Ipv6

使用 nftables 和 IPv6 的 Fail2ban

  • September 9, 2018

編輯:添加了額外的 .conf 文件,並按照 Marco 的建議稍微修改了措辭


我正在執行 Fail2ban v0.10,它應該支持 IPv6。

我已經根據這些說明使用 nftables 設置了 Fail2ban,唯一的區別是我使用了 nftables 的“inet”族(family)而不是 ip 族,因為我想允許 IPv6 流量進入我的伺服器。

該伺服器可以通過 IPv6 訪問,而且據我所知,我的防火牆(nftables)似乎配置正確(即 table inet filter)。

然而,‘table inet fail2ban’ 正是我發這篇文章的原因:在我看來,Fail2ban 只讀取 IPv4 的日誌記錄,並且只封鎖有問題的 IPv4 主機。

我的理解對嗎?如果是這樣,有人知道我該如何讓 Fail2ban 也處理 IPv6 流量嗎?我知道 Fail2ban v0.10 的更新日誌指出並非所有封鎖動作(ban action)都支持 IPv6,但我似乎找不到相關列表。

也歡迎提供能找到該資訊的連結,因為我自己似乎找不到。

我只附上了 recidive(累犯)監獄的配置,因為我假設只要能讓這個監獄支持 IPv6,我就可以對其他監獄做同樣的處理;如果這個假設有誤,請告訴我 :)


我的 nftables 規則集:

# Main firewall table in the inet family (one ruleset covering IPv4 and IPv6),
# as printed by `nft list ruleset`.
table inet filter {
   # Priority 0 input chain. The fail2ban INPUT chain (priority 100) is evaluated
   # after this one, so a packet accepted here can still be dropped there.
   chain input {
       type filter hook input priority 0; policy accept;
       ct state { related, established} accept
       ct state invalid drop
       iifname "lo" accept
       # ICMP must be matched per family: `ip` only sees IPv4, `ip6` only IPv6.
       ip protocol icmp accept
       ip6 nexthdr ipv6-icmp accept
       # `tcp dport` is family-independent in an inet table, so these admit IPv6 clients too.
       tcp dport ssh accept
       tcp dport http accept
       tcp dport https accept
       # Rate-limited logging: beyond 5/minute (burst 5) this rule stops matching and the
       # packet falls through to the final `drop` unlogged. The counters are hits so far.
       limit rate 5/minute burst 5 packets counter packets 972 bytes 56710 log prefix " denied: " level debug
       # Explicit catch-all; the chain policy is accept, so this line is what actually blocks.
       drop
   }

   # No forwarding: this host is not a router.
   chain forward {
       type filter hook forward priority 0; policy accept;
       drop
   }

   # All outbound traffic is allowed.
   chain output {
       type filter hook output priority 0; policy accept;
       accept
   }
}

# fail2ban's table as printed by `nft list ruleset`.
# NOTE(review): all three sets are `ipv4_addr` and every rule below matches with
# `ip saddr` (IPv4 header). An IPv6 address therefore cannot be added to any set and
# IPv6 packets never match these rules, which fits the reported symptom of only IPv4
# hosts being banned. Blocking IPv6 sources would need an `ipv6_addr` set per jail
# plus matching `ip6 saddr @...` rules.
table inet fail2ban {
   set f2b-sshd {
       type ipv4_addr
   }

   set f2b-nginx-botsearch {
       type ipv4_addr
   }

   set f2b-recidive {
       type ipv4_addr
   }

   # Priority 100: runs after the filter table's input chain (priority 0), so an
   # `accept` there does not exempt a banned source from these drops.
   chain INPUT {
       type filter hook input priority 100; policy accept;
       # `hopopt-reserved` appears to be nft's symbolic rendering of the protocol range
       # 0-255 (the recidive jail sets `protocol = 0-255`); it is still an IPv4-only `ip` match.
       ip protocol hopopt-reserved ip saddr @f2b-recidive drop
       tcp dport { http, https} ip saddr @f2b-nginx-botsearch drop
       tcp dport { ssh} ip saddr @f2b-sshd drop
   }
}

/etc/nftables/fail2ban.conf

#!/usr/sbin/nft -f
# Boot-time skeleton for fail2ban's table: only the empty base chain is declared here.
# The sets and drop rules seen in the live ruleset are not in this file, so they are
# presumably created by fail2ban's nftables action at runtime.
# NOTE(review): the shebang here is /usr/sbin/nft while /etc/nftables.conf uses
# /usr/bin/nft; this only matters if the file is run directly, since nftables.conf
# pulls it in with `include`.

table inet fail2ban {
       # Same hook and priority as in the live listing. No explicit policy, so the
       # default (accept) applies; the jail config refers to this chain as `chain = INPUT`.
       chain INPUT {
               type filter hook input priority 100;
       }
}

/etc/nftables.conf

#!/usr/bin/nft -f
# Source of the `table inet filter` shown in the live ruleset. nft normalises some
# spellings when printing (`icmpv6` -> `ipv6-icmp`, quoted interface names), and the
# counters start at 0 here while the live listing shows accumulated values.

table inet filter {
 # Priority 0 input chain; no `policy` given, so the default (accept) applies and
 # the trailing `drop` is the real catch-all.
 chain input {
   type filter hook input priority 0;

   ct state {established, related} accept

   ct state invalid drop

   iifname lo accept

   # ICMP is matched per family: `ip` only sees IPv4, `ip6` only IPv6.
   ip protocol icmp accept
   ip6 nexthdr icmpv6 accept

   # `tcp dport` is family-independent in an inet table, so IPv6 clients are admitted too.
   tcp dport ssh accept

   tcp dport http accept
   tcp dport https accept

   # Rate-limited logging; packets beyond 5/minute (burst 5) skip this rule and are dropped unlogged.
   limit rate 5/minute burst 5 packets counter packets 0 bytes 0 log prefix " denied: " level debug

   drop
 }
 # No forwarding: this host is not a router.
 chain forward {
   type filter hook forward priority 0;
   drop
 }
 # All outbound traffic is allowed.
 chain output {
   type filter hook output priority 0;
   accept
 }

}

# Declares the (initially empty) `table inet fail2ban` with its INPUT chain at priority 100.
include "/etc/nftables/fail2ban.conf"

/etc/fail2ban/action.d/nftables-common.local

# Local overrides for fail2ban's shared nftables action settings (presumably picked up by
# the nftables-multiport / nftables-allports banactions used in jail.local).
[Init]
# Place fail2ban's rules in the `fail2ban` table of the inet family, i.e. the table that
# /etc/nftables/fail2ban.conf declares at boot, so one table can hold IPv4 and IPv6 rules.
nftables_table  = fail2ban
nftables_family = inet

# Silently discard traffic from banned sources instead of sending a rejection.
blocktype       = drop

# Empty set-name prefix. NOTE(review): the live ruleset shows sets named f2b-sshd etc.;
# confirm whether that listing was captured with this override in place.
nftables_set_prefix =

/etc/fail2ban/jail.local

[INCLUDES]

# Arch Linux log-path definitions; the %(sshd_log)s / %(nginx_error_log)s values used
# below presumably come from this file.
before = paths-arch.conf

# Defaults inherited by every jail below.
[DEFAULT]

ignorecommand =

bantime  = 1h

findtime  = 10m

maxretry = 5

usedns = warn

logencoding = auto

# Jails are opt-in: each one below sets enabled = true explicitly.
enabled = false

# The filter file defaults to the jail's own name (%(__name__)s).
filter = %(__name__)s

protocol = tcp

# Chain the nftables actions insert their rules into; matches `chain INPUT` in
# table inet fail2ban.
chain = INPUT

port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

# Per-port ban action, and the whole-host variant used by the recidive jail.
banaction = nftables-multiport
banaction_allports = nftables-allports

# Composite actions (ban plus mail / reporting); none of the jails below use them,
# since `action` resolves to %(action_)s. Continuation lines must stay indented.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
           %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
               %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]

action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action_abuseipdb = abuseipdb

# NOTE(review): `action_` is not defined in this file; presumably inherited from jail.conf
# (ban-only, no notification).
action = %(action_)s


[sshd]
enabled = true
mode    = normal
filter  = sshd[mode=%(mode)s]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s


[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2

# Repeat offenders: watches fail2ban's own log and, after 3 bans within a day,
# blocks the host on all ports/protocols for a week.
[recidive]
enabled = true
logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 1w
findtime = 1d
maxretry  = 3
# Full protocol range; in the live ruleset this shows up as `ip protocol hopopt-reserved`.
protocol  = 0-255

/etc/fail2ban/filter.d/recidive.conf

[INCLUDES]

# Shared prefix/daemon regex fragments (%(__prefix_line)s, %(__pid_re)s).
before = common.conf

[Definition]

# Narrow the generic `\S*` daemon pattern from common.conf to fail2ban's own actions logger.
_daemon = fail2ban\.actions\s*

_jailname = recidive

# Matches "NOTICE [<jail>] Ban <HOST>" lines from any jail except this one
# (negative lookahead on _jailname), so recidive does not feed on its own bans.
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$

ignoreregex =

[Init]

# Used instead of logpath when the systemd backend is selected.
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

/etc/fail2ban/filter.d/common.conf

# Shared log-line prefix fragments used by filters via %(__prefix_line)s.
[DEFAULT]

# Daemon name; filters such as recidive.conf override this with a specific pattern.
_daemon = \S*

# Optional "[pid]".
__pid_re = (?:\[\d+\])

# Daemon name with optional brackets/parentheses, optional "(detail)" and trailing colon.
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

__daemon_extra_re = \[ID \d+ \S+\]

# Either "[pid]: daemon" or "daemon[pid]:".
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)

# dmesg-style "kernel: [ 123.456]" prefix.
__kernel_prefix = kernel: \[ *\d+\.\d+\]

__hostname = \S+

# 16 colon-separated hex bytes.
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}

# BSD syslog "<facility.level>" tag.
__bsd_syslog_verbose = <[^.]+\.[^.]+>

__vserver = @vserver_\S+

__date_ambit = (?:\[\])

# NOTE(review): as pasted, this ends in `$` right after the vserver group and never uses
# __daemon_combs_re / __daemon_extra_re defined above; that looks like a paste truncation,
# since an end-of-line anchor inside a prefix would stop failregex from matching anything
# after it. Compare with the installed common.conf.
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)$

__pam_auth = pam_unix

# Look for the timestamp at the beginning of the line.
datepattern = {^LN-BEG}

這可能是這個錯誤(bug),它已在 v0.10.1 中修復。

引用自:https://serverfault.com/questions/873068