Linux

fail2ban keeps saying "already banned" but is not actually banning

  • February 7, 2022

I just configured a new server and installed fail2ban, but when I keep trying to connect with a wrong password, it does not ban me.

fail2ban.log:

2018-03-23 12:46:29,363 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:46:30,747 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:46:33,346 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:46:35,515 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:46:36,372 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:47:45,471 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:47:46,820 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:47:49,503 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:47:50,458 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:47:51,893 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:48:49,699 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:48:51,835 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:48:52,531 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:48:54,477 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:48:57,056 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:50:53,240 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:50:53,677 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:50:55,065 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:50:58,253 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:51:00,494 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:51:00,685 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:52:06,119 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:52:08,300 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:52:11,583 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:52:11,773 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:52:13,498 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:53:07,823 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:53:09,712 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:53:09,842 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:53:11,718 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:53:13,696 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:54:37,181 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:54:37,949 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:54:39,092 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:54:40,906 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:54:42,616 fail2ban.filter         [9756]: INFO    [sshd] Found [my ip]
2018-03-23 12:54:42,955 fail2ban.actions        [9756]: NOTICE  [sshd] [my ip] already banned
2018-03-23 12:54:52,074 fail2ban.action         [9756]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
2018-03-23 12:54:52,075 fail2ban.action         [9756]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
2018-03-23 12:54:52,075 fail2ban.action         [9756]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2018-03-23 12:54:52,075 fail2ban.CommandAction  [9756]: ERROR   Invariant check failed. Trying to restore a sane environment
2018-03-23 12:54:52,180 fail2ban.action         [9756]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: ''
2018-03-23 12:54:52,181 fail2ban.action         [9756]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2018-03-23 12:54:52,181 fail2ban.action         [9756]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- returned 1
2018-03-23 12:54:52,181 fail2ban.actions        [9756]: ERROR   Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': '2018-03-23T11:53:46.707058149-210-194-176.colo.transip.net sshd[27676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-[my ip].ip.prioritytelecom.net  user=root2018-03-23T11:53:48.733188149-210-194-176.colo.transip.net sshd[27676]: Failed password for root from [my ip] port 31224 ssh22018-03-23T11:54:51.709842149-210-194-176.colo.transip.net sshd[27676]: Failed password for root from [my ip] port 31224 ssh2', 'ip': '[my ip]', 'time': 1521802491.930057, 'failures': 3}': Error stopping action

當我跟踪日誌文件時,我看到我的 ssh 登錄嘗試被記錄下來,但在第三次嘗試之後,我可以繼續嘗試;例如,如果我在第 10 次嘗試後使用了正確的密碼,它就會讓我登錄。

我也時不時地在日誌文件的末尾看到錯誤。

我的監獄本地:

[DEFAULT]
#ban n hosts for one hour:
bantime = 3600

#maxtrys
maxretry = 3

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true

Does anyone know why this is happening?

It looks like your iptables configuration does not contain a chain named f2b-sshd.

First, a bit about iptables.

iptables is both a command and the name of the Linux firewall subsystem. The command is used to set up firewall rules in RAM. The firewall rules of iptables are first arranged into tables: there is the default table, filter, and also the nat, mangle, raw and security tables for various purposes. fail2ban is doing traffic filtering, so it uses the filter table.

These tables can then be further divided into filter chains. Each table has certain standard chains: for the filter table, the standard chains are INPUT, FORWARD and OUTPUT. The FORWARD chain is only used when the system is configured to route traffic for other systems. The INPUT chain handles incoming traffic for this system.

If fail2ban added its rules directly to the INPUT chain and flushed that chain clean whenever all bans expire, you would have to hand over full control of your firewall input rules to fail2ban: you could not easily have any custom firewall rules apart from what fail2ban does. That is obviously undesirable, so fail2ban does not do that.

Instead, fail2ban creates its own filter chain, which it can manage completely on its own, and at startup it adds a single rule to the INPUT chain to send any matching traffic to be processed through fail2ban's chain.

For example, when configured to protect sshd, fail2ban should execute these commands at startup:

iptables -N f2b-sshd
iptables -A f2b-sshd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports <TCP ports configured for sshd protection> -j f2b-sshd

These commands create an f2b-sshd filter chain, set RETURN as its last rule (so that once any fail2ban rules have been processed, normal processing of the INPUT rules continues), and finally add a rule at the beginning of the INPUT table to catch any SSH traffic and send it to the f2b-sshd chain first.

Now, when fail2ban needs to ban an IP address for SSH, it just inserts a new rule into the f2b-sshd chain.

If you are using firewalld or some other system that manages the iptables firewall rules for you, or if you manually flush all iptables rules, these initial rules, and possibly the whole f2b-sshd filter chain, may get cleared. You should make sure that any firewall management tool you might be using maintains that initial rule in the INPUT chain and does not touch the f2b-sshd chain at all.

The error messages at the end of the snippet indicate that fail2ban is checking whether the initial rules still exist (the "invariant check") and finding that they do not.
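Detection logic for the symptom in the question (a host reported "already banned" that keeps producing filter hits) and for the invariant-check error the answer explains; this is an added example, not code from the post or from fail2ban, and the log lines and the 203.0.113.7 address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the asker's fail2ban.log (203.0.113.7 is a
# documentation address standing in for "[my ip]"); not taken from the post.
SAMPLE_LOG = """\
2018-03-23 12:46:29,363 fail2ban.actions        [9756]: NOTICE  [sshd] 203.0.113.7 already banned
2018-03-23 12:46:30,747 fail2ban.filter         [9756]: INFO    [sshd] Found 203.0.113.7
2018-03-23 12:46:33,346 fail2ban.filter         [9756]: INFO    [sshd] Found 203.0.113.7
2018-03-23 12:46:35,515 fail2ban.filter         [9756]: INFO    [sshd] Found 203.0.113.7
2018-03-23 12:54:52,075 fail2ban.CommandAction  [9756]: ERROR   Invariant check failed. Trying to restore a sane environment
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) fail2ban\.(?P<mod>\S+)\s+\[\d+\]: "
                     r"(?P<level>\w+)\s+(?P<msg>.*)$")
FOUND_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)")
BANNED_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] (?P<ip>\S+) already banned")


def analyze(log_text):
    """Count filter hits that arrive after a host was reported banned, per (jail, ip),
    and collect timestamps of 'Invariant check failed' errors."""
    banned_since = {}            # (jail, ip) -> timestamp of first 'already banned'
    hits_after_ban = defaultdict(int)
    invariant_failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                # multi-line iptables error output etc. is skipped
            continue
        msg = m.group("msg")
        b = BANNED_RE.match(msg)
        if b:
            banned_since.setdefault((b.group("jail"), b.group("ip")), m.group("ts"))
            continue
        f = FOUND_RE.match(msg)
        if f and (f.group("jail"), f.group("ip")) in banned_since:
            # With a working DROP rule the host could not reach sshd, so these
            # should stop within one log-polling interval of the ban.
            hits_after_ban[(f.group("jail"), f.group("ip"))] += 1
        if m.group("level") == "ERROR" and "Invariant check failed" in msg:
            invariant_failures.append(m.group("ts"))
    return {"hits_after_ban": dict(hits_after_ban),
            "invariant_failures": invariant_failures}

def ban_is_ineffective(report, tolerance=1):
    """True when the f2b chain check failed or a 'banned' host kept hitting sshd."""
    return bool(report["invariant_failures"]) or any(
        n > tolerance for n in report["hits_after_ban"].values())
```

Run it over a real fail2ban.log to confirm the diagnosis before touching the firewall; a single hit right after the ban is normal polling latency, sustained hits mean the INPUT jump to f2b-sshd is missing.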

Quoted from: https://unix.stackexchange.com/questions/433043