Fail2ban keeps saying an IP is banned, then says it is already banned

This is Fail2ban version v0.11.1 set up on Ubuntu Linux 20.04 on the AWS EC2 platform. The jail.local file carries the standard defaults from jail.conf, but I enable only the following two jails in jail.local.

    # Stop the 404 attacks
    [apache-404]
    enabled = true
    port = http,https
    filter = apache-404
    logpath = /var/log/apache*/access.log
    maxretry = 5
    findtime = 60
    bantime = 300
    action = iptables-multiport[name=HTTPS, port=https, protocol=tcp]


    [recidive]
    enabled = true
    logpath  = /var/log/fail2ban.log
    banaction = %(banaction_allports)s
    bantime  = 5m
    findtime = 1d

The recidive definition file is the one shipped with the fail2ban software package. The apache-404.conf definition file looks like this:

    # Fail2Ban configuration file
    [Definition]
    failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
    ignoreregex =

When the same user repeatedly clicks on invalid files on the site for testing, I see the following in the fail2ban.log file. I cannot figure out why it is not blocking that user, unless the configuration is telling it not to. Were my expectations too high?

    2023-03-07 12:09:56,316 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:09:56
    2023-03-07 12:10:05,513 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:05
    2023-03-07 12:10:08,218 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:07
    2023-03-07 12:10:13,025 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:12
    2023-03-07 12:10:14,629 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:14
    2023-03-07 12:10:15,213 fail2ban.actions        [173661]: NOTICE  [apache-404] Ban 71.29.12.245
    2023-03-07 12:10:15,331 fail2ban.filter         [173661]: INFO    [recidive] Found 71.29.12.245 - 2023-03-07 12:10:15
    2023-03-07 12:10:16,233 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:16
    2023-03-07 12:10:22,142 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:21
    2023-03-07 12:10:24,907 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:24
    2023-03-07 12:10:34,019 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:33
    2023-03-07 12:10:35,622 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:35
    2023-03-07 12:10:35,854 fail2ban.actions        [173661]: NOTICE  [apache-404] 71.29.12.245 already banned
    2023-03-07 12:10:37,521 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:37
    2023-03-07 12:11:25,901 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:25
    2023-03-07 12:11:33,912 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:33
    2023-03-07 12:11:35,630 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:35
    2023-03-07 12:11:37,245 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:37
    2023-03-07 12:11:37,343 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:11:38,914 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:38
    2023-03-07 12:11:40,546 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:40
    2023-03-07 12:11:42,149 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:42
    2023-03-07 12:11:43,928 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:43
    2023-03-07 12:11:45,531 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:45
    2023-03-07 12:11:45,563 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:11:47,140 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:46
    2023-03-07 12:11:48,126 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:48
    2023-03-07 12:11:51,324 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:51
    2023-03-07 12:11:53,258 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:53
    2023-03-07 12:11:54,337 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:54
    2023-03-07 12:11:54,585 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:11:55,940 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:55
    2023-03-07 12:11:57,734 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:57
    2023-03-07 12:11:59,337 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:59
    2023-03-07 12:12:00,940 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:00
    2023-03-07 12:12:06,848 fail2ban.filter         [173661]: INFO    [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:06
    2023-03-07 12:12:07,414 fail2ban.actions        [173661]: WARNING [apache-404] 71.29.12.245 already banned
    2023-03-07 12:14:08,567 fail2ban.filter         [173661]: INFO    [apache-404] Found 198.199.97.240 - 2023-03-07 12:14:08
    2023-03-07 12:17:07,790 fail2ban.actions        [173661]: NOTICE  [apache-404] Unban 71.29.12.245

When I run the following iptables command I get this result.

    sudo iptables-save
    # Generated by iptables-save v1.8.4 on Tue Mar  7 12:19:33 2023
    *filter
    :INPUT ACCEPT [92:8233]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [95:90339]
    :f2b-HTTPS - [0:0]
    -A INPUT -p tcp -m multiport --dports 443 -j f2b-HTTPS
    -A f2b-HTTPS -j RETURN
    -A f2b-HTTPS -j RETURN
    -A f2b-HTTPS -j RETURN
    COMMIT

Answer 1

Through research and testing with fail2ban I was able to determine what was causing the IP address to be falsely identified as banned.

It turned out that the IP address was never banned at all, because apache-404.conf was not set up correctly. The port defined in the action was set to HTTPS only, and the user who triggered all this confusion was not using HTTPS.

This is the correct configuration (the action line is gone; it is just the default now, and the ports are both http and https).

    # Stop the 404 attacks
    [apache-404]
    enabled = true
    port = http,https
    filter = apache-404
    logpath = /var/log/apache*/access.log
    maxretry = 5
    findtime = 60
    bantime = 300

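As an added example (not code from the question or the answer), the following Python script replays the two things this page turns on: the apache-404 failregex run through fail2ban's maxretry/findtime/bantime window over constructed Apache access-log lines, which reproduces the Ban / already banned / Unban sequence seen in the posted fail2ban.log, and a check that the ports a jail names in `port =` are actually hooked by the ports its `action` hands to iptables. That mismatch is what the answer found: the jail.local shown in the question passes `port=https` to `iptables-multiport`, so the generated chain only sits on `--dports 443` (visible in the `iptables-save` output) and plain-HTTP requests on port 80 kept reaching Apache, producing more matches and the "already banned" lines. The `<HOST>` expansion is simplified to IPv4, `SERVICE_PORTS` is a two-entry stand-in for the /etc/services lookup, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the page's apache-404.conf; fail2ban's <HOST> tag is expanded
# here as a plain IPv4 capture (the real expansion also covers IPv6 and hostnames).
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}).*"(GET|POST).*" (404|444|403|400) .*$'
)
# Apache combined-format timestamp, e.g. [07/Mar/2023:12:09:56 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
# Assumed stand-in for the /etc/services lookup fail2ban performs on port names.
SERVICE_PORTS = {"http": 80, "https": 443}


def parse_line(line):
    """Return (host, timestamp) when the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    ts = TIMESTAMP.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")


def simulate_jail(lines, maxretry=5, findtime=60, bantime=300):
    """Replay access-log lines through a maxretry/findtime/bantime window.

    Emits the sequence fail2ban.log showed: 'Ban' when maxretry matches land
    inside findtime, 'already banned' on every further threshold crossing while
    the ban is active (requests are still reaching Apache), and 'Unban' once
    bantime has elapsed. The per-host count restarts after each action.
    """
    hits = defaultdict(deque)  # host -> timestamps of matching lines
    banned = {}                # host -> time the ban expires
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when = parsed
        if host in banned and when >= banned[host]:
            del banned[host]
            events.append(("Unban", host))
        window = hits[host]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            if host in banned:
                events.append(("already banned", host))
            else:
                banned[host] = when + timedelta(seconds=bantime)
                events.append(("Ban", host))
            window.clear()
    return events


def parse_ports(spec):
    """'http,https' -> {80, 443}; numeric entries such as '8080' are accepted too."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        ports.add(int(item) if item.isdigit() else SERVICE_PORTS[item])
    return ports


def uncovered_ports(jail_port_spec, action_port_spec):
    """Ports the jail's `port =` line names that the action's `port=` never hooks."""
    return parse_ports(jail_port_spec) - parse_ports(action_port_spec)


def _line(host, hms, status=404, path="/missing"):
    """Constructed Apache combined-format line (sample data, not a real server log)."""
    return (f'{host} - - [07/Mar/2023:{hms} +0000] "GET {path} HTTP/1.1" '
            f'{status} 196 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("71.29.12.245", t) for t in ("12:09:56", "12:10:05", "12:10:07", "12:10:12", "12:10:14")]
    + [_line("71.29.12.245", "12:10:15", status=200, path="/index.html")]  # valid page, not counted
    + [_line("71.29.12.245", t) for t in ("12:10:16", "12:10:21", "12:10:24", "12:10:33", "12:10:35")]
    + [_line("198.199.97.240", "12:14:08")]   # one hit from another client, below maxretry
    + [_line("71.29.12.245", "12:15:20")]     # after bantime: the ban has expired
)


if __name__ == "__main__":
    for event in simulate_jail(SAMPLE_LOG):
        print(*event)
    # The page's jail.local: the jail says http,https but the action only hooks https.
    print("ports the action never filters:", uncovered_ports("http,https", "https"))
```

Run against the page's own jail.local (`port = http,https` in the jail, `port=https` in the action) the coverage check reports port 80 as unfiltered. On a live box the equivalent check is `sudo fail2ban-client status apache-404` next to `sudo iptables -S INPUT | grep f2b`: the first shows which IPs fail2ban believes are banned, the second shows which destination ports the ban chain is actually hooked on, and they should agree with the jail's `port =` line.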