Linux

fail2ban 似乎正在工作,但伺服器仍會收到連接嘗試

  • April 23, 2022

fail2ban 之謎!

一切似乎都執行良好且配置良好,但伺服器仍會收到連接嘗試。

[moso@matrix ~]$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
    Active: active (running) since Sat 2022-04-16 22:10:45 -03; 13h ago
      Docs: man:fail2ban(1)
   Process: 332 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
  Main PID: 335 (fail2ban-server)
     Tasks: 5 (limit: 19183)
    Memory: 17.9M
       CPU: 1min 945ms
    CGroup: /system.slice/fail2ban.service
            └─335 /usr/bin/python /usr/bin/fail2ban-server -xf start

Apr 16 22:10:45 matrix systemd[1]: Starting Fail2Ban Service...
Apr 16 22:10:45 matrix systemd[1]: Started Fail2Ban Service.
Apr 16 22:10:45 matrix fail2ban-server[335]: Server ready



[moso@matrix ~]$ sudo cat /etc/fail2ban/jail.d/sshd.local
[sshd]
 enabled   = true
 filter    = sshd
 banaction = iptables
 backend   = systemd
 maxretry  = 3
 findtime  = 1d
 bantime   = 2w
 ignoreip  = 127.0.0.1/8 x1.y1.z1.w1/32 x2.y2.z2.w2/32



[moso@matrix ~]$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 10
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 179.43.156.154



[moso@matrix ~]$ sudo iptables -L -n | grep 179.43.156.154
REJECT all -- 179.43.156.154 0.0.0.0/0 reject-with icmp-port-unreachable



[moso@matrix ~]$ sudo cat /var/log/fail2ban.log
2022-04-16 22:10:45,655 fail2ban.server [335]: INFO Starting Fail2ban v0.11.2
2022-04-16 22:10:45,657 fail2ban.observer [335]: INFO Observer start...
2022-04-16 22:10:45,667 fail2ban.database [335]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2022-04-16 22:10:45,670 fail2ban.database [335]: WARNING New database created. Version '4'
2022-04-16 22:10:45,670 fail2ban.jail [335]: INFO Creating new jail 'sshd'
2022-04-16 22:10:45,706 fail2ban.jail [335]: INFO Jail 'sshd' uses systemd {}
2022-04-16 22:10:45,706 fail2ban.jail [335]: INFO Initiated 'systemd' backend
2022-04-16 22:10:45,707 fail2ban.filter [335]: INFO maxLines: 1
2022-04-16 22:10:45,723 fail2ban.filtersystemd [335]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2022-04-16 22:10:45,723 fail2ban.filter [335]: INFO maxRetry: 3
2022-04-16 22:10:45,723 fail2ban.filter [335]: INFO findtime: 86400
2022-04-16 22:10:45,724 fail2ban.actions [335]: INFO banTime: 1209600
2022-04-16 22:10:45,724 fail2ban.filter [335]: INFO encoding: UTF-8
2022-04-16 22:10:45,725 fail2ban.jail [335]: INFO Jail 'sshd' started
2022-04-16 22:53:09,239 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-16 22:53:08
2022-04-17 00:33:22,995 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 00:33:22
2022-04-17 01:31:38,980 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 01:31:38
2022-04-17 01:31:39,266 fail2ban.actions [335]: NOTICE [sshd] Ban 179.43.156.154
2022-04-17 02:58:45,765 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 02:58:45
2022-04-17 05:40:59,243 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 05:40:58
2022-04-17 07:13:51,766 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 07:13:51
2022-04-17 07:13:52,130 fail2ban.actions [335]: WARNING [sshd] 179.43.156.154 already banned
2022-04-17 07:49:33,667 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 07:49:33
2022-04-17 08:20:44,205 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 08:20:44
2022-04-17 08:44:07,980 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 08:44:07
2022-04-17 08:44:08,129 fail2ban.actions [335]: WARNING [sshd] 179.43.156.154 already banned
2022-04-17 09:44:54,464 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 09:44:54
...



[moso@matrix ~]$ journalctl _SYSTEMD_UNIT=sshd.service
Apr 16 22:10:15 matrix sshd[151093]: Received signal 15; terminating.
-- Boot aa222dfff23f467ab30cd5125c7c3a55 --
Apr 16 22:10:45 matrix sshd[333]: Server listening on 0.0.0.0 port 2206.
Apr 16 22:53:08 matrix sshd[656]: Connection from 179.43.156.154 port 40138 on 38.105.209.109 port 2206 rdomain ""
Apr 16 22:53:08 matrix sshd[656]: Invalid user root root from 179.43.156.154 port 40138
Apr 16 22:53:08 matrix sshd[656]: Connection closed by invalid user root root 179.43.156.154 port 40138 [preauth]
Apr 17 00:33:22 matrix sshd[685]: Connection from 179.43.156.154 port 34498 on 38.105.209.109 port 2206 rdomain ""
Apr 17 00:33:22 matrix sshd[685]: Invalid user root root from 179.43.156.154 port 34498
Apr 17 00:33:22 matrix sshd[685]: Connection closed by invalid user root root 179.43.156.154 port 34498 [preauth]
Apr 17 01:31:38 matrix sshd[699]: Connection from 179.43.156.154 port 59372 on 38.105.209.109 port 2206 rdomain ""
Apr 17 01:31:38 matrix sshd[699]: Invalid user root root from 179.43.156.154 port 59372
Apr 17 01:31:38 matrix sshd[699]: Connection closed by invalid user root root 179.43.156.154 port 59372 [preauth]
Apr 17 02:58:44 matrix sshd[722]: Connection from 179.43.156.154 port 57448 on 38.105.209.109 port 2206 rdomain ""
Apr 17 02:58:45 matrix sshd[722]: Invalid user root root from 179.43.156.154 port 57448
Apr 17 02:58:45 matrix sshd[722]: Connection closed by invalid user root root 179.43.156.154 port 57448 [preauth]
Apr 17 05:40:58 matrix sshd[760]: Connection from 179.43.156.154 port 54992 on 38.105.209.109 port 2206 rdomain ""
Apr 17 05:40:58 matrix sshd[760]: Invalid user root root from 179.43.156.154 port 54992
Apr 17 05:40:58 matrix sshd[760]: Connection closed by invalid user root root 179.43.156.154 port 54992 [preauth]
Apr 17 07:13:51 matrix sshd[777]: Connection from 179.43.156.154 port 59646 on 38.105.209.109 port 2206 rdomain ""
Apr 17 07:13:51 matrix sshd[777]: Invalid user root root from 179.43.156.154 port 59646
Apr 17 07:13:51 matrix sshd[777]: Connection closed by invalid user root root 179.43.156.154 port 59646 [preauth]
Apr 17 07:49:33 matrix sshd[789]: Connection from 179.43.156.154 port 33684 on 38.105.209.109 port 2206 rdomain ""
Apr 17 07:49:33 matrix sshd[789]: Invalid user root root from 179.43.156.154 port 33684
Apr 17 07:49:33 matrix sshd[789]: Connection closed by invalid user root root 179.43.156.154 port 33684 [preauth]
Apr 17 08:20:43 matrix sshd[801]: Connection from 179.43.156.154 port 55522 on 38.105.209.109 port 2206 rdomain ""
Apr 17 08:20:44 matrix sshd[801]: Invalid user root root from 179.43.156.154 port 55522
Apr 17 08:20:44 matrix sshd[801]: Connection closed by invalid user root root 179.43.156.154 port 55522 [preauth]
Apr 17 08:44:07 matrix sshd[805]: Connection from 179.43.156.154 port 39862 on 38.105.209.109 port 2206 rdomain ""
Apr 17 08:44:07 matrix sshd[805]: Invalid user root root from 179.43.156.154 port 39862
Apr 17 08:44:07 matrix sshd[805]: Connection closed by invalid user root root 179.43.156.154 port 39862 [preauth]
Apr 17 09:44:54 matrix sshd[822]: Connection from 179.43.156.154 port 42592 on 38.105.209.109 port 2206 rdomain ""
Apr 17 09:44:54 matrix sshd[822]: Invalid user root root from 179.43.156.154 port 42592
Apr 17 09:44:54 matrix sshd[822]: Connection closed by invalid user root root 179.43.156.154 port 42592 [preauth]
...

為什麼 IP 179.43.156.154 繼續嘗試連接,如果 fail2ban 似乎工作並且來自 179.43.156.154 的任何連接都應該被拒絕?(參見上面 iptables 的輸出)

問題是……我!

我錯誤地認為fail2ban 禁止了檢測到的埠(如上圖所示,2206)。

導致我得出錯誤結論的另一件事是sudo iptables -L -n | grep 179.43.156.154.

REJECT all -- 179.43.156.154 0.0.0.0/0 reject-with icmp-port-unreachable

我不考慮規則在哪個鏈中……

只在我在 sshd 上使用的埠添加一行,問題(由我引起)就解決了。

[peracchi@matrix ~]$ cat /etc/fail2ban/jail.d/sshd.local
[sshd]
 enabled   = true
 filter    = sshd
 port      = 2206
 banaction = iptables
 backend   = systemd
 maxretry  = 5
 findtime  = 1d
 bantime   = 30d
 ignoreip  = 127.0.0.1/8 a.b.c.d/32 x.y.z.w/32

“一個人不可能學習他認為自己已經知道的東西。” ——愛比克泰德

引用自:https://serverfault.com/questions/1098811