Fail2ban does not ban again after the first ban expires

I cannot get Fail2ban to block the IP addresses that show up in the postfix log on Debian 9. I rewrote the failregex as follows:

NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:(.*) 550 5.7.1 Service unavailable; client \[(.*)\] blocked using .* from=<.*>, to=<.*>, proto=ESMTP, helo=<.*>

instead of

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

So now it does ban. But once a ban expires, instead of banning the host again it does not ban at all and just prints lots of "Found" entries in fail2ban.log:

2019-02-13 20:03:50,558 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:50,574 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,625 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:50,666 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,752 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,770 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:50,836 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,861 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,132 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,173 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.151.62
2019-02-13 20:03:51,216 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,315 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,410 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,497 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,560 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:51,581 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,604 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.151.62
2019-02-13 20:03:51,751 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.148.30
2019-02-13 20:03:51,860 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,961 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,514 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,561 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:52,602 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,689 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,776 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,868 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,952 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,141 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,238 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,317 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,325 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,411 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,490 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,563 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 188.255.152.32 already banned
2019-02-13 20:03:53,577 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,585 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,671 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,707 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,765 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,773 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,854 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,865 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,908 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5

How can I fix this? :/ I'm really frustrated.

Edit: in jail.conf, the ban action for postfix and postfix-rbl is set to:

action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

As mentioned, once fail2ban is started (or restarted with systemctl restart fail2ban) it works fine at first. But once the ban time has expired, it no longer does.

Answer 1

What is happening here is that the default ban action only blocks the target port. The offending host then accesses a different port and triggers a further ban. But because the host is already banned (even if on another port), it cannot be banned again.

The solution is to change the ban action so that it blocks all ports rather than only the port in question. Off the top of my head, the action rule is:

action   = %(banaction_allports)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

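Before touching the ban action, it is worth confirming what each failregex actually extracts from the log, the way fail2ban-regex would. The following is an added example, not code from the question, the answer or fail2ban itself. It expands the <HOST> tag the way older (0.9) fail2ban did, uses a simplified stand-in for %(__prefix_line)s and for the syslog date that fail2ban strips before matching (both assumptions), and runs the stock regex and the asker's rewritten regex over constructed postfix lines in both formats.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag into a named group. This is the form
# fail2ban 0.9 used; newer releases expand more alternatives (assumption:
# simplified to what these sample lines need).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: stand-in for %(__prefix_line)s, i.e. "hostname daemon[pid]: "
# as it remains once fail2ban has stripped the syslog timestamp.
PREFIX_LINE = r"\S+ \S+(?:\[\d+\])?: "

# Assumption: the syslog date that fail2ban's datepattern removes before matching.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# The shipped postfix-rbl failregex, as quoted in the question.
STOCK_REGEX = (r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 "
               r"Service unavailable; Client host \[\S+\] blocked using .* "
               r"from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$")

# The asker's rewritten failregex, unchanged.
USER_REGEX = (r"NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:(.*) 550 5.7.1 "
              r"Service unavailable; client \[(.*)\] blocked using .* "
              r"from=<.*>, to=<.*>, proto=ESMTP, helo=<.*>")

# Constructed sample log lines (not taken from the question's logs).
LOG_LINES = [
    # shape the stock regex expects: 4xx code, "Client host", space-separated fields
    "Feb 13 20:03:49 mail postfix/smtpd[4711]: NOQUEUE: reject: RCPT from "
    "unknown[217.169.214.225]: 454 4.7.1 Service unavailable; Client host "
    "[217.169.214.225] blocked using zen.spamhaus.org; from=<a@example.com> "
    "to=<b@example.net> proto=ESMTP helo=<example.com>",
    # shape the asker reports: 5xx code, lowercase "client", comma-separated fields
    "Feb 13 20:03:50 mail postfix/smtpd[4711]: NOQUEUE: reject: RCPT from "
    "unknown[188.255.159.5]: 550 5.7.1 Service unavailable; client "
    "[188.255.159.5] blocked using zen.spamhaus.org; from=<a@example.com>, "
    "to=<b@example.net>, proto=ESMTP, helo=<example.com>",
    "Feb 13 20:03:51 mail postfix/smtpd[4712]: NOQUEUE: reject: RCPT from "
    "unknown[188.255.159.5]: 550 5.7.1 Service unavailable; client "
    "[188.255.159.5] blocked using zen.spamhaus.org; from=<c@example.com>, "
    "to=<b@example.net>, proto=ESMTP, helo=<example.org>",
    "Feb 13 20:03:51 mail postfix/smtpd[4713]: NOQUEUE: reject: RCPT from "
    "unknown[188.255.159.201]: 550 5.7.1 Service unavailable; client "
    "[188.255.159.201] blocked using zen.spamhaus.org; from=<d@example.com>, "
    "to=<b@example.net>, proto=ESMTP, helo=<example.net>",
    # unrelated line: must match neither regex
    "Feb 13 20:03:52 mail postfix/smtpd[4713]: connect from unknown[188.255.159.201]",
]


def compile_failregex(failregex):
    """Expand the fail2ban placeholders and compile, as the filter loader does."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    expanded = expanded.replace("<HOST>", HOST_PATTERN)
    return re.compile(expanded)


def find_hosts(failregex, lines):
    """Return the <host> captured from every line the failregex matches (fail2ban's 'Found')."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(DATE_RE.sub("", line, count=1))
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(hosts, maxretry):
    """Hosts found at least maxretry times (findtime ignored: the samples are seconds apart)."""
    return sorted(h for h, n in Counter(hosts).items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("stock", STOCK_REGEX), ("rewritten", USER_REGEX)):
        print(name, "matches:", find_hosts(rx, LOG_LINES))
    print("would ban with maxretry=2:", hosts_to_ban(find_hosts(USER_REGEX, LOG_LINES), 2))
```

Each regex matches only the log format it was written for, so a "Found" line in fail2ban.log proves the failregex side is fine; whether a found host is then actually banned, or reported as "already banned", is decided by the action and the firewall rules it leaves behind, which is what the answer above addresses.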