Ssh

Fail2ban does not block ssh attempts

  • August 23, 2021

I have set up fail2ban to block failed ssh attempts. I checked the rules with fail2ban-regex and an excerpt from my logs, and that works fine.

I also checked the log for the "Ban" notice and the offending IP, and it is there:

zgrep 'Ban.*202.29.214.13' /var/log/fail2ban.log*
/var/log/fail2ban.log:2021-08-23 01:27:19,023 fail2ban.actions        [1460]: NOTICE  [sshd] Ban 202.29.214.13

However, my ssh / auth log still shows attempts from that IP after the relevant timestamp:

Aug 23 01:27:23 myhost123 sshd[4526]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 47633 ssh2]
Aug 23 01:27:23 myhost123 sshd[4526]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 47633 ssh2 [preauth]
Aug 23 01:27:23 myhost123 sshd[4526]: Disconnecting authenticating user root 202.29.214.13 port 47633: Too many authentication failures [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 50424 ssh2]
Aug 23 01:27:31 myhost123 sshd[4533]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 50424 ssh2 [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: Disconnecting authenticating user root 202.29.214.13 port 50424: Too many authentication failures [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 53056 ssh2 [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: Disconnecting authenticating user root 202.29.214.13 port 53056: Too many authentication failures [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 55901 ssh2 [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: Disconnecting authenticating user root 202.29.214.13 port 55901: Too many authentication failures [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 58908 ssh2 [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: Disconnecting authenticating user root 202.29.214.13 port 58908: Too many authentication failures [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 61129 ssh2 [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: Disconnecting authenticating user root 202.29.214.13 port 61129: Too many authentication failures [preauth]
Aug 23 01:28:23 myhost123 sshd[4577]: error: maximum authentication attempts exceeded for invalid user admin from 202.29.214.13 port 3511 ssh2 [preauth]
Aug 23 01:29:24 myhost123 sshd[4613]: error: maximum authentication attempts exceeded for invalid user oracle from 202.29.214.13 port 24149 ssh2 [preauth]
Aug 23 01:30:07 myhost123 sshd[4641]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 37311 ssh2 [preauth]
Aug 23 01:30:15 myhost123 sshd[4647]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 39486 ssh2 [preauth]
Aug 23 01:30:58 myhost123 sshd[4684]: error: maximum authentication attempts exceeded for invalid user test from 202.29.214.13 port 52882 ssh2 [preauth]
Aug 23 01:31:33 myhost123 sshd[4699]: error: maximum authentication attempts exceeded for invalid user user from 202.29.214.13 port 64849 ssh2 [preauth]

Shouldn't fail2ban completely block all requests from that IP? Any hints on what to check are appreciated.

Thanks to Dom for the hint: the iptables limit is the root cause of the problem.

Check:

grep "iptables: Memory allocation problem" /var/log/fail2ban.log

egrep "failcnt|numiptent" /proc/user_beancounters

It seems I cannot change the iptables limit; only my provider can.

Quoted from: https://serverfault.com/questions/1075370
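
Added example, not part of the original post: a Python check that correlates fail2ban "Ban" notices with later sshd log lines from the same IP, so a ban that was logged but never enforced by the firewall stands out. The sample log lines are constructed from the excerpts above; the layout of the ERROR line, the `year` parameter (syslog timestamps carry no year) and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the excerpts in the post.
F2B_LOG = """\
2021-08-23 01:27:19,023 fail2ban.actions        [1460]: NOTICE  [sshd] Ban 202.29.214.13
2021-08-23 01:27:19,301 fail2ban.utils          [1460]: ERROR   iptables: Memory allocation problem.
""".splitlines()
AUTH_LOG = """\
Aug 23 01:27:10 myhost123 sshd[4520]: Failed password for root from 202.29.214.13 port 47001 ssh2
Aug 23 01:27:23 myhost123 sshd[4526]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 47633 ssh2 [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: Disconnecting authenticating user root 202.29.214.13 port 50424: Too many authentication failures [preauth]
Aug 23 01:28:00 myhost123 sshd[4560]: Failed password for root from 198.51.100.7 port 40000 ssh2
""".splitlines()

BAN_RE = re.compile(r"^(\d{4}-\d\d-\d\d [\d:]{8}),\d+ .*\[sshd\] (Ban|Unban) (\S+)")
AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: .*?(\S+) port (\d+)")

def ban_windows(f2b_lines):
    """Return {ip: [[ban_time, unban_time], ...]}; an open ban ends at datetime.max."""
    windows = {}
    for line in f2b_lines:
        m = BAN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if m.group(2) == "Ban":
            windows.setdefault(m.group(3), []).append([ts, datetime.max])
        elif m.group(3) in windows:
            windows[m.group(3)][-1][1] = ts  # close the most recent ban
    return windows

def connections_after_ban(f2b_lines, auth_lines, year):
    """Return {ip: sorted source ports sshd logged while the IP was banned}.
    Several distinct ports mean new TCP connections were still accepted."""
    windows, hits = ban_windows(f2b_lines), {}
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if not m or m.group(2) not in windows:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if any(start < ts <= end for start, end in windows[m.group(2)]):
            hits.setdefault(m.group(2), set()).add(int(m.group(3)))
    return {ip: sorted(ports) for ip, ports in hits.items()}

def firewall_action_failed(f2b_lines):
    """True if fail2ban logged the iptables error named in the answer."""
    return any("iptables: Memory allocation problem" in l for l in f2b_lines)

if __name__ == "__main__":
    print(connections_after_ban(F2B_LOG, AUTH_LOG, 2021), firewall_action_failed(F2B_LOG))
```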