iptables

Fail2Ban - IP 表拒絕不禁止

  • September 30, 2019

我在 Ubuntu 16 上執行了 fail2ban,並執行了一些監獄。

一種是 http-get-dos:

在 jail.conf 中

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 100
findtime = 60
#ban for 5 minutes
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

過濾文件:

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =

Fail2Ban 中的監獄似乎執行良好——我只是通過敲擊 URL 對其進行了測試,並且我的 IP 已添加到 IP 表中。

但是,我實際上並沒有被阻止 - IP 表 REJECT 似乎不起作用。

my.ip.address 出現在 Chain fail2ban-HTTP a REJECT 中的 IP 表中,但我沒有被拒絕(仍然可以訪問該站點)

iptables -nvL –line-numbers

Chain INPUT (policy ACCEPT 2689 packets, 413K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       68  5849 fail2ban-HTTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2     3104  575K fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
3     3104  575K fail2ban-apache  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
4      728 43824 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3325 packets, 4380K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-HTTP (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       my.ip.address
    0.0.0.0/0            reject-with icmp-port-unreachable
2       68  5849 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3104  575K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-overflows (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3104  575K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      728 43824 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  

我想知道這是否是一個訂單問題 - 即全球 ACCEPT 勝過 IPTables 中的 fail2ban 規則。但如果這是問題所在,我不知道如何解決它,以及為什麼fail2ban 一開始就沒有把它放得足夠高。

任何建議,非常感謝。

您正在監視兩者httphttps但僅禁止http使用iptables操作。使用iptables-multiport行動並禁止兩者httphttps

action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]

引用自:https://serverfault.com/questions/985223