Ipv6
使用 nftables 和 IPv6 的 Fail2ban
編輯:添加了額外的 .conf 文件管理器,並按照 Marco 的建議稍微改變了措辭
我正在執行應該支持 IPv6的Fail2ban v0.10 。
我已經根據這些說明使用 nftables設置了Fail2ban ,除了我使用 nftables 的“inet”系列而不是 ip 系列,因為我想允許 IPv6 流量到我的伺服器。
該伺服器可通過 IPv6 訪問,據我所知,我的防火牆(nftables)似乎配置正確(表 inet 過濾器)。
然而,'table inet fail2ban' 是我發表這篇文章的原因:在我看來,Fail2ban 只讀取 IPv4 日誌,並只阻止有問題的 IPv4 主機。
我讀對了嗎?如果是這樣,有人知道我如何使 Fail2ban 也可以處理 IPv6 流量嗎?我知道 Fail2ban v0.10 更改日誌指出並非所有禁令操作都支持 IPv6,但我似乎找不到列表。
也歡迎提供指向我可以找到該資訊的連結,因為我自己似乎無法找到該資訊。
我只包括了 recidive(累犯)監獄的配置,因為我假設如果我能讓這個監獄與 IPv6 一起工作,就可以對其他監獄做同樣的事情;如果我對這個假設有誤,請告訴我 :)
我的 nftables 規則集:
# Live ruleset as dumped from the running kernel (counters are runtime values, not config).
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state { related, established} accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
        # NOTE(review): in nftables a `limit rate` without `over` matches only the packets
        # that fit *within* the rate. So this rule logs and drops at most 5 packets/minute
        # (plus the burst); every unsolicited packet beyond that does not match, falls off
        # the end of the chain and is let in by `policy accept`. A separate, unconditional
        # `drop` after the logging rule (or `policy drop` on the chain) closes that gap.
        limit rate 5/minute burst 5 packets counter packets 972 bytes 56710 log prefix " denied: " level debug drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        accept
    }
}
# Table populated by fail2ban's nftables action at runtime; the included
# /etc/nftables/fail2ban.conf only declares the table and the INPUT chain.
table inet fail2ban {
    # NOTE(review): all three sets are `ipv4_addr` and every rule below matches on
    # `ip saddr`, i.e. the IPv4 header. An IPv6 source can never be added to these
    # sets or match these rules, regardless of the table being in the `inet` family.
    # That is consistent with "only IPv4 hosts get banned"; the set type and the
    # per-address-family match come from the action definition, not from this file.
    set f2b-sshd { type ipv4_addr }
    set f2b-nginx-botsearch { type ipv4_addr }
    set f2b-recidive { type ipv4_addr }
    chain INPUT {
        type filter hook input priority 100; policy accept;
        # `hopopt-reserved` appears to be how nft prints the protocol range 0-255
        # (0 = hopopt, 255 = reserved) that jail.local sets via `protocol = 0-255`.
        ip protocol hopopt-reserved ip saddr @f2b-recidive drop
        tcp dport { http, https} ip saddr @f2b-nginx-botsearch drop
        tcp dport { ssh} ip saddr @f2b-sshd drop
    }
}
/etc/nftables/fail2ban.conf
#!/usr/sbin/nft -f
# Included from /etc/nftables.conf. This file only declares the table and the
# base chain that the fail2ban nftables action is pointed at
# (nftables_table = fail2ban in nftables-common.local, chain = INPUT in
# jail.local). The f2b-* sets and the per-jail drop rules are created by
# fail2ban itself at runtime, so nothing else belongs here.
table inet fail2ban {
    chain INPUT {
        # priority 100 evaluates after "table inet filter" (priority 0). An accept
        # verdict in that earlier base chain ends only that chain; the packet is
        # still evaluated here, so bans take effect on ports filter already allows.
        type filter hook input priority 100;
    }
}
/etc/nftables.conf
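#!/usr/bin/nft -f
# Base host firewall. fail2ban's table lives in a separate, included file so
# that fail2ban can manage its own sets and rules without touching this one.
#
# NOTE(review): there is no `flush ruleset` here, so re-running `nft -f` on a
# live system appends the rules again instead of replacing them. If you add a
# flush, restart fail2ban afterwards so it recreates its sets and rules.
table inet filter {
    chain input {
        # policy drop: anything not explicitly accepted below is dropped, even if
        # a rule is later edited or removed. Previously the chain used the default
        # accept policy and relied on the rate-limited log rule at the end to drop
        # traffic -- but `limit rate` matches only packets *within* the rate, so
        # everything above 5/minute fell through the chain and was accepted.
        type filter hook input priority 0; policy drop;
        ct state {established, related} accept
        ct state invalid drop
        iifname lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
        # Log a rate-limited sample of what is refused (keeps the log from being
        # flooded), then drop everything else unconditionally. Keeping the drop
        # separate from the limited log rule is what closes the gap above.
        limit rate 5/minute burst 5 packets log prefix " denied: " level debug
        counter drop
    }
    chain forward {
        # This host does not route; refuse all forwarded traffic.
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        # Outbound traffic is not restricted.
        type filter hook output priority 0; policy accept;
    }
}
# fail2ban's table and INPUT chain; sets and ban rules are added by fail2ban.
include "/etc/nftables/fail2ban.conf"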
/etc/fail2ban/action.d/nftables-common.local
# Local overrides for fail2ban's nftables action. Only the keys listed here
# replace the ones in nftables-common.conf; everything else stays stock.
[Init]
# Dual-stack "inet" family so one table can carry both IPv4 and IPv6 rules,
# placed in the "fail2ban" table declared in /etc/nftables/fail2ban.conf.
nftables_family = inet
nftables_table  = fail2ban
# Verdict applied to banned traffic.
blocktype = drop
# NOTE(review): shown empty here, yet the live sets are named f2b-sshd,
# f2b-nginx-botsearch and f2b-recidive. Either the value was lost in the paste
# or this override is not the one in effect -- check which value fail2ban is
# actually using before relying on this file.
nftables_set_prefix =
# NOTE(review): nothing in this file controls the sets' address type or the
# address-family match, and the live ruleset shows `type ipv4_addr` sets
# matched with `ip saddr`. Whether IPv6 bans work is therefore decided by the
# stock nftables-common.conf shipped with this fail2ban version (look there for
# any per-family settings), not by `nftables_family = inet` alone. A failed
# IPv6 ban would also surface as an error in /var/log/fail2ban.log.
/etc/fail2ban/jail.local
# Local jail configuration; each key here overrides the same key in jail.conf.

[INCLUDES]
# Arch Linux log-path definitions (sshd_log, nginx_error_log, ...).
before = paths-arch.conf

[DEFAULT]
# --- ban timing ---------------------------------------------------------------
bantime  = 1h
findtime = 10m
maxretry = 5

# --- matching / backend -------------------------------------------------------
# No exemption command; ignoreip is not overridden in this file.
ignorecommand =
usedns      = warn
logencoding = auto
# Jails are opt-in: every jail below sets enabled = true explicitly.
enabled  = false
filter   = %(__name__)s
protocol = tcp
port     = 0:65535
# Must match the chain declared in /etc/nftables/fail2ban.conf exactly
# (nft chain names are case-sensitive).
chain    = INPUT
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

# --- actions ------------------------------------------------------------------
banaction          = nftables-multiport
banaction_allports = nftables-allports
# Multi-action values use one action per (continuation) line.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
# The effective action comes from action_ in jail.conf (not part of this file).
action = %(action_)s

[sshd]
enabled = true
mode    = normal
filter  = sshd[mode=%(mode)s]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2

[recidive]
# Re-bans hosts that keep getting banned by other jails: one week, all ports.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 1w
findtime  = 1d
maxretry  = 3
# "0-255" covers every IP protocol number; in the live ruleset it appears as
# "ip protocol hopopt-reserved" (0 = hopopt, 255 = reserved). Note that an
# "ip protocol" match only inspects the IPv4 header.
protocol  = 0-255
/etc/fail2ban/filter.d/recidive.conf
# Filter for the "recidive" jail: reads fail2ban's own log and re-bans hosts
# that keep getting banned by the other jails.
[INCLUDES]
# Shared fragments (__prefix_line, __pid_re, _daemon, ...) come from common.conf.
before = common.conf
[Definition]
# Log lines are written by fail2ban's actions module, e.g. "fail2ban.actions[123]: NOTICE ...".
_daemon = fail2ban\.actions\s*
_jailname = recidive
# Matches "NOTICE [<jail>] Ban <HOST>" for any jail except recidive itself: the
# negative lookahead (?!%(_jailname)s\]) keeps this jail from feeding on its own
# ban lines. <HOST> is the address that gets banned. Whether an IPv6 <HOST> then
# turns into a working ban is decided by the action (see the ipv4_addr sets in
# the live ruleset), not by this filter.
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
# Empty: no matched line is excluded.
ignoreregex =
[Init]
# systemd backend: only read entries of fail2ban.service at PRIORITY=5 (notice).
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
/etc/fail2ban/filter.d/common.conf
# Shared regex building blocks for fail2ban filters (pulled in through
# "before = common.conf"). Every value is a regex fragment that other filters
# interpolate with %(name)s; none of them is a rule on its own.
[DEFAULT]
# Logging daemon name; filters override it (recidive.conf sets fail2ban\.actions).
_daemon = \S*
# Optional "[1234]" pid suffix.
__pid_re = (?:\[\d+\])
# Daemon name, optionally bracketed/parenthesised, with an optional trailing ":".
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
# "[ID 123 something]" style syslog tag.
__daemon_extra_re = \[ID \d+ \S+\]
# Either "pid: daemon" or "daemon[pid]:" ordering.
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
# "kernel: [  12.345]" uptime prefix.
__kernel_prefix = kernel: \[ *\d+\.\d+\]
__hostname = \S+
# 16 colon-separated hex bytes (an MD5 digest printed as a fingerprint).
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
# "<facility.level>" tag of verbose BSD syslog.
__bsd_syslog_verbose = <[^.]+\.[^.]+>
__vserver = @vserver_\S+
# A literal "[]" -- presumably what remains once a bracketed timestamp has been
# stripped from the line; TODO confirm against the date handling.
__date_ambit = (?:\[\])
# Common line prefix consumed before a filter's own pattern.
# NOTE(review): as pasted this ends in `$` right after the vserver group and
# contains no %(__daemon_combs_re)s part, which would make the first
# alternative of recidive's failregex unable to match a real log line (only its
# second alternative could). This looks like a truncated copy; diff it against
# the installed common.conf before drawing conclusions from it.
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)$
# PAM module name used by filters that match authentication failures.
__pam_auth = pam_unix
# NOTE(review): cannot tell from this paste whether a separate section header
# preceded this key in the installed file.
datepattern = {^LN-BEG}