이것은 AWS EC2 planform의 Ubuntu Linux 20.04에 설정한 FAIL2BAN 버전 v0.11.1입니다. Jail.local 파일에는 Jail.conf의 표준 기본값이 있지만, 저는 Jail.local에서 다음 2개의 Jail만 활성화합니다.
# Stop the 404 attacks
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/access.log
maxretry = 5
findtime = 60
bantime = 300
action = iptables-multiport[name=HTTPS, port=https, protocol=tcp]
[recidive]
enabled =true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 5m
findtime = 1d
재귀 정의 파일은 fall2ban 소프트웨어 패키지에 포함된 파일입니다. apache-404.conf 정의 파일은 다음과 같습니다:
# Fail2Ban configuration file
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
동일한 사용자가 테스트를 위해 사이트에서 유효하지 않은 파일을 반복적으로 클릭하면 실패2ban.log 파일에서 다음을 볼 수 있습니다. 이는 구성에서 그렇게 하지 않는 한 해당 사용자를 차단하지 않는 이유를 알 수 없습니다. 기대가 너무 컸어요.
2023-03-07 12:09:56,316 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:09:56
2023-03-07 12:10:05,513 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:05
2023-03-07 12:10:08,218 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:07
2023-03-07 12:10:13,025 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:12
2023-03-07 12:10:14,629 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:14
2023-03-07 12:10:15,213 fail2ban.actions [173661]: NOTICE [apache-404] Ban 71.29.12.245
2023-03-07 12:10:15,331 fail2ban.filter [173661]: INFO [recidive] Found 71.29.12.245 - 2023-03-07 12:10:15
2023-03-07 12:10:16,233 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:16
2023-03-07 12:10:22,142 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:21
2023-03-07 12:10:24,907 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:24
2023-03-07 12:10:34,019 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:33
2023-03-07 12:10:35,622 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:35
2023-03-07 12:10:35,854 fail2ban.actions [173661]: NOTICE [apache-404] 71.29.12.245 already banned
2023-03-07 12:10:37,521 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:10:37
2023-03-07 12:11:25,901 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:25
2023-03-07 12:11:33,912 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:33
2023-03-07 12:11:35,630 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:35
2023-03-07 12:11:37,245 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:37
2023-03-07 12:11:37,343 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:11:38,914 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:38
2023-03-07 12:11:40,546 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:40
2023-03-07 12:11:42,149 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:42
2023-03-07 12:11:43,928 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:43
2023-03-07 12:11:45,531 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:45
2023-03-07 12:11:45,563 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:11:47,140 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:46
2023-03-07 12:11:48,126 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:48
2023-03-07 12:11:51,324 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:51
2023-03-07 12:11:53,258 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:53
2023-03-07 12:11:54,337 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:54
2023-03-07 12:11:54,585 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:11:55,940 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:55
2023-03-07 12:11:57,734 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:57
2023-03-07 12:11:59,337 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:11:59
2023-03-07 12:12:00,940 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:00
2023-03-07 12:12:06,848 fail2ban.filter [173661]: INFO [apache-404] Found 71.29.12.245 - 2023-03-07 12:12:06
2023-03-07 12:12:07,414 fail2ban.actions [173661]: WARNING [apache-404] 71.29.12.245 already banned
2023-03-07 12:14:08,567 fail2ban.filter [173661]: INFO [apache-404] Found 198.199.97.240 - 2023-03-07 12:14:08
2023-03-07 12:17:07,790 fail2ban.actions [173661]: NOTICE [apache-404] Unban 71.29.12.245
iptables에 다음 명령을 실행하면 다음과 같은 결과가 나타납니다.
sudo iptables-save
# Generated by iptables-save v1.8.4 on Tue Mar 7 12:19:33 2023
*filter
:INPUT ACCEPT [92:8233]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:90339]
:f2b-HTTPS - [0:0]
-A INPUT -p tcp -m multiport --dports 443 -j f2b-HTTPS
-A f2b-HTTPS -j RETURN
-A f2b-HTTPS -j RETURN
-A f2b-HTTPS -j RETURN
COMMIT
답변1
fail2ban연구와 테스트를 통해 IP 주소가 차단되었을 때 차단된 것으로 잘못 식별되는 원인이 무엇인지 확인할 수 있었습니다 .
apache-404.confIP 주소는 파일이 제대로 설정되지 않았기 때문에 전혀 금지되지 않은 것으로 밝혀졌습니다 . 액션에 정의된 포트는 HTTPS로만 설정되어 있는데, 이 모든 혼란을 촉발한 사용자는 HTTPS를 사용하지 않았습니다.
이는 올바른 설정입니다(더 이상 작업이 표시되지 않습니다. 단지 기본값이며 포트는 모두 HTTP 및 HTTPS입니다).
# Stop the 404 attacks
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/access.log
maxretry = 5
findtime = 60
bantime = 300