Linux
fail2ban seems to be working, but the server still receives connection attempts
The fail2ban mystery!
Everything seems to be running fine and correctly configured, but the server still receives connection attempts.
[moso@matrix ~]$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2022-04-16 22:10:45 -03; 13h ago
       Docs: man:fail2ban(1)
    Process: 332 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 335 (fail2ban-server)
      Tasks: 5 (limit: 19183)
     Memory: 17.9M
        CPU: 1min 945ms
     CGroup: /system.slice/fail2ban.service
             └─335 /usr/bin/python /usr/bin/fail2ban-server -xf start

Apr 16 22:10:45 matrix systemd[1]: Starting Fail2Ban Service...
Apr 16 22:10:45 matrix systemd[1]: Started Fail2Ban Service.
Apr 16 22:10:45 matrix fail2ban-server[335]: Server ready

[moso@matrix ~]$ sudo cat /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
filter = sshd
banaction = iptables
backend = systemd
maxretry = 3
findtime = 1d
bantime = 2w
ignoreip = 127.0.0.1/8 x1.y1.z1.w1/32 x2.y2.z2.w2/32

[moso@matrix ~]$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     10
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   179.43.156.154

[moso@matrix ~]$ sudo iptables -L -n | grep 179.43.156.154
REJECT     all  --  179.43.156.154       0.0.0.0/0            reject-with icmp-port-unreachable

[moso@matrix ~]$ sudo cat /var/log/fail2ban.log
2022-04-16 22:10:45,655 fail2ban.server         [335]: INFO    Starting Fail2ban v0.11.2
2022-04-16 22:10:45,657 fail2ban.observer       [335]: INFO    Observer start...
2022-04-16 22:10:45,667 fail2ban.database       [335]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2022-04-16 22:10:45,670 fail2ban.database       [335]: WARNING New database created. Version '4'
2022-04-16 22:10:45,670 fail2ban.jail           [335]: INFO    Creating new jail 'sshd'
2022-04-16 22:10:45,706 fail2ban.jail           [335]: INFO    Jail 'sshd' uses systemd {}
2022-04-16 22:10:45,706 fail2ban.jail           [335]: INFO    Initiated 'systemd' backend
2022-04-16 22:10:45,707 fail2ban.filter         [335]: INFO      maxLines: 1
2022-04-16 22:10:45,723 fail2ban.filtersystemd  [335]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2022-04-16 22:10:45,723 fail2ban.filter         [335]: INFO      maxRetry: 3
2022-04-16 22:10:45,723 fail2ban.filter         [335]: INFO      findtime: 86400
2022-04-16 22:10:45,724 fail2ban.actions        [335]: INFO      banTime: 1209600
2022-04-16 22:10:45,724 fail2ban.filter         [335]: INFO      encoding: UTF-8
2022-04-16 22:10:45,725 fail2ban.jail           [335]: INFO    Jail 'sshd' started
2022-04-16 22:53:09,239 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-16 22:53:08
2022-04-17 00:33:22,995 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 00:33:22
2022-04-17 01:31:38,980 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 01:31:38
2022-04-17 01:31:39,266 fail2ban.actions        [335]: NOTICE  [sshd] Ban 179.43.156.154
2022-04-17 02:58:45,765 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 02:58:45
2022-04-17 05:40:59,243 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 05:40:58
2022-04-17 07:13:51,766 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 07:13:51
2022-04-17 07:13:52,130 fail2ban.actions        [335]: WARNING [sshd] 179.43.156.154 already banned
2022-04-17 07:49:33,667 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 07:49:33
2022-04-17 08:20:44,205 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 08:20:44
2022-04-17 08:44:07,980 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 08:44:07
2022-04-17 08:44:08,129 fail2ban.actions        [335]: WARNING [sshd] 179.43.156.154 already banned
2022-04-17 09:44:54,464 fail2ban.filter         [335]: INFO    [sshd] Found 179.43.156.154 - 2022-04-17 09:44:54
...

[moso@matrix ~]$ journalctl _SYSTEMD_UNIT=sshd.service
Apr 16 22:10:15 matrix sshd[151093]: Received signal 15; terminating.
-- Boot aa222dfff23f467ab30cd5125c7c3a55 --
Apr 16 22:10:45 matrix sshd[333]: Server listening on 0.0.0.0 port 2206.
Apr 16 22:53:08 matrix sshd[656]: Connection from 179.43.156.154 port 40138 on 38.105.209.109 port 2206 rdomain ""
Apr 16 22:53:08 matrix sshd[656]: Invalid user root root from 179.43.156.154 port 40138
Apr 16 22:53:08 matrix sshd[656]: Connection closed by invalid user root root 179.43.156.154 port 40138 [preauth]
Apr 17 00:33:22 matrix sshd[685]: Connection from 179.43.156.154 port 34498 on 38.105.209.109 port 2206 rdomain ""
Apr 17 00:33:22 matrix sshd[685]: Invalid user root root from 179.43.156.154 port 34498
Apr 17 00:33:22 matrix sshd[685]: Connection closed by invalid user root root 179.43.156.154 port 34498 [preauth]
Apr 17 01:31:38 matrix sshd[699]: Connection from 179.43.156.154 port 59372 on 38.105.209.109 port 2206 rdomain ""
Apr 17 01:31:38 matrix sshd[699]: Invalid user root root from 179.43.156.154 port 59372
Apr 17 01:31:38 matrix sshd[699]: Connection closed by invalid user root root 179.43.156.154 port 59372 [preauth]
Apr 17 02:58:44 matrix sshd[722]: Connection from 179.43.156.154 port 57448 on 38.105.209.109 port 2206 rdomain ""
Apr 17 02:58:45 matrix sshd[722]: Invalid user root root from 179.43.156.154 port 57448
Apr 17 02:58:45 matrix sshd[722]: Connection closed by invalid user root root 179.43.156.154 port 57448 [preauth]
Apr 17 05:40:58 matrix sshd[760]: Connection from 179.43.156.154 port 54992 on 38.105.209.109 port 2206 rdomain ""
Apr 17 05:40:58 matrix sshd[760]: Invalid user root root from 179.43.156.154 port 54992
Apr 17 05:40:58 matrix sshd[760]: Connection closed by invalid user root root 179.43.156.154 port 54992 [preauth]
Apr 17 07:13:51 matrix sshd[777]: Connection from 179.43.156.154 port 59646 on 38.105.209.109 port 2206 rdomain ""
Apr 17 07:13:51 matrix sshd[777]: Invalid user root root from 179.43.156.154 port 59646
Apr 17 07:13:51 matrix sshd[777]: Connection closed by invalid user root root 179.43.156.154 port 59646 [preauth]
Apr 17 07:49:33 matrix sshd[789]: Connection from 179.43.156.154 port 33684 on 38.105.209.109 port 2206 rdomain ""
Apr 17 07:49:33 matrix sshd[789]: Invalid user root root from 179.43.156.154 port 33684
Apr 17 07:49:33 matrix sshd[789]: Connection closed by invalid user root root 179.43.156.154 port 33684 [preauth]
Apr 17 08:20:43 matrix sshd[801]: Connection from 179.43.156.154 port 55522 on 38.105.209.109 port 2206 rdomain ""
Apr 17 08:20:44 matrix sshd[801]: Invalid user root root from 179.43.156.154 port 55522
Apr 17 08:20:44 matrix sshd[801]: Connection closed by invalid user root root 179.43.156.154 port 55522 [preauth]
Apr 17 08:44:07 matrix sshd[805]: Connection from 179.43.156.154 port 39862 on 38.105.209.109 port 2206 rdomain ""
Apr 17 08:44:07 matrix sshd[805]: Invalid user root root from 179.43.156.154 port 39862
Apr 17 08:44:07 matrix sshd[805]: Connection closed by invalid user root root 179.43.156.154 port 39862 [preauth]
Apr 17 09:44:54 matrix sshd[822]: Connection from 179.43.156.154 port 42592 on 38.105.209.109 port 2206 rdomain ""
Apr 17 09:44:54 matrix sshd[822]: Invalid user root root from 179.43.156.154 port 42592
Apr 17 09:44:54 matrix sshd[822]: Connection closed by invalid user root root 179.43.156.154 port 42592 [preauth]
...
Why does IP 179.43.156.154 keep trying to connect, if fail2ban seems to be working and any connection from 179.43.156.154 should be rejected? (See the iptables output above.)
The problem was... me!
I mistakenly assumed that fail2ban banned on the port it had detected (2206, as shown above).
Another thing that led me to the wrong conclusion was

sudo iptables -L -n | grep 179.43.156.154
REJECT all -- 179.43.156.154 0.0.0.0/0 reject-with icmp-port-unreachable

I didn't consider which chain the rule was in...

With -L and no chain name, iptables lists every chain, and the grep hides the chain headers. That REJECT rule is not in INPUT. The iptables banaction creates a per-jail chain, f2b-sshd, puts the bans in it, and adds a single rule to INPUT that jumps to f2b-sshd only for the jail's port. The sshd.local above never sets port, so the jail took the default from jail.conf's [sshd] section, port = ssh, which is 22. Packets to port 2206 never entered f2b-sshd, so the ban was live but matched nothing. iptables -S INPUT and iptables -S f2b-sshd show which chain a rule sits in and which port the jump covers.
Just adding one line with the port I use for sshd, and the problem (caused by me) was solved.

[peracchi@matrix ~]$ cat /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
filter = sshd
port = 2206
banaction = iptables
backend = systemd
maxretry = 5
findtime = 1d
bantime = 30d
ignoreip = 127.0.0.1/8 a.b.c.d/32 x.y.z.w/32
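The two situations described above, the jail without a port line and the jail with port = 2206, reduced to something that runs without root or iptables. This is an added example, not the post's own commands: one function renders the rules that fail2ban's iptables banaction creates for a jail, modelled on action.d/iptables.conf of fail2ban 0.11 (the exact rule text is this example's assumption; on a real host iptables -S INPUT and iptables -S f2b-sshd show the real thing), and a small awk walker decides the fate of a packet the way the INPUT chain would. The IPs are the post's 179.43.156.154 plus the documentation address 203.0.113.7, and the 22 comes from jail.conf's default port = ssh for the sshd jail.

```shell
#!/bin/sh
# Added example, not code from the original post. It rebuilds, as text, the
# rule set fail2ban's "iptables" banaction creates and walks it the way the
# kernel walks INPUT, to show why the REJECT rule seen in `iptables -L` never
# applied to port 2206. Rule layout is modelled on fail2ban 0.11's
# action.d/iptables.conf (assumption of this example: per-jail chain
# f2b-<name>, one jump from INPUT restricted to the jail's port, one REJECT
# rule per banned IP, RETURN at the end of the chain).

# f2b_rules <jail-port> <jail-name> <banned-ip>
# Prints the rules in `iptables -S` syntax.
f2b_rules() {
    printf '%s\n' \
        "-N f2b-$2" \
        "-A INPUT -p tcp -m tcp --dport $1 -j f2b-$2" \
        "-A f2b-$2 -s $3/32 -j REJECT --reject-with icmp-port-unreachable" \
        "-A f2b-$2 -j RETURN"
}

# verdict <ruleset> <src-ip> <dst-port>
# Walks INPUT (policy assumed ACCEPT) for a TCP packet from <src-ip> to
# <dst-port>; prints REJECT, DROP or ACCEPT. Only -s, --dport and -j are
# interpreted, which is all the fail2ban rules above use.
verdict() {
    printf '%s\n' "$1" | awk -v src="$2" -v dport="$3" '
    function walk(chain,   i, n, w, k, ok, target, res) {
        for (i = 1; i <= cnt[chain]; i++) {
            n = split(rule[chain, i], w, " ")
            ok = 1; target = ""
            for (k = 1; k <= n; k++) {
                if (w[k] == "-s"      && w[k+1] != (src "/32")) ok = 0
                if (w[k] == "--dport" && w[k+1] != dport)       ok = 0
                if (w[k] == "-j") target = w[k+1]
            }
            if (!ok) continue                       # no match, next rule
            if (target == "REJECT" || target == "DROP") return target
            if (target == "RETURN") return ""       # back to the calling chain
            if (target in cnt) {                    # jump into a user chain
                res = walk(target)
                if (res != "") return res
            }
        }
        return ""                                   # fell off the end of the chain
    }
    $1 == "-N" { cnt[$2] = 0 }
    $1 == "-A" { cnt[$2]++; rule[$2, cnt[$2]] = $0 }
    END { v = walk("INPUT"); print (v == "" ? "ACCEPT" : v) }'
}

BANNED=179.43.156.154

# As in the post: `port` not set in jail.d/sshd.local, so the jail used the
# jail.conf default for [sshd], `port = ssh`, which /etc/services maps to 22.
broken_2206() { verdict "$(f2b_rules 22 sshd $BANNED)" $BANNED 2206; }
broken_22()   { verdict "$(f2b_rules 22 sshd $BANNED)" $BANNED 22; }

# After the fix: `port = 2206` in jail.d/sshd.local.
fixed_2206()  { verdict "$(f2b_rules 2206 sshd $BANNED)" $BANNED 2206; }
fixed_other() { verdict "$(f2b_rules 2206 sshd $BANNED)" 203.0.113.7 2206; }

printf 'port omitted (=22): %s -> :2206  %s\n' $BANNED "$(broken_2206)"
printf 'port omitted (=22): %s -> :22    %s\n' $BANNED "$(broken_22)"
printf 'port = 2206:        %s -> :2206  %s\n' $BANNED "$(fixed_2206)"
printf 'port = 2206:        203.0.113.7 -> :2206     %s\n' "$(fixed_other)"
```

The first two lines of output are the post's situation: the ban is real and would reject the attacker on port 22, which is why iptables -L shows the REJECT line, but a connection to 2206 never reaches the f2b-sshd chain and is accepted. With port = 2206 the same ban rejects the attacker on the real sshd port while an unbanned address still gets through. Run it with sh; to compare against a live host, read iptables -S INPUT and iptables -S f2b-sshd as root.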
"It is impossible for a man to learn what he thinks he already knows." (Epictetus)