Ubuntu

Jail error, unable to start

  • November 5, 2017

I created a jail and action to try to catch "DDoS attacks", but whenever I restart Fail2Ban the log file shows an error for this jail. The jail and filter look fairly simple and are reproduced on several blogs, but the one I used for comparison is here

This is the jail:

[http-get-dos]
enabled = true
filter = http-get-dos
action =  iptables[name=Http-Get-Dos, port="http,https"]
logpath = %(apache_access_log)s
maxretry = 300
findtime = 300
bantime = 300

This is the filter:

# Fail2Ban configuration file
#
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs
# You should set up in the jail.conf file, the maxretry and findtime carefully

failregex = ^<HOST> -.*"(GET|POST).*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#

This all looks very simple, but for some reason, if I restart the service after enabling this jail, I see the following errors in the Fail2ban log:

2017-11-04 12:48:13,296 fail2ban.jail           [1460]: INFO    Creating new jail 'http-get-dos'
2017-11-04 12:48:13,298 fail2ban.jail           [1460]: INFO    Jail 'http-get-dos' uses poller
2017-11-04 12:48:13,300 fail2ban.filter         [1460]: INFO    Set jail log file encoding to UTF-8
2017-11-04 12:48:13,300 fail2ban.jail           [1460]: INFO    Initiated 'polling' backend
2017-11-04 12:48:13,303 fail2ban.actions        [1460]: INFO    Set banTime = 300
2017-11-04 12:48:13,304 fail2ban.filter         [1460]: INFO    Set findtime = 300
2017-11-04 12:48:13,306 fail2ban.filter         [1460]: INFO    Added logfile = /var/log/apache2/access.log
2017-11-04 12:48:13,308 fail2ban.filter         [1460]: INFO    Added logfile = /var/log/apache2/other_vhosts_access.log
2017-11-04 12:48:13,309 fail2ban.filter         [1460]: INFO    Set jail log file encoding to UTF-8
2017-11-04 12:48:13,310 fail2ban.filter         [1460]: INFO    Set maxRetry = 300

2017-11-04 12:48:14,411 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- stdout: b''
2017-11-04 12:48:14,441 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- stderr: b"iptables v1.6.0: invalid port/service `http,https' specified\nTry `iptables -h' or 'iptables --help' for more information.\n"
2017-11-04 12:48:14,458 fail2ban.action         [1460]: ERROR   iptables -w -N f2b-Http-Get-Dos
iptables -w -A f2b-Http-Get-Dos -j RETURN
iptables -w -I INPUT -p tcp --dport http,https -j f2b-Http-Get-Dos -- returned 2
2017-11-04 12:48:14,463 fail2ban.actions        [1460]: ERROR   Failed to start jail 'http-get-dos' action 'iptables': Error starting action
2017-11-04 12:48:20,150 fail2ban.jail           [1460]: INFO    Jail 'http-get-dos' started

It seems that the action part of the jail is causing the problem, but I don't understand why. The action is similar to the ones other jails use.

Any ideas on how to fix this so the jail runs properly?

I don't have enough reputation to comment, so I'll post this here as an answer.

It looks as though this line:

action = iptables[name=Http-Get-Dos, port="http,https"]

is passing variables to iptables, and with port="http,https" you are specifying two destination ports in a single iptables rule. I couldn't find any specific documentation on this, but it doesn't look right - I think this is the cause of the problem.

I think HTTP and HTTPS should have separate actions.

Edit: I found some entries on Google that use port="http,https", and they specify iptables-multiport rather than iptables. The iptables-multiport action appears to run iptables --match multiport (described here), which allows you to specify multiple ports at once (see this Server Fault question). So I think another solution is to use the iptables-multiport action.
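An added example, not part of the original question or answer and not Fail2Ban's own code: a small Python checker that parses the jail stanza from the question, flags a comma-separated port list passed to the plain iptables action, and renders the INPUT-chain actionstart line each action would run, following the layout of action.d/iptables.conf and iptables-multiport.conf in fail2ban 0.9/0.10. The function names and the second, multiport stanza are constructed for the example.

```python
"""Check a Fail2Ban jail's iptables action against its port list (added example)."""
import configparser
import re

# Constructed sample: the jail from the question plus a multiport variant of it.
JAIL_TEXT = """
[http-get-dos]
enabled = true
filter = http-get-dos
action = iptables[name=Http-Get-Dos, port="http,https"]
logpath = %(apache_access_log)s
maxretry = 300
findtime = 300
bantime = 300

[http-get-dos-multiport]
action = iptables-multiport[name=Http-Get-Dos, port="http,https"]
"""

ACTION_RE = re.compile(r'^\s*(?P<action>[\w-]+)\s*(?:\[(?P<args>.*)\])?\s*$')
ARG_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^,\]]+)""")

def parse_action(value):
    """Split 'name[key=val, ...]' into (name, {key: val}); surrounding quotes are dropped."""
    m = ACTION_RE.match(value)
    args = {k: v.strip().strip('"\'') for k, v in ARG_RE.findall(m.group('args') or '')}
    return m.group('action'), args

def start_rule(action, args):
    """INPUT-chain actionstart line as iptables.conf / iptables-multiport.conf expand it."""
    name, port = args.get('name', 'default'), args.get('port', 'ssh')
    proto, chain = args.get('protocol', 'tcp'), args.get('chain', 'INPUT')
    if action == 'iptables-multiport':
        return 'iptables -w -I %s -p %s -m multiport --dports %s -j f2b-%s' % (chain, proto, port, name)
    return 'iptables -w -I %s -p %s --dport %s -j f2b-%s' % (chain, proto, port, name)

def check_jails(text):
    """Map each jail to a problem string, or None: plain --dport accepts one port only."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for jail in cp.sections():
        action, args = parse_action(cp.get(jail, 'action'))
        nports = len([p for p in args.get('port', '').split(',') if p.strip()])
        report[jail] = ('%s: iptables --dport takes a single port; use iptables-multiport '
                        'or one action per port' % start_rule(action, args)
                        if action == 'iptables' and nports > 1 else None)
    return report
```

Running `check_jails(JAIL_TEXT)` reports the question's jail with the same `--dport http,https` rule that iptables rejected in the log above, and reports None for the multiport variant.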

Quoted from: https://serverfault.com/questions/881818