Debian
fail2ban ip被阻止,但仍然登錄嘗試
一切似乎都很好,iptables 顯示它被阻止了,但我仍然得到身份驗證嘗試
我已經配置了fail2ban
# "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1/8 bantime = 864000 maxretry = 3 [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3fail2ban 日誌顯示其已被阻止
2016-01-17 06:25:02,218 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6 2016-01-17 06:25:03,275 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log 2016-01-17 06:25:54,330 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log 2016-01-19 13:21:33,459 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-19 13:21:45,472 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-19 13:22:28,522 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-19 13:22:38,534 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-19 13:22:53,550 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-19 13:23:47,609 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-20 12:58:54,982 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-20 12:59:41,030 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-20 12:59:55,046 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-20 13:00:06,057 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-20 13:00:37,091 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned 2016-01-20 13:01:20,137 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already bannediptables -L -n
Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 ACCEPT tcp -- 0.0.0.0/0 some_IP_I_need tcp spts:1024:65535 dpt:port_of_websrv state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- some_IP_I_need 0.0.0.0/0 tcp spts:1024:65535 dpt:port_of_websrv state NEW,ESTABLISHED Chain fail2ban-ssh (2 references) target prot opt source destination DROP all -- xxx.xxx.xxx.xxx 0.0.0.0/0 RETURN all -- 0.0.0.0/0 0.0.0.0/0 RETURN all -- 0.0.0.0/0 0.0.0.0/0然而,仍然有一些身份驗證請求,為什麼?
Jan 20 12:59:55 pdwhost sshd[659439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=root Jan 20 12:59:55 pdwhost sshd[659441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=root Jan 20 12:59:57 pdwhost sshd[659439]: Failed password for root from xxx.xxx.xxx.xxx port 43728 ssh2 Jan 20 12:59:57 pdwhost sshd[659439]: fatal: Read from socket failed: Connection reset by peer [preauth] Jan 20 12:59:57 pdwhost sshd[659441]: Failed password for root from xxx.xxx.xxx.xxx port 43729 ssh2 Jan 20 12:59:57 pdwhost sshd[659441]: fatal: Read from socket failed: Connection reset by peer [preauth]如果可能,我通常在非標準埠上執行服務。這讓我也想知道,為什麼這條線顯示埠 22(ssh 在不同的埠上),這是我需要在某個地方更改的東西嗎?
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22還有,舉報這個IP有意義嗎?它來自choopa。
你應該嘗試設置
port = ssh到您真正使用的埠。(我假設即使在非標準埠上執行 ssh,您也不會更改 中的值
/etc/services,而且您可能不應該這樣做。)