Why doesn't fail2ban ban this attack?
I installed fail2ban to ban brute-force attempts against ssh passwords. There is a business requirement not to disable local password authentication.
fail2ban was installed with the same Chef recipe that successfully bans ssh attacks on other machines. One ssh jail is configured:

    # service fail2ban status
    fail2ban-server (pid  5480) is running...
    WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
    Status
    |- Number of jail:      1
    `- Jail list:           ssh

Banning a user manually works:

    # fail2ban-client set ssh banip 103.41.124.46

But it does not seem to be banning anyone automatically:

    # cat /var/log/fail2ban.log
    2014-11-20 18:23:47,069 fail2ban.server [67569]: INFO    Exiting Fail2ban
    2014-11-20 18:44:59,202 fail2ban.server [5480]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
    2014-11-20 18:44:59,213 fail2ban.jail   [5480]: INFO    Creating new jail 'ssh'
    2014-11-20 18:44:59,214 fail2ban.jail   [5480]: INFO    Jail 'ssh' uses poller
    2014-11-20 18:44:59,249 fail2ban.jail   [5480]: INFO    Initiated 'polling' backend
    2014-11-20 18:44:59,270 fail2ban.filter [5480]: INFO    Added logfile = /var/log/secure
    2014-11-20 18:44:59,271 fail2ban.filter [5480]: INFO    Set maxRetry = 6
    2014-11-20 18:44:59,272 fail2ban.filter [5480]: INFO    Set findtime = 600
    2014-11-20 18:44:59,272 fail2ban.actions[5480]: INFO    Set banTime = 300
    2014-11-20 18:44:59,431 fail2ban.jail   [5480]: INFO    Jail 'ssh' started
    2014-11-21 11:09:37,447 fail2ban.actions[5480]: WARNING [ssh] Ban 103.41.124.46
    2014-11-21 11:10:32,602 fail2ban.actions[5480]: WARNING [ssh] Ban 122.225.97.75
    2014-11-21 11:14:37,899 fail2ban.actions[5480]: WARNING [ssh] Unban 103.41.124.46
    2014-11-21 11:15:32,976 fail2ban.actions[5480]: WARNING [ssh] Unban 122.225.97.75
    2014-11-21 11:30:06,295 fail2ban.comm   [5480]: WARNING Command ['ban', 'ssh', '189.203.240.89'] has failed. Received Exception('Invalid command',)
    2014-11-21 11:30:33,966 fail2ban.actions[5480]: WARNING [ssh] Ban 189.203.240.89
    2014-11-21 11:35:34,303 fail2ban.actions[5480]: WARNING [ssh] Unban 189.203.240.89
For example, here is an attack in /var/log/messages that should have been picked up and banned:

    Nov 21 07:51:32 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
    Nov 21 07:51:34 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
    Nov 21 07:51:35 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
    Nov 21 07:51:35 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
    Nov 21 07:51:37 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
    Nov 21 07:51:37 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
    Nov 21 07:51:38 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
    Nov 21 07:51:38 my_hostname sshd[51084]: Failed password for root from 122.225.109.219 port 3501 ssh2
    Nov 21 07:51:39 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
This is also being logged in /var/log/secure:

    Nov 25 16:06:40 cluster-122-1413591380-db sshd[75769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:06:46 cluster-122-1413591380-db sshd[75769]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:06:48 cluster-122-1413591380-db sshd[75778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:06:55 cluster-122-1413591380-db sshd[75778]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:06:57 cluster-122-1413591380-db sshd[75780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:03 cluster-122-1413591380-db sshd[75780]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:05 cluster-122-1413591380-db sshd[75793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:12 cluster-122-1413591380-db sshd[75793]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:13 cluster-122-1413591380-db sshd[75797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:21 cluster-122-1413591380-db sshd[75797]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:22 cluster-122-1413591380-db sshd[75803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:28 cluster-122-1413591380-db sshd[75803]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:29 cluster-122-1413591380-db sshd[75809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:36 cluster-122-1413591380-db sshd[75809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
    Nov 25 16:07:38 cluster-122-1413591380-db sshd[75811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Here is my jail.local:

    # Fail2Ban configuration file.
    #
    # The configuration here inherits from /etc/fail2ban/jail.conf. Any setting
    # omitted here will take its value from that file
    #
    # Author: Yaroslav O. Halchenko
    <snip>
    #
    #
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.

    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1/8
    findtime = 600
    bantime  = 300
    maxretry = 5

    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling

    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost

    #
    # ACTIONS
    #

    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define
    # action_* variables. Can be overridden globally or per
    # section within jail.local file
    banaction = iptables-multiport

    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    mta = sendmail

    # Default protocol
    protocol = tcp

    # Specify chain where jumps would need to be added in iptables-* actions
    chain = INPUT

    #
    # Action shortcuts. To be used to define action parameter

    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

    # Choose default action.  To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section
    action = %(action_)s

    #
    # JAILS
    #

    # Next jails can inherit from the configuration in /etc/fail2ban/jail.conf.
    # Enable any defined in that file jail by including
    #
    # [SECTION_NAME]
    # enabled = true
    #
    # Optionally you may override any other parameter (e.g. banaction,
    # action, port, logpath, etc) in that section within jail.local

    [ssh]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/secure
    maxretry = 6

    [ssh-iptables]
    enabled  = false
Why isn't fail2ban working? Or rather, why didn't it ban the attacker above without my manual intervention?
The logpath parameter should be set to the path of the log file in which the SSH attempts are recorded. So if that file is /var/log/messages, then /var/log/secure is obviously wrong. Change the logpath parameter to the correct file.
On RHEL and CentOS, authentication errors go to either /var/log/messages or /var/log/secure:

    # cat /etc/rsyslog.conf | grep auth
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure

By default sshd is configured with SyslogFacility set to AUTH, which goes to /var/log/messages. If you override it in /etc/ssh/sshd_config as follows, it goes to /var/log/secure instead:

    SyslogFacility AUTHPRIV

I'm using machines on the SoftLayer cloud, and sometime last year the configuration of their base image changed from AUTHPRIV to AUTH.
By default, fail2ban has the following jail in /etc/fail2ban/jail.local:

    [ssh]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/secure
    maxretry = 6

I suggest adding a second jail to /etc/fail2ban/jail.local:

    [ssh-log-messages]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/messages
    maxretry = 6

Then restart fail2ban so the second jail takes effect:

    service fail2ban restart

Another approach is to extend the sshd regexes in /etc/fail2ban/filter.d/sshd.conf. Both /var/log/secure and /var/log/messages contain enough information to ban the IP. Unfortunately, fail2ban cannot parse all of these messages without alternate regexes being added. That is left as an exercise.
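Added example, not part of the question or of either answer: a small Python model of what the answers above describe, namely that a jail only counts lines its failregex matches, in the file its logpath names, and bans a host once maxretry matches fall inside a window of findtime seconds. The two regexes are simplified stand-ins written for this example (fail2ban's real filter.d/sshd.conf is more elaborate), the sample log lines are constructed to mirror the two formats quoted in the question, using documentation-range IPs, and the ">= maxretry within findtime" rule is an assumption about fail2ban's counting that the example makes explicit. Running it shows the pam_unix lines from /var/log/secure being ignored until a second pattern is added, and a slow attacker escaping a 600-second window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

IP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Two simplified failregex patterns written for this example (fail2ban's real
# filter.d/sshd.conf is more elaborate). FAILED_PASSWORD covers the
# "Failed password for ... from <HOST>" form seen in /var/log/messages;
# PAM_UNIX covers the pam_unix form seen in /var/log/secure.
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from " + IP + r" port \d+ ssh2")
PAM_UNIX = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=" + IP)
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year=2014):
    """Syslog lines carry no year; assume one so the timestamps can be compared."""
    return datetime.strptime(f"{year} {SYSLOG_TS.match(line).group(1)}",
                             "%Y %b %d %H:%M:%S")


def scan(lines, patterns, maxretry=6, findtime=600):
    """Return {host: time_of_ban} for every host that reaches maxretry matching
    lines inside a sliding window of findtime seconds (assumed counting rule).
    Lines that match none of the patterns are ignored, which is how a jail
    misses an attack when the log format or log path does not fit its filter."""
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        match = next((m for m in (p.search(line) for p in patterns) if m), None)
        if match is None:
            continue
        host = match.group("host")
        if host in banned:
            continue
        ts = parse_ts(line)
        win = windows[host]
        win.append(ts)
        while (ts - win[0]).total_seconds() > findtime:  # drop failures older than findtime
            win.popleft()
        if len(win) >= maxretry:
            banned[host] = ts
    return banned


# Constructed sample lines (documentation-range IPs), modelled on the two formats
# quoted in the question. "PAM 2 more authentication failures" lines match
# neither pattern and are silently skipped, just as the page says.
MESSAGES_SAMPLE = """\
Nov 21 07:51:32 db1 sshd[51074]: Failed password for root from 198.51.100.7 port 1788 ssh2
Nov 21 07:51:34 db1 sshd[51072]: Failed password for root from 198.51.100.7 port 58285 ssh2
Nov 21 07:51:35 db1 sshd[51076]: Failed password for invalid user admin from 198.51.100.7 port 2221 ssh2
Nov 21 07:51:35 db1 sshd[51074]: Failed password for root from 198.51.100.7 port 1788 ssh2
Nov 21 07:51:37 db1 sshd[51072]: Failed password for root from 198.51.100.7 port 58285 ssh2
Nov 21 07:51:37 db1 sshd[51074]: Failed password for root from 198.51.100.7 port 1788 ssh2
Nov 21 07:51:38 db1 sshd[51084]: Failed password for root from 198.51.100.7 port 3501 ssh2
""".splitlines()

SECURE_SAMPLE = """\
Nov 25 16:06:40 db1 sshd[75769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Nov 25 16:06:46 db1 sshd[75769]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Nov 25 16:06:48 db1 sshd[75778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Nov 25 16:06:57 db1 sshd[75780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Nov 25 16:07:05 db1 sshd[75793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Nov 25 16:07:13 db1 sshd[75797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Nov 25 16:07:21 db1 sshd[75797]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Nov 25 16:07:22 db1 sshd[75803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
""".splitlines()

# A slow attacker: three failures 15 minutes apart never fit in a 600 s window.
SLOW_SAMPLE = """\
Nov 22 00:00:00 db1 sshd[60001]: Failed password for root from 192.0.2.44 port 4000 ssh2
Nov 22 00:15:00 db1 sshd[60002]: Failed password for root from 192.0.2.44 port 4001 ssh2
Nov 22 00:30:00 db1 sshd[60003]: Failed password for root from 192.0.2.44 port 4002 ssh2
""".splitlines()

if __name__ == "__main__":
    print("messages, Failed-password regex only:", scan(MESSAGES_SAMPLE, [FAILED_PASSWORD]))
    print("secure,   Failed-password regex only:", scan(SECURE_SAMPLE, [FAILED_PASSWORD]))
    print("secure,   both regexes:              ", scan(SECURE_SAMPLE, [FAILED_PASSWORD, PAM_UNIX]))
    print("slow attacker, findtime=600:         ", scan(SLOW_SAMPLE, [FAILED_PASSWORD], maxretry=3))
    print("slow attacker, findtime=3600:        ", scan(SLOW_SAMPLE, [FAILED_PASSWORD], maxretry=3, findtime=3600))
```

On a real host the equivalent check against the actual filter and the actual file is fail2ban's own tool, `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines the filter matched; if it reports zero for the file the attack is landing in, either the logpath or the regex is the problem, exactly the two fixes the answers propose.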